diff --git a/.gitignore b/.gitignore
index 1aa675e..5a98fc1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.8.0.tar.gz
+SOURCES/freeipa-4.8.4.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index 965cc09..8d08b2e 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-4cbc1d041eef6d9f5381bdfcfebf9a96d40b94cb SOURCES/freeipa-4.8.0.tar.gz
+72c91f01b2039795223417dc6761edf8ee0f36ee SOURCES/freeipa-4.8.4.tar.gz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch b/SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
new file mode 100644
index 0000000..9fba237
--- /dev/null
+++ b/SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
@@ -0,0 +1,47 @@ +From 2c2cef7063315766d893b275185b422be3f3c019 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Dec 16 2019 20:37:17 +0000 +Subject: DNS install check: Fix overlapping DNS zone from the master itself + + +The change to allow overlapping zone to be from the master itself has +introduced two issues: The check for the master itself should only executed +if options.force and options.allow_zone_overlap are both false and the +reverse zone check later on was still handling ValueError instead of +dnsutil.DNSZoneAlreadyExists. + +Both issues have been fixed and the deployment with existing name servers +is properly working again. + +Fixes: https://pagure.io/freeipa/issue/8150 +Signed-off-by: Thomas Woerner <twoerner@redhat.com> +Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> + +--- + +diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py +index 36ba6f8..9f08e86 100644 +--- a/ipaserver/install/dns.py ++++ b/ipaserver/install/dns.py +@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname): + logger.warning("%s Please make sure that the domain is " + "properly delegated to this IPA server.", + e) +- +- hst = dnsutil.DNSName(hostname).make_absolute().to_text() +- if hst not in e.kwargs['ns']: +- raise ValueError(str(e)) ++ else: ++ hst = dnsutil.DNSName(hostname).make_absolute().to_text() ++ if hst not in e.kwargs['ns']: ++ raise ValueError(str(e)) + + for reverse_zone in options.reverse_zones: + try: + dnsutil.check_zone_overlap(reverse_zone) +- except ValueError as e: ++ except dnsutil.DNSZoneAlreadyExists as e: + if options.force or options.allow_zone_overlap: + logger.warning('%s', str(e)) + else: + diff --git a/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch b/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch deleted file mode 100644 index bcc4ceb..0000000 --- a/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch +++ /dev/null 
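Review bot: In the new `else:` branch of `install_check`, `hst not in e.kwargs['ns']` is an exact text match between this host's absolute name and the name-server names carried by the exception, so a name that differs only in letter case would presumably be treated as a foreign server and abort the install. DNS names compare case-insensitively; if `ns` is a list of name strings, as the membership test suggests, the check could be `if hst.lower() not in (n.lower() for n in e.kwargs['ns']):`. A short comment such as `# overlap is acceptable only when this host is itself listed as a name server for the zone` would also record why the branch exists, and since that list presumably reflects what the resolver answered, the exemption is only as trustworthy as that answer. The function body starts and ends outside the hunk, and the original indentation is flattened on this page.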
@@ -1,32 +0,0 @@ -From b3378c32603e83ea3d4651cee3af99e644a30457 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden <rcritten@redhat.com> -Date: Fri, 20 Jul 2018 11:06:55 -0400 -Subject: [PATCH] No need to call rhel-specific domainname service - -It was moved upstream into hostname package which named it -nis-domainname. When it was in the initscripts package there were -separate fedora-domainname and rhel-domainname services. - -From F29+ it will be nis-domainname. We can use that as well in -RHEL 8. ---- - ipaplatform/rhel/services.py | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py -index 1403d08..06fa633 100644 ---- a/ipaplatform/rhel/services.py -+++ b/ipaplatform/rhel/services.py -@@ -30,9 +30,6 @@ from ipaplatform.redhat import services as redhat_services - # to their actual systemd service names - rhel_system_units = redhat_services.redhat_system_units - --# Service that sets domainname on RHEL is called rhel-domainname.service --rhel_system_units['domainname'] = 'rhel-domainname.service' -- - - # Service classes that implement RHEL-specific behaviour - --- -2.13.6 - diff --git a/SOURCES/0002-Fix-test_webui.test_selinuxusermap.patch b/SOURCES/0002-Fix-test_webui.test_selinuxusermap.patch deleted file mode 100644 index ab3d133..0000000 --- a/SOURCES/0002-Fix-test_webui.test_selinuxusermap.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 96af5394c210e637a5ab81d6925be3b0a429fc08 Mon Sep 17 00:00:00 2001 -From: Stanislav Levin <slev@altlinux.org> -Date: Fri, 5 Jul 2019 14:39:17 +0300 -Subject: [PATCH] Fix `test_webui.test_selinuxusermap` - -A previous refactoring of SELinux tests has have a wrong -assumption about the user field separator within -ipaSELinuxUserMapOrder. That was '$$', but should be just '$'. - -Actually, '.ldif' and '.update' files are passed through -Python template string substitution: - -> $$ is an escape; it is replaced with a single $. -> $identifier names a substitution placeholder matching -> a mapping key of "identifier" - -This means that the text to be substituted on should not be escaped. -The wrong ipaSELinuxUserMapOrder previously set will be replaced on -upgrade. - -Fixes: https://pagure.io/freeipa/issue/7996 -Fixes: https://pagure.io/freeipa/issue/8005 -Signed-off-by: Stanislav Levin <slev@altlinux.org> -Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> ---- - install/updates/50-ipaconfig.update | 1 + - ipaplatform/base/constants.py | 10 +++++----- - ipaserver/install/ldapupdate.py | 3 +++ - ipatests/test_integration/test_winsyncmigrate.py | 2 +- - ipatests/test_webui/data_selinuxusermap.py | 4 ++-- - ipatests/test_xmlrpc/test_selinuxusermap_plugin.py | 4 ++-- - 6 files changed, 14 insertions(+), 10 deletions(-) - -diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update -index 2e1c5c357..35e154b4e 100644 ---- a/install/updates/50-ipaconfig.update -+++ b/install/updates/50-ipaconfig.update -@@ -1,4 +1,5 @@ - dn: cn=ipaConfig,cn=etc,$SUFFIX -+replace: ipaSELinuxUserMapOrder: guest_u:s0$$$$xguest_u:s0$$$$user_u:s0$$$$staff_u:s0-s0:c0.c1023$$$$sysadm_u:s0-s0:c0.c1023$$$$unconfined_u:s0-s0:c0.c1023::$SELINUX_USERMAP_ORDER - replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: 
guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 - replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 - add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT -diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py -index cdb72e74a..eac60cac3 100644 ---- a/ipaplatform/base/constants.py -+++ b/ipaplatform/base/constants.py -@@ -62,11 +62,11 @@ class BaseConstantsNamespace: - SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023" - SELINUX_USERMAP_ORDER = ( - "guest_u:s0" -- "$$xguest_u:s0" -- "$$user_u:s0" -- "$$staff_u:s0-s0:c0.c1023" -- "$$sysadm_u:s0-s0:c0.c1023" -- "$$unconfined_u:s0-s0:c0.c1023" -+ "$xguest_u:s0" -+ "$user_u:s0" -+ "$staff_u:s0-s0:c0.c1023" -+ "$sysadm_u:s0-s0:c0.c1023" -+ "$unconfined_u:s0-s0:c0.c1023" - ) - SSSD_USER = "sssd" - # WSGI module override, only used on Fedora -diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py -index d9e47dcc0..0cdea6a82 100644 ---- a/ipaserver/install/ldapupdate.py -+++ b/ipaserver/install/ldapupdate.py -@@ -322,6 +322,9 @@ class LDAPUpdate: - if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"): - self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \ - platformconstants.SELINUX_USERMAP_DEFAULT -+ if not self.sub_dict.get("SELINUX_USERMAP_ORDER"): -+ self.sub_dict["SELINUX_USERMAP_ORDER"] = \ -+ platformconstants.SELINUX_USERMAP_ORDER - self.api = create_api(mode=None) - self.api.bootstrap(in_server=True, - context='updates', -diff --git a/ipatests/test_integration/test_winsyncmigrate.py b/ipatests/test_integration/test_winsyncmigrate.py -index 593fc2065..be9f44072 100644 ---- a/ipatests/test_integration/test_winsyncmigrate.py -+++ b/ipatests/test_integration/test_winsyncmigrate.py 
-@@ -59,7 +59,7 @@ class TestWinsyncMigrate(IntegrationTest): - ipa_group = 'ipa_group' - ad_user = 'testuser' - default_shell = platformconstants.DEFAULT_SHELL -- selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0] -+ selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0] - test_role = 'test_role' - test_hbac_rule = 'test_hbac_rule' - test_selinux_map = 'test_selinux_map' -diff --git a/ipatests/test_webui/data_selinuxusermap.py b/ipatests/test_webui/data_selinuxusermap.py -index ca7b1dcdd..312e7592f 100644 ---- a/ipatests/test_webui/data_selinuxusermap.py -+++ b/ipatests/test_webui/data_selinuxusermap.py -@@ -5,8 +5,8 @@ - from ipaplatform.constants import constants as platformconstants - - # for example, user_u:s0 --selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0] --selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1] -+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0] -+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1] - - selinux_mcs_max = platformconstants.SELINUX_MCS_MAX - selinux_mls_max = platformconstants.SELINUX_MLS_MAX -diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py -index 0b73992aa..e5b23bd4d 100644 ---- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py -+++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py -@@ -32,8 +32,8 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result - import pytest - - rule1 = u'selinuxrule1' --selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0] --selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1] -+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0] -+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1] - - INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format( - platformconstants.SELINUX_MCS_REGEX, --- -2.21.0 - 
diff --git a/SOURCES/0002-krbtktpolicy-reset.patch b/SOURCES/0002-krbtktpolicy-reset.patch
new file mode 100644
index 0000000..fe12776
--- /dev/null
+++ b/SOURCES/0002-krbtktpolicy-reset.patch
@@ -0,0 +1,90 @@ +From a8b52eaf3cf56c90e3d94fdef0b9e426052634ea Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy <abokovoy@redhat.com> +Date: Wed, 18 Dec 2019 12:08:59 +0200 +Subject: [PATCH] Reset per-indicator Kerberos policy + +When 'ipa krbtpolicy-reset' is called, we need to reset all policy +settings, including per-indicator ones. Per-indicator policy uses +subtyped attributes (foo;bar), the current krbtpolicy-reset code does +not deal with those. + +Add support for per-indicator policy reset. It is a bit tricky, as we +need to drop the values to defaults but avoid adding non-per-indicator +variants of the same attributes. + +Add test to check that policy has been resetted by observing a new +Kerberos TGT for the user after its policy reset. + +Fixes: https://pagure.io/freeipa/issue/8153 + +Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> +--- + ipaserver/plugins/krbtpolicy.py | 21 +++++++++++++++++++- + ipatests/test_integration/test_krbtpolicy.py | 13 ++++++++++++ + 2 files changed, 33 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/krbtpolicy.py b/ipaserver/plugins/krbtpolicy.py +index 997fe7e81..b01c44e93 100644 +--- a/ipaserver/plugins/krbtpolicy.py ++++ b/ipaserver/plugins/krbtpolicy.py +@@ -68,6 +68,8 @@ register = Registry() + _default_values = { + 'krbmaxticketlife': 86400, + 'krbmaxrenewableage': 604800, ++ 'krbauthindmaxticketlife': 86400, ++ 'krbauthindmaxrenewableage': 604800, + } + + # These attributes never have non-optional values, so they should be +@@ -311,9 +313,26 @@ class krbtpolicy_reset(baseldap.LDAPQuery): + def_values[a] = None + # if reseting global policy - set values to default + else: +- def_values = _default_values ++ def_values = _default_values.copy() + + entry = ldap.get_entry(dn, list(def_values)) ++ ++ # For per-indicator policies, drop them to defaults ++ for subtype in _supported_options: ++ for attr in _option_based_attrs: ++ name = '{};{}'.format(attr, subtype) ++ if name in entry: ++ if uid is not 
None: ++ def_values[name] = None ++ else: ++ def_values[name] = _default_values[attr] ++ ++ # Remove non-subtyped attrs variants, ++ # they should never be used directly. ++ for attr in _option_based_attrs: ++ if attr in def_values: ++ del def_values[attr] ++ + entry.update(def_values) + try: + ldap.update_entry(entry) +diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py +index b2264de7a..08e332096 100644 +--- a/ipatests/test_integration/test_krbtpolicy.py ++++ b/ipatests/test_integration/test_krbtpolicy.py +@@ -112,3 +112,16 @@ class TestPWPolicy(IntegrationTest): + assert maxlife_within_policy(result.stdout_text, 1200) is True + + tasks.kdestroy_all(master) ++ ++ def test_krbtpolicy_reset(self): ++ """Test a hardened kerberos ticket policy reset""" ++ master = self.master ++ ++ tasks.kinit_admin(master) ++ master.run_command(['ipa', 'krbtpolicy-reset', USER2]) ++ master.run_command(['kinit', USER2], ++ stdin_text=PASSWORD + '\n') ++ result = master.run_command('klist | grep krbtgt') ++ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True ++ ++ tasks.kdestroy_all(master) +-- +2.24.1 + diff --git a/SOURCES/0003-Remove-posixAccount-from-service_find-search-filter-2f9cbff_rhbz#1731437.patch b/SOURCES/0003-Remove-posixAccount-from-service_find-search-filter-2f9cbff_rhbz#1731437.patch deleted file mode 100644 index 17c769a..0000000 --- a/SOURCES/0003-Remove-posixAccount-from-service_find-search-filter-2f9cbff_rhbz#1731437.patch +++ /dev/null 
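Review bot: The two `krbauthind*` keys added to `_default_values` are never meant to be written as plain attributes, but nothing at the dict says so: the new code in `krbtpolicy_reset` uses them to request the entry and as reset values for `attr;subtype` names, then deletes the unsubtyped keys from `def_values` before `entry.update`. A comment at the dict, e.g. `# krbauthind* entries are defaults for ';<indicator>' subtyped attributes only; every name in _option_based_attrs needs one`, would keep a later addition to `_option_based_attrs` (defined outside the hunk) from raising `KeyError` at `_default_values[attr]` during a global reset. The added `test_krbtpolicy_reset` only checks the new ticket's lifetime against `MAXLIFE`; whether a per-indicator value is set for `USER2` beforehand is not visible here, so the subtyped path this patch exists for may be untested. The enclosing method starts outside the hunk.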
@@ -1,33 +0,0 @@ -From 2f9cbffb6e57ded2d0107f457241f33b17869a96 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden <rcritten@redhat.com> -Date: Jul 19 2019 19:16:16 +0000 -Subject: Remove posixAccount from service_find search filter - - -This will allow cifs principals to be found. They were suppressed -because they include objectclass=posixAccount. - -This is a bit of a historical anomaly. This was included in the -filter from the initial commit (though it was person, not -posixAccount). I believe it was a mistake from the beginning but -it wasn't noticed because it didn't cause any obvious issues. - -https://pagure.io/freeipa/issue/8013 - -Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> - ---- - -diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py -index f58fe4b..c118b80 100644 ---- a/ipaserver/plugins/service.py -+++ b/ipaserver/plugins/service.py -@@ -889,7 +889,6 @@ class service_find(LDAPSearch): - assert isinstance(base_dn, DN) - # lisp style! - custom_filter = '(&(objectclass=ipaService)' \ -- '(!(objectClass=posixAccount))' \ - '(!(|(krbprincipalname=kadmin/*)' \ - '(krbprincipalname=K/M@*)' \ - '(krbprincipalname=krbtgt/*))' \ - diff --git a/SOURCES/0003-adtrust-print-DNS-records-for-external-DNS-case-after-role-is-enabled_936e27f_rhbz#1665051.patch b/SOURCES/0003-adtrust-print-DNS-records-for-external-DNS-case-after-role-is-enabled_936e27f_rhbz#1665051.patch new file mode 100644 index 0000000..f86aeaf --- /dev/null +++ b/SOURCES/0003-adtrust-print-DNS-records-for-external-DNS-case-after-role-is-enabled_936e27f_rhbz#1665051.patch 
@@ -0,0 +1,193 @@ +From 936e27f75961c67e619ecfa641e256ce80662d68 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy <abokovoy@redhat.com> +Date: Feb 14 2020 07:24:58 +0000 +Subject: adtrust: print DNS records for external DNS case after role is enabled + + +We cannot gather information about required DNS records before "ADTrust +Controller" role is enabled on this server. As result, we need to call +the step to add DNS records after the role was enabled. + +Fixes: https://pagure.io/freeipa/issue/8192 +Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> +Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> + +--- + +diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in +index 1abfea9..7d94b71 100644 +--- a/install/tools/ipa-adtrust-install.in ++++ b/install/tools/ipa-adtrust-install.in +@@ -214,7 +214,13 @@ def main(): + + # Enable configured services and update DNS SRV records + service.sync_services_state(api.env.host) +- api.Command.dns_update_system_records() ++ ++ dns_help = adtrust.generate_dns_service_records_help(api) ++ if dns_help: ++ for line in dns_help: ++ service.print_msg(line, sys.stdout) ++ else: ++ api.Command.dns_update_system_records() + + print(""" + ============================================================================= +diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py +index 70c4359..6c14e84 100644 +--- a/ipaserver/install/adtrust.py ++++ b/ipaserver/install/adtrust.py +@@ -26,6 +26,8 @@ from ipaserver.install import installutils + from ipaserver.install import adtrustinstance + from ipaserver.install import service + from ipaserver.install.plugins.adtrust import update_host_cifs_keytabs ++from ipaserver.install.bindinstance import dns_zone_exists ++from ipaserver.dns_data_management import IPASystemRecords + + + if six.PY3: +@@ -436,6 +438,41 @@ def install(standalone, options, fstore, api): + add_new_adtrust_agents(api, options) + + ++def 
generate_dns_service_records_help(api): ++ """ ++ Return list of instructions to create DNS service records for Windows ++ if in case DNS is not enabled and the DNS zone is not managed by IPA. ++ In case IPA manages the DNS zone, nothing is returned. ++ """ ++ ++ zone = api.env.domain ++ ++ err_msg = [] ++ ++ ret = api.Command['dns_is_enabled']() ++ if not ret['result']: ++ err_msg.append("DNS management was not enabled at install time.") ++ else: ++ if not dns_zone_exists(zone): ++ err_msg.append( ++ "DNS zone %s cannot be managed as it is not defined in " ++ "IPA" % zone) ++ ++ if err_msg: ++ err_msg.append("Add the following service records to your DNS " ++ "server for DNS zone %s: " % zone) ++ system_records = IPASystemRecords(api, all_servers=True) ++ adtrust_records = system_records.get_base_records( ++ [api.env.host], ["AD trust controller"], ++ include_master_role=False, include_kerberos_realm=False) ++ for r_name, node in adtrust_records.items(): ++ for rec in IPASystemRecords.records_list_from_node(r_name, node): ++ err_msg.append(rec) ++ return err_msg ++ ++ return None ++ ++ + @group + class ADTrustInstallInterface(ServiceAdminInstallInterface): + """ +diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py +index 8699d53..a59e85d 100644 +--- a/ipaserver/install/adtrustinstance.py ++++ b/ipaserver/install/adtrustinstance.py +@@ -32,10 +32,8 @@ import socket + + import six + +-from ipaserver.dns_data_management import IPASystemRecords + from ipaserver.install import service + from ipaserver.install import installutils +-from ipaserver.install.bindinstance import dns_zone_exists + from ipaserver.install.replication import wait_for_task + from ipalib import errors, api + from ipalib.util import normalize_zone +@@ -586,43 +584,6 @@ class ADTRUSTInstance(service.Service): + logger.critical("Failed to remove old key for %s", + self.principal) + +- def srv_rec(self, host, port, prio): +- return "%(prio)d 100 %(port)d %(host)s" 
% dict(host=host,prio=prio,port=port) +- +- def __add_dns_service_records(self): +- """ +- Add DNS service records for Windows if DNS is enabled and the DNS zone +- is managed. If there are already service records for LDAP and Kerberos +- their values are used. Otherwise default values are used. +- """ +- +- zone = api.env.domain +- +- err_msg = None +- +- ret = api.Command['dns_is_enabled']() +- if not ret['result']: +- err_msg = "DNS management was not enabled at install time." +- else: +- if not dns_zone_exists(zone): +- err_msg = ( +- "DNS zone %s cannot be managed as it is not defined in " +- "IPA" % zone) +- +- if err_msg: +- self.print_msg(err_msg) +- self.print_msg("Add the following service records to your DNS " \ +- "server for DNS zone %s: " % zone) +- system_records = IPASystemRecords(api, all_servers=True) +- adtrust_records = system_records.get_base_records( +- [self.fqdn], ["AD trust controller"], +- include_master_role=False, include_kerberos_realm=False) +- for r_name, node in adtrust_records.items(): +- for rec in IPASystemRecords.records_list_from_node(r_name, node): +- self.print_msg(rec) +- else: +- api.Command.dns_update_system_records() +- + def __configure_selinux_for_smbd(self): + try: + tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_ADTRUST, +@@ -876,8 +837,6 @@ class ADTRUSTInstance(service.Service): + self.step("map BUILTIN\\Guests to nobody group", + self.__map_Guests_to_nobody) + self.step("configuring smbd to start on boot", self.__enable) +- self.step("adding special DNS service records", \ +- self.__add_dns_service_records) + + if self.enable_compat: + self.step("enabling trusted domains support for older clients via Schema Compatibility plugin", +diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py +index 6b08b70..afce0d7 100644 +--- a/ipaserver/install/server/install.py ++++ b/ipaserver/install/server/install.py +@@ -984,6 +984,12 @@ def install(installer): + 
service.enable_services(host_name) + api.Command.dns_update_system_records() + ++ if options.setup_adtrust: ++ dns_help = adtrust.generate_dns_service_records_help(api) ++ if dns_help: ++ for line in dns_help: ++ service.print_msg(line, sys.stdout) ++ + if not options.setup_dns: + # After DNS and AD trust are configured and services are + # enabled, create a dummy instance to dump DNS configuration. +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 536f0db..71ea091 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -1351,6 +1351,12 @@ def install(installer): + # enabled-service case, also perform update in hidden replica case. + api.Command.dns_update_system_records() + ++ if options.setup_adtrust: ++ dns_help = adtrust.generate_dns_service_records_help(api) ++ if dns_help: ++ for line in dns_help: ++ service.print_msg(line, sys.stdout) ++ + ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api) + api.Backend.ldap2.disconnect() + + diff --git a/SOURCES/0004-AD-user-without-override-receive-InternalServerError-with-API_4db18be_rhbz#1782572.patch b/SOURCES/0004-AD-user-without-override-receive-InternalServerError-with-API_4db18be_rhbz#1782572.patch new file mode 100644 index 0000000..3795958 --- /dev/null +++ b/SOURCES/0004-AD-user-without-override-receive-InternalServerError-with-API_4db18be_rhbz#1782572.patch 
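Review bot: The docstring of `generate_dns_service_records_help` in ipaserver/install/adtrust.py says instructions are returned when DNS is not enabled and the zone is not managed by IPA, but the code returns them when either condition holds, and the list it builds is named `err_msg` although it carries help text for the administrator. I would reword the summary to `Return the DNS service records an administrator must add by hand when IPA DNS is disabled or does not manage the zone; return None otherwise.` and rename the local to something like `lines`. The same print loop over `dns_help` is repeated in ipa-adtrust-install.in, server/install.py and server/replicainstall.py, so a small helper next to the generator would keep the three call sites from drifting. Those call sites also rely on `adtrust`, `service` and `sys` being imported in each module, which the hunks do not show.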
@@ -0,0 +1,41 @@ +From 4db18be5467c0b8f7633b281c724f469f907e573 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud <flo@redhat.com> +Date: Jan 13 2020 12:08:19 +0000 +Subject: AD user without override receive InternalServerError with API + + +When ipa commands are used by an Active Directory user that +does not have any idoverride-user set, they return the +following error message which can be misleading: +$ kinit aduser@ADDOMAIN.COM +$ ipa ping +ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error + +The fix properly handles ACIError exception received when +creating the context, and now the following message can be seen: + +$ kinit aduser@ADDOMAIN.COM +$ ipa ping +ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized + +with the following log in /var/log/httpd/error_log: +ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials + +Fixes: https://pagure.io/freeipa/issue/8163 + +--- + +diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py +index 0495557..194cbbc 100644 +--- a/ipaserver/rpcserver.py ++++ b/ipaserver/rpcserver.py +@@ -694,7 +694,7 @@ class KerberosWSGIExecutioner(WSGIExecutioner, KerberosSession): + status = HTTP_STATUS_SUCCESS + response = status.encode('utf-8') + start_response(status, self.headers) +- return self.marshal(None, e) ++ return [self.marshal(None, e)] + finally: + destroy_context() + return response + diff --git a/SOURCES/0004-Repeated-uninstallation-of-ipa-client-samba-crashes_rhbz#1732529.patch b/SOURCES/0004-Repeated-uninstallation-of-ipa-client-samba-crashes_rhbz#1732529.patch deleted file mode 100644 index 374534b..0000000 --- a/SOURCES/0004-Repeated-uninstallation-of-ipa-client-samba-crashes_rhbz#1732529.patch +++ /dev/null 
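Review bot: In the `except` branch patched in ipaserver/rpcserver.py, the assignment `response = status.encode('utf-8')` is dead: the branch returns `[self.marshal(None, e)]` right away, so the bytes value never reaches the trailing `return response`. If the layout is as it appears, assigning the list instead, `response = [self.marshal(None, e)]`, and dropping the early `return` would leave a single exit after `destroy_context()` and a single return shape, assuming the non-error path also yields an iterable of bytes, which is not visible here. Because this path decides what a caller whose context creation fails with ACIError receives, a regression test for that case would be worth adding; none is part of this patch. The method starts outside the hunk and indentation is flattened on this page.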
@@ -1,146 +0,0 @@ -From b9b98097a47f27b56500edc972c438597e6609b1 Mon Sep 17 00:00:00 2001 -From: François Cami <fcami@redhat.com> -Date: Jul 26 2019 13:09:42 +0000 -Subject: ipatests: test multiple invocations of ipa-client-samba --uninstall - - -Related-to: https://pagure.io/freeipa/issue/8019 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> -Reviewed-By: Sergey Orlov <sorlov@redhat.com> - ---- - -diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py -index 4e295c0..26d70b3 100644 ---- a/ipatests/test_integration/test_smb.py -+++ b/ipatests/test_integration/test_smb.py -@@ -150,3 +150,6 @@ class TestSMB(IntegrationTest): - - smbsrv = self.replicas[0] - smbsrv.run_command(['ipa-client-samba', '--uninstall', '-U']) -+ # test for https://pagure.io/freeipa/issue/8019 -+ # try another uninstall after the first one: -+ smbsrv.run_command(['ipa-client-samba', '--uninstall', '-U']) - -From 256a6a879061d2b97c11e9cd97b2427579610fa1 Mon Sep 17 00:00:00 2001 -From: François Cami <fcami@redhat.com> -Date: Jul 26 2019 13:09:42 +0000 -Subject: ipa-client-samba: remove and restore smb.conf only on first uninstall - - -Fixes: https://pagure.io/freeipa/issue/8019 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> -Reviewed-By: Sergey Orlov <sorlov@redhat.com> - ---- - -diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py -index e2be67d..6a3c3bd 100755 ---- a/ipaclient/install/ipa_client_samba.py -+++ b/ipaclient/install/ipa_client_samba.py -@@ -433,8 +433,9 @@ def uninstall(fstore, statestore, options): - ipautil.remove_ccache(ccache_path=paths.KRB5CC_SAMBA) - - # Remove samba's configuration file -- ipautil.remove_file(paths.SMB_CONF) -- fstore.restore_file(paths.SMB_CONF) -+ if fstore.has_file(paths.SMB_CONF): -+ ipautil.remove_file(paths.SMB_CONF) -+ fstore.restore_file(paths.SMB_CONF) - - # Remove 
samba's persistent and temporary tdb files - tdb_files = [ -@@ -624,7 +625,7 @@ def run(): - api.Command.service_del(api.env.smb_princ) - except AttributeError: - logger.error( -- "Chosen IPA master %s does not have support to" -+ "Chosen IPA master %s does not have support to " - "set up Samba domain members", server, - ) - return 1 - -From 00ba2ae6681dafa92d3f00f2a4e11adaa477ea0e Mon Sep 17 00:00:00 2001 -From: François Cami <fcami@redhat.com> -Date: Jul 26 2019 13:09:42 +0000 -Subject: ipatests: test ipa-client-samba after --uninstall - - -Related-to: https://pagure.io/freeipa/issue/8021 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> -Reviewed-By: Sergey Orlov <sorlov@redhat.com> - ---- - -diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py -index 26d70b3..933d468 100644 ---- a/ipatests/test_integration/test_smb.py -+++ b/ipatests/test_integration/test_smb.py -@@ -153,3 +153,8 @@ class TestSMB(IntegrationTest): - # test for https://pagure.io/freeipa/issue/8019 - # try another uninstall after the first one: - smbsrv.run_command(['ipa-client-samba', '--uninstall', '-U']) -+ # test for https://pagure.io/freeipa/issue/8021 -+ # try to install again: -+ smbsrv.run_command(["ipa-client-samba", "-U"]) -+ # cleanup: -+ smbsrv.run_command(['ipa-client-samba', '--uninstall', '-U']) - -From 551cd68d0959b1ee761ead6338dc06c544c0c5da Mon Sep 17 00:00:00 2001 -From: François Cami <fcami@redhat.com> -Date: Jul 26 2019 13:09:42 +0000 -Subject: ipa-client-samba: remove state on uninstall - - -The "domain_member" state was not removed at uninstall time. -Remove it so that future invocations of ipa-client-samba work. 
- -Fixes: https://pagure.io/freeipa/issue/8021 -Signed-off-by: François Cami <fcami@redhat.com> - -https://pagure.io/freeipa/issue/8021 - -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> -Reviewed-By: Sergey Orlov <sorlov@redhat.com> - ---- - -diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py -index 6a3c3bd..126ef32 100755 ---- a/ipaclient/install/ipa_client_samba.py -+++ b/ipaclient/install/ipa_client_samba.py -@@ -523,11 +523,25 @@ def run(): - if options.uninstall: - if statestore.has_state("domain_member"): - uninstall(fstore, statestore, options) -- print( -- "Samba configuration is reverted. " -- "However, Samba databases were fully cleaned and " -- "old configuration file will not be usable anymore." -- ) -+ try: -+ keys = ( -+ "configured", "hardening", "groupmap", "tdb", -+ "service.principal", "smb.conf" -+ ) -+ for key in keys: -+ statestore.delete_state("domain_member", key) -+ except Exception as e: -+ print( -+ "Error: Failed to remove the domain_member statestores: " -+ "%s" % e -+ ) -+ return 1 -+ else: -+ print( -+ "Samba configuration is reverted. " -+ "However, Samba databases were fully cleaned and " -+ "old configuration file will not be usable anymore." -+ ) - else: - print("Samba domain member is not configured yet") - return 0 - diff --git a/SOURCES/0005-WebUI-Add-PKINIT-status-field-to-Configuration-page-a46383f_rhbz#1518153.patch b/SOURCES/0005-WebUI-Add-PKINIT-status-field-to-Configuration-page-a46383f_rhbz#1518153.patch deleted file mode 100644 index 1060da1..0000000 --- a/SOURCES/0005-WebUI-Add-PKINIT-status-field-to-Configuration-page-a46383f_rhbz#1518153.patch +++ /dev/null 
@@ -1,72 +0,0 @@
-From a46383ffe414f703264f8a81450f44abbd95d78e Mon Sep 17 00:00:00 2001
-From: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Date: Jul 26 2019 20:36:58 +0000
-Subject: WebUI: Add PKINIT status field to 'Configuration' page
-
-
-- Add 'Server Options' section to the page
-- Add 'IPA master capable of PKINIT' field to the 'Server Options'
-
-Ticket: https://pagure.io/freeipa/issue/7305
-
-Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-
----
-
-diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
-index 25f484a..6c82b40 100644
---- a/install/ui/src/freeipa/serverconfig.js
-+++ b/install/ui/src/freeipa/serverconfig.js
-@@ -50,6 +50,24 @@ return {
- ]
- },
- {
-+ name: 'server',
-+ label: '@i18n:objects.config.server',
-+ fields: [
-+ {
-+ $type: 'entity_select',
-+ name: 'ca_renewal_master_server',
-+ other_entity: 'server',
-+ other_field: 'cn',
-+ flags: ['w_if_no_aci']
-+ },
-+ {
-+ $type: 'multivalued',
-+ name: 'pkinit_server_server',
-+ read_only: true
-+ }
-+ ]
-+ },
-+ {
- name: 'user',
- label: '@i18n:objects.config.user',
- fields: [
-@@ -99,13 +117,6 @@ return {
- {
- $type: 'multivalued',
- name: 'ipauserobjectclasses'
-- },
-- {
-- $type: 'entity_select',
-- name: 'ca_renewal_master_server',
-- other_entity: 'server',
-- other_field: 'cn',
-- flags: ['w_if_no_aci']
- }
- ]
- },
-diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
-index 0f0ad3a..19957d7 100644
---- a/ipaserver/plugins/internal.py
-+++ b/ipaserver/plugins/internal.py
-@@ -726,6 +726,7 @@ class i18n_messages(Command):
- "group": _("Group Options"),
- "search": _("Search Options"),
- "selinux": _("SELinux Options"),
-+ "server": _("Server Options"),
- "service": _("Service Options"),
- "user": _("User Options"),
- },
-
diff --git a/SOURCES/0005-ipa-client-automount-fails-after-repeated-installation-uninstallation_rhbz#1790886.patch b/SOURCES/0005-ipa-client-automount-fails-after-repeated-installation-uninstallation_rhbz#1790886.patch
new file mode 100644
index 0000000..dbb6db5
--- /dev/null
+++ b/SOURCES/0005-ipa-client-automount-fails-after-repeated-installation-uninstallation_rhbz#1790886.patch
@@ -0,0 +1,82 @@
+From 6332aed9ba67e2ee759a9d988ba92139486469d4 Mon Sep 17 00:00:00 2001
+From: François Cami <fcami@redhat.com>
+Date: Feb 14 2020 16:38:19 +0000
+Subject: ipa-client-automount: call save_domain() for each change
+
+
+Call sssdconfig.save_domain(domain) after each configuration
+change during ipa-client-automount --uninstall.
+
+Previously, sssdconfig.save_domain(domain) was called only
+outside of the domain detection loop which changed the domain
+configuration. This introduced issues as this method's behavior
+is only consistent when configuration items are removed in a
+certain order: https://pagure.io/SSSD/sssd/issue/4149
+Plus, it is more correct to save the configuration from within
+the loop if ever we support multiple domains.
+
+Fixes: https://pagure.io/freeipa/issue/8190
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py
+index 3ef257a..fdf974d 100644
+--- a/ipaclient/install/ipa_client_automount.py
++++ b/ipaclient/install/ipa_client_automount.py
+@@ -355,9 +355,10 @@ def uninstall(fstore, statestore):
+ continue
+ if provider == "ipa":
+ domain.remove_option('ipa_automount_location')
++ sssdconfig.save_domain(domain)
+ domain.remove_provider('autofs')
++ sssdconfig.save_domain(domain)
+ break
+- sssdconfig.save_domain(domain)
+ sssdconfig.write(paths.SSSD_CONF)
+ sssd = services.service('sssd', api)
+ sssd.restart()
+
+From 7ae804c726970ae467a7f76efa21bae40405551d Mon Sep 17 00:00:00 2001
+From: François Cami <fcami@redhat.com>
+Date: Feb 14 2020 16:38:19 +0000
+Subject: ipatests: make sure ipa-client-automount reverts sssd.conf
+
+
+Due to https://pagure.io/SSSD/sssd/issue/4149 ipa-client-automount
+fails to remove the ipa_automount_location entry from sssd.conf.
+Test that autofs_provider and ipa_automount_location are removed.
+
+Fixes: https://pagure.io/freeipa/issue/8190
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
+index 7d29836..532dd61 100644
+--- a/ipatests/test_integration/test_nfs.py
++++ b/ipatests/test_integration/test_nfs.py
+@@ -332,6 +332,20 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
+ "ipa-client-automount", "--uninstall", "-U"
+ ])
+
++ if not no_sssd:
++ # https://pagure.io/freeipa/issue/8190
++ # check that no ipa_automount_location is left in sssd.conf
++ # also check for autofs_provider for good measure
++ grep_automount_in_sssdconf_cmd = \
++ "egrep ipa_automount_location\\|autofs_provider " \
++ "/etc/sssd/sssd.conf"
++ cmd = self.clients[0].run_command(
++ grep_automount_in_sssdconf_cmd, raiseonerr=False
++ )
++ assert cmd.returncode == 1, \
++ "PG8190 regression found: ipa_automount_location still " \
++ "present in sssd.conf"
++
+ cmd = self.clients[0].run_command(grep_automount_command)
+ assert cmd.stdout_text.split() == after_ipa_client_install
+
+
diff --git a/SOURCES/0006-external-ca-profile-fix_rhbz#1731813.patch b/SOURCES/0006-external-ca-profile-fix_rhbz#1731813.patch
deleted file mode 100644
index ca70f28..0000000
--- a/SOURCES/0006-external-ca-profile-fix_rhbz#1731813.patch
+++ /dev/null
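Review bot: The two `sssdconfig.save_domain(domain)` calls added inside the `provider == "ipa"` branch of `uninstall()` carry no comment, so a later cleanup could fold them back into one save after the loop and leave a stale `ipa_automount_location` entry in sssd.conf again. A comment above the first call would record the reason, for example `# save after every removal: save_domain() is only consistent when items are removed in a certain order (https://pagure.io/SSSD/sssd/issue/4149)`. In the added test, `assert cmd.returncode == 1` also fails when grep exits with 2 (for instance if /etc/sssd/sssd.conf cannot be read), and the message would then report a regression that did not happen; including the return code in the message, or additionally checking that `cmd.stdout_text` is empty, would tell the two cases apart. Both `uninstall()` and the test method start and end outside the inner hunks shown here.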
@@ -1,1339 +0,0 @@ -From d0d29ccc324bb9f95bffbe3162ee5c3c61c6086a Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale <ftweedal@redhat.com> -Date: Thu, 11 Jul 2019 15:17:04 +1000 -Subject: [PATCH] move MSCSTemplate classes to ipalib - -As we expand the integration tests for external CA functionality, it -is helpful (and avoids duplication) to use the MSCSTemplate* -classes. These currently live in ipaserver.install.cainstance, but -ipatests is no longer permitted to import from ipaserver (see commit -81714976e5e13131654c78eb734746a20237c933). So move these classes to -ipalib. - -Part of: https://pagure.io/freeipa/issue/7548 - -Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> ---- - install/tools/ipa-ca-install.in | 6 +- - ipalib/x509.py | 171 +++++++++++++++++ - ipaserver/install/ca.py | 11 +- - ipaserver/install/cainstance.py | 180 +----------------- - ipaserver/install/ipa_cacert_manage.py | 14 +- - ipatests/test_integration/test_external_ca.py | 11 +- - ipatests/test_ipalib/test_x509.py | 115 +++++++++++ - .../test_install/test_cainstance.py | 123 ------------ - 8 files changed, 307 insertions(+), 324 deletions(-) - delete mode 100644 ipatests/test_ipaserver/test_install/test_cainstance.py - -diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in -index 0700c0c38b..ce6d5fcb52 100644 ---- a/install/tools/ipa-ca-install.in -+++ b/install/tools/ipa-ca-install.in -@@ -37,7 +37,7 @@ from ipaserver.install import cainstance, service - from ipaserver.install import custodiainstance - from ipaserver.masters import find_providing_server - from ipapython import version --from ipalib import api -+from ipalib import api, x509 - from ipalib.constants import DOMAIN_LEVEL_1 - from ipapython.config import IPAOptionParser - from ipapython.ipa_log_manager import standard_logging_setup -@@ -68,13 +68,13 @@ def parse_options(): - default=False, help="unattended installation never prompts the user") - parser.add_option("--external-ca", dest="external_ca", 
action="store_true", - default=False, help="Generate a CSR to be signed by an external CA") -- ext_cas = tuple(x.value for x in cainstance.ExternalCAType) -+ ext_cas = tuple(x.value for x in x509.ExternalCAType) - parser.add_option("--external-ca-type", dest="external_ca_type", - type="choice", choices=ext_cas, - metavar="{{{0}}}".format(",".join(ext_cas)), - help="Type of the external CA. Default: generic") - parser.add_option("--external-ca-profile", dest="external_ca_profile", -- type='constructor', constructor=cainstance.ExternalCAProfile, -+ type='constructor', constructor=x509.ExternalCAProfile, - default=None, metavar="PROFILE-SPEC", - help="Specify the certificate profile/template to use " - "at the external CA") -diff --git a/ipalib/x509.py b/ipalib/x509.py -index ab3c5f553d..1f612a3797 100644 ---- a/ipalib/x509.py -+++ b/ipalib/x509.py -@@ -34,6 +34,7 @@ - import os - import binascii - import datetime -+import enum - import ipaddress - import ssl - import base64 -@@ -47,6 +48,7 @@ - Encoding, PublicFormat, PrivateFormat, load_pem_private_key - ) - import pyasn1 -+import pyasn1.error - from pyasn1.type import univ, char, namedtype, tag - from pyasn1.codec.der import decoder, encoder - from pyasn1_modules import rfc2315, rfc2459 -@@ -745,3 +747,172 @@ def format_datetime(t): - if t.tzinfo is None: - t = t.replace(tzinfo=UTC()) - return unicode(t.strftime("%a %b %d %H:%M:%S %Y %Z")) -+ -+ -+class ExternalCAType(enum.Enum): -+ GENERIC = 'generic' -+ MS_CS = 'ms-cs' -+ -+ -+class ExternalCAProfile: -+ """ -+ An external CA profile configuration. Currently the only -+ subclasses are for Microsoft CAs, for providing data in the -+ "Certificate Template" extension. -+ -+ Constructing this class will actually return an instance of a -+ subclass. -+ -+ Subclasses MUST set ``valid_for``. -+ -+ """ -+ def __init__(self, s=None): -+ self.unparsed_input = s -+ -+ # Which external CA types is the data valid for? -+ # A set of VALUES of the ExternalCAType enum. 
-+ valid_for = set() -+ -+ def __new__(cls, s=None): -+ """Construct the ExternalCAProfile value. -+ -+ Return an instance of a subclass determined by -+ the format of the argument. -+ -+ """ -+ # we are directly constructing a subclass; instantiate -+ # it and be done -+ if cls is not ExternalCAProfile: -+ return super(ExternalCAProfile, cls).__new__(cls) -+ -+ # construction via the base class; therefore the string -+ # argument is required, and is used to determine which -+ # subclass to construct -+ if s is None: -+ raise ValueError('string argument is required') -+ -+ parts = s.split(':') -+ -+ try: -+ # Is the first part on OID? -+ _oid = univ.ObjectIdentifier(parts[0]) -+ -+ # It is; construct a V2 template -+ # pylint: disable=too-many-function-args -+ return MSCSTemplateV2.__new__(MSCSTemplateV2, s) -+ -+ except pyasn1.error.PyAsn1Error: -+ # It is not an OID; treat as a template name -+ # pylint: disable=too-many-function-args -+ return MSCSTemplateV1.__new__(MSCSTemplateV1, s) -+ -+ def __getstate__(self): -+ return self.unparsed_input -+ -+ def __setstate__(self, state): -+ # explicitly call __init__ method to initialise object -+ self.__init__(state) -+ -+ -+class MSCSTemplate(ExternalCAProfile): -+ """ -+ An Microsoft AD-CS Template specifier. -+ -+ Subclasses MUST set ext_oid. -+ -+ Subclass constructors MUST set asn1obj. -+ -+ """ -+ valid_for = set([ExternalCAType.MS_CS.value]) -+ -+ ext_oid = None # extension OID, as a Python str -+ asn1obj = None # unencoded extension data -+ -+ def get_ext_data(self): -+ """Return DER-encoded extension data.""" -+ return encoder.encode(self.asn1obj) -+ -+ -+class MSCSTemplateV1(MSCSTemplate): -+ """ -+ A v1 template specifier, per -+ https://msdn.microsoft.com/en-us/library/cc250011.aspx. -+ -+ :: -+ -+ CertificateTemplateName ::= SEQUENCE { -+ Name UTF8String -+ } -+ -+ But note that a bare BMPString is used in practice. 
-+ -+ """ -+ ext_oid = "1.3.6.1.4.1.311.20.2" -+ -+ def __init__(self, s): -+ super(MSCSTemplateV1, self).__init__(s) -+ parts = s.split(':') -+ if len(parts) > 1: -+ raise ValueError( -+ "Cannot specify certificate template version when using name.") -+ self.asn1obj = char.BMPString(str(parts[0])) -+ -+ -+class MSCSTemplateV2(MSCSTemplate): -+ """ -+ A v2 template specifier, per -+ https://msdn.microsoft.com/en-us/library/windows/desktop/aa378274(v=vs.85).aspx -+ -+ :: -+ -+ CertificateTemplate ::= SEQUENCE { -+ templateID EncodedObjectID, -+ templateMajorVersion TemplateVersion, -+ templateMinorVersion TemplateVersion OPTIONAL -+ } -+ -+ TemplateVersion ::= INTEGER (0..4294967295) -+ -+ """ -+ ext_oid = "1.3.6.1.4.1.311.21.7" -+ -+ @staticmethod -+ def check_version_in_range(desc, n): -+ if n < 0 or n >= 2**32: -+ raise ValueError( -+ "Template {} version must be in range 0..4294967295" -+ .format(desc)) -+ -+ def __init__(self, s): -+ super(MSCSTemplateV2, self).__init__(s) -+ -+ parts = s.split(':') -+ -+ obj = CertificateTemplateV2() -+ if len(parts) < 2 or len(parts) > 3: -+ raise ValueError( -+ "Incorrect template specification; required format is: " -+ "<oid>:<majorVersion>[:<minorVersion>]") -+ try: -+ obj['templateID'] = univ.ObjectIdentifier(parts[0]) -+ -+ major = int(parts[1]) -+ self.check_version_in_range("major", major) -+ obj['templateMajorVersion'] = major -+ -+ if len(parts) > 2: -+ minor = int(parts[2]) -+ self.check_version_in_range("minor", minor) -+ obj['templateMinorVersion'] = int(parts[2]) -+ -+ except pyasn1.error.PyAsn1Error: -+ raise ValueError("Could not parse certificate template specifier.") -+ self.asn1obj = obj -+ -+ -+class CertificateTemplateV2(univ.Sequence): -+ componentType = namedtype.NamedTypes( -+ namedtype.NamedType('templateID', univ.ObjectIdentifier()), -+ namedtype.NamedType('templateMajorVersion', univ.Integer()), -+ namedtype.OptionalNamedType('templateMinorVersion', univ.Integer()) -+ ) -diff --git 
a/ipaserver/install/ca.py b/ipaserver/install/ca.py -index 6b040b311a..8fb5e3ec91 100644 ---- a/ipaserver/install/ca.py -+++ b/ipaserver/install/ca.py -@@ -28,7 +28,7 @@ - from ipaplatform.paths import paths - from ipaserver.install import installutils, certs - from ipaserver.install.replication import replica_conn_check --from ipalib import api, errors -+from ipalib import api, errors, x509 - from ipapython.dn import DN - - from . import conncheck, dogtag, cainstance -@@ -216,8 +216,7 @@ def install_check(standalone, replica_config, options): - paths.ROOT_IPA_CSR) - - if not options.external_ca_type: -- options.external_ca_type = \ -- cainstance.ExternalCAType.GENERIC.value -+ options.external_ca_type = x509.ExternalCAType.GENERIC.value - - if options.external_ca_profile is not None: - # check that profile is valid for the external ca type -@@ -478,13 +477,11 @@ class CAInstallInterface(dogtag.DogtagInstallInterface, - external_ca = master_install_only(external_ca) - - external_ca_type = knob( -- cainstance.ExternalCAType, None, -- description="Type of the external CA", -- ) -+ x509.ExternalCAType, None, description="Type of the external CA") - external_ca_type = master_install_only(external_ca_type) - - external_ca_profile = knob( -- type=cainstance.ExternalCAProfile, -+ type=x509.ExternalCAProfile, - default=None, - description=( - "Specify the certificate profile/template to use at the " -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 6e1fc724db..2295581870 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -26,7 +26,6 @@ - import logging - - import dbus --import enum - import ldap - import os - import pwd -@@ -39,10 +38,6 @@ - import tempfile - from configparser import RawConfigParser - --from pyasn1.codec.der import encoder --from pyasn1.type import char, univ, namedtype --import pyasn1.error -- - from ipalib import api - from ipalib import x509 - from ipalib import errors -@@ -80,11 
+75,6 @@ - ] - - --class ExternalCAType(enum.Enum): -- GENERIC = 'generic' -- MS_CS = 'ms-cs' -- -- - def check_ports(): - """Check that dogtag ports (8080, 8443) are available. - -@@ -367,7 +357,7 @@ def configure_instance(self, host_name, dm_password, admin_password, - if ca_type is not None: - self.ca_type = ca_type - else: -- self.ca_type = ExternalCAType.GENERIC.value -+ self.ca_type = x509.ExternalCAType.GENERIC.value - self.external_ca_profile = external_ca_profile - - self.no_db_setup = promote -@@ -537,12 +527,12 @@ def __spawn_instance(self): - pki_ca_signing_csr_path=self.csr_file, - ) - -- if self.ca_type == ExternalCAType.MS_CS.value: -+ if self.ca_type == x509.ExternalCAType.MS_CS.value: - # Include MS template name extension in the CSR - template = self.external_ca_profile - if template is None: - # default template name -- template = MSCSTemplateV1(u"SubCA") -+ template = x509.MSCSTemplateV1(u"SubCA") - - ext_data = binascii.hexlify(template.get_ext_data()) - cfg.update( -@@ -2081,170 +2071,6 @@ def update_ipa_conf(): - parser.write(f) - - --class ExternalCAProfile: -- """ -- An external CA profile configuration. Currently the only -- subclasses are for Microsoft CAs, for providing data in the -- "Certificate Template" extension. -- -- Constructing this class will actually return an instance of a -- subclass. -- -- Subclasses MUST set ``valid_for``. -- -- """ -- def __init__(self, s=None): -- self.unparsed_input = s -- -- # Which external CA types is the data valid for? -- # A set of VALUES of the ExternalCAType enum. -- valid_for = set() -- -- def __new__(cls, s=None): -- """Construct the ExternalCAProfile value. -- -- Return an instance of a subclass determined by -- the format of the argument. 
-- -- """ -- # we are directly constructing a subclass; instantiate -- # it and be done -- if cls is not ExternalCAProfile: -- return super(ExternalCAProfile, cls).__new__(cls) -- -- # construction via the base class; therefore the string -- # argument is required, and is used to determine which -- # subclass to construct -- if s is None: -- raise ValueError('string argument is required') -- -- parts = s.split(':') -- -- try: -- # Is the first part on OID? -- _oid = univ.ObjectIdentifier(parts[0]) -- -- # It is; construct a V2 template -- # pylint: disable=too-many-function-args -- return MSCSTemplateV2.__new__(MSCSTemplateV2, s) -- -- except pyasn1.error.PyAsn1Error: -- # It is not an OID; treat as a template name -- # pylint: disable=too-many-function-args -- return MSCSTemplateV1.__new__(MSCSTemplateV1, s) -- -- def __getstate__(self): -- return self.unparsed_input -- -- def __setstate__(self, state): -- # explicitly call __init__ method to initialise object -- self.__init__(state) -- -- --class MSCSTemplate(ExternalCAProfile): -- """ -- An Microsoft AD-CS Template specifier. -- -- Subclasses MUST set ext_oid. -- -- Subclass constructors MUST set asn1obj. -- -- """ -- valid_for = set([ExternalCAType.MS_CS.value]) -- -- ext_oid = None # extension OID, as a Python str -- asn1obj = None # unencoded extension data -- -- def get_ext_data(self): -- """Return DER-encoded extension data.""" -- return encoder.encode(self.asn1obj) -- -- --class MSCSTemplateV1(MSCSTemplate): -- """ -- A v1 template specifier, per -- https://msdn.microsoft.com/en-us/library/cc250011.aspx. -- -- :: -- -- CertificateTemplateName ::= SEQUENCE { -- Name UTF8String -- } -- -- But note that a bare BMPString is used in practice. 
-- -- """ -- ext_oid = "1.3.6.1.4.1.311.20.2" -- -- def __init__(self, s): -- super(MSCSTemplateV1, self).__init__(s) -- parts = s.split(':') -- if len(parts) > 1: -- raise ValueError( -- "Cannot specify certificate template version when using name.") -- self.asn1obj = char.BMPString(str(parts[0])) -- -- --class MSCSTemplateV2(MSCSTemplate): -- """ -- A v2 template specifier, per -- https://msdn.microsoft.com/en-us/library/windows/desktop/aa378274(v=vs.85).aspx -- -- :: -- -- CertificateTemplate ::= SEQUENCE { -- templateID EncodedObjectID, -- templateMajorVersion TemplateVersion, -- templateMinorVersion TemplateVersion OPTIONAL -- } -- -- TemplateVersion ::= INTEGER (0..4294967295) -- -- """ -- ext_oid = "1.3.6.1.4.1.311.21.7" -- -- @staticmethod -- def check_version_in_range(desc, n): -- if n < 0 or n >= 2**32: -- raise ValueError( -- "Template {} version must be in range 0..4294967295" -- .format(desc)) -- -- def __init__(self, s): -- super(MSCSTemplateV2, self).__init__(s) -- -- parts = s.split(':') -- -- obj = CertificateTemplateV2() -- if len(parts) < 2 or len(parts) > 3: -- raise ValueError( -- "Incorrect template specification; required format is: " -- "<oid>:<majorVersion>[:<minorVersion>]") -- try: -- obj['templateID'] = univ.ObjectIdentifier(parts[0]) -- -- major = int(parts[1]) -- self.check_version_in_range("major", major) -- obj['templateMajorVersion'] = major -- -- if len(parts) > 2: -- minor = int(parts[2]) -- self.check_version_in_range("minor", minor) -- obj['templateMinorVersion'] = int(parts[2]) -- -- except pyasn1.error.PyAsn1Error: -- raise ValueError("Could not parse certificate template specifier.") -- self.asn1obj = obj -- -- --class CertificateTemplateV2(univ.Sequence): -- componentType = namedtype.NamedTypes( -- namedtype.NamedType('templateID', univ.ObjectIdentifier()), -- namedtype.NamedType('templateMajorVersion', univ.Integer()), -- namedtype.OptionalNamedType('templateMinorVersion', univ.Integer()) -- ) -- -- - if __name__ == 
"__main__": - standard_logging_setup("install.log") - ds = dsinstance.DsInstance() -diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py -index 3f113c35bf..37dcc2befa 100644 ---- a/ipaserver/install/ipa_cacert_manage.py -+++ b/ipaserver/install/ipa_cacert_manage.py -@@ -65,7 +65,7 @@ def add_options(cls, parser): - "--external-ca", dest='self_signed', - action='store_false', - help="Sign the renewed certificate by external CA") -- ext_cas = tuple(x.value for x in cainstance.ExternalCAType) -+ ext_cas = tuple(x.value for x in x509.ExternalCAType) - renew_group.add_option( - "--external-ca-type", dest="external_ca_type", - type="choice", choices=ext_cas, -@@ -73,7 +73,7 @@ def add_options(cls, parser): - help="Type of the external CA. Default: generic") - renew_group.add_option( - "--external-ca-profile", dest="external_ca_profile", -- type='constructor', constructor=cainstance.ExternalCAProfile, -+ type='constructor', constructor=x509.ExternalCAProfile, - default=None, metavar="PROFILE-SPEC", - help="Specify the certificate profile/template to use " - "at the external CA") -@@ -224,11 +224,11 @@ def renew_external_step_1(self, ca): - options = self.options - - if not options.external_ca_type: -- options.external_ca_type = cainstance.ExternalCAType.GENERIC.value -+ options.external_ca_type = x509.ExternalCAType.GENERIC.value - -- if options.external_ca_type == cainstance.ExternalCAType.MS_CS.value \ -+ if options.external_ca_type == x509.ExternalCAType.MS_CS.value \ - and options.external_ca_profile is None: -- options.external_ca_profile = cainstance.MSCSTemplateV1(u"SubCA") -+ options.external_ca_profile = x509.MSCSTemplateV1(u"SubCA") - - if options.external_ca_profile is not None: - # check that profile is valid for the external ca type -@@ -352,11 +352,11 @@ def resubmit_request(self, ca=RENEWAL_CA_NAME, profile=None): - timeout = api.env.startup_timeout + 60 - - cm_profile = None -- if isinstance(profile, 
cainstance.MSCSTemplateV1): -+ if isinstance(profile, x509.MSCSTemplateV1): - cm_profile = profile.unparsed_input - - cm_template = None -- if isinstance(profile, cainstance.MSCSTemplateV2): -+ if isinstance(profile, x509.MSCSTemplateV2): - cm_template = profile.unparsed_input - - logger.debug("resubmitting certmonger request '%s'", self.request_id) -diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py -index a42355217d..5aa2b7bba0 100644 ---- a/ipatests/test_integration/test_external_ca.py -+++ b/ipatests/test_integration/test_external_ca.py -@@ -108,14 +108,14 @@ def check_ipaca_issuerDN(host, expected_dn): - assert "Issuer DN: {}".format(expected_dn) in result.stdout_text - - --def check_mscs_extension(ipa_csr, oid, value): -+def check_mscs_extension(ipa_csr, template): - csr = x509.load_pem_x509_csr(ipa_csr, default_backend()) - extensions = [ - ext for ext in csr.extensions -- if ext.oid.dotted_string == oid -+ if ext.oid.dotted_string == template.ext_oid - ] - assert extensions -- assert extensions[0].value.value == value -+ assert extensions[0].value.value == template.get_ext_data() - - - class TestExternalCA(IntegrationTest): -@@ -134,10 +134,7 @@ def test_external_ca(self): - - # check CSR for extension - ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR) -- # Values for MSCSTemplateV1('SubCA') -- oid = "1.3.6.1.4.1.311.20.2" -- value = b'\x1e\n\x00S\x00u\x00b\x00C\x00A' -- check_mscs_extension(ipa_csr, oid, value) -+ check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA')) - - # Sign CA, transport it to the host and get ipa a root ca paths. 
- root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( -diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py -index ff7e6de2f7..284b998316 100644 ---- a/ipatests/test_ipalib/test_x509.py -+++ b/ipatests/test_ipalib/test_x509.py -@@ -22,7 +22,11 @@ - """ - - import base64 -+from binascii import hexlify -+from configparser import RawConfigParser - import datetime -+from io import StringIO -+import pickle - - import pytest - -@@ -268,3 +272,114 @@ def test_ipa_demo_letsencrypt(self): - b'0 \x06\x03U\x1d%\x01\x01\xff\x04\x160\x14\x06\x08+\x06\x01' - b'\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x02' - ) -+ -+ -+class test_ExternalCAProfile: -+ def test_MSCSTemplateV1_good(self): -+ o = x509.MSCSTemplateV1("MySubCA") -+ assert hexlify(o.get_ext_data()) == b'1e0e004d007900530075006200430041' -+ -+ def test_MSCSTemplateV1_bad(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV1("MySubCA:1") -+ -+ def test_MSCSTemplateV1_pickle_roundtrip(self): -+ o = x509.MSCSTemplateV1("MySubCA") -+ s = pickle.dumps(o) -+ assert o.get_ext_data() == pickle.loads(s).get_ext_data() -+ -+ def test_MSCSTemplateV2_too_few_parts(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV2("1.2.3.4") -+ -+ def test_MSCSTemplateV2_too_many_parts(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV2("1.2.3.4:100:200:300") -+ -+ def test_MSCSTemplateV2_bad_oid(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV2("not_an_oid:1") -+ -+ def test_MSCSTemplateV2_non_numeric_major_version(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV2("1.2.3.4:major:200") -+ -+ def test_MSCSTemplateV2_non_numeric_minor_version(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV2("1.2.3.4:100:minor") -+ -+ def test_MSCSTemplateV2_major_version_lt_zero(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV2("1.2.3.4:-1:200") -+ -+ def test_MSCSTemplateV2_minor_version_lt_zero(self): -+ with 
pytest.raises(ValueError): -+ x509.MSCSTemplateV2("1.2.3.4:100:-1") -+ -+ def test_MSCSTemplateV2_major_version_gt_max(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV2("1.2.3.4:4294967296:200") -+ -+ def test_MSCSTemplateV2_minor_version_gt_max(self): -+ with pytest.raises(ValueError): -+ x509.MSCSTemplateV2("1.2.3.4:100:4294967296") -+ -+ def test_MSCSTemplateV2_good_major(self): -+ o = x509.MSCSTemplateV2("1.2.3.4:4294967295") -+ assert hexlify(o.get_ext_data()) == b'300c06032a0304020500ffffffff' -+ -+ def test_MSCSTemplateV2_good_major_minor(self): -+ o = x509.MSCSTemplateV2("1.2.3.4:4294967295:0") -+ assert hexlify(o.get_ext_data()) \ -+ == b'300f06032a0304020500ffffffff020100' -+ -+ def test_MSCSTemplateV2_pickle_roundtrip(self): -+ o = x509.MSCSTemplateV2("1.2.3.4:4294967295:0") -+ s = pickle.dumps(o) -+ assert o.get_ext_data() == pickle.loads(s).get_ext_data() -+ -+ def test_ExternalCAProfile_dispatch(self): -+ """ -+ Test that constructing ExternalCAProfile actually returns an -+ instance of the appropriate subclass. 
-+ """ -+ assert isinstance( -+ x509.ExternalCAProfile("MySubCA"), -+ x509.MSCSTemplateV1) -+ assert isinstance( -+ x509.ExternalCAProfile("1.2.3.4:100"), -+ x509.MSCSTemplateV2) -+ -+ def test_write_pkispawn_config_file_MSCSTemplateV1(self): -+ template = x509.MSCSTemplateV1(u"SubCA") -+ expected = ( -+ '[CA]\n' -+ 'pki_req_ext_oid = 1.3.6.1.4.1.311.20.2\n' -+ 'pki_req_ext_data = 1e0a00530075006200430041\n\n' -+ ) -+ self._test_write_pkispawn_config_file(template, expected) -+ -+ def test_write_pkispawn_config_file_MSCSTemplateV2(self): -+ template = x509.MSCSTemplateV2(u"1.2.3.4:4294967295") -+ expected = ( -+ '[CA]\n' -+ 'pki_req_ext_oid = 1.3.6.1.4.1.311.21.7\n' -+ 'pki_req_ext_data = 300c06032a0304020500ffffffff\n\n' -+ ) -+ self._test_write_pkispawn_config_file(template, expected) -+ -+ def _test_write_pkispawn_config_file(self, template, expected): -+ """ -+ Test that the values we read from an ExternalCAProfile -+ object can be used to produce a reasonable-looking pkispawn -+ configuration. 
-+ """ -+ config = RawConfigParser() -+ config.optionxform = str -+ config.add_section("CA") -+ config.set("CA", "pki_req_ext_oid", template.ext_oid) -+ config.set("CA", "pki_req_ext_data", -+ hexlify(template.get_ext_data()).decode('ascii')) -+ out = StringIO() -+ config.write(out) -+ assert out.getvalue() == expected -diff --git a/ipatests/test_ipaserver/test_install/test_cainstance.py b/ipatests/test_ipaserver/test_install/test_cainstance.py -deleted file mode 100644 -index 02d9758e4a..0000000000 ---- a/ipatests/test_ipaserver/test_install/test_cainstance.py -+++ /dev/null -@@ -1,123 +0,0 @@ --# --# Copyright (C) 2017 FreeIPA Contributors see COPYING for license --# -- --from binascii import hexlify --from io import StringIO --import pickle --from configparser import RawConfigParser --import pytest --from ipaserver.install import cainstance -- --pytestmark = pytest.mark.tier0 -- -- --class test_ExternalCAProfile: -- def test_MSCSTemplateV1_good(self): -- o = cainstance.MSCSTemplateV1("MySubCA") -- assert hexlify(o.get_ext_data()) == b'1e0e004d007900530075006200430041' -- -- def test_MSCSTemplateV1_bad(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV1("MySubCA:1") -- -- def test_MSCSTemplateV1_pickle_roundtrip(self): -- o = cainstance.MSCSTemplateV1("MySubCA") -- s = pickle.dumps(o) -- assert o.get_ext_data() == pickle.loads(s).get_ext_data() -- -- def test_MSCSTemplateV2_too_few_parts(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("1.2.3.4") -- -- def test_MSCSTemplateV2_too_many_parts(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("1.2.3.4:100:200:300") -- -- def test_MSCSTemplateV2_bad_oid(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("not_an_oid:1") -- -- def test_MSCSTemplateV2_non_numeric_major_version(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("1.2.3.4:major:200") -- -- def test_MSCSTemplateV2_non_numeric_minor_version(self): -- with 
pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("1.2.3.4:100:minor") -- -- def test_MSCSTemplateV2_major_version_lt_zero(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("1.2.3.4:-1:200") -- -- def test_MSCSTemplateV2_minor_version_lt_zero(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("1.2.3.4:100:-1") -- -- def test_MSCSTemplateV2_major_version_gt_max(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("1.2.3.4:4294967296:200") -- -- def test_MSCSTemplateV2_minor_version_gt_max(self): -- with pytest.raises(ValueError): -- cainstance.MSCSTemplateV2("1.2.3.4:100:4294967296") -- -- def test_MSCSTemplateV2_good_major(self): -- o = cainstance.MSCSTemplateV2("1.2.3.4:4294967295") -- assert hexlify(o.get_ext_data()) == b'300c06032a0304020500ffffffff' -- -- def test_MSCSTemplateV2_good_major_minor(self): -- o = cainstance.MSCSTemplateV2("1.2.3.4:4294967295:0") -- assert hexlify(o.get_ext_data()) \ -- == b'300f06032a0304020500ffffffff020100' -- -- def test_MSCSTemplateV2_pickle_roundtrip(self): -- o = cainstance.MSCSTemplateV2("1.2.3.4:4294967295:0") -- s = pickle.dumps(o) -- assert o.get_ext_data() == pickle.loads(s).get_ext_data() -- -- def test_ExternalCAProfile_dispatch(self): -- """ -- Test that constructing ExternalCAProfile actually returns an -- instance of the appropriate subclass. 
-- """ -- assert isinstance( -- cainstance.ExternalCAProfile("MySubCA"), -- cainstance.MSCSTemplateV1) -- assert isinstance( -- cainstance.ExternalCAProfile("1.2.3.4:100"), -- cainstance.MSCSTemplateV2) -- -- def test_write_pkispawn_config_file_MSCSTemplateV1(self): -- template = cainstance.MSCSTemplateV1(u"SubCA") -- expected = ( -- '[CA]\n' -- 'pki_req_ext_oid = 1.3.6.1.4.1.311.20.2\n' -- 'pki_req_ext_data = 1e0a00530075006200430041\n\n' -- ) -- self._test_write_pkispawn_config_file(template, expected) -- -- def test_write_pkispawn_config_file_MSCSTemplateV2(self): -- template = cainstance.MSCSTemplateV2(u"1.2.3.4:4294967295") -- expected = ( -- '[CA]\n' -- 'pki_req_ext_oid = 1.3.6.1.4.1.311.21.7\n' -- 'pki_req_ext_data = 300c06032a0304020500ffffffff\n\n' -- ) -- self._test_write_pkispawn_config_file(template, expected) -- -- def _test_write_pkispawn_config_file(self, template, expected): -- """ -- Test that the values we read from an ExternalCAProfile -- object can be used to produce a reasonable-looking pkispawn -- configuration. -- """ -- config = RawConfigParser() -- config.optionxform = str -- config.add_section("CA") -- config.set("CA", "pki_req_ext_oid", template.ext_oid) -- config.set("CA", "pki_req_ext_data", -- hexlify(template.get_ext_data()).decode('ascii')) -- out = StringIO() -- config.write(out) -- assert out.getvalue() == expected -From e632b220798833bcd65c6b266610c800ed0914d7 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale <ftweedal@redhat.com> -Date: Fri, 12 Jul 2019 13:13:02 +1000 -Subject: [PATCH] install: fix --external-ca-profile option - -Commit dd47cfc75a69618f486abefb70f2649ebf8264e7 removed the ability -to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config. -This results in the --external-ca-profile option never setting the -requested values in the CSR (the default V1 template type specifying -"SubCA" is always used). - -Remove relevant fields from both ipaca_default.ini and -ipaca_customize.ini. 
This allows the IPA framework to set the -values (i.e. when --external-ca-type=ms-cs and ---external-ca-profile=... demand it). It also allows users to -override the pki_req_ext_* settings. - -Part of: https://pagure.io/freeipa/issue/7548 -Related: https://pagure.io/freeipa/issue/5608 -Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> ---- - install/share/ipaca_customize.ini | 5 ----- - install/share/ipaca_default.ini | 1 - - 2 files changed, 6 deletions(-) - -diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini -index 130ec2c102..6d58579af8 100644 ---- a/install/share/ipaca_customize.ini -+++ b/install/share/ipaca_customize.ini -@@ -93,11 +93,6 @@ pki_ca_signing_key_type=%(ipa_ca_key_type)s - pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s - pki_ca_signing_token=%(pki_token_name)s - --# MS subca request ext data --pki_req_ext_oid=1.3.6.1.4.1.311.20.2 --pki_req_ext_critical=False --pki_req_ext_data=1E0A00530075006200430041 -- - ## ocspSigningCert cert-pki-ca - pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s - pki_ocsp_signing_key_size=%(ipa_key_size)s -diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini -index fedc1b9a74..2b9900286e 100644 ---- a/install/share/ipaca_default.ini -+++ b/install/share/ipaca_default.ini -@@ -115,7 +115,6 @@ pki_ca_starting_crl_number=0 - - pki_external=False - pki_external_step_two=False --pki_req_ext_add=False - - pki_external_pkcs12_path=%(pki_pkcs12_path)s - pki_external_pkcs12_password=%(pki_pkcs12_password)s -From 71af731b3069fa1b2c0b51a3b917b5bc4da54350 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale <ftweedal@redhat.com> -Date: Fri, 12 Jul 2019 13:24:51 +1000 -Subject: [PATCH] Fix use of incorrect variable - -Part of: https://pagure.io/freeipa/issue/7548 -Related: https://pagure.io/freeipa/issue/5608 -Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> ---- - ipaserver/install/dogtaginstance.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - 
-diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py -index cc75d89746..5dca721d6c 100644 ---- a/ipaserver/install/dogtaginstance.py -+++ b/ipaserver/install/dogtaginstance.py -@@ -853,7 +853,7 @@ def _verify_immutable(self, config, immutable_settings, filename): - if errs: - raise ValueError( - '{} overrides immutable options:\n{}'.format( -- filename, '\n'.join(errors) -+ filename, '\n'.join(errs) - ) - ) - -From 83ed05725110de19a7098678274ecaaaf6a2c9c9 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale <frase@frase.id.au> -Date: Wed, 20 Feb 2019 18:34:33 +1100 -Subject: [PATCH] Add more tests for --external-ca-profile handling - -Add tests for remaining untested scenarios of --external-ca-profile -handling in ipa-server-install. - -ipa-ca-install and ipa-cacert-manage remain untested at present. - -Fixes: https://pagure.io/freeipa/issue/7548 -Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> ---- - ipatests/test_integration/test_external_ca.py | 97 ++++++++++++++++++- - 1 file changed, 95 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py -index 5aa2b7bba0..dc9a09b43b 100644 ---- a/ipatests/test_integration/test_external_ca.py -+++ b/ipatests/test_integration/test_external_ca.py -@@ -74,10 +74,10 @@ def match_in_journal(host, string, since='today', services=('certmonger',)): - return match - - --def install_server_external_ca_step1(host, extra_args=()): -+def install_server_external_ca_step1(host, extra_args=(), raiseonerr=True): - """Step 1 to install the ipa server with external ca""" - return tasks.install_master( -- host, external_ca=True, extra_args=extra_args -+ host, external_ca=True, extra_args=extra_args, raiseonerr=raiseonerr, - ) - - -@@ -478,3 +478,96 @@ def test_master_install_ca2(self): - 'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, - '-n', cert_nick]) - assert "CN=RootCA2" in result.stdout_text -+ -+ -+def 
_step1_profile(master, s): -+ return install_server_external_ca_step1( -+ master, -+ extra_args=['--external-ca-type=ms-cs', f'--external-ca-profile={s}'], -+ raiseonerr=False, -+ ) -+ -+ -+def _test_invalid_profile(master, profile): -+ result = _step1_profile(master, profile) -+ assert result.returncode != 0 -+ assert '--external-ca-profile' in result.stderr_text -+ -+ -+def _test_valid_profile(master, profile_cls, profile): -+ result = _step1_profile(master, profile) -+ assert result.returncode == 0 -+ ipa_csr = master.get_file_contents(paths.ROOT_IPA_CSR) -+ check_mscs_extension(ipa_csr, profile_cls(profile)) -+ -+ -+class TestExternalCAProfileV1(IntegrationTest): -+ """ -+ Test that --external-ca-profile=Foo gets propagated to the CSR. -+ -+ The default template extension when --external-ca-type=ms-cs, -+ a V1 extension with value "SubCA", already gets tested by the -+ ``TestExternalCA`` class. -+ -+ We only need to do Step 1 of installation, then check the CSR. -+ -+ """ -+ def test_invalid_v1_template(self): -+ _test_invalid_profile(self.master, 'NotAnOid:1') -+ -+ def test_valid_v1_template(self): -+ _test_valid_profile( -+ self.master, ipa_x509.MSCSTemplateV1, 'TemplateOfAwesome') -+ -+ -+class TestExternalCAProfileV2MajorOnly(IntegrationTest): -+ """ -+ Test that V2 template specifiers without minor version get -+ propagated to CSR. This class also tests all error modes in -+ specifying a V2 template, those being: -+ -+ - no major version specified -+ - too many parts specified (i.e. major, minor, and then some more) -+ - major version is not an int -+ - major version is negative -+ - minor version is not an int -+ - minor version is negative -+ -+ We only need to do Step 1 of installation, then check the CSR. 
-+ -+ """ -+ def test_v2_template_too_few_parts(self): -+ _test_invalid_profile(self.master, '1.2.3.4') -+ -+ def test_v2_template_too_many_parts(self): -+ _test_invalid_profile(self.master, '1.2.3.4:100:200:300') -+ -+ def test_v2_template_major_version_not_int(self): -+ _test_invalid_profile(self.master, '1.2.3.4:wat:200') -+ -+ def test_v2_template_major_version_negative(self): -+ _test_invalid_profile(self.master, '1.2.3.4:-1:200') -+ -+ def test_v2_template_minor_version_not_int(self): -+ _test_invalid_profile(self.master, '1.2.3.4:100:wat') -+ -+ def test_v2_template_minor_version_negative(self): -+ _test_invalid_profile(self.master, '1.2.3.4:100:-2') -+ -+ def test_v2_template_valid_major_only(self): -+ _test_valid_profile( -+ self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100') -+ -+ -+class TestExternalCAProfileV2MajorMinor(IntegrationTest): -+ """ -+ Test that V2 template specifiers _with_ minor version get -+ propagated to CSR. All error modes of V2 template specifiers -+ were tested in ``TestExternalCAProfileV2Major``. -+ -+ We only need to do Step 1 of installation, then check the CSR. -+ -+ """ -+ def test_v2_template_valid_major_minor(self): -+ _test_valid_profile( -+ self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100:200') -From a627df87c31e4d8399bd9fab43c0c4772ddd8955 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale <ftweedal@redhat.com> -Date: Thu, 11 Jul 2019 20:22:33 +1000 -Subject: [PATCH] Collapse --external-ca-profile tests into single class - -To avoid having to spawn new CI hosts for each kind of ---external-ca-profile argument we are testing, collapse the three -separate test classes into one. Uninstall the half-installed IPA -after each section of tests. - -This change is in response to review comment -https://github.com/freeipa/freeipa/pull/2852#pullrequestreview-220442170. 
- -Part of: https://pagure.io/freeipa/issue/7548 - -Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> ---- - ipatests/test_integration/test_external_ca.py | 34 ++++++++++++++----- - 1 file changed, 26 insertions(+), 8 deletions(-) - -diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py -index dc9a09b43b..714aebd4a8 100644 ---- a/ipatests/test_integration/test_external_ca.py -+++ b/ipatests/test_integration/test_external_ca.py -@@ -501,8 +501,18 @@ def _test_valid_profile(master, profile_cls, profile): - check_mscs_extension(ipa_csr, profile_cls(profile)) - - --class TestExternalCAProfileV1(IntegrationTest): -+class TestExternalCAProfileScenarios(IntegrationTest): - """ -+ Test the various --external-ca-profile scenarios. -+ This test is broken into sections, with each section first -+ testing invalid arguments, then a valid argument, and finally -+ uninstalling the half-installed IPA. -+ -+ """ -+ -+ ''' -+ Tranche 1: version 1 templates. -+ - Test that --external-ca-profile=Foo gets propagated to the CSR. - - The default template extension when --external-ca-type=ms-cs, -@@ -511,7 +521,7 @@ class TestExternalCAProfileV1(IntegrationTest): - - We only need to do Step 1 of installation, then check the CSR. - -- """ -+ ''' - def test_invalid_v1_template(self): - _test_invalid_profile(self.master, 'NotAnOid:1') - -@@ -519,9 +529,12 @@ def test_valid_v1_template(self): - _test_valid_profile( - self.master, ipa_x509.MSCSTemplateV1, 'TemplateOfAwesome') - -+ def test_uninstall_1(self): -+ tasks.uninstall_master(self.master) -+ -+ ''' -+ Tranche 2: V2 templates without minor version. - --class TestExternalCAProfileV2MajorOnly(IntegrationTest): -- """ - Test that V2 template specifiers without minor version get - propagated to CSR. 
This class also tests all error modes in - specifying a V2 template, those being: -@@ -535,7 +548,7 @@ class TestExternalCAProfileV2MajorOnly(IntegrationTest): - - We only need to do Step 1 of installation, then check the CSR. - -- """ -+ ''' - def test_v2_template_too_few_parts(self): - _test_invalid_profile(self.master, '1.2.3.4') - -@@ -558,16 +571,21 @@ def test_v2_template_valid_major_only(self): - _test_valid_profile( - self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100') - -+ def test_uninstall_2(self): -+ tasks.uninstall_master(self.master) -+ -+ ''' -+ Tranche 3: V2 templates with minor version. - --class TestExternalCAProfileV2MajorMinor(IntegrationTest): -- """ - Test that V2 template specifiers _with_ minor version get - propagated to CSR. All error modes of V2 template specifiers - were tested in ``TestExternalCAProfileV2Major``. - - We only need to do Step 1 of installation, then check the CSR. - -- """ -+ ''' - def test_v2_template_valid_major_minor(self): - _test_valid_profile( - self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100:200') -+ -+ # this is the end; no need to uninstall. 
-From 740964c3c47fd2cd216c233d8d9df1840eaa01ee Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale <ftweedal@redhat.com> -Date: Thu, 11 Jul 2019 20:27:02 +1000 -Subject: [PATCH] ci: add --external-ca-profile tests to nightly - -Part of: https://pagure.io/freeipa/issue/7548 - -Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> ---- - ipatests/prci_definitions/nightly_f28.yaml | 12 ++++++++++++ - ipatests/prci_definitions/nightly_f29.yaml | 12 ++++++++++++ - ipatests/prci_definitions/nightly_master.yaml | 12 ++++++++++++ - ipatests/prci_definitions/nightly_master_pki.yaml | 12 ++++++++++++ - ipatests/prci_definitions/nightly_rawhide.yaml | 12 ++++++++++++ - 5 files changed, 60 insertions(+) - -diff --git a/ipatests/prci_definitions/nightly_f28.yaml b/ipatests/prci_definitions/nightly_f28.yaml -index fe86730444..d1605e6b5c 100644 ---- a/ipatests/prci_definitions/nightly_f28.yaml -+++ b/ipatests/prci_definitions/nightly_f28.yaml -@@ -75,6 +75,18 @@ jobs: - timeout: 3600 - topology: *master_1repl - -+ fedora-28/external_ca_templates: -+ requires: [fedora-28/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-28/build_url}' -+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios -+ template: *ci-master-f28 -+ timeout: 3600 -+ topology: *master_1repl -+ - fedora-28/test_topologies: - requires: [fedora-28/build] - priority: 50 -diff --git a/ipatests/prci_definitions/nightly_f29.yaml b/ipatests/prci_definitions/nightly_f29.yaml -index 57c1b624fe..ed88eb15c8 100644 ---- a/ipatests/prci_definitions/nightly_f29.yaml -+++ b/ipatests/prci_definitions/nightly_f29.yaml -@@ -75,6 +75,18 @@ jobs: - timeout: 3600 - topology: *master_1repl - -+ fedora-29/external_ca_templates: -+ requires: [fedora-29/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-29/build_url}' -+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios -+ template: *ci-master-f29 -+ timeout: 3600 -+ 
topology: *master_1repl -+ - fedora-29/test_topologies: - requires: [fedora-29/build] - priority: 50 -diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml -index dc63f37426..0a66a13490 100644 ---- a/ipatests/prci_definitions/nightly_master.yaml -+++ b/ipatests/prci_definitions/nightly_master.yaml -@@ -75,6 +75,18 @@ jobs: - timeout: 3600 - topology: *master_1repl - -+ fedora-30/external_ca_templates: -+ requires: [fedora-30/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-30/build_url}' -+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios -+ template: *ci-master-f30 -+ timeout: 3600 -+ topology: *master_1repl -+ - fedora-30/test_topologies: - requires: [fedora-30/build] - priority: 50 -diff --git a/ipatests/prci_definitions/nightly_master_pki.yaml b/ipatests/prci_definitions/nightly_master_pki.yaml -index 1bb0af0244..ed2e38d3ed 100644 ---- a/ipatests/prci_definitions/nightly_master_pki.yaml -+++ b/ipatests/prci_definitions/nightly_master_pki.yaml -@@ -75,6 +75,18 @@ jobs: - timeout: 3600 - topology: *master_1repl - -+ fedora-29/external_ca_templates: -+ requires: [fedora-29/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-29/build_url}' -+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios -+ template: *pki-master-f29 -+ timeout: 3600 -+ topology: *master_1repl -+ - fedora-29/test_vault: - requires: [fedora-29/build] - priority: 50 -diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml -index 301878467c..14433fcc0a 100644 ---- a/ipatests/prci_definitions/nightly_rawhide.yaml -+++ b/ipatests/prci_definitions/nightly_rawhide.yaml -@@ -75,6 +75,18 @@ jobs: - timeout: 3600 - topology: *master_1repl - -+ fedora-rawhide/external_ca_templates: -+ requires: [fedora-rawhide/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ 
build_url: '{fedora-rawhide/build_url}' -+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios -+ template: *ci-master-frawhide -+ timeout: 3600 -+ topology: *master_1repl -+ - fedora-rawhide/test_topologies: - requires: [fedora-rawhide/build] - priority: 50 -From 011c5283cec28ea4361eff5d2ee98da9cd3db41a Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale <ftweedal@redhat.com> -Date: Thu, 11 Jul 2019 20:27:02 +1000 -Subject: [PATCH] ci: add --external-ca-profile tests to gating - -Part of: https://pagure.io/freeipa/issue/7548 - -Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> ---- - ipatests/prci_definitions/gating.yaml | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml -index 4d0107d956..81fa4bba10 100644 ---- a/ipatests/prci_definitions/gating.yaml -+++ b/ipatests/prci_definitions/gating.yaml -@@ -87,6 +87,18 @@ jobs: - timeout: 3600 - topology: *master_1repl - -+ fedora-30/external_ca_templates: -+ requires: [fedora-30/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-30/build_url}' -+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios -+ template: *ci-master-f30 -+ timeout: 3600 -+ topology: *master_1repl -+ - fedora-30/test_topologies: - requires: [fedora-30/build] - priority: 50 diff --git a/SOURCES/0006-install-updates-move-external-members-past-schema-compat-update_14dbf04_rhbz#1803165.patch b/SOURCES/0006-install-updates-move-external-members-past-schema-compat-update_14dbf04_rhbz#1803165.patch new file mode 100644 index 0000000..04a3bdf --- /dev/null +++ b/SOURCES/0006-install-updates-move-external-members-past-schema-compat-update_14dbf04_rhbz#1803165.patch 
@@ -0,0 +1,62 @@
+From 14dbf04148c6284b176eca34aa70df4bef09b857 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Feb 12 2020 14:16:42 +0000
+Subject: install/updates: move external members past schema compat update
+
+
+There is an ordering discrepancy because the base compat tree
+configuration is in install/updates/80-schema_compat.update so it is ran
+after 50-externalmembers.update. And since at that point
+cn=groups,cn=Schema ... does not exist yet, external members
+configuration is not applied.
+
+Move it around to make sure it is applied after Schema Compatibility
+plugin configuration is created.
+
+Fixes: https://pagure.io/freeipa/issue/8193
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+
+---
+
+diff --git a/install/updates/50-externalmembers.update b/install/updates/50-externalmembers.update
+deleted file mode 100644
+index 6b9c5dd..0000000
+--- a/install/updates/50-externalmembers.update
++++ /dev/null
+@@ -1,3 +0,0 @@
+-dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+-addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
+-addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
+diff --git a/install/updates/81-externalmembers.update b/install/updates/81-externalmembers.update
+new file mode 100644
+index 0000000..6b9c5dd
+--- /dev/null
++++ b/install/updates/81-externalmembers.update
+@@ -0,0 +1,3 @@
++dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
++addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
++addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 68facba..8a4d9cc 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -52,7 +52,6 @@ app_DATA = \
+ 50-krbenctypes.update \
+ 50-nis.update \
+ 50-ipaconfig.update \
+- 50-externalmembers.update \
+ 55-pbacmemberof.update \
+ 59-trusts-sysacount.update \
+ 60-trusts.update \
+@@ -65,7 +64,8 @@ app_DATA = \
+ 73-winsync.update \
+ 73-certmap.update \
+ 75-user-trust-attributes.update \
+- 80-schema_compat.update \
++ 80-schema_compat.update \
++ 81-externalmembers.update \
+ 90-post_upgrade_plugins.update \
+ $(NULL)
+
+
diff --git a/SOURCES/0007-Allow-insecure-binds-for-migration-8e207fd3_rhbz#1731963.patch b/SOURCES/0007-Allow-insecure-binds-for-migration-8e207fd3_rhbz#1731963.patch
deleted file mode 100644
index 57b2ba4..0000000
--- a/SOURCES/0007-Allow-insecure-binds-for-migration-8e207fd3_rhbz#1731963.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 8e207fd33d524f5cde2dfd8a41a08926a328a92b Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Tue, 13 Aug 2019 17:22:01 +0200
-Subject: [PATCH] Allow insecure binds for migration
-
-Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
-over an insecure connection. Password logins were only allowed over LDAPS
-or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
-
-This commit lifts the restriction and permits insecure binds over plain
-LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
-certificate is configured with a plain LDAP connection.
-
-Fixes: https://pagure.io/freeipa/issue/8040
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- ipapython/ipaldap.py | 8 +++++---
- ipaserver/plugins/migration.py | 9 ++++-----
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
-index 9ff443fe4f..f40858e27f 100644
---- a/ipapython/ipaldap.py
-+++ b/ipapython/ipaldap.py
-@@ -1206,12 +1206,14 @@ def _connect(self):
- return conn
-
- def simple_bind(self, bind_dn, bind_password, server_controls=None,
-- client_controls=None):
-+ client_controls=None, insecure_bind=False):
- """
- Perform simple bind operation.
- """
-- if self.protocol == 'ldap' and not self._start_tls and bind_password:
-- # non-empty bind must use a secure connection
-+ if (self.protocol == 'ldap' and not self._start_tls and
-+ bind_password and not insecure_bind):
-+ # non-empty bind must use a secure connection unless
-+ # insecure bind is explicitly enabled
- raise ValueError('simple_bind over insecure LDAP connection')
- with self.error_handler():
- self._flush_schema()
-diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
-index d0ca8369ae..b025c46cc5 100644
---- a/ipaserver/plugins/migration.py
-+++ b/ipaserver/plugins/migration.py
-@@ -901,20 +901,19 @@ def execute(self, ldapuri, bindpw, **options):
- return dict(result={}, failed={}, enabled=False, compat=True)
-
- # connect to DS
-- cacert = None
- if options.get('cacertfile') is not None:
- # store CA cert into file
- tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
- cacert = tmp_ca_cert_f.name
-
-- # start TLS connection
-- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
-+ # start TLS connection or STARTTLS
-+ ds_ldap = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
- ds_ldap.simple_bind(options['binddn'], bindpw)
-
- tmp_ca_cert_f.close()
- else:
-- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
-- ds_ldap.simple_bind(options['binddn'], bindpw)
-+ ds_ldap = LDAPClient(ldapuri)
-+ ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)
-
- # check whether the compat plugin is enabled
- if not options.get('compat'):
diff --git a/SOURCES/0007-kdb-make-sure-audit_as_req-callback-signature-change-is-preserved_rhbz#1803786.patch b/SOURCES/0007-kdb-make-sure-audit_as_req-callback-signature-change-is-preserved_rhbz#1803786.patch
new file mode 100644
index 0000000..593f8e0
--- /dev/null
+++ b/SOURCES/0007-kdb-make-sure-audit_as_req-callback-signature-change-is-preserved_rhbz#1803786.patch
@@ -0,0 +1,67 @@
+From 30b8c8b9985a5eb41e700b80fd03f95548e45fba Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 17 Feb 2020 13:58:51 +0200
+Subject: [PATCH] kdb: make sure audit_as_req callback signature change is
+ preserved
+
+audit_as_req() callback has changed its signature with MIT krb5 commit
+20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
+change for any newer DAL versions. Otherwise audit_as_req() callback
+would reference wrong data and we might crash.
+
+Fixes: https://pagure.io/freeipa/issue/8200
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb.h | 2 +-
+ daemons/ipa-kdb/ipa_kdb_audit_as.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
+index 7519f26e26..ae37a5a033 100644
+--- a/daemons/ipa-kdb/ipa_kdb.h
++++ b/daemons/ipa-kdb/ipa_kdb.h
+@@ -345,7 +345,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
+
+ void ipadb_audit_as_req(krb5_context kcontext,
+ krb5_kdc_req *request,
+-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
++#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr,
+ #endif
+diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+index 77748a75d6..a60bc82b6d 100644
+--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
++++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+@@ -25,7 +25,7 @@
+
+ void ipadb_audit_as_req(krb5_context kcontext,
+ krb5_kdc_req *request,
+-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
++#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr,
+ #endif
+#From 4eb48492b354ecc30ffe1dd9654dcc0e0e833d64 Mon Sep 17 00:00:00 2001
+#From: Alexander Bokovoy <abokovoy@redhat.com>
+#Date: Mon, 17 Feb 2020 14:21:10 +0200
+#Subject: [PATCH] Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+
+#
+#Reviewed-By: Christian Heimes <cheimes@redhat.com>
+#---
+# ipatests/azure/templates/prepare-build.yml | 1 +
+# 1 file changed, 1 insertion(+)
+#
+#diff --git a/ipatests/azure/templates/prepare-build.yml b/ipatests/azure/templates/prepare-build.yml
+#index 0528efe129..643910f085 100644
+#--- a/ipatests/azure/templates/prepare-build.yml
+#+++ b/ipatests/azure/templates/prepare-build.yml
+#@@ -13,6 +13,7 @@ steps:
+# for metalink in $(sudo dnf repolist -v |grep Repo-metalink | awk '{print $2}' ) ; do echo '###############' ; echo '####' ; echo $metalink ; echo '####' ; curl $metalink ; done
+# echo "Fastestmirror results:"
+# sudo cat /var/cache/dnf/fastestmirror.cache
+#+ sudo dnf -y module enable nodejs:12
+# sudo dnf makecache || :
+# echo "Installing base development environment"
+# sudo dnf install -y \
diff --git a/SOURCES/0008-Allow-an-empty-cookie-in-dogtag-ipa-ca-renew-agent-submit_3d7d58d_rhbz#1790663.patch b/SOURCES/0008-Allow-an-empty-cookie-in-dogtag-ipa-ca-renew-agent-submit_3d7d58d_rhbz#1790663.patch
new file mode 100644
index 0000000..586ac94
--- /dev/null
+++ b/SOURCES/0008-Allow-an-empty-cookie-in-dogtag-ipa-ca-renew-agent-submit_3d7d58d_rhbz#1790663.patch
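Review bot: The `#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)` guard in `ipa_kdb.h` and `ipa_kdb_audit_as.c` carries no comment saying why every DAL version from 7 on takes `local_addr` and `remote_addr`, so a maintainer handling the next DAL bump has nothing to check the signature against. I would add above each guard `/* audit_as_req takes local_addr/remote_addr since DAL 7 (MIT krb5 commit 20991d55efbe1f987c1dbc1065f2d58c8f34031b) */`. The commit message says a mismatched signature makes the callback reference wrong data and may crash, so the declaration and the definition must keep identical guards; both parameter lists continue outside their hunks. Whether any DAL version above 7 changes this callback again is not visible here and should be confirmed against the krb5 headers the package builds with.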
@@ -0,0 +1,120 @@
+From 3d7d58d8214f3c899c0afd1a3a6a6678f38b7b39 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Jan 13 2020 18:41:53 +0000
+Subject: Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
+
+
+A "cookie" is used with certmonger to track the state of a
+request across multiple requests to a CA (in ca-cookie). This
+is used with the certmonger POLL operation to submit a request
+to the CA for the status of a certificate request. This, along
+with the profile, are passed to the certmonger CA helper
+scripts via environment variables when a request is made. It is
+cleared from the certmonger request once the certificate is
+issued.
+
+This CA helper can do a number of things:
+
+- SUBMIT new certicate requests (including the CA)
+- POLL for status of an existing certificate request
+- For non renewal masters, POLL to see if an updated cert is in
+ LDAP
+
+A POLL operation requires a cookie so that the state about the
+request can be passed to the CA. For the case of retrieving an
+updated cert from LDAP there is no state to maintain. It just
+checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
+is not yet available.
+
+There are two kinds of cookies in operation here:
+1. The CERTMONGER_CA_COOKIE environment variable passed via
+ certmonger to this helper which is a JSON object.
+2. The cookie value within the JSON object which contains the
+ URL to be passed to dogtag.
+
+For the purposes of clarity "cookie" here is the value within
+the JSON.
+
+The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
+the request is processed, doing double duty. It initially comes
+in as a JSON dict object with two keys: profile and cookie.
+In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
+python object and the profile compared to the requested profile
+(and request rejected if they don't match) and the cookie key
+overrides the CERTMONGER_CA_COOKIE environment variable. This is
+then reversed at the end of the request when it again becomes a
+JSON object containing the profile and cookie.
+
+This script was previously enforcing that a cookie be available on
+all POLL requests, whether it is actually required or not. This
+patch relaxes that requirement.
+
+The first request of a non-renewal master for an updated certicate
+from LDAP is a SUBMIT operation. This is significant because it
+doesn't require a cookie: there is no state on a new request. If
+there is no updated cert in LDAP then the tracking request goes
+into the CA_WORKING state and certmonger will wait 8 hours (as
+returned by this script) and try again.
+
+Subsequent requests are done using POLL. This required a cookie
+so all such requests would fail with the ca-error
+Invalid cookie: u'' as it was empty (because there is no state).
+
+There is no need to fail early on a missing cookie. Enforcement
+will be done later if needed (and it isn't always needed). So
+if CERTMONGER_CA_COOKIE is an empty string then generate a new
+CERTMONGER_CA_COOKIE containing the requested profile and an empty
+cookie. It still will fail if certmonger doesn't set a cookie at
+all.
+
+An example of a cookie when retrieving a new RA Agent certificate
+is:
+
+{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}
+
+This will result in this request to the CA:
+[09/Jan/2020:14:29:54 -0500] "GET
+/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
+HTTP/1.1" 200 9857
+
+For a renewal, the reconstructed cookie will consist of:
+
+{"profile": "caServerCert", "cookie": ""}
+
+https://pagure.io/freeipa/issue/8164
+
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+
+---
+
+diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+index 10efb4c..95ad080 100644
+--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
++++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+@@ -123,7 +123,9 @@ def call_handler(_handler, *args, **kwargs):
+ operation = os.environ['CERTMONGER_OPERATION']
+ if operation == 'POLL':
+ cookie = os.environ.pop('CERTMONGER_CA_COOKIE', None)
+- if cookie is not None:
++ if cookie is None:
++ return (UNCONFIGURED, "Cookie not provided")
++ if len(cookie) > 0:
+ try:
+ context = json.loads(cookie)
+ if not isinstance(context, dict):
+@@ -131,7 +133,13 @@ def call_handler(_handler, *args, **kwargs):
+ except (TypeError, ValueError):
+ return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
+ else:
+- return (UNCONFIGURED, "Cookie not provided")
++ # Reconstruct the data for the missing cookie. Sanity checking
++ # is done elsewhere, when needed.
++ context = dict(cookie=u'')
++ profile = os.environ.get('CERTMONGER_CA_PROFILE')
++ if profile is not None:
++ profile = profile.encode('ascii').decode('raw_unicode_escape')
++ context['profile'] = profile
+
+ if 'profile' in context:
+ profile = context.pop('profile')
+
diff --git a/SOURCES/0008-install-Add-missing-scripts-to-app_DATA_rhbz#1741170.patch b/SOURCES/0008-install-Add-missing-scripts-to-app_DATA_rhbz#1741170.patch
deleted file mode 100644
index 4b5ecd9..0000000
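Review bot: In the new `else` branch of call_handler, `profile.encode('ascii')` runs outside the `try`/`except (TypeError, ValueError)` that guards the JSON parse, so a CERTMONGER_CA_PROFILE containing a non-ASCII character would raise UnicodeEncodeError instead of returning an UNCONFIGURED result, unless a caller outside the hunk catches it. Wrapping the conversion, `try: profile = profile.encode('ascii').decode('raw_unicode_escape')` with `except UnicodeError: return (UNCONFIGURED, "Invalid profile: %r" % profile)`, would keep the helper's error reporting consistent with the cookie path. The comment "Sanity checking is done elsewhere, when needed" should also name the handlers that still require a non-empty cookie, because this branch now lets an empty one through for every POLL and the enforcement is not visible here. call_handler starts and ends outside the inner hunks.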
--- a/SOURCES/0008-install-Add-missing-scripts-to-app_DATA_rhbz#1741170.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-install/updates/30-ipservices.update from 39eaf2fa as it is not part of the
-release tarball of 4.8.0 but needed for 27586cb7:
-
-commit 39eaf2fab5e27bd12edfb2a24c439a8ea5fb26f0
-Author: Christian Heimes <cheimes@redhat.com>
-Date: Fri Dec 7 13:08:49 2018 +0100
-
- Add index and container for RFC 2307 IP services
-
- IPA doesn't officially support RFC 2307 IP services. However SSSD has a
- nsswitch plugin to provide service lookups. The subtree search for
- (&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
- cn=accounts,$SUFFIX has caused performance issues on large
- installations.
-
- This patch introduced a dedicated container
- cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
- party extensions. SSSD will be change its search base in an upcoming
- release, too.
-
- A new ipServicePort index is added to optimize searches for an IP
- service by port. There is no index on ipServiceProtocol because the index
- would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
- as protocol.
-
- Fixes: https://pagure.io/freeipa/issue/7797
- See: https://pagure.io/freeipa/issue/7786
- Signed-off-by: Christian Heimes <cheimes@redhat.com>
- Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-
-diff --git a/install/updates/30-ipservices.update b/install/updates/30-ipservices.update
-new file mode 100644
-index 000000000..01a6d52f8
---- /dev/null
-+++ b/install/updates/30-ipservices.update
-@@ -0,0 +1,6 @@
-+# container for RFC 2307 IP services
-+
-+dn: cn=ipservices,cn=accounts,$SUFFIX
-+default: objectClass: top
-+default: objectClass: nsContainer
-+default: cn: ipservices
-install/updates/75-user-trust-attributes.update from c18ee9b6 as it is not
-part of the release tarball of 4.8.0 but needed for 27586cb7:
-
-commit c18ee9b641ddc1e6b52d0413caa1fb98ac13785d
-Author: Tibor Dudlák <tdudlak@redhat.com>
-Date: Tue Apr 2 16:23:09 2019 +0200
-
- Add SMB attributes for users
-
- SMB attributes are used by Samba domain controller when reporting
- details about IPA users via LSA DCE RPC calls.
-
- Based on the initial work from the external plugin:
- https://github.com/abbra/freeipa-user-trust-attributes
-
- Related: https://pagure.io/freeipa/issue/3999
-
- Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
- Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
- Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
- Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
-
-diff --git a/install/updates/75-user-trust-attributes.update b/install/updates/75-user-trust-attributes.update
-new file mode 100644
-index 000000000..43bb40c7d
---- /dev/null
-+++ b/install/updates/75-user-trust-attributes.update
-@@ -0,0 +1,5 @@
-+# Add an explicit self-service ACI to allow writing to manage trust attributes
-+# for the owner of the object
-+dn: cn=users,cn=accounts,$SUFFIX
-+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
-+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";)
-commit 27586cb7ae32af191cb8a3c36fc8856957300f08
-Author: Timo Aaltonen <tjaalton@debian.org>
-Date: Fri Aug 9 23:03:25 2019 +0300
-
- install: Add missing scripts to app_DATA.
-
- Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
- Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-
-diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
-index bce8a56b1..68facbaf2 100644
---- a/install/updates/Makefile.am
-+++ b/install/updates/Makefile.am
-@@ -30,6 +30,7 @@ app_DATA = \
- 21-ca_renewal_container.update \
- 21-certstore_container.update \
- 25-referint.update \
-+ 30-ipservices.update \
- 30-provisioning.update \
- 30-s4u2proxy.update \
- 37-locations.update \
-@@ -63,6 +64,7 @@ app_DATA = \
- 73-custodia.update \
- 73-winsync.update \
- 73-certmap.update \
-+ 75-user-trust-attributes.update \
- 80-schema_compat.update \
- 90-post_upgrade_plugins.update \
- $(NULL)
diff --git a/SOURCES/0009-extdom-unify-error-code-handling-especially-LDAP_NO_SUCH_OBJECT_rhbz#1741530.patch b/SOURCES/0009-extdom-unify-error-code-handling-especially-LDAP_NO_SUCH_OBJECT_rhbz#1741530.patch
deleted file mode 100644
index 237532d..0000000
--- a/SOURCES/0009-extdom-unify-error-code-handling-especially-LDAP_NO_SUCH_OBJECT_rhbz#1741530.patch
+++ /dev/null
@@ -1,345 +0,0 @@ -From 3bb72545fc337564e0843b0c72906a9a1e3f6a06 Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Fri, 14 Jun 2019 11:13:54 +0200 -Subject: [PATCH] extdom: unify error code handling especially - LDAP_NO_SUCH_OBJECT - -A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to -remove the searched object from the cache. As a consequence -LDAP_NO_SUCH_OBJECT should only be returned if the object really does -not exists otherwise the data of existing objects might be removed form -the cache of the clients causing unexpected behaviour like -authentication errors. - -Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code. -With this patch LDAP_NO_SUCH_OBJECT is only returned if the related -lookup functions return ENOENT. Timeout related error code will lead to -LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default -error code. - -Fixes: https://pagure.io/freeipa/issue/8044 -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - .../ipa-extdom-extop/back_extdom_sss_idmap.c | 4 +- - .../ipa-extdom-extop/ipa_extdom_common.c | 77 ++++++++++++++----- - .../ipa-extdom-extop/ipa_extdom_extop.c | 2 + - 3 files changed, 61 insertions(+), 22 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c -index ef552a9a37..163e8e1371 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c -@@ -62,10 +62,10 @@ static enum nss_status __convert_sss_nss2nss_status(int errcode) { - return NSS_STATUS_SUCCESS; - case ENOENT: - return NSS_STATUS_NOTFOUND; -- case ETIME: -- /* fall-through */ - case ERANGE: - return NSS_STATUS_TRYAGAIN; -+ case ETIME: -+ /* fall-through */ - case ETIMEDOUT: - /* fall-through */ - default: -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -index 525487c9e4..65c723ce65 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -@@ -523,7 +523,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, - if (strcasecmp(locat+1, domain_name) == 0 ) { - locat[0] = '\0'; - } else { -- ret = LDAP_NO_SUCH_OBJECT; -+ ret = LDAP_INVALID_SYNTAX; - goto done; - } - } -@@ -568,10 +568,12 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, - ret = getgrgid_r_wrapper(ctx, - groups[c], &grp, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -634,7 +636,7 @@ int pack_ber_group(enum response_types response_type, - if (strcasecmp(locat+1, domain_name) == 0 ) { - locat[0] = '\0'; - } else { -- ret = LDAP_NO_SUCH_OBJECT; -+ ret = LDAP_INVALID_SYNTAX; - goto done; - } - } -@@ -836,6 +838,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, - || id_type == SSS_ID_TYPE_BOTH)) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup SID by UID"); - ret = LDAP_OPERATIONS_ERROR; -@@ -847,10 +851,12 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, - } else { - ret = getpwuid_r_wrapper(ctx, uid, &pwd, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -862,6 +868,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, - 
set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -907,6 +915,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, - if (ret != 0 || id_type != SSS_ID_TYPE_GID) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup SID by GID"); - ret = LDAP_OPERATIONS_ERROR; -@@ -918,10 +928,12 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, - } else { - ret = getgrgid_r_wrapper(ctx, gid, &grp, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -933,6 +945,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, - set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -976,6 +990,8 @@ static int handle_cert_request(struct ipa_extdom_ctx *ctx, - if (ret != 0) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup name by certificate"); - ret = LDAP_OPERATIONS_ERROR; -@@ -1020,6 +1036,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - if (ret != 0) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup name by SID"); - ret = 
LDAP_OPERATIONS_ERROR; -@@ -1057,10 +1075,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - case SSS_ID_TYPE_BOTH: - ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -1072,6 +1092,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -1089,10 +1111,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - case SSS_ID_TYPE_GID: - ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -1104,6 +1128,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -1167,6 +1193,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - if (ret != 0) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup SID by name"); - ret = LDAP_OPERATIONS_ERROR; -@@ -1190,6 +1218,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - 
set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -1205,6 +1235,9 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - } else if (ret == ENOMEM || ret == ERANGE) { - ret = LDAP_OPERATIONS_ERROR; - goto done; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ goto done; - } else { /* no user entry found */ - /* according to the getpwnam() man page there are a couple of - * error codes which can indicate that the user was not found. To -@@ -1212,10 +1245,12 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - * errors. */ - ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -1226,6 +1261,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - || id_type == SSS_ID_TYPE_BOTH)) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to read original data"); - ret = LDAP_OPERATIONS_ERROR; -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c -index 10d3f86eba..48fcecc1ee 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c -@@ -242,6 +242,8 @@ static int ipa_extdom_extop(Slapi_PBlock *pb) - if (ret != LDAP_SUCCESS) { - if (ret == LDAP_NO_SUCH_OBJECT) { - rc = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == LDAP_TIMELIMIT_EXCEEDED) { -+ rc = 
LDAP_TIMELIMIT_EXCEEDED; - } else { - rc = LDAP_OPERATIONS_ERROR; - err_msg = "Failed to handle the request.\n"; -From 0ead6f59732e8b3370c5d8d05acd29f2d56c52bb Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Mon, 19 Aug 2019 10:15:50 +0300 -Subject: [PATCH] ipa-extdom-extop: test timed out getgrgid_r - -Simulate getgrgid_r() timeout when packing list of groups user is a -member of in pack_ber_user(). - -Related: https://pagure.io/freeipa/issue/8044 -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - .../ipa_extdom_cmocka_tests.c | 29 +++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -index 29699cfa39..1fa4c6af82 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -@@ -493,6 +493,34 @@ void test_set_err_msg(void **state) - #define TEST_SID "S-1-2-3-4" - #define TEST_DOMAIN_NAME "DOMAIN" - -+/* Always time out for test */ -+static -+enum nss_status getgrgid_r_timeout(gid_t gid, struct group *result, -+ char *buffer, size_t buflen, int *errnop) { -+ return NSS_STATUS_UNAVAIL; -+} -+ -+void test_pack_ber_user_timeout(void **state) -+{ -+ int ret; -+ struct berval *resp_val = NULL; -+ struct test_data *test_data; -+ enum nss_status (*oldgetgrgid_r)(gid_t gid, struct group *result, -+ char *buffer, size_t buflen, int *errnop); -+ -+ test_data = (struct test_data *) *state; -+ -+ oldgetgrgid_r = test_data->ctx->nss_ctx->getgrgid_r; -+ test_data->ctx->nss_ctx->getgrgid_r = getgrgid_r_timeout; -+ -+ ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST, -+ TEST_DOMAIN_NAME, "member001", 12345, 54321, -+ "gecos", "homedir", "shell", NULL, &resp_val); -+ test_data->ctx->nss_ctx->getgrgid_r = oldgetgrgid_r; -+ assert_int_equal(ret, LDAP_TIMELIMIT_EXCEEDED); -+ 
ber_bvfree(resp_val); -+} -+ - char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \ - 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; - char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \ -@@ -614,6 +642,7 @@ void test_decode(void **state) - int main(int argc, const char *argv[]) - { - const struct CMUnitTest tests[] = { -+ cmocka_unit_test(test_pack_ber_user_timeout), - cmocka_unit_test(test_getpwnam_r_wrapper), - cmocka_unit_test(test_getpwuid_r_wrapper), - cmocka_unit_test(test_getgrnam_r_wrapper), diff --git a/SOURCES/0010-Fix-automount-behavior-with-authselect_rhbz#1740167.patch b/SOURCES/0010-Fix-automount-behavior-with-authselect_rhbz#1740167.patch deleted file mode 100644 index 60e22bb..0000000 --- a/SOURCES/0010-Fix-automount-behavior-with-authselect_rhbz#1740167.patch +++ /dev/null 
@@ -1,2004 +0,0 @@ -From abea98a9b918c0771ad10b314238b32c570f0372 Mon Sep 17 00:00:00 2001 -From: François Cami <fcami@redhat.com> -Date: Aug 29 2019 06:45:12 +0000 -Subject: ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time - - -Check that using ipa-client-install, ipa-client-automount --no-ssd, then uninstalling -both properly restores nsswitch.conf sequentially. - -Related-to:: https://pagure.io/freeipa/issue/8038 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Francois Cami <fcami@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Rob Critenden <rcritten@redhat.com> -Reviewed-By: François Cami <fcami@redhat.com> - ---- - -#diff --git a/ipatests/prci_definitions/nightly_ipa-4-8.yaml b/ipatests/prci_definitions/nightly_ipa-4-8.yaml -#index ef5d2c6..f39e4b4 100644 -#--- a/ipatests/prci_definitions/nightly_ipa-4-8.yaml -#+++ b/ipatests/prci_definitions/nightly_ipa-4-8.yaml -#@@ -1257,6 +1257,18 @@ jobs: -# timeout: 9000 -# topology: *master_3client -# -#+ fedora-30/nfs_nsswitch_restore: -#+ requires: [fedora-30/build] -#+ priority: 50 -#+ job: -#+ class: RunPytest -#+ args: -#+ build_url: '{fedora-30/build_url}' -#+ test_suite: test_integration/test_nfs.py::TestIpaClientAutomountFileRestore -#+ template: *ci-master-f30 -#+ timeout: 3600 -#+ topology: *master_3client -#+ -# fedora-30/mask: -# requires: [fedora-30/build] -# priority: 50 -diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py -index adfc19f..0e1ef6a 100644 ---- a/ipatests/test_integration/test_nfs.py -+++ b/ipatests/test_integration/test_nfs.py -@@ -15,6 +15,7 @@ - - from __future__ import absolute_import - -+import pytest - import os - import re - import time -@@ -258,3 +259,74 @@ class TestNFS(IntegrationTest): - time.sleep(WAIT_AFTER_UNINSTALL) - - self.cleanup() -+ -+ -+class TestIpaClientAutomountFileRestore(IntegrationTest): -+ -+ num_clients = 1 -+ topology = 'line' -+ -+ @classmethod 
-+ def install(cls, mh): -+ tasks.install_master(cls.master, setup_dns=True) -+ -+ def teardown_method(self, method): -+ tasks.uninstall_client(self.clients[0]) -+ -+ def nsswitch_backup_restore( -+ self, -+ no_sssd=False, -+ ): -+ -+ # In order to get a more pure sum, one that ignores the Generated -+ # header and any white space we have to do a bit of work... -+ sha256nsswitch_cmd = \ -+ 'egrep -v "Generated|^$" /etc/nsswitch.conf | sed "s/\\s//g" ' \ -+ '| sort | sha256sum' -+ -+ cmd = self.clients[0].run_command(sha256nsswitch_cmd) -+ orig_sha256 = cmd.stdout_text -+ -+ grep_automount_command = \ -+ "grep automount /etc/nsswitch.conf | cut -d: -f2" -+ -+ tasks.install_client(self.master, self.clients[0]) -+ cmd = self.clients[0].run_command(grep_automount_command) -+ after_ipa_client_install = cmd.stdout_text.split() -+ -+ if no_sssd: -+ ipa_client_automount_command = [ -+ "ipa-client-automount", "--no-sssd", "-U" -+ ] -+ else: -+ ipa_client_automount_command = [ -+ "ipa-client-automount", "-U" -+ ] -+ self.clients[0].run_command(ipa_client_automount_command) -+ cmd = self.clients[0].run_command(grep_automount_command) -+ after_ipa_client_automount = cmd.stdout_text.split() -+ if no_sssd: -+ assert after_ipa_client_automount == ['files', 'ldap'] -+ else: -+ assert after_ipa_client_automount == ['sss', 'files'] -+ -+ cmd = self.clients[0].run_command(grep_automount_command) -+ assert cmd.stdout_text.split() == after_ipa_client_automount -+ -+ self.clients[0].run_command([ -+ "ipa-client-automount", "--uninstall", "-U" -+ ]) -+ -+ cmd = self.clients[0].run_command(grep_automount_command) -+ assert cmd.stdout_text.split() == after_ipa_client_install -+ -+ tasks.uninstall_client(self.clients[0]) -+ cmd = self.clients[0].run_command(sha256nsswitch_cmd) -+ assert cmd.stdout_text == orig_sha256 -+ -+ @pytest.mark.xfail(reason='freeipa ticket 8054', strict=True) -+ def test_nsswitch_backup_restore_sssd(self): -+ self.nsswitch_backup_restore() -+ -+ def 
test_nsswitch_backup_restore_no_sssd(self): -+ self.nsswitch_backup_restore(no_sssd=True) - -From 2f0afeda6e66fcca5c184a4036112fcd315f2f6e Mon Sep 17 00:00:00 2001 -From: François Cami <fcami@redhat.com> -Date: Aug 29 2019 06:45:12 +0000 -Subject: ipa-client-automount: always restore nsswitch.conf at uninstall time - - -ipa-client-automount used to only restore nsswitch.conf when sssd was not -used. However authselect's default profile is now sssd so always restore -nsswitch.conf's automount configuration to 'files sssd'. -Note that the behavior seen before commit: -a0e846f56c8de3b549d1d284087131da13135e34 -would always restore nsswitch.conf to the previous state which in some cases -was wrong. - -Fixes: https://pagure.io/freeipa/issue/8038 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Francois Cami <fcami@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Rob Critenden <rcritten@redhat.com> -Reviewed-By: François Cami <fcami@redhat.com> - ---- - -diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py -index fa07598..a1dc2a1 100644 ---- a/ipaclient/install/ipa_client_automount.py -+++ b/ipaclient/install/ipa_client_automount.py -@@ -177,18 +177,30 @@ def configure_xml(fstore): - print("Configured %s" % authconf) - - --def configure_nsswitch(fstore, options): -+def configure_nsswitch(statestore, options): - """ -- Point automount to ldap in nsswitch.conf. This function is for non-SSSD -- setups only -+ Point automount to ldap in nsswitch.conf. -+ This function is for non-SSSD setups only. 
- """ -- fstore.backup_file(paths.NSSWITCH_CONF) -- - conf = ipachangeconf.IPAChangeConf("IPA Installer") - conf.setOptionAssignment(':') - -- nss_value = ' files ldap' -+ with open(paths.NSSWITCH_CONF, 'r') as f: -+ current_opts = conf.parse(f) -+ current_nss_value = conf.findOpts( -+ current_opts, name='automount', type='option' -+ )[1] -+ if current_nss_value is None: -+ # no automount database present -+ current_nss_value = False # None cannot be backed up -+ else: -+ current_nss_value = current_nss_value['value'] -+ statestore.backup_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount', -+ current_nss_value -+ ) - -+ nss_value = ' files ldap' - opts = [ - { - 'name': 'automount', -@@ -198,7 +210,6 @@ def configure_nsswitch(fstore, options): - }, - {'name': 'empty', 'type': 'empty'}, - ] -- - conf.changeConf(paths.NSSWITCH_CONF, opts) - - print("Configured %s" % paths.NSSWITCH_CONF) -@@ -322,19 +333,47 @@ def configure_autofs_common(fstore, statestore, options): - def uninstall(fstore, statestore): - RESTORE_FILES = [ - paths.SYSCONFIG_AUTOFS, -- paths.NSSWITCH_CONF, - paths.AUTOFS_LDAP_AUTH_CONF, - paths.SYSCONFIG_NFS, - paths.IDMAPD_CONF, - ] - STATES = ['autofs', 'rpcidmapd', 'rpcgssd'] - -- # automount only touches /etc/nsswitch.conf if LDAP is -- # used. Don't restore it otherwise. -- if statestore.get_state('authconfig', 'sssd') or ( -- statestore.get_state('authselect', 'profile') == 'sssd' -- ): -- RESTORE_FILES.remove(paths.NSSWITCH_CONF) -+ if statestore.get_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) is False: -+ # Previous nsswitch.conf had no automount database configured -+ # so remove it. 
-+ conf = ipachangeconf.IPAChangeConf("IPA automount installer") -+ conf.setOptionAssignment(':') -+ changes = [conf.rmOption('automount')] -+ conf.changeConf(paths.NSSWITCH_CONF, changes) -+ tasks.restore_context(paths.NSSWITCH_CONF) -+ statestore.delete_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) -+ elif statestore.get_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) is not None: -+ nss_value = statestore.get_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) -+ opts = [ -+ { -+ 'name': 'automount', -+ 'type': 'option', -+ 'action': 'set', -+ 'value': nss_value, -+ }, -+ {'name': 'empty', 'type': 'empty'}, -+ ] -+ conf = ipachangeconf.IPAChangeConf("IPA automount installer") -+ conf.setOptionAssignment(':') -+ conf.changeConf(paths.NSSWITCH_CONF, opts) -+ tasks.restore_context(paths.NSSWITCH_CONF) -+ statestore.delete_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) - - if not any(fstore.has_file(f) for f in RESTORE_FILES) or not any( - statestore.has_state(s) for s in STATES -@@ -588,7 +627,7 @@ def configure_automount(): - - try: - if not options.sssd: -- configure_nsswitch(fstore, options) -+ configure_nsswitch(statestore, options) - configure_nfs(fstore, statestore, options) - if options.sssd: - configure_autofs_sssd(fstore, statestore, autodiscover, options) - -From 6e92776bfc199e9ca92e11ef3315dcecad3c9307 Mon Sep 17 00:00:00 2001 -From: Rob Critenden <rcritten@redhat.com> -Date: Aug 29 2019 06:45:12 +0000 -Subject: Move ipachangeconf from ipaclient.install to ipapython - - -This will let us call it from ipaplatform. - -Mark the original location as deprecated. 
- -Reviewed-By: Francois Cami <fcami@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Rob Critenden <rcritten@redhat.com> -Reviewed-By: François Cami <fcami@redhat.com> - ---- - -diff --git a/install/tools/ipa-replica-conncheck.in b/install/tools/ipa-replica-conncheck.in -index 9208076..b22db11 100644 ---- a/install/tools/ipa-replica-conncheck.in -+++ b/install/tools/ipa-replica-conncheck.in -@@ -22,7 +22,7 @@ from __future__ import print_function - - import logging - --import ipaclient.install.ipachangeconf -+from ipapython import ipachangeconf - from ipapython.config import IPAOptionParser - from ipapython.dn import DN - from ipapython import version -@@ -229,7 +229,7 @@ def sigterm_handler(signum, frame): - - def configure_krb5_conf(realm, kdc, filename): - -- krbconf = ipaclient.install.ipachangeconf.IPAChangeConf("IPA Installer") -+ krbconf = ipachangeconf.IPAChangeConf("IPA Installer") - krbconf.setOptionAssignment((" = ", " ")) - krbconf.setSectionNameDelimiters(("[","]")) - krbconf.setSubSectionDelimiters(("{","}")) -diff --git a/ipaclient/install/ipachangeconf.py b/ipaclient/install/ipachangeconf.py -index a13e0ea..c51e42e 100644 ---- a/ipaclient/install/ipachangeconf.py -+++ b/ipaclient/install/ipachangeconf.py -@@ -18,566 +18,18 @@ - # along with this program. If not, see <http://www.gnu.org/licenses/>. 
- # - --import fcntl --import logging --import os --import shutil -+import warnings -+from ipapython.ipachangeconf import IPAChangeConf as realIPAChangeConf - --import six - --if six.PY3: -- unicode = str -+class IPAChangeConf(realIPAChangeConf): -+ """Advertise the old name""" - --logger = logging.getLogger(__name__) -- --def openLocked(filename, perms): -- fd = -1 -- try: -- fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) -- -- fcntl.lockf(fd, fcntl.LOCK_EX) -- except OSError as e: -- if fd != -1: -- try: -- os.close(fd) -- except OSError: -- pass -- raise IOError(e.errno, e.strerror) -- return os.fdopen(fd, "r+") -- -- -- #TODO: add subsection as a concept -- # (ex. REALM.NAME = { foo = x bar = y } ) -- #TODO: put section delimiters as separating element of the list -- # so that we can process multiple sections in one go -- #TODO: add a comment all but provided options as a section option --class IPAChangeConf: - def __init__(self, name): -- self.progname = name -- self.indent = ("", "", "") -- self.assign = (" = ", "=") -- self.dassign = self.assign[0] -- self.comment = ("#",) -- self.dcomment = self.comment[0] -- self.eol = ("\n",) -- self.deol = self.eol[0] -- self.sectnamdel = ("[", "]") -- self.subsectdel = ("{", "}") -- self.case_insensitive_sections = True -- -- def setProgName(self, name): -- self.progname = name -- -- def setIndent(self, indent): -- if type(indent) is tuple: -- self.indent = indent -- elif type(indent) is str: -- self.indent = (indent, ) -- else: -- raise ValueError('Indent must be a list of strings') -- -- def setOptionAssignment(self, assign): -- if type(assign) is tuple: -- self.assign = assign -- else: -- self.assign = (assign, ) -- self.dassign = self.assign[0] -- -- def setCommentPrefix(self, comment): -- if type(comment) is tuple: -- self.comment = comment -- else: -- self.comment = (comment, ) -- self.dcomment = self.comment[0] -- -- def setEndLine(self, eol): -- if type(eol) is tuple: -- self.eol = eol -- else: -- 
self.eol = (eol, ) -- self.deol = self.eol[0] -- -- def setSectionNameDelimiters(self, delims): -- self.sectnamdel = delims -- -- def setSubSectionDelimiters(self, delims): -- self.subsectdel = delims -- -- def matchComment(self, line): -- for v in self.comment: -- if line.lstrip().startswith(v): -- return line.lstrip()[len(v):] -- return False -- -- def matchEmpty(self, line): -- if line.strip() == "": -- return True -- return False -- -- def matchSection(self, line): -- cl = "".join(line.strip().split()) -- cl = cl.lower() if self.case_insensitive_sections else cl -- -- if len(self.sectnamdel) != 2: -- return False -- if not cl.startswith(self.sectnamdel[0]): -- return False -- if not cl.endswith(self.sectnamdel[1]): -- return False -- return cl[len(self.sectnamdel[0]):-len(self.sectnamdel[1])] -- -- def matchSubSection(self, line): -- if self.matchComment(line): -- return False -- -- parts = line.split(self.dassign, 1) -- if len(parts) < 2: -- return False -- -- if parts[1].strip() == self.subsectdel[0]: -- return parts[0].strip() -- -- return False -- -- def matchSubSectionEnd(self, line): -- if self.matchComment(line): -- return False -- -- if line.strip() == self.subsectdel[1]: -- return True -- -- return False -- -- def getSectionLine(self, section): -- if len(self.sectnamdel) != 2: -- return section -- return self._dump_line(self.sectnamdel[0], -- section, -- self.sectnamdel[1], -- self.deol) -- -- def _dump_line(self, *args): -- return u"".join(unicode(x) for x in args) -- -- def dump(self, options, level=0): -- output = [] -- if level >= len(self.indent): -- level = len(self.indent) - 1 -- -- for o in options: -- if o['type'] == "section": -- output.append(self._dump_line(self.sectnamdel[0], -- o['name'], -- self.sectnamdel[1])) -- output.append(self.dump(o['value'], (level + 1))) -- continue -- if o['type'] == "subsection": -- output.append(self._dump_line(self.indent[level], -- o['name'], -- self.dassign, -- self.subsectdel[0])) -- 
output.append(self.dump(o['value'], (level + 1))) -- output.append(self._dump_line(self.indent[level], -- self.subsectdel[1])) -- continue -- if o['type'] == "option": -- delim = o.get('delim', self.dassign) -- if delim not in self.assign: -- raise ValueError('Unknown delim "%s" must be one of "%s"' % (delim, " ".join([d for d in self.assign]))) -- output.append(self._dump_line(self.indent[level], -- o['name'], -- delim, -- o['value'])) -- continue -- if o['type'] == "comment": -- output.append(self._dump_line(self.dcomment, o['value'])) -- continue -- if o['type'] == "empty": -- output.append('') -- continue -- raise SyntaxError('Unknown type: [%s]' % o['type']) -- -- # append an empty string to the output so that we add eol to the end -- # of the file contents in a single join() -- output.append('') -- return self.deol.join(output) -- -- def parseLine(self, line): -- -- if self.matchEmpty(line): -- return {'name': 'empty', 'type': 'empty'} -- -- value = self.matchComment(line) -- if value: -- return {'name': 'comment', -- 'type': 'comment', -- 'value': value.rstrip()} # pylint: disable=E1103 -- -- o = dict() -- parts = line.split(self.dassign, 1) -- if len(parts) < 2: -- # The default assign didn't match, try the non-default -- for d in self.assign[1:]: -- parts = line.split(d, 1) -- if len(parts) >= 2: -- o['delim'] = d -- break -- -- if 'delim' not in o: -- raise SyntaxError('Syntax Error: Unknown line format') -- -- o.update({'name':parts[0].strip(), 'type':'option', 'value':parts[1].rstrip()}) -- return o -- -- def findOpts(self, opts, type, name, exclude_sections=False): -- -- num = 0 -- for o in opts: -- if o['type'] == type and o['name'] == name: -- return (num, o) -- if exclude_sections and (o['type'] == "section" or -- o['type'] == "subsection"): -- return (num, None) -- num += 1 -- return (num, None) -- -- def commentOpts(self, inopts, level=0): -- -- opts = [] -- -- if level >= len(self.indent): -- level = len(self.indent) - 1 -- -- for o in inopts: -- 
if o['type'] == 'section': -- no = self.commentOpts(o['value'], (level + 1)) -- val = self._dump_line(self.dcomment, -- self.sectnamdel[0], -- o['name'], -- self.sectnamdel[1]) -- opts.append({'name': 'comment', -- 'type': 'comment', -- 'value': val}) -- for n in no: -- opts.append(n) -- continue -- if o['type'] == 'subsection': -- no = self.commentOpts(o['value'], (level + 1)) -- val = self._dump_line(self.indent[level], -- o['name'], -- self.dassign, -- self.subsectdel[0]) -- opts.append({'name': 'comment', -- 'type': 'comment', -- 'value': val}) -- opts.extend(no) -- val = self._dump_line(self.indent[level], self.subsectdel[1]) -- opts.append({'name': 'comment', -- 'type': 'comment', -- 'value': val}) -- continue -- if o['type'] == 'option': -- delim = o.get('delim', self.dassign) -- if delim not in self.assign: -- val = self._dump_line(self.indent[level], -- o['name'], -- delim, -- o['value']) -- opts.append({'name':'comment', 'type':'comment', 'value':val}) -- continue -- if o['type'] == 'comment': -- opts.append(o) -- continue -- if o['type'] == 'empty': -- opts.append({'name': 'comment', -- 'type': 'comment', -- 'value': ''}) -- continue -- raise SyntaxError('Unknown type: [%s]' % o['type']) -- -- return opts -- -- def mergeOld(self, oldopts, newopts): -- -- opts = [] -- -- for o in oldopts: -- if o['type'] == "section" or o['type'] == "subsection": -- _num, no = self.findOpts(newopts, o['type'], o['name']) -- if not no: -- opts.append(o) -- continue -- if no['action'] == "set": -- mo = self.mergeOld(o['value'], no['value']) -- opts.append({'name': o['name'], -- 'type': o['type'], -- 'value': mo}) -- continue -- if no['action'] == "comment": -- co = self.commentOpts(o['value']) -- for c in co: -- opts.append(c) -- continue -- if no['action'] == "remove": -- continue -- raise SyntaxError('Unknown action: [%s]' % no['action']) -- -- if o['type'] == "comment" or o['type'] == "empty": -- opts.append(o) -- continue -- -- if o['type'] == "option": -- _num, no = 
self.findOpts(newopts, 'option', o['name'], True) -- if not no: -- opts.append(o) -- continue -- if no['action'] == 'comment' or no['action'] == 'remove': -- if (no['value'] is not None and -- o['value'] is not no['value']): -- opts.append(o) -- continue -- if no['action'] == 'comment': -- value = self._dump_line(self.dcomment, -- o['name'], -- self.dassign, -- o['value']) -- opts.append({'name': 'comment', -- 'type': 'comment', -- 'value': value}) -- continue -- if no['action'] == 'set': -- opts.append(no) -- continue -- if no['action'] == 'addifnotset': -- opts.append({ -- 'name': 'comment', -- 'type': 'comment', -- 'value': self._dump_line( -- ' ', no['name'], ' modified by IPA' -- ), -- }) -- opts.append({'name': 'comment', 'type': 'comment', -- 'value': self._dump_line(no['name'], -- self.dassign, -- no['value'], -- )}) -- opts.append(o) -- continue -- raise SyntaxError('Unknown action: [%s]' % no['action']) -- -- raise SyntaxError('Unknown type: [%s]' % o['type']) -- -- return opts -- -- def mergeNew(self, opts, newopts): -- -- cline = 0 -- -- for no in newopts: -- -- if no['type'] == "section" or no['type'] == "subsection": -- (num, o) = self.findOpts(opts, no['type'], no['name']) -- if not o: -- if no['action'] == 'set': -- opts.append(no) -- continue -- if no['action'] == "set": -- self.mergeNew(o['value'], no['value']) -- continue -- cline = num + 1 -- continue -- -- if no['type'] == "option": -- (num, o) = self.findOpts(opts, no['type'], no['name'], True) -- if not o: -- if no['action'] == 'set' or no['action'] == 'addifnotset': -- opts.append(no) -- continue -- cline = num + 1 -- continue -- -- if no['type'] == "comment" or no['type'] == "empty": -- opts.insert(cline, no) -- cline += 1 -- continue -- -- raise SyntaxError('Unknown type: [%s]' % no['type']) -- -- def merge(self, oldopts, newopts): -- """ -- Uses a two pass strategy: -- First we create a new opts tree from oldopts removing/commenting -- the options as indicated by the contents of newopts 
-- Second we fill in the new opts tree with options as indicated
-- in the newopts tree (this is becaus eentire (sub)sections may
-- in the newopts tree (this is becaus entire (sub)sections may
-- exist in the newopts that do not exist in oldopts)
-- """
-- opts = self.mergeOld(oldopts, newopts)
-- self.mergeNew(opts, newopts)
-- return opts
--
-- #TODO: Make parse() recursive?
-- def parse(self, f):
--
-- opts = []
-- sectopts = []
-- section = None
-- subsectopts = []
-- subsection = None
-- curopts = opts
-- fatheropts = opts
--
-- # Read in the old file.
-- for line in f:
--
-- # It's a section start.
-- value = self.matchSection(line)
-- if value:
-- if section is not None:
-- opts.append({'name': section,
-- 'type': 'section',
-- 'value': sectopts})
-- sectopts = []
-- curopts = sectopts
-- fatheropts = sectopts
-- section = value
-- continue
--
-- # It's a subsection start.
-- value = self.matchSubSection(line)
-- if value:
-- if subsection is not None:
-- raise SyntaxError('nested subsections are not '
-- 'supported yet')
-- subsectopts = []
-- curopts = subsectopts
-- subsection = value
-- continue
--
-- value = self.matchSubSectionEnd(line)
-- if value:
-- if subsection is None:
-- raise SyntaxError('Unmatched end subsection terminator '
-- 'found')
-- fatheropts.append({'name': subsection,
-- 'type': 'subsection',
-- 'value': subsectopts})
-- subsection = None
-- curopts = fatheropts
-- continue
--
-- # Copy anything else as is.
-- try: -- curopts.append(self.parseLine(line)) -- except SyntaxError as e: -- raise SyntaxError('{error} in file {fname}: [{line}]'.format( -- error=e, fname=f.name, line=line.rstrip())) -- -- #Add last section if any -- if len(sectopts) is not 0: -- opts.append({'name': section, -- 'type': 'section', -- 'value': sectopts}) -- -- return opts -- -- def changeConf(self, file, newopts): -- """ -- Write settings to configuration file -- :param file: path to the file -- :param options: set of dictionaries in the form: -- {'name': 'foo', 'value': 'bar', 'action': 'set/comment'} -- :param section: section name like 'global' -- """ -- output = "" -- f = None -- try: -- # Do not catch an unexisting file error -- # we want to fail in that case -- shutil.copy2(file, (file + ".ipabkp")) -- -- f = openLocked(file, 0o644) -- -- oldopts = self.parse(f) -- -- options = self.merge(oldopts, newopts) -- -- output = self.dump(options) -- -- # Write it out and close it. -- f.seek(0) -- f.truncate(0) -- f.write(output) -- finally: -- try: -- if f: -- f.close() -- except IOError: -- pass -- logger.debug("Updating configuration file %s", file) -- logger.debug(output) -- return True -- -- def newConf(self, file, options, file_perms=0o644): -- """" -- Write settings to a new file, backup the old -- :param file: path to the file -- :param options: a set of dictionaries in the form: -- {'name': 'foo', 'value': 'bar', 'action': 'set/comment'} -- :param file_perms: number defining the new file's permissions -- """ -- output = "" -- f = None -- try: -- try: -- shutil.copy2(file, (file + ".ipabkp")) -- except IOError as err: -- if err.errno == 2: -- # The orign file did not exist -- pass -- -- f = openLocked(file, file_perms) -- -- # Trunkate -- f.seek(0) -- f.truncate(0) -- -- output = self.dump(options) -- -- f.write(output) -- finally: -- try: -- if f: -- f.close() -- except IOError: -- pass -- logger.debug("Writing configuration file %s", file) -- logger.debug(output) -- return True -- -- 
@staticmethod -- def setOption(name, value): -- return {'name': name, -- 'type': 'option', -- 'action': 'set', -- 'value': value} -- -- @staticmethod -- def rmOption(name): -- return {'name': name, -- 'type': 'option', -- 'action': 'remove', -- 'value': None} -- -- @staticmethod -- def setSection(name, options): -- return {'name': name, -- 'type': 'section', -- 'action': 'set', -- 'value': options} -- -- @staticmethod -- def emptyLine(): -- return {'name': 'empty', -- 'type': 'empty'} -+ """something""" -+ warnings.warn( -+ "Use 'ipapython.ipachangeconf.IPAChangeConfg'", -+ DeprecationWarning, -+ stacklevel=2 -+ ) -+ super(IPAChangeConf, self).__init__(name) -diff --git a/ipapython/ipachangeconf.py b/ipapython/ipachangeconf.py -new file mode 100644 -index 0000000..cfb4a6e ---- /dev/null -+++ b/ipapython/ipachangeconf.py -@@ -0,0 +1,590 @@ -+# -+# ipachangeconf - configuration file manipulation classes and functions -+# partially based on authconfig code -+# Copyright (c) 1999-2007 Red Hat, Inc. -+# Author: Simo Sorce <ssorce@redhat.com> -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see <http://www.gnu.org/licenses/>. 
-+# -+ -+import fcntl -+import logging -+import os -+import shutil -+ -+import six -+ -+if six.PY3: -+ unicode = str -+ -+logger = logging.getLogger(__name__) -+ -+ -+def openLocked(filename, perms): -+ fd = -1 -+ try: -+ fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) -+ -+ fcntl.lockf(fd, fcntl.LOCK_EX) -+ except OSError as e: -+ if fd != -1: -+ try: -+ os.close(fd) -+ except OSError: -+ pass -+ raise IOError(e.errno, e.strerror) -+ return os.fdopen(fd, "r+") -+ -+ # TODO: add subsection as a concept -+ # (ex. REALM.NAME = { foo = x bar = y } ) -+ # TODO: put section delimiters as separating element of the list -+ # so that we can process multiple sections in one go -+ # TODO: add a comment all but provided options as a section option -+ -+ -+class IPAChangeConf: -+ def __init__(self, name): -+ self.progname = name -+ self.indent = ("", "", "") -+ self.assign = (" = ", "=") -+ self.dassign = self.assign[0] -+ self.comment = ("#",) -+ self.dcomment = self.comment[0] -+ self.eol = ("\n",) -+ self.deol = self.eol[0] -+ self.sectnamdel = ("[", "]") -+ self.subsectdel = ("{", "}") -+ self.case_insensitive_sections = True -+ -+ def setProgName(self, name): -+ self.progname = name -+ -+ def setIndent(self, indent): -+ if type(indent) is tuple: -+ self.indent = indent -+ elif type(indent) is str: -+ self.indent = (indent, ) -+ else: -+ raise ValueError('Indent must be a list of strings') -+ -+ def setOptionAssignment(self, assign): -+ if type(assign) is tuple: -+ self.assign = assign -+ else: -+ self.assign = (assign, ) -+ self.dassign = self.assign[0] -+ -+ def setCommentPrefix(self, comment): -+ if type(comment) is tuple: -+ self.comment = comment -+ else: -+ self.comment = (comment, ) -+ self.dcomment = self.comment[0] -+ -+ def setEndLine(self, eol): -+ if type(eol) is tuple: -+ self.eol = eol -+ else: -+ self.eol = (eol, ) -+ self.deol = self.eol[0] -+ -+ def setSectionNameDelimiters(self, delims): -+ self.sectnamdel = delims -+ -+ def 
setSubSectionDelimiters(self, delims): -+ self.subsectdel = delims -+ -+ def matchComment(self, line): -+ for v in self.comment: -+ if line.lstrip().startswith(v): -+ return line.lstrip()[len(v):] -+ return False -+ -+ def matchEmpty(self, line): -+ if line.strip() == "": -+ return True -+ return False -+ -+ def matchSection(self, line): -+ cl = "".join(line.strip().split()) -+ cl = cl.lower() if self.case_insensitive_sections else cl -+ -+ if len(self.sectnamdel) != 2: -+ return False -+ if not cl.startswith(self.sectnamdel[0]): -+ return False -+ if not cl.endswith(self.sectnamdel[1]): -+ return False -+ return cl[len(self.sectnamdel[0]):-len(self.sectnamdel[1])] -+ -+ def matchSubSection(self, line): -+ if self.matchComment(line): -+ return False -+ -+ parts = line.split(self.dassign, 1) -+ if len(parts) < 2: -+ return False -+ -+ if parts[1].strip() == self.subsectdel[0]: -+ return parts[0].strip() -+ -+ return False -+ -+ def matchSubSectionEnd(self, line): -+ if self.matchComment(line): -+ return False -+ -+ if line.strip() == self.subsectdel[1]: -+ return True -+ -+ return False -+ -+ def getSectionLine(self, section): -+ if len(self.sectnamdel) != 2: -+ return section -+ return self._dump_line(self.sectnamdel[0], -+ section, -+ self.sectnamdel[1], -+ self.deol) -+ -+ def _dump_line(self, *args): -+ return u"".join(unicode(x) for x in args) -+ -+ def dump(self, options, level=0): -+ output = [] -+ if level >= len(self.indent): -+ level = len(self.indent) - 1 -+ -+ for o in options: -+ if o['type'] == "section": -+ output.append(self._dump_line(self.sectnamdel[0], -+ o['name'], -+ self.sectnamdel[1])) -+ output.append(self.dump(o['value'], (level + 1))) -+ continue -+ if o['type'] == "subsection": -+ output.append(self._dump_line(self.indent[level], -+ o['name'], -+ self.dassign, -+ self.subsectdel[0])) -+ output.append(self.dump(o['value'], (level + 1))) -+ output.append(self._dump_line(self.indent[level], -+ self.subsectdel[1])) -+ continue -+ if o['type'] 
== "option": -+ delim = o.get('delim', self.dassign) -+ if delim not in self.assign: -+ raise ValueError( -+ 'Unknown delim "%s" must be one of "%s"' % -+ (delim, " ".join([d for d in self.assign])) -+ ) -+ output.append(self._dump_line(self.indent[level], -+ o['name'], -+ delim, -+ o['value'])) -+ continue -+ if o['type'] == "comment": -+ output.append(self._dump_line(self.dcomment, o['value'])) -+ continue -+ if o['type'] == "empty": -+ output.append('') -+ continue -+ raise SyntaxError('Unknown type: [%s]' % o['type']) -+ -+ # append an empty string to the output so that we add eol to the end -+ # of the file contents in a single join() -+ output.append('') -+ return self.deol.join(output) -+ -+ def parseLine(self, line): -+ -+ if self.matchEmpty(line): -+ return {'name': 'empty', 'type': 'empty'} -+ -+ value = self.matchComment(line) -+ if value: -+ return {'name': 'comment', -+ 'type': 'comment', -+ 'value': value.rstrip()} # pylint: disable=E1103 -+ -+ o = dict() -+ parts = line.split(self.dassign, 1) -+ if len(parts) < 2: -+ # The default assign didn't match, try the non-default -+ for d in self.assign[1:]: -+ parts = line.split(d, 1) -+ if len(parts) >= 2: -+ o['delim'] = d -+ break -+ -+ if 'delim' not in o: -+ raise SyntaxError('Syntax Error: Unknown line format') -+ -+ o.update({'name': parts[0].strip(), 'type': 'option', -+ 'value': parts[1].rstrip()}) -+ return o -+ -+ def findOpts(self, opts, type, name, exclude_sections=False): -+ -+ num = 0 -+ for o in opts: -+ if o['type'] == type and o['name'] == name: -+ return (num, o) -+ if exclude_sections and (o['type'] == "section" or -+ o['type'] == "subsection"): -+ return (num, None) -+ num += 1 -+ return (num, None) -+ -+ def commentOpts(self, inopts, level=0): -+ -+ opts = [] -+ -+ if level >= len(self.indent): -+ level = len(self.indent) - 1 -+ -+ for o in inopts: -+ if o['type'] == 'section': -+ no = self.commentOpts(o['value'], (level + 1)) -+ val = self._dump_line(self.dcomment, -+ 
self.sectnamdel[0], -+ o['name'], -+ self.sectnamdel[1]) -+ opts.append({'name': 'comment', -+ 'type': 'comment', -+ 'value': val}) -+ for n in no: -+ opts.append(n) -+ continue -+ if o['type'] == 'subsection': -+ no = self.commentOpts(o['value'], (level + 1)) -+ val = self._dump_line(self.indent[level], -+ o['name'], -+ self.dassign, -+ self.subsectdel[0]) -+ opts.append({'name': 'comment', -+ 'type': 'comment', -+ 'value': val}) -+ opts.extend(no) -+ val = self._dump_line(self.indent[level], self.subsectdel[1]) -+ opts.append({'name': 'comment', -+ 'type': 'comment', -+ 'value': val}) -+ continue -+ if o['type'] == 'option': -+ delim = o.get('delim', self.dassign) -+ if delim not in self.assign: -+ val = self._dump_line(self.indent[level], -+ o['name'], -+ delim, -+ o['value']) -+ opts.append({'name': 'comment', 'type': 'comment', -+ 'value': val}) -+ continue -+ if o['type'] == 'comment': -+ opts.append(o) -+ continue -+ if o['type'] == 'empty': -+ opts.append({'name': 'comment', -+ 'type': 'comment', -+ 'value': ''}) -+ continue -+ raise SyntaxError('Unknown type: [%s]' % o['type']) -+ -+ return opts -+ -+ def mergeOld(self, oldopts, newopts): -+ -+ opts = [] -+ -+ for o in oldopts: -+ if o['type'] == "section" or o['type'] == "subsection": -+ _num, no = self.findOpts(newopts, o['type'], o['name']) -+ if not no: -+ opts.append(o) -+ continue -+ if no['action'] == "set": -+ mo = self.mergeOld(o['value'], no['value']) -+ opts.append({'name': o['name'], -+ 'type': o['type'], -+ 'value': mo}) -+ continue -+ if no['action'] == "comment": -+ co = self.commentOpts(o['value']) -+ for c in co: -+ opts.append(c) -+ continue -+ if no['action'] == "remove": -+ continue -+ raise SyntaxError('Unknown action: [%s]' % no['action']) -+ -+ if o['type'] == "comment" or o['type'] == "empty": -+ opts.append(o) -+ continue -+ -+ if o['type'] == "option": -+ _num, no = self.findOpts(newopts, 'option', o['name'], True) -+ if not no: -+ opts.append(o) -+ continue -+ if no['action'] == 
'comment' or no['action'] == 'remove': -+ if (no['value'] is not None and -+ o['value'] is not no['value']): -+ opts.append(o) -+ continue -+ if no['action'] == 'comment': -+ value = self._dump_line(self.dcomment, -+ o['name'], -+ self.dassign, -+ o['value']) -+ opts.append({'name': 'comment', -+ 'type': 'comment', -+ 'value': value}) -+ continue -+ if no['action'] == 'set': -+ opts.append(no) -+ continue -+ if no['action'] == 'addifnotset': -+ opts.append({ -+ 'name': 'comment', -+ 'type': 'comment', -+ 'value': self._dump_line( -+ ' ', no['name'], ' modified by IPA' -+ ), -+ }) -+ opts.append({'name': 'comment', 'type': 'comment', -+ 'value': self._dump_line(no['name'], -+ self.dassign, -+ no['value'], -+ )}) -+ opts.append(o) -+ continue -+ raise SyntaxError('Unknown action: [%s]' % no['action']) -+ -+ raise SyntaxError('Unknown type: [%s]' % o['type']) -+ -+ return opts -+ -+ def mergeNew(self, opts, newopts): -+ -+ cline = 0 -+ -+ for no in newopts: -+ -+ if no['type'] == "section" or no['type'] == "subsection": -+ (num, o) = self.findOpts(opts, no['type'], no['name']) -+ if not o: -+ if no['action'] == 'set': -+ opts.append(no) -+ continue -+ if no['action'] == "set": -+ self.mergeNew(o['value'], no['value']) -+ continue -+ cline = num + 1 -+ continue -+ -+ if no['type'] == "option": -+ (num, o) = self.findOpts(opts, no['type'], no['name'], True) -+ if not o: -+ if no['action'] == 'set' or no['action'] == 'addifnotset': -+ opts.append(no) -+ continue -+ cline = num + 1 -+ continue -+ -+ if no['type'] == "comment" or no['type'] == "empty": -+ opts.insert(cline, no) -+ cline += 1 -+ continue -+ -+ raise SyntaxError('Unknown type: [%s]' % no['type']) -+ -+ def merge(self, oldopts, newopts): -+ """ -+ Uses a two pass strategy: -+ First we create a new opts tree from oldopts removing/commenting -+ the options as indicated by the contents of newopts -+ Second we fill in the new opts tree with options as indicated -+ in the newopts tree (this is becaus eentire 
(sub)sections may -+ in the newopts tree (this is becaus entire (sub)sections may -+ exist in the newopts that do not exist in oldopts) -+ """ -+ opts = self.mergeOld(oldopts, newopts) -+ self.mergeNew(opts, newopts) -+ return opts -+ -+ # TODO: Make parse() recursive? -+ def parse(self, f): -+ -+ opts = [] -+ sectopts = [] -+ section = None -+ subsectopts = [] -+ subsection = None -+ curopts = opts -+ fatheropts = opts -+ -+ # Read in the old file. -+ for line in f: -+ -+ # It's a section start. -+ value = self.matchSection(line) -+ if value: -+ if section is not None: -+ opts.append({'name': section, -+ 'type': 'section', -+ 'value': sectopts}) -+ sectopts = [] -+ curopts = sectopts -+ fatheropts = sectopts -+ section = value -+ continue -+ -+ # It's a subsection start. -+ value = self.matchSubSection(line) -+ if value: -+ if subsection is not None: -+ raise SyntaxError('nested subsections are not ' -+ 'supported yet') -+ subsectopts = [] -+ curopts = subsectopts -+ subsection = value -+ continue -+ -+ value = self.matchSubSectionEnd(line) -+ if value: -+ if subsection is None: -+ raise SyntaxError('Unmatched end subsection terminator ' -+ 'found') -+ fatheropts.append({'name': subsection, -+ 'type': 'subsection', -+ 'value': subsectopts}) -+ subsection = None -+ curopts = fatheropts -+ continue -+ -+ # Copy anything else as is. 
-+ try: -+ curopts.append(self.parseLine(line)) -+ except SyntaxError as e: -+ raise SyntaxError('{error} in file {fname}: [{line}]'.format( -+ error=e, fname=f.name, line=line.rstrip())) -+ -+ # Add last section if any -+ if len(sectopts) is not 0: -+ opts.append({'name': section, -+ 'type': 'section', -+ 'value': sectopts}) -+ -+ return opts -+ -+ def changeConf(self, file, newopts): -+ """ -+ Write settings to configuration file -+ :param file: path to the file -+ :param options: set of dictionaries in the form: -+ {'name': 'foo', 'value': 'bar', 'action': 'set/comment'} -+ :param section: section name like 'global' -+ """ -+ output = "" -+ f = None -+ try: -+ # Do not catch an unexisting file error -+ # we want to fail in that case -+ shutil.copy2(file, (file + ".ipabkp")) -+ -+ f = openLocked(file, 0o644) -+ -+ oldopts = self.parse(f) -+ -+ options = self.merge(oldopts, newopts) -+ -+ output = self.dump(options) -+ -+ # Write it out and close it. -+ f.seek(0) -+ f.truncate(0) -+ f.write(output) -+ finally: -+ try: -+ if f: -+ f.close() -+ except IOError: -+ pass -+ logger.debug("Updating configuration file %s", file) -+ logger.debug(output) -+ return True -+ -+ def newConf(self, file, options, file_perms=0o644): -+ """" -+ Write settings to a new file, backup the old -+ :param file: path to the file -+ :param options: a set of dictionaries in the form: -+ {'name': 'foo', 'value': 'bar', 'action': 'set/comment'} -+ :param file_perms: number defining the new file's permissions -+ """ -+ output = "" -+ f = None -+ try: -+ try: -+ shutil.copy2(file, (file + ".ipabkp")) -+ except IOError as err: -+ if err.errno == 2: -+ # The orign file did not exist -+ pass -+ -+ f = openLocked(file, file_perms) -+ -+ # Trunkate -+ f.seek(0) -+ f.truncate(0) -+ -+ output = self.dump(options) -+ -+ f.write(output) -+ finally: -+ try: -+ if f: -+ f.close() -+ except IOError: -+ pass -+ logger.debug("Writing configuration file %s", file) -+ logger.debug(output) -+ return True -+ -+ 
@staticmethod -+ def setOption(name, value): -+ return {'name': name, -+ 'type': 'option', -+ 'action': 'set', -+ 'value': value} -+ -+ @staticmethod -+ def rmOption(name): -+ return {'name': name, -+ 'type': 'option', -+ 'action': 'remove', -+ 'value': None} -+ -+ @staticmethod -+ def setSection(name, options): -+ return {'name': name, -+ 'type': 'section', -+ 'action': 'set', -+ 'value': options} -+ -+ @staticmethod -+ def emptyLine(): -+ return {'name': 'empty', -+ 'type': 'empty'} -diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py -index 7bb9431..47a5a92 100644 ---- a/ipaserver/install/adtrustinstance.py -+++ b/ipaserver/install/adtrustinstance.py -@@ -40,11 +40,11 @@ from ipaserver.install.replication import wait_for_task - from ipalib import errors, api - from ipalib.util import normalize_zone - from ipapython.dn import DN -+from ipapython import ipachangeconf - from ipapython import ipaldap - from ipapython import ipautil - import ipapython.errors - --import ipaclient.install.ipachangeconf - from ipaplatform import services - from ipaplatform.constants import constants - from ipaplatform.paths import paths -@@ -639,7 +639,7 @@ class ADTRUSTInstance(service.Service): - self.print_msg("Cannot modify /etc/krb5.conf") - - krbconf = ( -- ipaclient.install.ipachangeconf.IPAChangeConf("IPA Installer")) -+ ipachangeconf.IPAChangeConf("IPA Installer")) - krbconf.setOptionAssignment((" = ", " ")) - krbconf.setSectionNameDelimiters(("[", "]")) - krbconf.setSubSectionDelimiters(("{", "}")) -diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index 02c8f4d..6a81d57 100644 ---- a/ipaserver/install/server/install.py -+++ b/ipaserver/install/server/install.py -@@ -19,7 +19,7 @@ import six - from ipaclient.install import timeconf - from ipaclient.install.client import ( - check_ldap_conf, sync_time, restore_time_sync) --from ipaclient.install.ipachangeconf import IPAChangeConf -+from 
ipapython.ipachangeconf import IPAChangeConf - from ipalib.install import certmonger, sysrestore - from ipapython import ipautil, version - from ipapython.ipautil import ( -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 6da6804..7272640 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -23,13 +23,13 @@ from pkg_resources import parse_version - import six - - from ipaclient.install.client import check_ldap_conf --from ipaclient.install.ipachangeconf import IPAChangeConf - import ipaclient.install.timeconf - from ipalib.install import certstore, sysrestore - from ipalib.install.kinit import kinit_keytab - from ipapython import ipaldap, ipautil - from ipapython.dn import DN - from ipapython.admintool import ScriptError -+from ipapython.ipachangeconf import IPAChangeConf - from ipaplatform import services - from ipaplatform.tasks import tasks - from ipaplatform.paths import paths -diff --git a/ipatests/test_install/test_changeconf.py b/ipatests/test_install/test_changeconf.py -index 2dc2b7d..40c8a1d 100644 ---- a/ipatests/test_install/test_changeconf.py -+++ b/ipatests/test_install/test_changeconf.py -@@ -3,7 +3,7 @@ - from __future__ import absolute_import - - import pytest --from ipaclient.install.ipachangeconf import IPAChangeConf -+from ipapython.ipachangeconf import IPAChangeConf - - - @pytest.fixture(scope='function') - -From 2da90887632c764a73866c9ad3824ebb53c0aa73 Mon Sep 17 00:00:00 2001 -From: Rob Critenden <rcritten@redhat.com> -Date: Aug 29 2019 06:45:12 +0000 -Subject: Use tasks to configure automount nsswitch settings - - -authselect doesn't allow one to directly write to -/etc/nsswitch.conf. It will complain bitterly if it -detects it and will refuse to work until reset. - -Instead it wants the user to write to -/etc/authselect/user-nsswitch.conf and then it will handle -merging in any differences. 
- -To complicate matters some databases are not user configurable -like passwd, group and of course, automount. There are some -undocumented options to allow one to override these though so -we utilize that. - -tasks are used so that authselect-based installations can still -write directly to /etc/nsswitch.conf and operate as it used to. - -Reviewed-By: Francois Cami <fcami@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Rob Critenden <rcritten@redhat.com> -Reviewed-By: François Cami <fcami@redhat.com> - ---- - -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 9492ca4..1e88ba1 100644 ---- a/ipaclient/install/client.py -+++ b/ipaclient/install/client.py -@@ -66,7 +66,7 @@ from ipapython import version - - from . import automount, timeconf, sssd - from ipaclient import discovery --from .ipachangeconf import IPAChangeConf -+from ipapython.ipachangeconf import IPAChangeConf - - NoneType = type(None) - -@@ -281,72 +281,6 @@ def is_ipa_client_installed(fstore, on_master=False): - return installed - - --def configure_nsswitch_database(fstore, database, services, preserve=True, -- append=True, default_value=()): -- """ -- Edits the specified nsswitch.conf database (e.g. passwd, group, sudoers) -- to use the specified service(s). -- -- Arguments: -- fstore - FileStore to backup the nsswitch.conf -- database - database configuration that should be ammended, -- e.g. 'sudoers' -- service - list of services that should be added, e.g. ['sss'] -- preserve - if True, the already configured services will be preserved -- -- The next arguments modify the behaviour if preserve=True: -- append - if True, the services will be appended, if False, prepended -- default_value - list of services that are considered as default (if -- the database is not mentioned in nsswitch.conf), e.g. 
-- ['files'] -- """ -- -- # Backup the original version of nsswitch.conf, we're going to edit it now -- if not fstore.has_file(paths.NSSWITCH_CONF): -- fstore.backup_file(paths.NSSWITCH_CONF) -- -- conf = IPAChangeConf("IPA Installer") -- conf.setOptionAssignment(':') -- -- if preserve: -- # Read the existing configuration -- with open(paths.NSSWITCH_CONF, 'r') as f: -- opts = conf.parse(f) -- raw_database_entry = conf.findOpts(opts, 'option', database)[1] -- -- # Detect the list of already configured services -- if not raw_database_entry: -- # If there is no database entry, database is not present in -- # the nsswitch.conf. Set the list of services to the -- # default list, if passed. -- configured_services = list(default_value) -- else: -- configured_services = raw_database_entry['value'].strip().split() -- -- # Make sure no service is added if already mentioned in the list -- added_services = [s for s in services -- if s not in configured_services] -- -- # Prepend / append the list of new services -- if append: -- new_value = ' ' + ' '.join(configured_services + added_services) -- else: -- new_value = ' ' + ' '.join(added_services + configured_services) -- -- else: -- # Preserve not set, let's rewrite existing configuration -- new_value = ' ' + ' '.join(services) -- -- # Set new services as sources for database -- opts = [ -- conf.setOption(database, new_value), -- conf.emptyLine(), -- ] -- -- conf.changeConf(paths.NSSWITCH_CONF, opts) -- logger.info("Configured %s in %s", database, paths.NSSWITCH_CONF) -- -- - def configure_ipa_conf( - fstore, cli_basedn, cli_realm, cli_domain, cli_server, hostname): - ipaconf = IPAChangeConf("IPA Installer") -@@ -948,9 +882,7 @@ def configure_sssd_conf( - "Unable to activate the SUDO service in SSSD config.") - - sssdconfig.activate_service('sudo') -- configure_nsswitch_database( -- fstore, 'sudoers', ['sss'], -- default_value=['files']) -+ tasks.enable_sssd_sudo(fstore) - - domain.add_provider('ipa', 'id') - -diff --git 
a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py -index a1dc2a1..3a0896b 100644 ---- a/ipaclient/install/ipa_client_automount.py -+++ b/ipaclient/install/ipa_client_automount.py -@@ -41,7 +41,8 @@ from six.moves.urllib.parse import urlsplit - - # pylint: enable=import-error - from optparse import OptionParser # pylint: disable=deprecated-module --from ipaclient.install import ipachangeconf, ipadiscovery -+from ipapython import ipachangeconf -+from ipaclient.install import ipadiscovery - from ipaclient.install.client import ( - CLIENT_NOT_CONFIGURED, - CLIENT_ALREADY_CONFIGURED, -@@ -177,44 +178,6 @@ def configure_xml(fstore): - print("Configured %s" % authconf) - - --def configure_nsswitch(statestore, options): -- """ -- Point automount to ldap in nsswitch.conf. -- This function is for non-SSSD setups only. -- """ -- conf = ipachangeconf.IPAChangeConf("IPA Installer") -- conf.setOptionAssignment(':') -- -- with open(paths.NSSWITCH_CONF, 'r') as f: -- current_opts = conf.parse(f) -- current_nss_value = conf.findOpts( -- current_opts, name='automount', type='option' -- )[1] -- if current_nss_value is None: -- # no automount database present -- current_nss_value = False # None cannot be backed up -- else: -- current_nss_value = current_nss_value['value'] -- statestore.backup_state( -- 'ipa-client-automount-nsswitch', 'previous-automount', -- current_nss_value -- ) -- -- nss_value = ' files ldap' -- opts = [ -- { -- 'name': 'automount', -- 'type': 'option', -- 'action': 'set', -- 'value': nss_value, -- }, -- {'name': 'empty', 'type': 'empty'}, -- ] -- conf.changeConf(paths.NSSWITCH_CONF, opts) -- -- print("Configured %s" % paths.NSSWITCH_CONF) -- -- - def configure_autofs_sssd(fstore, statestore, autodiscover, options): - try: - sssdconfig = SSSDConfig.SSSDConfig() -@@ -339,41 +302,8 @@ def uninstall(fstore, statestore): - ] - STATES = ['autofs', 'rpcidmapd', 'rpcgssd'] - -- if statestore.get_state( -- 
'ipa-client-automount-nsswitch', 'previous-automount' -- ) is False: -- # Previous nsswitch.conf had no automount database configured -- # so remove it. -- conf = ipachangeconf.IPAChangeConf("IPA automount installer") -- conf.setOptionAssignment(':') -- changes = [conf.rmOption('automount')] -- conf.changeConf(paths.NSSWITCH_CONF, changes) -- tasks.restore_context(paths.NSSWITCH_CONF) -- statestore.delete_state( -- 'ipa-client-automount-nsswitch', 'previous-automount' -- ) -- elif statestore.get_state( -- 'ipa-client-automount-nsswitch', 'previous-automount' -- ) is not None: -- nss_value = statestore.get_state( -- 'ipa-client-automount-nsswitch', 'previous-automount' -- ) -- opts = [ -- { -- 'name': 'automount', -- 'type': 'option', -- 'action': 'set', -- 'value': nss_value, -- }, -- {'name': 'empty', 'type': 'empty'}, -- ] -- conf = ipachangeconf.IPAChangeConf("IPA automount installer") -- conf.setOptionAssignment(':') -- conf.changeConf(paths.NSSWITCH_CONF, opts) -- tasks.restore_context(paths.NSSWITCH_CONF) -- statestore.delete_state( -- 'ipa-client-automount-nsswitch', 'previous-automount' -- ) -+ if not statestore.get_state('autofs', 'sssd'): -+ tasks.disable_ldap_automount(statestore) - - if not any(fstore.has_file(f) for f in RESTORE_FILES) or not any( - statestore.has_state(s) for s in STATES -@@ -627,7 +557,7 @@ def configure_automount(): - - try: - if not options.sssd: -- configure_nsswitch(statestore, options) -+ tasks.enable_ldap_automount(statestore) - configure_nfs(fstore, statestore, options) - if options.sssd: - configure_autofs_sssd(fstore, statestore, autodiscover, options) -diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py -index 8aa9c5c..7fd7d57 100644 ---- a/ipaplatform/base/tasks.py -+++ b/ipaplatform/base/tasks.py -@@ -32,6 +32,7 @@ from pkg_resources import parse_version - from ipaplatform.constants import constants - from ipaplatform.paths import paths - from ipapython import ipautil -+from ipapython.ipachangeconf import 
IPAChangeConf - - logger = logging.getLogger(__name__) - -@@ -337,5 +338,157 @@ class BaseTaskNamespace: - """ - raise NotImplementedError - -+ def configure_nsswitch_database(self, fstore, database, services, -+ preserve=True, append=True, -+ default_value=()): -+ """ -+ Edits the specified nsswitch.conf database (e.g. passwd, group, -+ sudoers) to use the specified service(s). -+ -+ Arguments: -+ fstore - FileStore to backup the nsswitch.conf -+ database - database configuration that should be ammended, -+ e.g. 'sudoers' -+ service - list of services that should be added, e.g. ['sss'] -+ preserve - if True, the already configured services will be -+ preserved -+ -+ The next arguments modify the behaviour if preserve=True: -+ append - if True, the services will be appended, if False, -+ prepended -+ default_value - list of services that are considered as default (if -+ the database is not mentioned in nsswitch.conf), -+ e.g. ['files'] -+ """ -+ -+ # Backup the original version of nsswitch.conf, we're going to edit it -+ # now -+ if not fstore.has_file(paths.NSSWITCH_CONF): -+ fstore.backup_file(paths.NSSWITCH_CONF) -+ -+ conf = IPAChangeConf("IPA Installer") -+ conf.setOptionAssignment(':') -+ -+ if preserve: -+ # Read the existing configuration -+ with open(paths.NSSWITCH_CONF, 'r') as f: -+ opts = conf.parse(f) -+ raw_database_entry = conf.findOpts(opts, 'option', database)[1] -+ -+ # Detect the list of already configured services -+ if not raw_database_entry: -+ # If there is no database entry, database is not present in -+ # the nsswitch.conf. Set the list of services to the -+ # default list, if passed. 
-+ configured_services = list(default_value) -+ else: -+ configured_services = raw_database_entry[ -+ 'value'].strip().split() -+ -+ # Make sure no service is added if already mentioned in the list -+ added_services = [s for s in services -+ if s not in configured_services] -+ -+ # Prepend / append the list of new services -+ if append: -+ new_value = ' ' + ' '.join(configured_services + -+ added_services) -+ else: -+ new_value = ' ' + ' '.join(added_services + -+ configured_services) -+ -+ else: -+ # Preserve not set, let's rewrite existing configuration -+ new_value = ' ' + ' '.join(services) -+ -+ # Set new services as sources for database -+ opts = [ -+ conf.setOption(database, new_value), -+ conf.emptyLine(), -+ ] -+ -+ conf.changeConf(paths.NSSWITCH_CONF, opts) -+ logger.info("Configured %s in %s", database, paths.NSSWITCH_CONF) -+ -+ def enable_sssd_sudo(self, fstore): -+ """Configure nsswitch.conf to use sssd for sudo""" -+ self.configure_nsswitch_database( -+ fstore, 'sudoers', ['sss'], -+ default_value=['files']) -+ -+ def enable_ldap_automount(self, statestore): -+ """ -+ Point automount to ldap in nsswitch.conf. -+ This function is for non-SSSD setups only. 
-+ """ -+ conf = IPAChangeConf("IPA Installer") -+ conf.setOptionAssignment(':') -+ -+ with open(paths.NSSWITCH_CONF, 'r') as f: -+ current_opts = conf.parse(f) -+ current_nss_value = conf.findOpts( -+ current_opts, name='automount', type='option' -+ )[1] -+ if current_nss_value is None: -+ # no automount database present -+ current_nss_value = False # None cannot be backed up -+ else: -+ current_nss_value = current_nss_value['value'] -+ statestore.backup_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount', -+ current_nss_value -+ ) -+ -+ nss_value = ' files ldap' -+ opts = [ -+ { -+ 'name': 'automount', -+ 'type': 'option', -+ 'action': 'set', -+ 'value': nss_value, -+ }, -+ {'name': 'empty', 'type': 'empty'}, -+ ] -+ conf.changeConf(paths.NSSWITCH_CONF, opts) -+ -+ logger.info("Configured %s", paths.NSSWITCH_CONF) -+ -+ def disable_ldap_automount(self, statestore): -+ """Disable automount using LDAP""" -+ if statestore.get_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) is False: -+ # Previous nsswitch.conf had no automount database configured -+ # so remove it. 
-+ conf = IPAChangeConf("IPA automount installer") -+ conf.setOptionAssignment(':') -+ changes = [conf.rmOption('automount')] -+ conf.changeConf(paths.NSSWITCH_CONF, changes) -+ self.restore_context(paths.NSSWITCH_CONF) -+ statestore.delete_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) -+ elif statestore.get_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) is not None: -+ nss_value = statestore.get_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) -+ opts = [ -+ { -+ 'name': 'automount', -+ 'type': 'option', -+ 'action': 'set', -+ 'value': nss_value, -+ }, -+ {'name': 'empty', 'type': 'empty'}, -+ ] -+ conf = IPAChangeConf("IPA automount installer") -+ conf.setOptionAssignment(':') -+ conf.changeConf(paths.NSSWITCH_CONF, opts) -+ self.restore_context(paths.NSSWITCH_CONF) -+ statestore.delete_state( -+ 'ipa-client-automount-nsswitch', 'previous-automount' -+ ) - - tasks = BaseTaskNamespace() -diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py -index 8ccd04b..15bdef6 100644 ---- a/ipaplatform/redhat/paths.py -+++ b/ipaplatform/redhat/paths.py -@@ -39,6 +39,7 @@ class RedHatPathNamespace(BasePathNamespace): - AUTHCONFIG = '/usr/sbin/authconfig' - AUTHSELECT = '/usr/bin/authselect' - SYSCONF_NETWORK = '/etc/sysconfig/network' -+ NSSWITCH_CONF = '/etc/authselect/user-nsswitch.conf' - - - paths = RedHatPathNamespace() -diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py -index be0b641..e18f6fa 100644 ---- a/ipaplatform/redhat/tasks.py -+++ b/ipaplatform/redhat/tasks.py -@@ -744,4 +744,23 @@ class RedHatTaskNamespace(BaseTaskNamespace): - - return filenames - -+ def enable_ldap_automount(self, statestore): -+ """ -+ Point automount to ldap in nsswitch.conf. -+ This function is for non-SSSD setups only. 
-+ """ -+ super(RedHatTaskNamespace, self).enable_ldap_automount(statestore) -+ -+ authselect_cmd = [paths.AUTHSELECT, "enable-feature", -+ "with-custom-automount"] -+ ipautil.run(authselect_cmd) -+ -+ def disable_ldap_automount(self, statestore): -+ """Disable ldap-based automount""" -+ super(RedHatTaskNamespace, self).disable_ldap_automount(statestore) -+ -+ authselect_cmd = [paths.AUTHSELECT, "disable-feature", -+ "with-custom-automount"] -+ ipautil.run(authselect_cmd) -+ - tasks = RedHatTaskNamespace() - diff --git a/SOURCES/0011-adtrust-avoid-using-timestamp-in-klist-output_ed1c1626-rhbz#1750242.patch b/SOURCES/0011-adtrust-avoid-using-timestamp-in-klist-output_ed1c1626-rhbz#1750242.patch deleted file mode 100644 index eb61338..0000000 --- a/SOURCES/0011-adtrust-avoid-using-timestamp-in-klist-output_ed1c1626-rhbz#1750242.patch +++ /dev/null 
@@ -1,50 +0,0 @@
-From ed1c1626a607a5292c08836d13c32464d1b71859 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Mon, 9 Sep 2019 11:02:29 +0300
-Subject: [PATCH] adtrust: avoid using timestamp in klist output
-
-When parsing a keytab to copy keys to a different keytab, we don't need
-the timestamp, so don't ask klist to output it. In some locales (en_IN,
-for example), the timestamp is output in a single field without a space
-between date and time. In other locales it can be represented with date
-and time separated by a space.
-
-Fixes: https://pagure.io/freeipa/issue/8066
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- ipaserver/install/plugins/adtrust.py | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
-index 28932e6c52..3b2e49bc05 100644
---- a/ipaserver/install/plugins/adtrust.py
-+++ b/ipaserver/install/plugins/adtrust.py
-@@ -721,7 +721,7 @@ def execute(self, **options):
-
-
- KeyEntry = namedtuple('KeyEntry',
-- ['kvno', 'date', 'time', 'principal', 'etype', 'key'])
-+ ['kvno', 'principal', 'etype', 'key'])
-
-
- @register()
-@@ -741,7 +741,7 @@ class update_host_cifs_keytabs(Updater):
- def extract_key_refs(self, keytab):
- host_princ = self.host_princ_template.format(
- master=self.api.env.host, realm=self.api.env.realm)
-- result = ipautil.run([paths.KLIST, "-etK", "-k", keytab],
-+ result = ipautil.run([paths.KLIST, "-eK", "-k", keytab],
- capture_output=True, raiseonerr=False,
- nolog_output=True)
- if result.returncode != 0:
-@@ -752,8 +752,8 @@ def extract_key_refs(self, keytab):
- if (host_princ in l and any(e in l for e in self.valid_etypes)):
-
- els = l.split()
-- els[4] = els[4].strip('()')
-- els[5] = els[5].strip('()')
-+ els[-2] = els[-2].strip('()')
-+ els[-1] = els[-1].strip('()')
- keys_to_sync.append(KeyEntry._make(els))
-
- return keys_to_sync
diff --git a/SOURCES/0012-add-default-access-control-configuration-to-trusted-domain-objects_rhbz#1751707.patch b/SOURCES/0012-add-default-access-control-configuration-to-trusted-domain-objects_rhbz#1751707.patch
deleted file mode 100644
index beffd5d..0000000
--- a/SOURCES/0012-add-default-access-control-configuration-to-trusted-domain-objects_rhbz#1751707.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 0deea83e93665404bb536d181ae54ad7cff45336 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sep 13 2019 07:34:35 +0000
-Subject: add default access control when migrating trust objects
-
-
-It looks like for some cases we do not have proper set up keytab
-retrieval configuration in the old trusted domain object. This mostly
-affects two-way trust cases. In such cases, create default configuration
-as ipasam would have created when trust was established.
-
-Resolves: https://pagure.io/freeipa/issue/8067
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-
----
-
-diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
-index 3b2e49b..7e6b5c3 100644
---- a/ipaserver/install/plugins/adtrust.py
-+++ b/ipaserver/install/plugins/adtrust.py
-@@ -29,6 +29,9 @@ logger = logging.getLogger(__name__)
- register = Registry()
-
- DEFAULT_ID_RANGE_SIZE = 200000
-+trust_read_keys_template = \
-+ ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
-+ "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
-
-
- @register()
-@@ -576,8 +579,15 @@ class update_tdo_to_new_layout(Updater):
- 'krbprincipalkey')
- entry_data['krbextradata'] = en.single_value.get(
- 'krbextradata')
-- entry_data['ipaAllowedToPerform;read_keys'] = en.get(
-- 'ipaAllowedToPerform;read_keys', [])
-+ read_keys = en.get('ipaAllowedToPerform;read_keys', [])
-+ if not read_keys:
-+ # Old style, no ipaAllowedToPerform;read_keys in the entry,
-+ # use defaults that ipasam should have set when creating a
-+ # trust
-+ read_keys = list(map(
-+ lambda x: x.format(basedn=self.api.env.basedn),
-+ trust_read_keys_template))
-+ entry_data['ipaAllowedToPerform;read_keys'] = read_keys
-
- entry.update(entry_data)
- try:
-
-From b32510d67d2bd64e77659c6766d3f9647629acec Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sep 13 2019 07:34:35 +0000
-Subject: adtrust: add default read_keys permission for TDO objects
-
-
-If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
-attribute values, it cannot be used by SSSD to retrieve TDO keys and the
-whole communication with Active Directory domain controllers will not be
-possible.
-
-This seems to affect trusts which were created before
-ipaAllowedToPerform;read_keys permission granting was introduced
-(FreeIPA 4.2). Add back the default setting for the permissions which
-grants access to trust agents and trust admins.
-
-Resolves: https://pagure.io/freeipa/issue/8067
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-
----
-
-diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
-index f5f428d..8eb1977 100644
---- a/install/updates/90-post_upgrade_plugins.update
-+++ b/install/updates/90-post_upgrade_plugins.update
-@@ -13,6 +13,7 @@ plugin: update_default_trust_view
- plugin: update_tdo_gidnumber
- plugin: update_tdo_to_new_layout
- plugin: update_host_cifs_keytabs
-+plugin: update_tdo_default_read_keys_permissions
- plugin: update_ca_renewal_master
- plugin: update_idrange_type
- plugin: update_pacs
-diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
-index 7e6b5c3..386fe53 100644
---- a/ipaserver/install/plugins/adtrust.py
-+++ b/ipaserver/install/plugins/adtrust.py
-@@ -821,3 +821,59 @@ class update_host_cifs_keytabs(Updater):
- self.copy_key(paths.SAMBA_KEYTAB, hostkey)
-
- return False, []
-+
-+
-+@register()
-+class update_tdo_default_read_keys_permissions(Updater):
-+ trust_filter = \
-+ "(&(objectClass=krbPrincipal)(krbPrincipalName=krbtgt/{nbt}@*))"
-+
-+ def execute(self, **options):
-+ ldap = self.api.Backend.ldap2
-+
-+ # First, see if trusts are enabled on the server
-+ if not self.api.Command.adtrust_is_enabled()['result']:
-+ logger.debug('AD Trusts are not enabled on this server')
-+ return False, []
-+
-+ result = self.api.Command.trustconfig_show()['result']
-+ our_nbt_name = result.get('ipantflatname', [None])[0]
-+ if not our_nbt_name:
-+ return False, []
-+
-+ trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
-+ trust_filter = self.trust_filter.format(nbt=our_nbt_name)
-+
-+ # We might be in a situation when no trusts exist yet
-+ # In such case there is nothing to upgrade but we have to catch
-+ # an exception or it will abort the whole upgrade process
-+ try:
-+ tdos = ldap.get_entries(
-+ base_dn=trusts_dn,
-+ scope=ldap.SCOPE_SUBTREE,
-+ filter=trust_filter,
-+ attrs_list=['*'])
-+ except errors.EmptyResult:
-+ tdos = []
-+
-+ for tdo in tdos:
-+ updates = dict()
-+ oc = tdo.get('objectClass', [])
-+ if 'ipaAllowedOperations' not in oc:
-+ updates['objectClass'] = oc + ['ipaAllowedOperations']
-+
-+ read_keys = tdo.get('ipaAllowedToPerform;read_keys', [])
-+ if not read_keys:
-+ read_keys_values = list(map(
-+ lambda x: x.format(basedn=self.api.env.basedn),
-+ trust_read_keys_template))
-+ updates['ipaAllowedToPerform;read_keys'] = read_keys_values
-+
-+ tdo.update(updates)
-+ try:
-+ ldap.update_entry(tdo)
-+ except errors.EmptyModlist:
-+ logger.debug("No update was required for TDO %s",
-+ tdo.single_value.get('krbCanonicalName'))
-+
-+ return False, []
-
diff --git a/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch b/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch
deleted file mode 100644
index 456f839..0000000
--- a/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 18540386230e295087296e58761ced2b781ae4e3 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Nov 21 2019 09:44:37 +0000
-Subject: Do not run trust upgrade code if master lacks Samba bindings
-
-
-If a replica has no Samba bindings but there are trust agreements
-configured on some trust controller, skip trust upgrade code on this
-replica.
-
-Resolves: https://pagure.io/freeipa/issue/8001
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-
----
-
-diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
-index b7bb53f..2a9b4f0 100644
---- a/ipaserver/install/plugins/adtrust.py
-+++ b/ipaserver/install/plugins/adtrust.py
-@@ -24,6 +24,8 @@ except ImportError:
- def ndr_unpack(x):
- raise NotImplementedError
-
-+ drsblobs = None
-+
- logger = logging.getLogger(__name__)
-
- register = Registry()
-@@ -633,6 +635,10 @@ class update_tdo_to_new_layout(Updater):
- logger.debug('AD Trusts are not enabled on this server')
- return False, []
-
-+ # If we have no Samba bindings, this master is not a trust controller
-+ if drsblobs is None:
-+ return False, []
-+
- ldap = self.api.Backend.ldap2
- gidNumber = get_gidNumber(ldap, self.api.env)
- if gidNumber is None:
-
diff --git a/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch b/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch
deleted file mode 100644
index 9b399a3..0000000
--- a/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch
+++ /dev/null
@@ -1,187 +0,0 @@
-From e11e73abc101361c0b66b3b958a64c9c8f6c608b Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Mon, 16 Sep 2019 11:12:25 -0400
-Subject: [PATCH 1/2] CVE-2019-14867: Make sure to have storage space for tag
-
-ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
-by "t", if that is not provided the pointer will be store in whatever
-memory location is pointed by the stack at that time causeing a crash.
-
-It's also possible for unprivileged end users to trigger parsing of the
-krbPrincipalKey.
-
-Fixes #8071: CVE-2019-14867
-
-Reported by Todd Lipcon from Cloudera
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-(cherry picked from commit d2e0d94521893bc5f002a335a8c0b99601e1afd6)
----
- util/ipa_krb5.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
-index a27cd4a4e..c09c3daa5 100644
---- a/util/ipa_krb5.c
-+++ b/util/ipa_krb5.c
-@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
- retag = ber_peek_tag(be, &setlen);
- if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
- /* not supported yet, skip */
-- retag = ber_scanf(be, "t[x]}");
-+ retag = ber_scanf(be, "t[x]}", &tag);
- } else {
- retag = ber_scanf(be, "}");
- }
---
-2.23.0
-
-
-From 39120fa9a4a00983917659e4253446ed82839975 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 2 Jul 2019 13:44:48 -0400
-Subject: [PATCH 2/2] CVE-2019-10195: Don't log passwords embedded in commands
- in calls using batch
-
-A raw batch request was fully logged which could expose parameters
-we don't want logged, like passwords.
-
-Override _repr_iter to use the individual commands to log the
-values so that values are properly obscured.
-
-In case of errors log the full value on when the server is in
-debug mode.
-
-Reported by Jamison Bennett from Cloudera
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-by: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipaserver/plugins/batch.py | 96 ++++++++++++++++++++++++++++----------
- 1 file changed, 72 insertions(+), 24 deletions(-)
-
-diff --git a/ipaserver/plugins/batch.py b/ipaserver/plugins/batch.py
-index c9895a8f6..b95944c54 100644
---- a/ipaserver/plugins/batch.py
-+++ b/ipaserver/plugins/batch.py
-@@ -93,35 +93,82 @@ class batch(Command):
- Output('results', (list, tuple), doc='')
- )
-
-+ def _validate_request(self, request):
-+ """
-+ Check that an individual request in a batch is parseable and the
-+ commands exists.
-+ """
-+ if 'method' not in request:
-+ raise errors.RequirementError(name='method')
-+ if 'params' not in request:
-+ raise errors.RequirementError(name='params')
-+ name = request['method']
-+ if (name not in self.api.Command or
-+ isinstance(self.api.Command[name], Local)):
-+ raise errors.CommandError(name=name)
-+
-+ # If params are not formated as a tuple(list, dict)
-+ # the following lines will raise an exception
-+ # that triggers an internal server error
-+ # Raise a ConversionError instead to report the issue
-+ # to the client
-+ try:
-+ a, kw = request['params']
-+ newkw = dict((str(k), v) for k, v in kw.items())
-+ api.Command[name].args_options_2_params(*a, **newkw)
-+ except (AttributeError, ValueError, TypeError):
-+ raise errors.ConversionError(
-+ name='params',
-+ error=_(u'must contain a tuple (list, dict)'))
-+ except Exception as e:
-+ raise errors.ConversionError(
-+ name='params',
-+ error=str(e))
-+
-+ def _repr_iter(self, **params):
-+ """
-+ Iterate through the request and use the Command _repr_intr so
-+ that sensitive information (passwords) is not exposed.
-+
-+ In case of a malformatted request redact the entire thing.
-+ """
-+ exceptions = False
-+ for arg in (params.get('methods', [])):
-+ try:
-+ self._validate_request(arg)
-+ except Exception:
-+ # redact the whole request since we don't know what's in it
-+ exceptions = True
-+ yield u'********'
-+ continue
-+
-+ name = arg['method']
-+ a, kw = arg['params']
-+ newkw = dict((str(k), v) for k, v in kw.items())
-+ param = api.Command[name].args_options_2_params(
-+ *a, **newkw)
-+
-+ yield '{}({})'.format(
-+ api.Command[name].name,
-+ ', '.join(api.Command[name]._repr_iter(**param))
-+ )
-+
-+ if exceptions:
-+ logger.debug('batch: %s',
-+ ', '.join(super(batch, self)._repr_iter(**params)))
-+
- def execute(self, methods=None, **options):
- results = []
- for arg in (methods or []):
- params = dict()
- name = None
- try:
-- if 'method' not in arg:
-- raise errors.RequirementError(name='method')
-- if 'params' not in arg:
-- raise errors.RequirementError(name='params')
-+ self._validate_request(arg)
- name = arg['method']
-- if (name not in self.api.Command or
-- isinstance(self.api.Command[name], Local)):
-- raise errors.CommandError(name=name)
--
-- # If params are not formated as a tuple(list, dict)
-- # the following lines will raise an exception
-- # that triggers an internal server error
-- # Raise a ConversionError instead to report the issue
-- # to the client
-- try:
-- a, kw = arg['params']
-- newkw = dict((str(k), v) for k, v in kw.items())
-- params = api.Command[name].args_options_2_params(
-- *a, **newkw)
-- except (AttributeError, ValueError, TypeError):
-- raise errors.ConversionError(
-- name='params',
-- error=_(u'must contain a tuple (list, dict)'))
-+ a, kw = arg['params']
-+ newkw = dict((str(k), v) for k, v in kw.items())
-+ params = api.Command[name].args_options_2_params(
-+ *a, **newkw)
- newkw.setdefault('version', options['version'])
-
- result = api.Command[name](*a, **newkw)
-@@ -133,8 +180,9 @@ class batch(Command):
- )
- result['error']=None
- except Exception as e:
-- if isinstance(e,
errors.RequirementError) or \ -- isinstance(e, errors.CommandError): -+ if (isinstance(e, errors.RequirementError) or -+ isinstance(e, errors.CommandError) or -+ isinstance(e, errors.ConversionError)): - logger.info( - '%s: batch: %s', - context.principal, # pylint: disable=no-member --- -2.23.0 - diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index dd6dc07..be93e35 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,15 +1,15 @@ -From 63b3030e2e2f6411ad29448746b96bb9658467f8 Mon Sep 17 00:00:00 2001 +From a98b0595fce7dea121c743455ac5d44a2e282e80 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 02/72] client/man/default.conf.5: Change branding to IPA - and Identity Management +Subject: [PATCH 01/71] client/man/default.conf.5: Change branding to IPA and + Identity Management --- client/man/default.conf.5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/default.conf.5 b/client/man/default.conf.5 -index f21d9d5b7..d6c1e42d1 100644 +index 728fc08..6ec8616 100644 --- a/client/man/default.conf.5 +++ b/client/man/default.conf.5 @@ -16,7 +16,7 @@ @@ -22,21 +22,21 @@ index f21d9d5b7..d6c1e42d1 100644 default.conf \- IPA configuration file .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 3fe816976ea30d363ae5c6086b8daaaadaa5d7f7 Mon Sep 17 00:00:00 2001 +From 67d0b5bf5b4ce068d3d5a89a36fca44589ba7040 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 03/72] client/man/ipa-certupdate.1: Change branding to IPA - and Identity Management +Subject: [PATCH 02/71] client/man/ipa-certupdate.1: Change branding to IPA and + Identity Management --- client/man/ipa-certupdate.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-certupdate.1 b/client/man/ipa-certupdate.1 -index d95790a36..431b395a9 100644 +index d95790a..431b395 100644 --- a/client/man/ipa-certupdate.1 +++ b/client/man/ipa-certupdate.1 @@ -16,7 +16,7 @@ @@ -49,21 +49,21 @@ index d95790a36..431b395a9 100644 ipa\-certupdate \- Update local IPA certificate databases with certificates from the server .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From eca4cf0eabb4dee96ca01c02910153147e58ec4d Mon Sep 17 00:00:00 2001 +From 84addd7681276f065e6c974997127d394133d51c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 04/72] client/man/ipa-client-automount.1: Change branding - to IPA and Identity Management +Subject: [PATCH 03/71] client/man/ipa-client-automount.1: Change branding to + IPA and Identity Management --- client/man/ipa-client-automount.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1 -index 343f64160..3f7c7d506 100644 +index 4c3caee..3f6edab 100644 --- a/client/man/ipa-client-automount.1 +++ b/client/man/ipa-client-automount.1 @@ -16,7 +16,7 @@ @@ -76,21 +76,21 @@ index 343f64160..3f7c7d506 100644 ipa\-client\-automount \- Configure automount and NFS for IPA .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From e4097608a167f41998e863dfed0e3d135c54b6a0 Mon Sep 17 00:00:00 2001 +From d63e2ce893f3fb8a3fcf0ec91893847f942380f6 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 05/72] client/man/ipa-client-install.1: Change branding to - IPA and Identity Management +Subject: [PATCH 04/71] client/man/ipa-client-install.1: Change branding to IPA + and Identity Management --- client/man/ipa-client-install.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 -index a20bec9a1..d7347ed37 100644 +index 94b4b04..743fa6a 100644 --- a/client/man/ipa-client-install.1 +++ b/client/man/ipa-client-install.1 @@ -1,7 +1,7 @@ @@ -103,21 +103,21 @@ index a20bec9a1..d7347ed37 100644 ipa\-client\-install \- Configure an IPA client .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 3bfd21f6778e288b5094262aa481a835b49cc0f4 Mon Sep 17 00:00:00 2001 +From 959face241f87ba6c703b7ae4aa71ff9da60d175 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 06/72] client/man/ipa-getkeytab.1: Change branding to IPA - and Identity Management +Subject: [PATCH 05/71] client/man/ipa-getkeytab.1: Change branding to IPA and + Identity Management --- client/man/ipa-getkeytab.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 -index 20ceee2e6..061798693 100644 +index f06fcd9..01a2618 100644 --- a/client/man/ipa-getkeytab.1 +++ b/client/man/ipa-getkeytab.1 @@ -17,7 +17,7 @@ @@ -129,7 +129,7 @@ index 20ceee2e6..061798693 100644 .SH "NAME" ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" -@@ -117,7 +117,7 @@ GSSAPI or EXTERNAL. +@@ -118,7 +118,7 @@ GSSAPI or EXTERNAL. \fB\-r\fR Retrieve mode. Retrieve an existing key from the server instead of generating a new one. This is incompatible with the \-\-password option, and will work only 
@@ -139,13 +139,13 @@ index 20ceee2e6..061798693 100644 .SH "EXAMPLES" Add and retrieve a keytab for the NFS service principal on -- -2.17.1 +2.21.0 -From 812ccffd549367cac3e4d2896b231b7b278e0b92 Mon Sep 17 00:00:00 2001 +From f6a2e0baebd1969de46a0ea92b68bb0742459235 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 07/72] client/man/ipa-join.1: Change branding to IPA and +Subject: [PATCH 06/71] client/man/ipa-join.1: Change branding to IPA and Identity Management --- @@ -153,7 +153,7 @@ Subject: [PATCH 07/72] client/man/ipa-join.1: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-join.1 b/client/man/ipa-join.1 -index d88160784..30b667558 100644 +index d881607..30b6675 100644 --- a/client/man/ipa-join.1 +++ b/client/man/ipa-join.1 @@ -16,7 +16,7 @@ @@ -166,21 +166,21 @@ index d88160784..30b667558 100644 ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 3cac7f131059c01306b1db34fc30345add3fcf11 Mon Sep 17 00:00:00 2001 +From fcf92b11295321a8df6eb27babcc959926a59fe3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 08/72] client/man/ipa-rmkeytab.1: Change branding to IPA - and Identity Management +Subject: [PATCH 07/71] client/man/ipa-rmkeytab.1: Change branding to IPA and + Identity Management --- client/man/ipa-rmkeytab.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-rmkeytab.1 b/client/man/ipa-rmkeytab.1 -index 53f775439..2c8218c94 100644 +index 53f7754..2c8218c 100644 --- a/client/man/ipa-rmkeytab.1 +++ b/client/man/ipa-rmkeytab.1 @@ -17,7 +17,7 @@ 
@@ -193,21 +193,21 @@ index 53f775439..2c8218c94 100644 ipa\-rmkeytab \- Remove a kerberos principal from a keytab .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 0373bb1499f50bf4c04becabf2e773dd5977060e Mon Sep 17 00:00:00 2001 +From 8978dadb62b23014d5d82547e16c07c575c7cf56 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 09/72] client/man/ipa.1: Change branding to IPA and - Identity Management +Subject: [PATCH 08/71] client/man/ipa.1: Change branding to IPA and Identity + Management --- client/man/ipa.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa.1 b/client/man/ipa.1 -index f9fae7c0d..2fb21b52d 100644 +index f9fae7c..2fb21b5 100644 --- a/client/man/ipa.1 +++ b/client/man/ipa.1 @@ -16,7 +16,7 @@ @@ -220,21 +220,21 @@ index f9fae7c0d..2fb21b52d 100644 ipa \- IPA command\-line interface .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 36b7dce706ec2b0b650c51cea24be0655fd0c096 Mon Sep 17 00:00:00 2001 +From d2a614533c0d7c1203d9251dc557871bc8962efd Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 10/72] install/html/ssbrowser.html: Change branding to IPA - and Identity Management +Subject: [PATCH 09/71] install/html/ssbrowser.html: Change branding to IPA and + Identity Management --- install/html/ssbrowser.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html -index faa7e657b..89ada7cb1 100644 +index faa7e65..89ada7c 100644 --- a/install/html/ssbrowser.html +++ b/install/html/ssbrowser.html @@ -2,7 +2,7 @@ @@ -256,21 +256,21 @@ index faa7e657b..89ada7cb1 100644 </nav> -- -2.17.1 +2.21.0 -From 9273d2fdee9baef212eeaac941b7c8b497d50728 Mon Sep 17 00:00:00 2001 +From 199f34178cd8dfff0fd5edd37472787bbd3b4320 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 11/72] install/html/unauthorized.html: Change branding to - IPA and Identity Management +Subject: [PATCH 10/71] install/html/unauthorized.html: Change branding to IPA + and Identity Management --- install/html/unauthorized.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/html/unauthorized.html b/install/html/unauthorized.html -index 630982da8..b8c64d69d 100644 +index 630982d..b8c64d6 100644 --- a/install/html/unauthorized.html +++ b/install/html/unauthorized.html @@ -2,7 +2,7 @@ @@ -292,13 +292,13 @@ index 630982da8..b8c64d69d 100644 </nav> -- -2.17.1 +2.21.0 -From b9d7e2a0d08d8d03f1fbaaae6268292934f894f0 Mon Sep 17 00:00:00 2001 +From 116e40f79a289aa4817cee7d8fbb4935b6346997 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 12/72] install/migration/index.html: Change branding to IPA +Subject: [PATCH 11/71] install/migration/index.html: Change branding to IPA and Identity Management --- @@ -306,7 +306,7 @@ Subject: [PATCH 12/72] install/migration/index.html: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/migration/index.html b/install/migration/index.html -index fca517cdc..b5ac1f6df 100644 +index fca517c..b5ac1f6 100644 --- a/install/migration/index.html +++ b/install/migration/index.html @@ -2,7 +2,7 @@ @@ -319,21 +319,21 @@ index fca517cdc..b5ac1f6df 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.17.1 +2.21.0 -From 9a2d23539ec1d3e72f2bcfda319c78994d8c8b73 Mon Sep 17 00:00:00 2001 +From 15bcd44695d9f0920c0df57f1a32f3cfaf5a4247 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 13/72] install/share/schema.d/README: Change branding to - IPA and Identity Management +Subject: [PATCH 12/71] install/share/schema.d/README: Change branding to IPA + and Identity Management --- install/share/schema.d/README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/schema.d/README b/install/share/schema.d/README -index 19e3e6832..2a92ec6ae 100644 +index 19e3e68..2a92ec6 100644 --- a/install/share/schema.d/README +++ b/install/share/schema.d/README @@ -7,8 +7,8 @@ schema files during the run of ipa-server-upgrade utility. Therefore, they are @@ -348,21 +348,21 @@ index 19e3e6832..2a92ec6ae 100644 You may place your schema files in a subdirectory too, the code that loads schema files processes recursively all subdirectories of schema.d. -- -2.17.1 +2.21.0 -From 8cdc33d0bfc113d4391c75470b262c82ddf39a51 Mon Sep 17 00:00:00 2001 +From 96ab352b2c46c6387d4deed7a06649def48e2351 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 14/72] install/tools/ipa-adtrust-install.in: Change - branding to IPA and Identity Management +Subject: [PATCH 13/71] install/tools/ipa-adtrust-install.in: Change branding + to IPA and Identity Management --- install/tools/ipa-adtrust-install.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in -index cb0b1a17a..3cc680f3a 100644 +index 1abfea9..04510a5 100644 --- a/install/tools/ipa-adtrust-install.in +++ b/install/tools/ipa-adtrust-install.in @@ -141,11 +141,11 @@ def main(): 
@@ -380,21 +380,21 @@ index cb0b1a17a..3cc680f3a 100644 # print " * Add a SID to all users and Posix groups" print("") -- -2.17.1 +2.21.0 -From 8eabc86504ea14b8b0c9f7dfd03e9964782a6707 Mon Sep 17 00:00:00 2001 +From d1479121c7bbb1ab74e62ffb2b5b6ccac0d82ff9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 15/72] install/tools/ipa-replica-conncheck.in: Change - branding to IPA and Identity Management +Subject: [PATCH 14/71] install/tools/ipa-replica-conncheck.in: Change branding + to IPA and Identity Management --- install/tools/ipa-replica-conncheck.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-replica-conncheck.in b/install/tools/ipa-replica-conncheck.in -index 82fa170c6..413d2cb66 100644 +index b22db11..b86ce45 100644 --- a/install/tools/ipa-replica-conncheck.in +++ b/install/tools/ipa-replica-conncheck.in @@ -290,7 +290,7 @@ class PortResponder(threading.Thread): @@ -407,13 +407,13 @@ index 82fa170c6..413d2cb66 100644 self.ports_open_cond = threading.Condition() -- -2.17.1 +2.21.0 -From 54fe67b68c08a617748d5ab46201141cf0d3f39a Mon Sep 17 00:00:00 2001 +From 3ea319693045808c59bb43055e0b9d511cbc1ef8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 16/72] install/tools/man/ipa-adtrust-install.1: Change +Subject: [PATCH 15/71] install/tools/man/ipa-adtrust-install.1: Change branding to IPA and Identity Management --- @@ -421,7 +421,7 @@ Subject: [PATCH 16/72] install/tools/man/ipa-adtrust-install.1: Change 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 -index b11065806..f70f316f6 100644 +index b110658..f70f316 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -16,7 +16,7 @@ 
@@ -443,21 +443,21 @@ index b11065806..f70f316f6 100644 to the list automatically as restart of the LDAP service on each of them is required. The host where ipa\-adtrust\-install is being run is added -- -2.17.1 +2.21.0 -From bcedaa67083688b766a713b392cb5a3df350fe41 Mon Sep 17 00:00:00 2001 +From c12d0550c227a625a1a04ed11781a3c0ffae05f9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 17/72] install/tools/man/ipa-advise.1: Change branding to - IPA and Identity Management +Subject: [PATCH 16/71] install/tools/man/ipa-advise.1: Change branding to IPA + and Identity Management --- install/tools/man/ipa-advise.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-advise.1 b/install/tools/man/ipa-advise.1 -index 4c494aab9..515bbddbe 100644 +index 4c494aa..515bbdd 100644 --- a/install/tools/man/ipa-advise.1 +++ b/install/tools/man/ipa-advise.1 @@ -16,7 +16,7 @@ @@ -477,21 +477,21 @@ index 4c494aab9..515bbddbe 100644 \ No newline at end of file +1 if an error occurred -- -2.17.1 +2.21.0 -From 610ffd04d15ab82fb34abd068785cdbfa7bd094c Mon Sep 17 00:00:00 2001 +From 24b7c7cd888abd3d044b7a7c7fba8fe6f6fe2d44 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 18/72] install/tools/man/ipa-backup.1: Change branding to - IPA and Identity Management +Subject: [PATCH 17/71] install/tools/man/ipa-backup.1: Change branding to IPA + and Identity Management --- install/tools/man/ipa-backup.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1 -index 77081b61d..8f3f71282 100644 +index 77081b6..8f3f712 100644 --- a/install/tools/man/ipa-backup.1 +++ b/install/tools/man/ipa-backup.1 @@ -16,7 +16,7 @@ 
@@ -504,21 +504,21 @@ index 77081b61d..8f3f71282 100644 ipa\-backup \- Back up an IPA master .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 1b71763bbf751b932118aa79b79c8dbd21e00ed6 Mon Sep 17 00:00:00 2001 +From 6f811a93085b8422bd75d540dd9b9a58d7b75f86 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 19/72] install/tools/man/ipa-ca-install.1: Change branding - to IPA and Identity Management +Subject: [PATCH 18/71] install/tools/man/ipa-ca-install.1: Change branding to + IPA and Identity Management --- install/tools/man/ipa-ca-install.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 -index 5ac7e2b75..edb25be70 100644 +index 3ebe32c..8e57c00 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -16,7 +16,7 @@ @@ -531,21 +531,21 @@ index 5ac7e2b75..edb25be70 100644 ipa\-ca\-install \- Install a CA on a server .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 352f373c2daefa96fd46906d9fbeac0a6817c4c7 Mon Sep 17 00:00:00 2001 +From bb7f2fab05d96e97a845f074e9aeb2c2dab52f20 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 20/72] install/tools/man/ipa-cacert-manage.1: Change - branding to IPA and Identity Management +Subject: [PATCH 19/71] install/tools/man/ipa-cacert-manage.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-cacert-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 -index bacd56b5a..ed69e8435 100644 +index 0cd34ee..84fbc1a 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -16,7 +16,7 @@ 
@@ -558,21 +558,21 @@ index bacd56b5a..ed69e8435 100644 ipa\-cacert\-manage \- Manage CA certificates in IPA .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 0f35caa7b5ffce35f85c99e0fac3fe16a92050a1 Mon Sep 17 00:00:00 2001 +From 5203f09b581b3cd385d2f022b100e854b65c71db Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 21/72] install/tools/man/ipa-compat-manage.1: Change - branding to IPA and Identity Management +Subject: [PATCH 20/71] install/tools/man/ipa-compat-manage.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-compat-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-compat-manage.1 b/install/tools/man/ipa-compat-manage.1 -index f22b1743e..26470331a 100644 +index f22b174..2647033 100644 --- a/install/tools/man/ipa-compat-manage.1 +++ b/install/tools/man/ipa-compat-manage.1 @@ -16,7 +16,7 @@ @@ -585,13 +585,13 @@ index f22b1743e..26470331a 100644 ipa\-compat\-manage \- Enables or disables the schema compatibility plugin .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 915fad2b79ca214fe311d6d44945847c751265f5 Mon Sep 17 00:00:00 2001 +From 118a4b5d5a7782fa2f98194ca940ddd68f17116c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 22/72] install/tools/man/ipa-csreplica-manage.1: Change +Subject: [PATCH 21/71] install/tools/man/ipa-csreplica-manage.1: Change branding to IPA and Identity Management --- @@ -599,7 +599,7 @@ Subject: [PATCH 22/72] install/tools/man/ipa-csreplica-manage.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1 -index ab5bfddd8..6d039751e 100644 +index ab5bfdd..6d03975 100644 --- a/install/tools/man/ipa-csreplica-manage.1 +++ b/install/tools/man/ipa-csreplica-manage.1 @@ -16,7 +16,7 @@ 
@@ -612,21 +612,21 @@ index ab5bfddd8..6d039751e 100644 ipa\-csreplica\-manage \- Manage an IPA CS replica .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 82567551b768c027993dba4a3a31fa0c144dcbd1 Mon Sep 17 00:00:00 2001 +From 07aee8049471294f114d3953c0af762fd0ce7dfc Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 23/72] install/tools/man/ipa-dns-install.1: Change branding - to IPA and Identity Management +Subject: [PATCH 22/71] install/tools/man/ipa-dns-install.1: Change branding to + IPA and Identity Management --- install/tools/man/ipa-dns-install.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 -index 14e4cd51f..029001eca 100644 +index 14e4cd5..029001e 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/install/tools/man/ipa-dns-install.1 @@ -1,7 +1,7 @@ @@ -648,21 +648,21 @@ index 14e4cd51f..029001eca 100644 This command requires that an IPA server is already installed and configured. -- -2.17.1 +2.21.0 -From 3296a366d3b1fd542af4141830796a1535df03ea Mon Sep 17 00:00:00 2001 +From fd0616fde2690c1d1e69556d0d15c711585b24e7 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 24/72] install/tools/man/ipa-kra-install.1: Change branding - to IPA and Identity Management +Subject: [PATCH 23/71] install/tools/man/ipa-kra-install.1: Change branding to + IPA and Identity Management --- install/tools/man/ipa-kra-install.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1 -index b7661f7cc..8e71e4669 100644 +index 6c8523a..5476a4e 100644 --- a/install/tools/man/ipa-kra-install.1 +++ b/install/tools/man/ipa-kra-install.1 @@ -16,7 +16,7 @@ 
@@ -675,21 +675,21 @@ index b7661f7cc..8e71e4669 100644 ipa\-kra\-install \- Install a KRA on a server .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 73785bf8c3c95d3118ea0d2cad2d9ea035cd0bd7 Mon Sep 17 00:00:00 2001 +From d8236fb3826f400d828cfe56c83cb8af65645071 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 25/72] install/tools/man/ipa-ldap-updater.1: Change - branding to IPA and Identity Management +Subject: [PATCH 24/71] install/tools/man/ipa-ldap-updater.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-ldap-updater.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1 -index 4893802c2..7ead55bd9 100644 +index 4893802..7ead55b 100644 --- a/install/tools/man/ipa-ldap-updater.1 +++ b/install/tools/man/ipa-ldap-updater.1 @@ -16,7 +16,7 @@ @@ -702,13 +702,13 @@ index 4893802c2..7ead55bd9 100644 ipa\-ldap\-updater \- Update the IPA LDAP configuration .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 15e96eb03dad223c7dde208ec5e324c1867de484 Mon Sep 17 00:00:00 2001 +From 7164d61f04d6eb4369c3d1743e46f38d17dedc46 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 26/72] install/tools/man/ipa-managed-entries.1: Change +Subject: [PATCH 25/71] install/tools/man/ipa-managed-entries.1: Change branding to IPA and Identity Management --- @@ -716,7 +716,7 @@ Subject: [PATCH 26/72] install/tools/man/ipa-managed-entries.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-managed-entries.1 b/install/tools/man/ipa-managed-entries.1 -index 3d5ca22b8..edaa0a90d 100644 +index 3d5ca22..edaa0a9 100644 --- a/install/tools/man/ipa-managed-entries.1 +++ b/install/tools/man/ipa-managed-entries.1 @@ -16,7 +16,7 @@ 
@@ -729,21 +729,21 @@ index 3d5ca22b8..edaa0a90d 100644 ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From a69685a751bf537e3a696d1da592290deb95a014 Mon Sep 17 00:00:00 2001 +From bde20076f4f7b5c519313e0890fcfaf0cfea04f8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 27/72] install/tools/man/ipa-nis-manage.1: Change branding - to IPA and Identity Management +Subject: [PATCH 26/71] install/tools/man/ipa-nis-manage.1: Change branding to + IPA and Identity Management --- install/tools/man/ipa-nis-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1 -index 93278487c..1107b7790 100644 +index 9327848..1107b77 100644 --- a/install/tools/man/ipa-nis-manage.1 +++ b/install/tools/man/ipa-nis-manage.1 @@ -16,7 +16,7 @@ @@ -756,13 +756,13 @@ index 93278487c..1107b7790 100644 ipa\-nis\-manage \- Enables or disables the NIS listener plugin .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From d39335717d55d7da36eb24399c1684fdc980f747 Mon Sep 17 00:00:00 2001 +From d58f69b6c65de144e4d4413a2572f92fb32d269a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 28/72] install/tools/man/ipa-otptoken-import.1: Change +Subject: [PATCH 27/71] install/tools/man/ipa-otptoken-import.1: Change branding to IPA and Identity Management --- @@ -770,7 +770,7 @@ Subject: [PATCH 28/72] install/tools/man/ipa-otptoken-import.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-otptoken-import.1 b/install/tools/man/ipa-otptoken-import.1 -index 920a08ca2..fe91040fa 100644 +index 920a08c..fe91040 100644 --- a/install/tools/man/ipa-otptoken-import.1 +++ b/install/tools/man/ipa-otptoken-import.1 @@ -16,7 +16,7 @@ 
@@ -783,21 +783,21 @@ index 920a08ca2..fe91040fa 100644 ipa\-otptoken\-import \- Imports OTP tokens from RFC 6030 XML file .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From f5614518de761b7897c156876f76e685be401127 Mon Sep 17 00:00:00 2001 +From 317f15595001171dc6c0dc9eba0b54294a1b78ce Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 29/72] install/tools/man/ipa-pkinit-manage.1: Change - branding to IPA and Identity Management +Subject: [PATCH 28/71] install/tools/man/ipa-pkinit-manage.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-pkinit-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-pkinit-manage.1 b/install/tools/man/ipa-pkinit-manage.1 -index 5018ce8aa..50d63e921 100644 +index 5018ce8..50d63e9 100644 --- a/install/tools/man/ipa-pkinit-manage.1 +++ b/install/tools/man/ipa-pkinit-manage.1 @@ -1,7 +1,7 @@ @@ -810,13 +810,13 @@ index 5018ce8aa..50d63e921 100644 ipa\-pkinit\-manage \- Enables or disables PKINIT .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 4188427191d4b736b6492a942e713d9703bc0901 Mon Sep 17 00:00:00 2001 +From fda0cc19e2575fbeec92e3f9baa53cec8a3a5837 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 30/72] install/tools/man/ipa-replica-conncheck.1: Change +Subject: [PATCH 29/71] install/tools/man/ipa-replica-conncheck.1: Change branding to IPA and Identity Management --- @@ -824,7 +824,7 @@ Subject: [PATCH 30/72] install/tools/man/ipa-replica-conncheck.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1 -index 6451f3545..ed441e3be 100644 +index 6451f35..ed441e3 100644 --- a/install/tools/man/ipa-replica-conncheck.1 +++ b/install/tools/man/ipa-replica-conncheck.1 @@ -16,7 +16,7 @@ 
@@ -837,13 +837,13 @@ index 6451f3545..ed441e3be 100644 ipa\-replica\-conncheck \- Check a replica\-master network connection before installation .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 067c2df8cc7535a1863f30f3581c3018f98f5e3f Mon Sep 17 00:00:00 2001 +From 96be660cba85a4358bd90549a8c26cd10310cdf7 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 31/72] install/tools/man/ipa-replica-install.1: Change +Subject: [PATCH 30/71] install/tools/man/ipa-replica-install.1: Change branding to IPA and Identity Management --- @@ -851,7 +851,7 @@ Subject: [PATCH 31/72] install/tools/man/ipa-replica-install.1: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 -index 7f6ca57e5..dd4cfea24 100644 +index 19d1d91..44fce10 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -1,7 +1,7 @@ @@ -870,9 +870,9 @@ index 7f6ca57e5..dd4cfea24 100644 -To create a replica, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion. +To create a replica, the machine only needs to be enrolled in the IPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion. - If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. + If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. The NTP configuration cannot be updated during client promotion. -@@ -226,7 +226,7 @@ ldapmodify command info the directory server. +@@ -229,7 +229,7 @@ ldapmodify command info the directory server. .TP \fB\-\-add\-agents\fR Add IPA masters to the list that allows to serve information about 
@@ -882,21 +882,21 @@ index 7f6ca57e5..dd4cfea24 100644 to the list automatically as restart of the LDAP service on each of them is required. The host where ipa\-adtrust\-install is being run is added -- -2.17.1 +2.21.0 -From ea5e08cd996e75472a58dfd45fff06b747324817 Mon Sep 17 00:00:00 2001 +From d83e2fc2480d12404056de5a7cd4ea7ff1eb936c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 32/72] install/tools/man/ipa-replica-manage.1: Change - branding to IPA and Identity Management +Subject: [PATCH 31/71] install/tools/man/ipa-replica-manage.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-replica-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 -index 239f1591c..2c94278ca 100644 +index 239f159..2c94278 100644 --- a/install/tools/man/ipa-replica-manage.1 +++ b/install/tools/man/ipa-replica-manage.1 @@ -16,7 +16,7 @@ @@ -909,21 +909,21 @@ index 239f1591c..2c94278ca 100644 ipa\-replica\-manage \- Manage an IPA replica .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 9202123a94ca41cb41d2cf255bffa96c776145ef Mon Sep 17 00:00:00 2001 +From 61cd4587092d982c7e9bd56ae82f59a3859e5739 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 33/72] install/tools/man/ipa-restore.1: Change branding to - IPA and Identity Management +Subject: [PATCH 32/71] install/tools/man/ipa-restore.1: Change branding to IPA + and Identity Management --- install/tools/man/ipa-restore.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-restore.1 b/install/tools/man/ipa-restore.1 -index 5843d5546..bc0755baa 100644 +index 5843d55..bc0755b 100644 --- a/install/tools/man/ipa-restore.1 +++ b/install/tools/man/ipa-restore.1 @@ -16,7 +16,7 @@ 
@@ -936,13 +936,13 @@ index 5843d5546..bc0755baa 100644 ipa\-restore \- Restore an IPA master .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 953314e5afa0502a11200d54d1296425c4e51d82 Mon Sep 17 00:00:00 2001 +From 00ba3a4744ec9df96213461af3a0e72129765540 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 34/72] install/tools/man/ipa-server-certinstall.1: Change +Subject: [PATCH 33/71] install/tools/man/ipa-server-certinstall.1: Change branding to IPA and Identity Management --- @@ -950,7 +950,7 @@ Subject: [PATCH 34/72] install/tools/man/ipa-server-certinstall.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1 -index 00fd03b6b..aa9bb7b85 100644 +index 79bd7c8..3f12a5a 100644 --- a/install/tools/man/ipa-server-certinstall.1 +++ b/install/tools/man/ipa-server-certinstall.1 @@ -16,7 +16,7 @@ @@ -963,21 +963,21 @@ index 00fd03b6b..aa9bb7b85 100644 ipa\-server\-certinstall \- Install new SSL server certificates .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 17368ed31bfee73d7cb0b93909b9cd8aca425716 Mon Sep 17 00:00:00 2001 +From 9efb599bef9a8129876d946e2d1f4e901663acd7 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 35/72] install/tools/man/ipa-server-install.1: Change - branding to IPA and Identity Management +Subject: [PATCH 34/71] install/tools/man/ipa-server-install.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-server-install.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 -index 019c157fa..a8aeeb26d 100644 +index 1a4d2f6..fdb0f4c 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -1,7 +1,7 @@ 
@@ -989,7 +989,7 @@ index 019c157fa..a8aeeb26d 100644 .SH "NAME" ipa\-server\-install \- Configure an IPA server .SH "SYNOPSIS" -@@ -169,7 +169,7 @@ Install and configure a KRA on this server. +@@ -172,7 +172,7 @@ Install and configure a KRA on this server. .SS "DNS OPTIONS" IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology. @@ -999,21 +999,21 @@ index 019c157fa..a8aeeb26d 100644 .TP \fB\-\-setup\-dns\fR -- -2.17.1 +2.21.0 -From 630167ac51b80853225d4057db46a74ac416bc29 Mon Sep 17 00:00:00 2001 +From e42dae0ed616406b8c99efba2d4fb76e5f643040 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 36/72] install/tools/man/ipa-server-upgrade.1: Change - branding to IPA and Identity Management +Subject: [PATCH 35/71] install/tools/man/ipa-server-upgrade.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-server-upgrade.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1 -index cbbdc5901..3db19b0f1 100644 +index cbbdc59..3db19b0 100644 --- a/install/tools/man/ipa-server-upgrade.1 +++ b/install/tools/man/ipa-server-upgrade.1 @@ -2,7 +2,7 @@ @@ -1026,13 +1026,13 @@ index cbbdc5901..3db19b0f1 100644 ipa\-server\-upgrade \- upgrade IPA server .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 9119708871268a9401bd491b819e17292be8be15 Mon Sep 17 00:00:00 2001 +From 43b77f8ad6fc8cc931d85eeeab05c8b7ba8fa086 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 37/72] install/tools/man/ipa-winsync-migrate.1: Change +Subject: [PATCH 36/71] install/tools/man/ipa-winsync-migrate.1: Change branding to IPA and Identity Management --- 
@@ -1040,7 +1040,7 @@ Subject: [PATCH 37/72] install/tools/man/ipa-winsync-migrate.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-winsync-migrate.1 b/install/tools/man/ipa-winsync-migrate.1 -index 88702bad6..1812f6348 100644 +index 88702ba..1812f63 100644 --- a/install/tools/man/ipa-winsync-migrate.1 +++ b/install/tools/man/ipa-winsync-migrate.1 @@ -16,7 +16,7 @@ @@ -1053,21 +1053,21 @@ index 88702bad6..1812f6348 100644 ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users. .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 6149bf9ee37f3a341db2b14e8186b0e1294ad1e7 Mon Sep 17 00:00:00 2001 +From 74a61bfd749da6c4ab1b35c5d61906433b591414 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 38/72] install/tools/man/ipactl.8: Change branding to IPA - and Identity Management +Subject: [PATCH 37/71] install/tools/man/ipactl.8: Change branding to IPA and + Identity Management --- install/tools/man/ipactl.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipactl.8 b/install/tools/man/ipactl.8 -index fb533aae2..d7aaaf8ed 100644 +index fb533aa..d7aaaf8 100644 --- a/install/tools/man/ipactl.8 +++ b/install/tools/man/ipactl.8 @@ -16,7 +16,7 @@ @@ -1080,21 +1080,21 @@ index fb533aae2..d7aaaf8ed 100644 ipactl \- IPA Server Control Interface .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From f978206e28449fa5946a76cbd79f422df0d72725 Mon Sep 17 00:00:00 2001 +From eaf3a578fc370e95dbc55365e12db238fd7feff2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 39/72] install/ui/css/patternfly.css: Change branding to - IPA and Identity Management +Subject: [PATCH 38/71] install/ui/css/patternfly.css: Change branding to IPA + and Identity Management --- install/ui/css/patternfly.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/install/ui/css/patternfly.css b/install/ui/css/patternfly.css -index ee920530b..de574a84c 100644 +index ee92053..de574a8 100644 --- a/install/ui/css/patternfly.css +++ b/install/ui/css/patternfly.css @@ -4,4 +4,4 @@ 
@@ -1106,13 +1106,13 @@ index ee920530b..de574a84c 100644 + */.bootstrap-select.btn-group,.bootstrap-select.btn-group[class*=span]{float:none;display:inline-block;margin-bottom:10px;margin-left:0}.form-horizontal .bootstrap-select.btn-group,.form-inline .bootstrap-select.btn-group,.form-search .bootstrap-select.btn-group{margin-bottom:0}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none}.bootstrap-select.btn-group.pull-right,.bootstrap-select.btn-group[class*=span].pull-right,.row-fluid .bootstrap-select.btn-group[class*=span].pull-right{float:right}.input-append .bootstrap-select.btn-group{margin-left:-1px}.input-prepend .bootstrap-select.btn-group{margin-right:-1px}.bootstrap-select:not([class*=span]):not([class*=col-]):not([class*=form-control]){width:220px}.bootstrap-select{width:220px\9}.bootstrap-select.form-control:not([class*=span]){width:100%}.bootstrap-select>.btn{width:100%}.error .bootstrap-select .btn{border:1px solid #b94a48}.dropdown-menu{z-index:2000}.bootstrap-select.show-menu-arrow.open>.btn{z-index:2051}.bootstrap-select .btn:focus{outline:thin dotted #333!important;outline:5px auto -webkit-focus-ring-color!important;outline-offset:-2px}.bootstrap-select.btn-group .btn .filter-option{overflow:hidden;position:absolute;left:12px;right:25px;text-align:left}.bootstrap-select.btn-group .btn .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.bootstrap-select.btn-group .dropdown-menu li.disabled>a,.bootstrap-select.btn-group>.disabled{cursor:not-allowed}.bootstrap-select.btn-group>.disabled:focus{outline:0!important}.bootstrap-select.btn-group[class*=span] .btn{width:100%}.bootstrap-select.btn-group .dropdown-menu{min-width:100%;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}.bootstrap-select.btn-group 
.dropdown-menu.inner{position:static;border:0;padding:0;margin:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.bootstrap-select.btn-group .dropdown-menu dt{display:block;padding:3px 20px;cursor:default}.bootstrap-select.btn-group .div-contain{overflow:hidden}.bootstrap-select.btn-group .dropdown-menu li{position:relative}.bootstrap-select.btn-group .dropdown-menu li>a.opt{position:relative;padding-left:35px}.bootstrap-select.btn-group .dropdown-menu li>a{cursor:pointer}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a i.check-mark{display:inline-block;position:absolute;right:15px;margin-top:2.5px}.bootstrap-select.btn-group .dropdown-menu li a i.check-mark{display:none}.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select.btn-group .dropdown-menu li small{padding-left:.5em}.bootstrap-select.btn-group .dropdown-menu li.active:not(.disabled)>a small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:hover small{color:#64b1d8;color:rgba(255,255,255,.4)}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.show-menu-arrow .dropdown-toggle:before{content:'';display:inline-block;border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid #CCC;border-bottom-color:rgba(0,0,0,.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle:after{content:'';display:inline-block;border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid #fff;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before{bottom:auto;top:-3px;border-top:7px solid 
#ccc;border-bottom:0;border-top-color:rgba(0,0,0,.2)}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after{bottom:auto;top:-3px;border-top:6px solid #fff;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:after,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:before{display:block}.bootstrap-select.btn-group .no-results{padding:3px;background:#f5f5f5;margin:0 5px}.mobile-device{position:absolute;top:0;left:0;display:block!important;width:100%;height:100%!important;opacity:0}.bootstrap-select.fit-width{width:auto!important}.bootstrap-select.btn-group.fit-width .btn .filter-option{position:static}.bootstrap-select.btn-group.fit-width .btn .caret{position:static;top:auto;margin-top:-1px}.control-group.error .bootstrap-select .dropdown-toggle{border-color:#b94a48}.bootstrap-select-searchbox{padding:4px 8px}.bootstrap-select-searchbox input{margin-bottom:0}.alert{border-width:1px;padding-left:47px;padding-right:14px;position:relative}.alert .alert-link{color:#0088ce}.alert .alert-link:hover{color:#00659c}.alert>.btn.pull-right{margin-top:-3px}.alert>.pficon{font-size:22px;position:absolute;left:13px;top:10px}.alert .close{opacity:.85;filter:alpha(opacity=85)}.alert .close:focus,.alert .close:hover{opacity:1;filter:alpha(opacity=100)}.alert .pficon-info{color:#4d5258}.alert-dismissable{padding-right:28px}.alert-dismissable .close{right:-13px;top:1px}.badge{margin-left:6px}.nav-pills>li>a>.badge{margin-left:6px}.bootstrap-select.btn-group.form-control{margin-bottom:0}.bootstrap-select.btn-group .btn{-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-select.btn-group 
.btn:hover{border-color:#7dc3e8}.bootstrap-select.btn-group .btn .caret{margin-top:-4px}.bootstrap-select.btn-group .btn:focus{border-color:#0088ce;outline:0!important;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6);box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6)}.has-error .bootstrap-select.btn-group .btn{border-color:#c00}.has-error .bootstrap-select.btn-group .btn:focus{border-color:#900;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33}.has-success .bootstrap-select.btn-group .btn{border-color:#3c763d}.has-success .bootstrap-select.btn-group .btn:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168}.has-warning .bootstrap-select.btn-group .btn{border-color:#ec7a08}.has-warning .bootstrap-select.btn-group .btn:focus{border-color:#bb6106;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60}.bootstrap-select.btn-group .dropdown-menu>.active>a,.bootstrap-select.btn-group .dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.bootstrap-select.btn-group .dropdown-menu>.active>a small,.bootstrap-select.btn-group .dropdown-menu>.active>a:active small{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.disabled>a{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu .divider{background:#ededed!important;margin:4px 1px!important}.bootstrap-select.btn-group .dropdown-menu dt{color:#8b8d8f;font-weight:400;padding:1px 
10px}.bootstrap-select.btn-group .dropdown-menu li>a.opt{padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu li a:focus small,.bootstrap-select.btn-group .dropdown-menu li a:hover small{color:#9c9c9c}.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:hover small{color:#9c9c9c}.combobox-container.combobox-selected .glyphicon-remove{display:inline-block}.combobox-container .caret{margin-left:0}.combobox-container .combobox::-ms-clear{display:none}.combobox-container .dropdown-menu{margin-top:-1px;width:100%}.combobox-container .glyphicon-remove{display:none;top:auto;width:12px}.combobox-container .glyphicon-remove:before{content:"\e60b";font-family:PatternFlyIcons-webfont}.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;position:relative}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.combobox-container .input-group-addon:focus,.combobox-container .input-group-addon:hover,.open .dropdown-toggle.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.open .dropdown-toggle.combobox-container .input-group-addon{background-image:none}.combobox-container .input-group-addon.active.focus,.combobox-container .input-group-addon.active:focus,.combobox-container 
.input-group-addon.active:hover,.combobox-container .input-group-addon:active.focus,.combobox-container .input-group-addon:active:focus,.combobox-container .input-group-addon:active:hover,.open .dropdown-toggle.combobox-container .input-group-addon.focus,.open .dropdown-toggle.combobox-container .input-group-addon:focus,.open .dropdown-toggle.combobox-container .input-group-addon:hover{background-color:#e5e5e5;border-color:#a9a9a9}.combobox-container .input-group-addon.disabled,.combobox-container .input-group-addon.disabled.active,.combobox-container .input-group-addon.disabled:active,.combobox-container .input-group-addon.disabled:focus,.combobox-container .input-group-addon.disabled:hover,.combobox-container .input-group-addon[disabled],.combobox-container .input-group-addon[disabled].active,.combobox-container .input-group-addon[disabled]:active,.combobox-container .input-group-addon[disabled]:focus,.combobox-container .input-group-addon[disabled]:hover,fieldset[disabled] .combobox-container .input-group-addon,fieldset[disabled] .combobox-container .input-group-addon.active,fieldset[disabled] .combobox-container .input-group-addon:active,fieldset[disabled] .combobox-container .input-group-addon:focus,fieldset[disabled] .combobox-container .input-group-addon:hover{background-color:#f1f1f1;border-color:#bbb}.combobox-container .input-group-addon:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.treeview .list-group{border-top:0}.treeview .list-group-item{background:0 0;border-bottom:1px solid transparent!important;border-top:1px solid transparent!important;margin-bottom:0;padding:0 10px}.treeview .list-group-item:hover{background:#def3ff!important;border-color:#bee1f4!important}.treeview .list-group-item.node-selected{background:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.treeview span.icon{display:inline-block;font-size:13px;min-width:10px;text-align:center}.treeview 
span.icon>[class*=fa-angle]{font-size:15px}.treeview span.indent{margin-right:5px}.breadcrumb{padding-left:0}.breadcrumb>.active strong{font-weight:600}.breadcrumb>li{display:inline}.breadcrumb>li+li:before{color:#9c9c9c;content:"\f101";font-family:FontAwesome;font-size:11px;padding:0 9px 0 7px}.btn{-webkit-box-shadow:0 2px 3px rgba(3,3,3,.1);box-shadow:0 2px 3px rgba(3,3,3,.1)}.btn:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{background-color:#fafafa!important;background-image:none!important;border-color:#d1d1d1!important;color:#8b8d8f!important;opacity:1}.btn.disabled:active,.btn[disabled]:active,fieldset[disabled] .btn:active{-webkit-box-shadow:none;box-shadow:none}.btn.disabled.btn-link,.btn[disabled].btn-link,fieldset[disabled] .btn.btn-link{background-color:transparent!important;border:0}.btn-danger{background-color:#a30000;background-image:-webkit-linear-gradient(top,#c00 0,#a30000 100%);background-image:-o-linear-gradient(top,#c00 0,#a30000 100%);background-image:linear-gradient(to bottom,#c00 0,#a30000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffcc0000', endColorstr='#ffa30000', GradientType=0);border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.btn-danger:focus,.btn-danger:hover,.open .dropdown-toggle.btn-danger{background-color:#a30000;background-image:none;border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open .dropdown-toggle.btn-danger.focus,.open .dropdown-toggle.btn-danger:focus,.open 
.dropdown-toggle.btn-danger:hover{background-color:#8a0000;border-color:#670000}.btn-danger.disabled,.btn-danger.disabled.active,.btn-danger.disabled:active,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled],.btn-danger[disabled].active,.btn-danger[disabled]:active,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger.active,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#a30000;border-color:#8b0000}.btn-default{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.btn-default:focus,.btn-default:hover,.open .dropdown-toggle.btn-default{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open .dropdown-toggle.btn-default.focus,.open .dropdown-toggle.btn-default:focus,.open .dropdown-toggle.btn-default:hover{background-color:#e5e5e5;border-color:#a9a9a9}.btn-default.disabled,.btn-default.disabled.active,.btn-default.disabled:active,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled],.btn-default[disabled].active,.btn-default[disabled]:active,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default.active,fieldset[disabled] 
.btn-default:active,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#f1f1f1;border-color:#bbb}.btn-link,.btn-link:active{-webkit-box-shadow:none;box-shadow:none}.btn-primary{background-color:#0088ce;background-image:-webkit-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:-o-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:linear-gradient(to bottom,#39a5dc 0,#0088ce 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff39a5dc', endColorstr='#ff0088ce', GradientType=0);border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open .dropdown-toggle.btn-primary{background-color:#0088ce;background-image:none;border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open .dropdown-toggle.btn-primary.focus,.open .dropdown-toggle.btn-primary:focus,.open .dropdown-toggle.btn-primary:hover{background-color:#0077b5;border-color:#004e78}.btn-primary.disabled,.btn-primary.disabled.active,.btn-primary.disabled:active,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled],.btn-primary[disabled].active,.btn-primary[disabled]:active,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary.active,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#0088ce;border-color:#00659c}.btn-group-xs 
.btn,.btn-group-xs>.btn,.btn-xs{font-weight:400}.close{text-shadow:none;opacity:.6;filter:alpha(opacity=60)}.close:focus,.close:hover{opacity:.9;filter:alpha(opacity=90)}.ColVis_Button:active:focus{outline:0}.ColVis_catcher{position:absolute;z-index:999}.ColVis_collection{background-color:#fff;border:1px solid #bbb;border-radius:1px;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);background-clip:padding-box;list-style:none;margin:-1px 0 0 0;padding:5px 10px;width:150px;z-index:1000}.ColVis_collection label{font-weight:400;margin-bottom:5px;margin-top:5px;padding-left:20px}.ColVis_collectionBackground{background-color:#fff;height:100%;left:0;position:fixed;top:0;width:100%;z-index:998}.dataTables_header{background-color:#f5f5f5;border:1px solid #d1d1d1;border-bottom:none;padding:5px;position:relative;text-align:center}.dataTables_header .btn{-webkit-box-shadow:none;box-shadow:none}.dataTables_header .ColVis{position:absolute;right:5px;text-align:left;top:5px}.dataTables_header .ColVis+.dataTables_info{padding-right:30px}.dataTables_header .dataTables_filter{position:absolute}.dataTables_header .dataTables_filter input{border:1px solid #bbb;height:24px}@media (max-width:767px){.dataTables_header .dataTables_filter input{width:100px}}.dataTables_header .dataTables_info{padding:2px 0}@media (max-width:480px){.dataTables_header .dataTables_info{text-align:right}}.dataTables_header .dataTables_info b{font-weight:700}.dataTables_footer{background-color:#fff;border:1px solid #d1d1d1;border-top:none;overflow:hidden}.dataTables_paginate{background:#fafafa;float:right;margin:0}.dataTables_paginate .pagination{float:left;margin:0}.dataTables_paginate .pagination>li>span{border-color:#fff #d1d1d1 #f5f5f5;border-width:0 1px;font-size:16px;font-weight:400;padding:0;text-align:center;width:31px}.dataTables_paginate .pagination>li>span:focus,.dataTables_paginate 
.pagination>li>span:hover{filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination>li.last>span{border-right:none}.dataTables_paginate .pagination>li.disabled>span{background:#f5f5f5;border-left-color:#ededed;border-right-color:#ededed;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination-input{float:left;font-size:12px;line-height:1em;padding:4px 15px 0;text-align:right}.dataTables_paginate .pagination-input .paginate_input{border:1px solid #d1d1d1;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075);box-shadow:inset 0 1px 1px rgba(3,3,3,.075);font-size:12px;font-weight:600;height:19px;margin-right:8px;padding-right:3px;text-align:right;width:30px}.dataTables_paginate .pagination-input .paginate_of{position:relative}.dataTables_paginate .pagination-input .paginate_of b{margin-left:3px}.dataTables_wrapper{margin:20px 0}@media (max-width:767px){.dataTables_wrapper .table-responsive{margin-bottom:0}}.DTCR_clonedTable{background-color:rgba(255,255,255,.7);z-index:202}.DTCR_pointer{background-color:#0088ce;width:1px;z-index:201}table.datatable{margin-bottom:0;max-width:none!important}table.datatable thead .sorting,table.datatable thead .sorting_asc,table.datatable thead .sorting_asc_disabled,table.datatable thead .sorting_desc,table.datatable thead .sorting_desc_disabled{cursor:pointer}table.datatable thead .sorting_asc,table.datatable thead .sorting_desc{color:#0088ce!important;position:relative}table.datatable thead .sorting_asc:after,table.datatable thead .sorting_desc:after{content:"\f107";font-family:FontAwesome;font-size:10px;font-weight:400;height:9px;left:7px;line-height:12px;position:relative;top:2px;vertical-align:baseline;width:12px}table.datatable thead .sorting_asc:before,table.datatable thead .sorting_desc:before{background:#0088ce;content:'';height:2px;position:absolute;left:0;top:0;width:100%}table.datatable thead 
.sorting_asc:after{content:"\f106";top:-3px}table.datatable th:active{outline:0}.caret{font-family:FontAwesome;font-weight:400;height:9px;position:relative;vertical-align:baseline;width:12px}.caret:before{bottom:0;content:"\f107";left:0;line-height:12px;position:absolute;text-align:center;top:-1px;right:0}.dropup .caret:before{content:"\f106"}.dropdown-menu .divider{background-color:#ededed;height:1px;margin:4px 1px;overflow:hidden}.dropdown-menu>li>a{border-color:transparent;border-style:solid;border-width:1px 0;padding:1px 10px}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{border-color:#bee1f4;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>li>a:active{background-color:#0088ce;border-color:#0088ce;color:#fff!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{background-color:#0088ce!important;border-color:#0088ce!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-header{padding-left:10px;padding-right:10px;text-transform:uppercase}.btn-group>.dropdown-menu,.dropdown>.dropdown-menu,.input-group-btn>.dropdown-menu{margin-top:-1px}.dropup 
.dropdown-menu{margin-bottom:-1px}.dropdown-submenu{position:relative}.dropdown-submenu:hover>a{background-color:#def3ff;border-color:#bee1f4}.dropdown-submenu:hover>.dropdown-menu{display:block}.dropdown-submenu.pull-left{float:none!important}.dropdown-submenu.pull-left>.dropdown-menu{left:auto;margin-left:10px;right:100%}.dropdown-submenu>a{padding-right:20px!important}.dropdown-submenu>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:2px}.dropdown-submenu>.dropdown-menu{left:100%;margin-top:0;top:-6px}.dropup .dropdown-submenu>.dropdown-menu{bottom:-5px;top:auto}.open .dropdown-submenu.active>.dropdown-menu{display:block}.dropdown-kebab-pf .btn-link{color:#252525;font-size:16px;line-height:1;padding:4px 0}.dropdown-kebab-pf .btn-link:active,.dropdown-kebab-pf .btn-link:focus,.dropdown-kebab-pf .btn-link:hover{color:#0088ce}.dropdown-kebab-pf .dropdown-menu{left:-15px;margin-top:11px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right{left:auto;right:-15px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:after,.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:before{left:auto;right:6px}.dropdown-kebab-pf .dropdown-menu:after,.dropdown-kebab-pf .dropdown-menu:before{border-bottom-color:#bbb;border-bottom-style:solid;border-bottom-width:10px;border-left:10px solid transparent;border-right:10px solid transparent;content:"";display:inline-block;left:6px;position:absolute;top:-11px}.dropdown-kebab-pf .dropdown-menu:after{border-bottom-color:#fff;top:-10px}.dropdown-kebab-pf.dropup .dropdown-menu{margin-bottom:11px;margin-top:0}.dropdown-kebab-pf.dropup .dropdown-menu:after,.dropdown-kebab-pf.dropup .dropdown-menu:before{border-bottom:none;border-top-color:#bbb;border-top-style:solid;border-top-width:10px;bottom:-11px;top:auto}.dropdown-kebab-pf.dropup .dropdown-menu:after{border-top-color:#fff;bottom:-10px}@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;src:local('Open 
Sans'),local('OpenSans'),url(../fonts/open-sans/OpenSans-Regular.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:300;src:local('OpenSans-Light'),local('Open Sans Light'),url(../fonts/open-sans/OpenSans-Light.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:600;src:local('Open Sans Semibold'),local('OpenSans-Semibold'),url(../fonts/open-sans/OpenSans-Semibold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:700;src:local('Open Sans Bold'),local('OpenSans-Bold'),url(../fonts/open-sans/OpenSans-Bold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:800;src:local('Open Sans Extrabold'),local('OpenSans-Extrabold'),url(../fonts/open-sans/OpenSans-ExtraBold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:300;src:local('Open Sans Light Italic'),local('OpenSansLight-Italic'),url(../fonts/open-sans/OpenSans-LightItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:400;src:local('Open Sans Italic'),local('OpenSans-Italic'),url(../fonts/open-sans/OpenSans-Italic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:600;src:local('Open Sans Semibold Italic'),local('OpenSans-SemiboldItalic'),url(../fonts/open-sans/OpenSans-SemiboldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:700;src:local('Open Sans Bold Italic'),local('OpenSans-BoldItalic'),url(../fonts/open-sans/OpenSans-BoldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:800;src:local('Open Sans Extrabold Italic'),local('OpenSans-ExtraboldItalic'),url(../fonts/open-sans/OpenSans-ExtraBoldItalic.ttf) format('truetype')}.chars-remaining-pf 
span{font-weight:600;padding-right:5px}.chars-warn-remaining-pf{color:#c00}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f}.form-control[disabled]:hover,.form-control[readonly]:hover,fieldset[disabled] .form-control:hover{border-color:#bbb}.form-control:hover{border-color:#7dc3e8}.has-error .form-control:hover{border-color:#900}.has-success .form-control:hover{border-color:#2b542c}.has-warning .form-control:hover{border-color:#bb6106}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label,.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label,.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#363636}.help-block{margin-bottom:0}.input-group .input-group-btn .btn{-webkit-box-shadow:none;box-shadow:none}label{font-weight:600}.navbar-nav>li>.dropdown-menu.infotip{border-top-width:1px!important;margin-top:10px}@media (max-width:767px){.navbar-pf .navbar-nav .open .dropdown-menu.infotip{background-color:#fff!important;margin-top:0}}.infotip{min-width:235px;padding:0}.infotip .list-group{border-top:0;margin:0;padding:8px 0}.infotip .list-group .list-group-item{border:none;margin:0 15px 0 34px;padding:5px 0}.infotip .list-group .list-group-item>.i{color:#4d5258;font-size:13px;left:-20px;position:absolute;top:8px}.infotip .list-group .list-group-item>a{color:#4d5258;line-height:13px}.infotip .list-group 
.list-group-item>.close{float:right}.infotip .footer{background-color:#f5f5f5;padding:6px 15px}.infotip .footer a:hover{color:#0088ce}.infotip .arrow,.infotip .arrow:after{border-color:transparent;border-style:solid;display:block;height:0;position:absolute;width:0}.infotip .arrow{border-width:11px}.infotip .arrow:after{border-width:10px;content:""}.infotip.bottom .arrow,.infotip.bottom-left .arrow,.infotip.bottom-right .arrow{border-bottom-color:#999;border-bottom-color:#bbb;border-top-width:0;left:50%;margin-left:-11px;top:-11px}.infotip.bottom .arrow:after,.infotip.bottom-left .arrow:after,.infotip.bottom-right .arrow:after{border-top-width:0;border-bottom-color:#fff;content:" ";margin-left:-10px;top:1px}.infotip.bottom-left .arrow{left:20%}.infotip.bottom-right .arrow{left:80%}.infotip.top .arrow{border-bottom-width:0;border-top-color:#999;border-top-color:#bbb;bottom:-11px;left:50%;margin-left:-11px}.infotip.top .arrow:after{border-bottom-width:0;border-top-color:#f5f5f5;bottom:1px;content:" ";margin-left:-10px}.infotip.right .arrow{border-left-width:0;border-right-color:#999;border-right-color:#bbb;left:-11px;margin-top:-11px;top:50%}.infotip.right .arrow:after{bottom:-10px;border-left-width:0;border-right-color:#fff;content:" ";left:1px}.infotip.left .arrow{border-left-color:#999;border-left-color:#bbb;border-right-width:0;margin-top:-11px;right:-11px;top:50%}.infotip.left .arrow:after{border-left-color:#fff;border-right-width:0;bottom:-10px;content:" ";right:1px}.label{border-radius:0;font-size:100%;font-weight:600}h1 .label,h2 .label,h3 .label,h4 .label,h5 .label,h6 .label{font-size:75%}.list-group{border-top:1px solid #ededed}.list-group .list-group-item:first-child{border-top:0}.list-group-item{border-top:0;border-left:0;border-right:0;margin-bottom:0}.list-group-item-heading{font-weight:600}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{border-top:solid 1px 
#39a5dc;margin-top:-1px;z-index:auto}.list-group-item.active:first-child{border-top:1px solid #39a5dc!important;margin-top:-1px}.login-pf{height:100%}.login-pf #brand{position:relative;top:-70px}.login-pf #brand img{display:block;height:18px;margin:0 auto;max-width:100%}@media (min-width:768px){.login-pf #brand img{margin:0;text-align:left}}.login-pf #badge{display:block;margin:20px auto 70px;position:relative;text-align:center}@media (min-width:768px){.login-pf #badge{float:right;margin-right:64px;margin-top:50px}}.login-pf body{background:#1a1a1a url(../img/bg-login.jpg) repeat-x 50% 0;background-size:auto}@media (min-width:768px){.login-pf body{background-size:100% auto}}.login-pf .container{background-color:transparent;clear:right;color:#fff;padding-bottom:40px;padding-top:20px;width:auto}@media (min-width:768px){.login-pf .container{bottom:13%;padding-left:80px;position:absolute;width:100%}}.login-pf .container [class^=alert]{background:0 0;color:#fff}.login-pf .container .details p:first-child{border-top:1px solid rgba(255,255,255,.3);padding-top:25px;margin-top:25px}@media (min-width:768px){.login-pf .container .details{border-left:1px solid rgba(255,255,255,.3);padding-left:40px}.login-pf .container .details p:first-child{border-top:0;padding-top:0;margin-top:0}}.login-pf .container .details p{margin-bottom:2px}.login-pf .container .form-horizontal .control-label{font-size:13px;font-weight:400;text-align:left}.login-pf .container .form-horizontal .form-group:last-child,.login-pf .container .form-horizontal .form-group:last-child .help-block:last-child{margin-bottom:0}.login-pf .container .help-block{color:#fff}@media (min-width:768px){.login-pf .container .login{padding-right:40px}}.login-pf .container .submit{text-align:right}.modal-header{background-color:#f5f5f5;border-bottom:none;padding:10px 18px}.modal-header .close{margin-top:2px}.modal-title{font-size:13px;font-weight:700}.modal-footer{border-top:none;margin-top:15px;padding:14px 15px 
15px}.modal-footer>.btn{padding-left:10px;padding-right:10px}.modal-footer>.btn>.fa-angle-left{margin-right:5px}.modal-footer>.btn>.fa-angle-right{margin-left:5px}.navbar-pf{background:#393F45;border:0;border-radius:0;border-top:3px solid #c00;margin-bottom:0;min-height:0}.navbar-pf .navbar-brand{color:#fff;height:auto;padding:12px 0;margin:0 0 0 20px}.navbar-pf .navbar-brand img{display:block}.navbar-pf .navbar-collapse{border-top:0;-webkit-box-shadow:none;box-shadow:none;padding:0}.navbar-pf .navbar-header{border-bottom:1px solid #53565b;float:none}.navbar-pf .navbar-nav{margin:0}.navbar-pf .navbar-nav>.active>a,.navbar-pf .navbar-nav>.active>a:focus,.navbar-pf .navbar-nav>.active>a:hover{background-color:#454C53;color:#fff}.navbar-pf .navbar-nav>li>a{color:#dbdada;line-height:1;padding:10px 20px;text-shadow:none}.navbar-pf .navbar-nav>li>a:focus,.navbar-pf .navbar-nav>li>a:hover{color:#fff}.navbar-pf .navbar-nav>.open>a,.navbar-pf .navbar-nav>.open>a:focus,.navbar-pf .navbar-nav>.open>a:hover{background-color:#454C53;color:#fff}@media (max-width:767px){.navbar-pf .navbar-nav .active .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent,.navbar-pf .navbar-nav .open .dropdown-menu{background-color:#3c434a!important;margin-left:0;padding-bottom:0;padding-top:0}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active 
.navbar-persistent>.active>a,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:hover{background-color:#424950!important;color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent>li>a,.navbar-pf .navbar-nav .open .dropdown-menu>li>a{background-color:transparent;border:0;color:#dbdada;outline:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu>li>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>li>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>li>a:hover{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .divider,.navbar-pf .navbar-nav .active .navbar-persistent .divider,.navbar-pf .navbar-nav .open .dropdown-menu .divider{background-color:#53565b;margin:0 1px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-header{padding-bottom:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open .dropdown-toggle{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.pull-left{float:none!important}.navbar-pf .navbar-nav .active 
.dropdown-menu .dropdown-submenu>a:after,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu>a:after{display:none}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-header{padding-left:45px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu{border:0;bottom:auto;-webkit-box-shadow:none;box-shadow:none;display:block;float:none;margin:0;min-width:0;padding:0;position:relative;left:auto;right:auto;top:auto}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu>li>a{padding:5px 15px 5px 45px;line-height:20px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a{padding-left:60px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-menu{display:block}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after{display:inline-block!important;position:relative;right:auto;top:1px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu{display:none}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-submenu>a:after{display:none!important}.navbar-pf .navbar-nav .context-bootstrap-select 
.open>.dropdown-menu{background-color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active small{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.disabled>a{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li>a.opt{border-bottom:1px solid transparent;border-top:1px solid transparent;color:#363636;padding-left:10px;padding-right:10px}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:focus small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:hover small{color:#9c9c9c}.navbar-pf .navbar-nav .context-bootstrap-select>.open>.dropdown-menu{padding-bottom:5px;padding-top:5px}}.navbar-pf .navbar-persistent{display:none}.navbar-pf .active>.navbar-persistent{display:block}.navbar-pf .navbar-primary{float:none}.navbar-pf .navbar-primary .context{border-bottom:1px solid #53565b}.navbar-pf .navbar-primary .context.context-bootstrap-select 
.bootstrap-select.btn-group,.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group[class*=span]{margin:8px 20px 9px;width:auto}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a{position:relative}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{content:"\f107";display:inline-block;font-family:FontAwesome;font-weight:400}@media (max-width:767px){.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{height:10px;margin-left:4px;vertical-align:baseline}}.navbar-pf .navbar-toggle{border:0;margin:0;padding:10px 20px}.navbar-pf .navbar-toggle:focus,.navbar-pf .navbar-toggle:hover{background-color:transparent;outline:0}.navbar-pf .navbar-toggle:focus .icon-bar,.navbar-pf .navbar-toggle:hover .icon-bar{-webkit-box-shadow:0 0 3px #fff;box-shadow:0 0 3px #fff}.navbar-pf .navbar-toggle .icon-bar{background-color:#fff}.navbar-pf .navbar-utility{border-bottom:1px solid #53565b}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:36px;position:relative}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:20px;position:absolute;top:10px}@media (max-width:767px){.navbar-pf .navbar-utility>li+li{border-top:1px solid #53565b}}@media (min-width:768px){.navbar-pf .navbar-brand{padding:7px 0 8px}.navbar-pf .navbar-nav>li>a{padding-bottom:14px;padding-top:14px}.navbar-pf .navbar-persistent{font-size:14px}.navbar-pf .navbar-primary{font-size:14px;background-image:-webkit-linear-gradient(top,#474c50 0,#383f43 100%);background-image:-o-linear-gradient(top,#474c50 0,#383f43 100%);background-image:linear-gradient(to bottom,#474c50 0,#383f43 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff474c50', endColorstr='#ff383f43', GradientType=0)}.navbar-pf .navbar-primary.persistent-secondary .context .dropdown-menu{top:auto}.navbar-pf .navbar-primary.persistent-secondary .dropup 
.dropdown-menu{bottom:-5px;top:auto}.navbar-pf .navbar-primary.persistent-secondary>li{position:static}.navbar-pf .navbar-primary.persistent-secondary>li.active{margin-bottom:32px}.navbar-pf .navbar-primary.persistent-secondary>li.active>.navbar-persistent{display:block;left:0;position:absolute}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent{background:#f6f6f6;border-bottom:1px solid #cecdcd;padding:0;width:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent a{text-decoration:none!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a:hover{color:#0088ce!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active .active>a{color:#fff}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu:hover>.dropdown-menu{display:none}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-menu{display:block;left:20px;margin-top:1px;top:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle{padding-right:35px!important}.navbar-pf 
.navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle:after{position:absolute;right:20px;top:10px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a:after,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a{background-color:transparent;display:block;line-height:1;padding:9px 20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle{padding-right:35px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle:after{font-size:15px;position:absolute;right:20px;top:9px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a:hover{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li a{color:#4d5258}.navbar-pf .navbar-primary>li>a{border-bottom:1px solid transparent;border-top:1px solid transparent;position:relative;margin:-1px 0 0}.navbar-pf .navbar-primary>li>a:hover{background-color:#4b5053;border-top-color:#949699;color:#dbdada;background-image:-webkit-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:-o-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:linear-gradient(to bottom,#5c6165 0,#4b5053 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5c6165', endColorstr='#ff4b5053', GradientType=0)}.navbar-pf 
.navbar-primary>.active>a,.navbar-pf .navbar-primary>.active>a:focus,.navbar-pf .navbar-primary>.active>a:hover,.navbar-pf .navbar-primary>.open>a,.navbar-pf .navbar-primary>.open>a:focus,.navbar-pf .navbar-primary>.open>a:hover{background-color:#64686c;border-bottom-color:#64686c;border-top-color:#949699;-webkit-box-shadow:none;box-shadow:none;color:#fff;background-image:-webkit-linear-gradient(top,#72757a 0,#64686c 100%);background-image:-o-linear-gradient(top,#72757a 0,#64686c 100%);background-image:linear-gradient(to bottom,#72757a 0,#64686c 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff72757a', endColorstr='#ff64686c', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select .filter-option{max-width:160px;text-overflow:ellipsis}.navbar-pf .navbar-primary li.context.dropdown{border-bottom:0}.navbar-pf .navbar-primary li.context.context-bootstrap-select,.navbar-pf .navbar-primary li.context>a{background-color:#505458;border-bottom-color:#65696d;border-right:1px solid #65696d;border-top-color:#64696d;font-weight:600;background-image:-webkit-linear-gradient(top,#585d61 0,#505458 100%);background-image:-o-linear-gradient(top,#585d61 0,#505458 100%);background-image:linear-gradient(to bottom,#585d61 0,#505458 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff585d61', endColorstr='#ff505458', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select:hover,.navbar-pf .navbar-primary li.context>a:hover{background-color:#5a5e62;border-bottom-color:#6e7276;border-right-color:#6e7276;border-top-color:#6c7276;background-image:-webkit-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:-o-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:linear-gradient(to bottom,#62676b 0,#5a5e62 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff62676b', 
endColorstr='#ff5a5e62', GradientType=0)}.navbar-pf .navbar-primary li.context.open>a{background-color:#65696d;border-bottom-color:#6e7276;border-right-color:#777a7e;border-top-color:#767a7e;background-image:-webkit-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:-o-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:linear-gradient(to bottom,#6b7175 0,#65696d 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6b7175', endColorstr='#ff65696d', GradientType=0)}.navbar-pf .navbar-utility{border-bottom:0;font-size:11px;position:absolute;right:0;top:0}.navbar-pf .navbar-utility>.active>a,.navbar-pf .navbar-utility>.active>a:focus,.navbar-pf .navbar-utility>.active>a:hover,.navbar-pf .navbar-utility>.open>a,.navbar-pf .navbar-utility>.open>a:focus,.navbar-pf .navbar-utility>.open>a:hover{background:#5b6165;color:#fff}.navbar-pf .navbar-utility>li>a{border-left:1px solid #53565b;color:#fff!important;padding:7px 10px}.navbar-pf .navbar-utility>li>a:hover{background:#4a5053;border-left-color:#636466}.navbar-pf .navbar-utility>li.open>a{border-left-color:#6c6e70;color:#fff!important}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:26px}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:10px;top:7px}.navbar-pf .navbar-utility .open .dropdown-menu{left:auto;right:0}.navbar-pf .navbar-utility .open .dropdown-menu .dropdown-menu{left:auto;right:100%}.navbar-pf .navbar-utility .open .dropdown-menu{border-top-width:0}.navbar-pf .open .dropdown-submenu>.dropdown-menu,.navbar-pf .open.bootstrap-select .dropdown-menu{border-top-width:1px!important}}@media (max-width:360px){.navbar-pf .navbar-brand{margin-left:10px;width:75%}.navbar-pf .navbar-brand img{height:auto;max-width:100%}.navbar-pf .navbar-toggle{padding-left:0}}.drawer-pf{background-color:#fafafa;border:1px solid #d1d1d1;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px 
rgba(3,3,3,.175);overflow-y:auto;position:absolute;right:0;width:320px;z-index:2}.drawer-pf .panel{border-bottom:none;border-left:none;border-right:none}.drawer-pf .panel-group .panel-heading+.panel-collapse .panel-body{border-top:none;border-bottom:1px solid #d1d1d1;padding:0}.drawer-pf .panel-counter{display:block;font-style:italic;line-height:1.2;padding-left:18px;padding-top:5px}.drawer-pf .panel-heading{border-bottom:1px solid #d1d1d1}.drawer-pf .panel-group{bottom:0;margin-bottom:0;position:absolute;top:25px;width:100%}.drawer-pf .panel-title a{cursor:pointer;display:block}.drawer-pf.drawer-pf-expanded{left:270px;width:inherit}.drawer-pf.drawer-pf-expanded .drawer-pf-toggle-expand:before{content:"\f101"}.drawer-pf-toggle-expand{color:inherit;cursor:pointer;left:0;padding:2px 5px;position:absolute}.drawer-pf-toggle-expand:before{content:"\f100";font-family:FontAwesome}.drawer-pf-toggle-expand:focus,.drawer-pf-toggle-expand:hover{color:inherit;text-decoration:none}.drawer-pf-action .btn-link{color:#0088ce;padding:10px 0}.drawer-pf-action .btn-link:hover{color:#00659c}.drawer-pf-loading{color:#4d5258;font-size:14px;padding:20px 15px}.drawer-pf-notification{border-bottom:1px solid #d1d1d1;padding:15px}.drawer-pf-notification .date{border-right:1px solid #aaa;display:inline-block;line-height:1;margin-right:5px;padding-right:9px}.drawer-pf-notification .pficon{font-size:14px;margin-top:3px}.drawer-pf-notification:last-of-type{border-bottom:none}.drawer-pf-notification:hover{background-color:#def3ff}.drawer-pf-notification.unread .drawer-pf-notification-message{font-weight:700}.drawer-pf-notification.expanded-notification .date{border-right:none;padding-right:0}.drawer-pf-notification-info,.drawer-pf-notification-message{display:block;padding-left:27px;padding-right:19px}.expanded-notification .drawer-pf-notification-info,.expanded-notification .drawer-pf-notification-message{display:inline-block}.drawer-pf-notifications-non-clickable 
.drawer-pf-notification:hover{background-color:#fff}.drawer-pf-title{background-color:#fafafa;border-bottom:1px solid #d1d1d1;position:absolute;width:318px}.drawer-pf-title h3{font-size:12px;margin:0;padding:6px 15px}.navbar-pf-vertical .drawer-pf{height:calc(100vh - 80px);top:58px}.navbar-pf-vertical .nav .drawer-pf-trigger .drawer-pf-trigger-icon{border-left:1px solid #53565b;border-right:1px solid #53565b;padding-left:15px;padding-right:15px}.navbar-pf-vertical .nav .drawer-pf-trigger.open .drawer-pf-trigger-icon{background-color:#4a5053}.navbar-pf .drawer-pf{height:calc(100vh - 46px);top:26px}.navbar-pf .drawer-pf-trigger-icon{cursor:pointer}.pager li>a,.pager li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;font-weight:600;line-height:22px;padding:2px 14px}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>a:focus,.pager li>a:hover,.pager li>span.active,.pager li>span:active,.pager li>span:focus,.pager li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>span.active,.pager li>span:active{background-image:none}.open .dropdown-toggle.pager li>a.focus,.open .dropdown-toggle.pager li>a:focus,.open .dropdown-toggle.pager li>a:hover,.open .dropdown-toggle.pager li>span.focus,.open .dropdown-toggle.pager li>span:focus,.open .dropdown-toggle.pager li>span:hover,.pager li>a.active.focus,.pager li>a.active:focus,.pager li>a.active:hover,.pager li>a:active.focus,.pager li>a:active:focus,.pager 
li>a:active:hover,.pager li>span.active.focus,.pager li>span.active:focus,.pager li>span.active:hover,.pager li>span:active.focus,.pager li>span:active:focus,.pager li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pager li>a.disabled,.pager li>a.disabled.active,.pager li>a.disabled:active,.pager li>a.disabled:focus,.pager li>a.disabled:hover,.pager li>a[disabled],.pager li>a[disabled].active,.pager li>a[disabled]:active,.pager li>a[disabled]:focus,.pager li>a[disabled]:hover,.pager li>span.disabled,.pager li>span.disabled.active,.pager li>span.disabled:active,.pager li>span.disabled:focus,.pager li>span.disabled:hover,.pager li>span[disabled],.pager li>span[disabled].active,.pager li>span[disabled]:active,.pager li>span[disabled]:focus,.pager li>span[disabled]:hover,fieldset[disabled] .pager li>a,fieldset[disabled] .pager li>a.active,fieldset[disabled] .pager li>a:active,fieldset[disabled] .pager li>a:focus,fieldset[disabled] .pager li>a:hover,fieldset[disabled] .pager li>span,fieldset[disabled] .pager li>span.active,fieldset[disabled] .pager li>span:active,fieldset[disabled] .pager li>span:focus,fieldset[disabled] .pager li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pager li>a>.i,.pager li>span>.i{font-size:18px;vertical-align:top;margin:2px 0}.pager li>a:hover>a:focus{color:#4d5258}.pager li a:active{background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(3,3,3,.125);box-shadow:inset 0 3px 5px rgba(3,3,3,.125);outline:0}.pager .disabled>a,.pager .disabled>a:active,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{background:#f5f5f5;-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f;cursor:default}.pager .next>a>.i,.pager .next>span>.i{margin-left:5px}.pager .previous>a>.i,.pager .previous>span>.i{margin-right:5px}.pager-sm li>a,.pager-sm li>span{font-weight:400;line-height:16px;padding:1px 10px}.pager-sm li>a>.i,.pager-sm 
li>span>.i{font-size:12px}.pagination>li>a,.pagination>li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;cursor:default;font-weight:600;padding:2px 10px}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span.active,.pagination>li>span:active,.pagination>li>span:focus,.pagination>li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>span.active,.pagination>li>span:active{background-image:none}.open .dropdown-toggle.pagination>li>a.focus,.open .dropdown-toggle.pagination>li>a:focus,.open .dropdown-toggle.pagination>li>a:hover,.open .dropdown-toggle.pagination>li>span.focus,.open .dropdown-toggle.pagination>li>span:focus,.open 
.dropdown-toggle.pagination>li>span:hover,.pagination>li>a.active.focus,.pagination>li>a.active:focus,.pagination>li>a.active:hover,.pagination>li>a:active.focus,.pagination>li>a:active:focus,.pagination>li>a:active:hover,.pagination>li>span.active.focus,.pagination>li>span.active:focus,.pagination>li>span.active:hover,.pagination>li>span:active.focus,.pagination>li>span:active:focus,.pagination>li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pagination>li>a.disabled,.pagination>li>a.disabled.active,.pagination>li>a.disabled:active,.pagination>li>a.disabled:focus,.pagination>li>a.disabled:hover,.pagination>li>a[disabled],.pagination>li>a[disabled].active,.pagination>li>a[disabled]:active,.pagination>li>a[disabled]:focus,.pagination>li>a[disabled]:hover,.pagination>li>span.disabled,.pagination>li>span.disabled.active,.pagination>li>span.disabled:active,.pagination>li>span.disabled:focus,.pagination>li>span.disabled:hover,.pagination>li>span[disabled],.pagination>li>span[disabled].active,.pagination>li>span[disabled]:active,.pagination>li>span[disabled]:focus,.pagination>li>span[disabled]:hover,fieldset[disabled] .pagination>li>a,fieldset[disabled] .pagination>li>a.active,fieldset[disabled] .pagination>li>a:active,fieldset[disabled] .pagination>li>a:focus,fieldset[disabled] .pagination>li>a:hover,fieldset[disabled] .pagination>li>span,fieldset[disabled] .pagination>li>span.active,fieldset[disabled] .pagination>li>span:active,fieldset[disabled] .pagination>li>span:focus,fieldset[disabled] .pagination>li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pagination>li>a>.i,.pagination>li>span>.i{font-size:15px;vertical-align:top;margin:2px 0}.pagination>li>a:active,.pagination>li>span:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px 
rgba(3,3,3,.2)}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{background-color:#f1f1f1;border-color:#bbb;-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2);color:#4d5258;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{-webkit-box-shadow:none;box-shadow:none;cursor:default;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination-sm>li>a,.pagination-sm>li>span{padding:2px 6px;font-size:11px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:1px;border-top-left-radius:1px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:1px;border-top-right-radius:1px}.pagination-sm>li>a,.pagination-sm>li>span{font-weight:400}.pagination-sm>li>a>.i,.pagination-sm>li>span>.i{font-size:12px;margin-top:2px}.panel-title{font-weight:700}.panel-group .panel{color:#4d5258}.panel-group .panel+.panel{margin-top:-1px}.panel-group .panel-default{border-color:#bbb;border-top-color:#bbb}.panel-group .panel-heading{background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 
100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #d1d1d1}.panel-group .panel-title{font-weight:500;line-height:1}.panel-group .panel-title>a{color:#4d5258;font-weight:600}.panel-group .panel-title>a:before{content:"\f107";display:inline-block;font-family:FontAwesome;font-size:13px;margin-right:5px;text-align:center;vertical-align:0;width:8px}.panel-group .panel-title>a:focus{outline:0;text-decoration:none}.panel-group .panel-title>a:hover{text-decoration:none}.panel-group .panel-title>a.collapsed:before{content:"\f105"}.popover{-webkit-box-shadow:0 2px 2px rgba(3,3,3,.08);box-shadow:0 2px 2px rgba(3,3,3,.08);padding:0}.popover-content{color:#4d5258;line-height:18px;padding:10px 14px}.popover-title{border-bottom:none;border-radius:0;color:#4d5258;font-size:13px;font-weight:700;min-height:34px}.popover-title .close{height:22px;position:absolute;right:8px;top:6px}.popover-title.closable{padding-right:30px}@-webkit-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}.progress{-webkit-box-shadow:inset 0 0 1px rgba(3,3,3,.25);box-shadow:inset 0 0 1px rgba(3,3,3,.25)}.progress.progress-label-left,.progress.progress-label-top-right{overflow:visible;position:relative}.progress.progress-label-left{margin-left:40px}.progress.progress-sm{height:14px;margin-bottom:14px}.progress.progress-xs{height:6px;margin-bottom:6px}td>.progress:first-child:last-child{margin-bottom:0;margin-top:3px}.progress-bar{box-shadow:none}.progress-label-left .progress-bar span,.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar 
span{color:#363636;position:absolute;text-align:right}.progress-label-left .progress-bar span{font-size:14px;left:-40px;top:0;width:35px}.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{font-size:11px;overflow:hidden;right:0;text-overflow:ellipsis;white-space:nowrap}.progress-label-right .progress-bar span strong,.progress-label-top-right .progress-bar span strong{font-weight:600}.progress-label-right .progress-bar span{max-width:85px;top:0}.progress-label-top-right .progress-bar span{max-width:47%;top:-30px}.progress-label-left.progress-sm .progress-bar span,.progress-label-top-right.progress-sm .progress-bar span{font-size:12px}.progress-sm .progress-bar{line-height:14px}.progress-xs .progress-bar{line-height:6px}.progress-bar-remaining{background:0 0}.progress-container{position:relative}.progress-container.progress-description-left{padding-left:90px}.progress-container.progress-label-right{padding-right:90px}.progress-description{margin-bottom:10px;max-width:52%;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.progress-description .count{font-size:20px;font-weight:300;line-height:1;margin-right:5px}.progress-description .fa,.progress-description .pficon{font-size:14px;margin-right:3px}.progress-description-left .progress-description{left:0;margin-bottom:0;max-width:85px;position:absolute;top:0}.progress-description .tooltip{white-space:normal}.search-pf.has-button{border-collapse:separate;display:table}.search-pf.has-button .form-group{display:table-cell;width:100%}.search-pf.has-button .form-group .btn{-webkit-box-shadow:none;box-shadow:none;float:left;margin-left:-1px}.search-pf.has-button .form-group .btn.btn-lg{font-size:14.5px}.search-pf.has-button .form-group .btn.btn-sm{font-size:10.7px}.search-pf.has-button .form-group .form-control{float:left}.search-pf .has-clear .clear{background:0 
0;background:rgba(255,255,255,0);border:0;height:25px;line-height:1;padding:0;position:absolute;right:1px;top:1px;width:28px}.search-pf .has-clear .clear:focus{outline:0}.search-pf .has-clear .form-control{padding-right:30px}.search-pf .has-clear .form-control::-ms-clear{display:none}.search-pf .has-clear .input-lg+.clear{height:31px;width:28px}.search-pf .has-clear .input-sm+.clear{height:20px;width:28px}.search-pf .has-clear .input-sm+.clear span{font-size:10px}.search-pf .has-clear .search-pf-input-group{position:relative}.sidebar-header{border-bottom:1px solid #ececec;padding-bottom:11px;margin:50px 0 20px}.sidebar-header .actions{margin-top:-2px}.sidebar-pf .sidebar-header+.list-group{border-top:0;margin-top:-10px}.sidebar-pf .sidebar-header+.list-group .list-group-item{background:0 0;border-color:#ececec;padding-left:0}.sidebar-pf .sidebar-header+.list-group .list-group-item-heading{font-size:12px}.sidebar-pf .nav-category h2{color:#9c9c9c;font-size:12px;font-weight:400;line-height:21px;margin:0;padding:8px 0}.sidebar-pf .nav-category+.nav-category{margin-top:10px}.sidebar-pf .nav-pills>li.active>a{background:#0088ce!important;border-color:#0088ce!important;color:#fff}@media (min-width:768px){.sidebar-pf .nav-pills>li.active>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}.sidebar-pf .nav-pills>li.active>a .fa{color:#fff}.sidebar-pf .nav-pills>li>a{border-bottom:1px solid transparent;border-radius:0;border-top:1px solid transparent;color:#363636;font-size:13px;line-height:21px;padding:1px 20px}.sidebar-pf .nav-pills>li>a:hover{background:#def3ff;border-color:#bee1f4}.sidebar-pf .nav-pills>li>a .fa{color:#6a7079;font-size:15px;margin-right:10px;text-align:center;vertical-align:middle;width:15px}.sidebar-pf .nav-stacked{margin-left:-20px;margin-right:-20px}.sidebar-pf .nav-stacked li+li{margin-top:0}.sidebar-pf .panel{background:0 0}.sidebar-pf .panel-body{padding:6px 20px}.sidebar-pf .panel-body 
.nav-pills>li>a{padding-left:37px}.sidebar-pf .panel-heading{padding:9px 20px}.sidebar-pf .panel-title{font-size:12px}.sidebar-pf .panel-title>a:before{display:inline-block;margin-left:1px;margin-right:4px;width:9px}.sidebar-pf .panel-title>a.collapsed:before{margin-left:3px;margin-right:2px}@media (min-width:767px){.sidebar-header-bleed-left{margin-left:-20px}.sidebar-header-bleed-left>h2{margin-left:20px}.sidebar-header-bleed-right{margin-right:-20px}.sidebar-header-bleed-right .actions{margin-right:20px}.sidebar-header-bleed-right>h2{margin-right:20px}.sidebar-header-bleed-right+.list-group{margin-right:-20px}.sidebar-pf .panel-group .panel-default,.sidebar-pf .treeview{border-left:0;border-right:0;margin-left:-20px;margin-right:-20px}.sidebar-pf .treeview{margin-top:5px}.sidebar-pf .treeview .list-group-item{padding-left:20px;padding-right:20px}.sidebar-pf .treeview .list-group-item.node-selected:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}@media (min-width:768px){.sidebar-pf{background:#fafafa}.sidebar-pf.sidebar-pf-left{border-right:1px solid #d1d1d1}.sidebar-pf.sidebar-pf-right{border-left:1px solid #d1d1d1}.sidebar-pf>.nav-category,.sidebar-pf>.nav-stacked{margin-top:5px}}@-webkit-keyframes rotation{from{-webkit-transform:rotate(0)}to{-webkit-transform:rotate(359deg)}}@keyframes rotation{from{transform:rotate(0)}to{transform:rotate(359deg)}}.spinner{-webkit-animation:rotation .6s infinite linear;animation:rotation .6s infinite linear;border-bottom:4px solid rgba(3,3,3,.25);border-left:4px solid rgba(3,3,3,.25);border-right:4px solid rgba(3,3,3,.25);border-radius:100%;border-top:4px solid rgba(3,3,3,.75);height:24px;margin:0 
auto;position:relative;width:24px}.spinner.spinner-inline{display:inline-block;margin-right:3px}.spinner.spinner-lg{border-width:5px;height:30px;width:30px}.spinner.spinner-sm{border-width:3px;height:18px;width:18px}.spinner.spinner-xs{border-width:2px;height:12px;width:12px}.spinner.spinner-inverse{border-bottom-color:rgba(255,255,255,.25);border-left-color:rgba(255,255,255,.25);border-right-color:rgba(255,255,255,.25);border-top-color:rgba(255,255,255,.75)}.ie9 .spinner{background:url(../img/spinner.gif) no-repeat;border:0}.ie9 .spinner.spinner-inverse{background-image:url(../img/spinner-inverse.gif)}.ie9 .spinner.spinner-inverse-lg{background-image:url(../img/spinner-inverse-lg.gif)}.ie9 .spinner.spinner-inverse-sm{background-image:url(../img/spinner-inverse-sm.gif)}.ie9 .spinner.spinner-inverse-xs{background-image:url(../img/spinner-inverse-xs.gif)}.ie9 .spinner.spinner-lg{background-image:url(../img/spinner-lg.gif)}.ie9 .spinner.spinner-sm{background-image:url(../img/spinner-sm.gif)}.ie9 .spinner.spinner-xs{background-image:url(../img/spinner-xs.gif)}.prettyprint .atn,.prettyprint .com,.prettyprint .fun,.prettyprint .var{color:#3f9c35}.prettyprint .atv,.prettyprint .str{color:#a30000}.prettyprint .clo,.prettyprint .dec,.prettyprint .kwd,.prettyprint .opn,.prettyprint .pln,.prettyprint .pun{color:#363636}.prettyprint .lit,.prettyprint .tag,.prettyprint .typ{color:#00659c}.prettyprint ol.linenums{margin-bottom:0}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:2px 10px 3px}.table>tbody>tr>td>a:hover,.table>tbody>tr>th>a:hover,.table>tfoot>tr>td>a:hover,.table>tfoot>tr>th>a:hover,.table>thead>tr>td>a:hover,.table>thead>tr>th>a:hover{text-decoration:none}.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>th{font-family:'Open Sans';font-style:normal;font-weight:600}.table>thead{background-clip:padding-box;background-color:#f5f5f5;background-image:-webkit-linear-gradient(top,#fafafa 
0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.table-bordered{border:1px solid #d1d1d1}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #d1d1d1}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:1px}.table-striped>tbody>tr:nth-of-type(even){background-color:#f5f5f5}.table-striped>tbody>tr:nth-of-type(odd){background-color:transparent}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#def3ff;border-bottom-color:#7dc3e8}.table-treegrid span.indent{margin-left:10px;margin-right:10px}.table-treegrid span.icon{display:inline-block;font-size:13px;margin-right:5px;min-width:10px;text-align:center}.table-treegrid span.collapse-icon,.table-treegrid span.expand-icon{cursor:pointer}.table-treegrid>tbody>tr.odd{background-color:#f5f5f5}.nav-tabs{font-size:14px}.nav-tabs>li>a{color:#4d5258;margin-right:-1px;padding-bottom:5px;padding-top:5px}.nav-tabs>li>a:active,.nav-tabs>li>a:focus,.nav-tabs>li>a:hover{background:0 0;border-color:#ededed;color:#252525}.nav-tabs>li>.dropdown-menu{border-top:0;border-color:#ededed}.nav-tabs>li>.dropdown-menu.pull-right{right:-1px}.nav-tabs+.nav-tabs-pf{font-size:12px}.nav-tabs+.nav-tabs-pf>li:first-child>a{padding-left:15px}.nav-tabs+.nav-tabs-pf>li:first-child>a:before{left:15px!important}.nav-tabs .open>a,.nav-tabs .open>a:focus,.nav-tabs .open>a:hover{background-color:transparent;border-color:#ededed}@media (min-width:768px){.nav-tabs-pf.nav-justified{border-bottom:1px solid 
#ededed}}.nav-tabs-pf.nav-justified>li:first-child>a{padding-left:15px}.nav-tabs-pf.nav-justified>li>a{border-bottom:0}.nav-tabs-pf.nav-justified>li>a:before{left:0!important;right:0!important}.nav-tabs-pf>li{margin-bottom:0}.nav-tabs-pf>li.active>a:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li.active>a,.nav-tabs-pf>li.active>a:active,.nav-tabs-pf>li.active>a:focus,.nav-tabs-pf>li.active>a:hover{background-color:transparent;border:0!important;color:#0088ce}.nav-tabs-pf>li.active>a:active:before,.nav-tabs-pf>li.active>a:before,.nav-tabs-pf>li.active>a:focus:before,.nav-tabs-pf>li.active>a:hover:before{background:#0088ce}.nav-tabs-pf>li:first-child>a{padding-left:0}.nav-tabs-pf>li:first-child>a:before{left:0!important}.nav-tabs-pf>li>a{border:0;line-height:1;margin-right:0;padding-bottom:10px;padding-top:10px}.nav-tabs-pf>li>a:active:before,.nav-tabs-pf>li>a:focus:before,.nav-tabs-pf>li>a:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li>.dropdown-menu{left:15px;margin-top:1px}.nav-tabs-pf>li>.dropdown-menu.pull-right{left:auto;right:15px}.nav-tabs-pf .open>a,.nav-tabs-pf .open>a:focus,.nav-tabs-pf .open>a:hover{background-color:transparent}.tooltip{font-size:12px;line-height:1.4}.tooltip-inner{padding:7px 12px;text-align:left}.h1,.h2,h1,h2{font-weight:300}.page-header .actions{margin-top:8px}.page-header .actions a>.pficon{margin-right:4px}@media (min-width:767px){.page-header-bleed-left{margin-left:-20px}.page-header-bleed-right{margin-right:-20px}.page-header-bleed-right .actions{margin-right:20px}} \ No newline at end of file -- -2.17.1 +2.21.0 -From 9a69911b0024aebad69a1317532e77afe6427576 Mon Sep 17 00:00:00 2001 +From 6b3de20bbf50a2ca035793bf0625103a58b2d705 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 40/72] install/ui/index.html: Change branding to IPA and +Subject: [PATCH 39/71] install/ui/index.html: Change branding to IPA and Identity Management --- @@ -1120,7 +1120,7 @@ Subject: [PATCH 40/72] install/ui/index.html: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/index.html b/install/ui/index.html -index bc0f0cd1e..d1eacaf53 100644 +index bc0f0cd..d1eacaf 100644 --- a/install/ui/index.html +++ b/install/ui/index.html @@ -2,7 +2,7 @@ @@ -1133,21 +1133,21 @@ index bc0f0cd1e..d1eacaf53 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.17.1 +2.21.0 -From 206d1889cd8a9225f1d637e228aba54836cc3adf Mon Sep 17 00:00:00 2001 +From 9d19e7d9bb2ebd3d130ed0e3718c1be32a3a119b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 41/72] install/ui/less/brand.less: Change branding to IPA - and Identity Management +Subject: [PATCH 40/71] install/ui/less/brand.less: Change branding to IPA and + Identity Management --- install/ui/less/brand.less | 103 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 53 deletions(-) diff --git a/install/ui/less/brand.less b/install/ui/less/brand.less -index c9030bb0b..7488eaf91 100644 +index c9030bb..7488eaf 100644 --- a/install/ui/less/brand.less +++ b/install/ui/less/brand.less @@ -20,58 +20,55 @@ @@ -1261,21 +1261,21 @@ index c9030bb0b..7488eaf91 100644 } \ No newline at end of file -- -2.17.1 +2.21.0 -From d9b08ebc53dca899cffb75e413b5472f35c107b8 Mon Sep 17 00:00:00 2001 +From 78cc2843205bcadcfd27a0e9d8d4a03a2e14d29d Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 42/72] install/ui/less/patternfly.less: Change branding to - IPA and Identity Management +Subject: [PATCH 41/71] install/ui/less/patternfly.less: Change branding to IPA + and Identity Management --- install/ui/less/patternfly.less | 48 +++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/install/ui/less/patternfly.less b/install/ui/less/patternfly.less -index a2e30c85b..97a8d5c26 100644 +index a2e30c8..97a8d5c 100644 --- a/install/ui/less/patternfly.less +++ b/install/ui/less/patternfly.less @@ -129,3 +129,51 @@ @@ -1331,21 +1331,21 @@ index a2e30c85b..97a8d5c26 100644 +@navbar-pf-navbar-utility-open-bg-color: #5b6165; +@navbar-pf-navbar-utility-open-border-color: #6c6e70; -- -2.17.1 +2.21.0 -From 1b1455e451ed00fd1f3ecfd3d807ca5935e6c272 Mon Sep 17 00:00:00 2001 +From 996fe9454f57fb4adc4ab72345511f2d207f7d46 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 43/72] install/ui/reset_password.html: Change branding to - IPA and Identity Management +Subject: [PATCH 42/71] install/ui/reset_password.html: Change branding to IPA + and Identity Management --- install/ui/reset_password.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/reset_password.html b/install/ui/reset_password.html -index e5700c964..a4ea1ce0e 100644 +index e5700c9..a4ea1ce 100644 --- a/install/ui/reset_password.html +++ b/install/ui/reset_password.html @@ -2,7 +2,7 @@ @@ -1358,21 +1358,21 @@ index e5700c964..a4ea1ce0e 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.17.1 +2.21.0 -From 217b850ac3437e4d285adafbc5d4afb5fffbf6bf Mon Sep 17 00:00:00 2001 +From 2bdd0bcb746361b391aa6e53aaa1e1d6e57dbfe6 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 44/72] install/ui/src/freeipa/widgets/App.js: Change - branding to IPA and Identity Management +Subject: [PATCH 43/71] install/ui/src/freeipa/widgets/App.js: Change branding + to IPA and Identity Management --- install/ui/src/freeipa/widgets/App.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/widgets/App.js b/install/ui/src/freeipa/widgets/App.js -index 3a139555a..b0f75885d 100644 +index 3a13955..b0f7588 100644 --- a/install/ui/src/freeipa/widgets/App.js +++ b/install/ui/src/freeipa/widgets/App.js @@ -187,7 +187,7 @@ define(['dojo/_base/declare', @@ -1385,13 +1385,13 @@ index 3a139555a..b0f75885d 100644 return this.brand_node; -- -2.17.1 +2.21.0 -From adacee4e1fe7239049adc2eeeee088311d6f2bb2 Mon Sep 17 00:00:00 2001 +From 01f8e875fd670d71d3ff8e6c0929a304c451bfaa Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 45/72] install/ui/sync_otp.html: Change branding to IPA and +Subject: [PATCH 44/71] install/ui/sync_otp.html: Change branding to IPA and Identity Management --- @@ -1399,7 +1399,7 @@ Subject: [PATCH 45/72] install/ui/sync_otp.html: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/sync_otp.html b/install/ui/sync_otp.html -index 5814b6c57..36a51ca62 100644 +index 5814b6c..36a51ca 100644 --- a/install/ui/sync_otp.html +++ b/install/ui/sync_otp.html @@ -2,7 +2,7 @@ @@ -1412,13 +1412,13 @@ index 5814b6c57..36a51ca62 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.17.1 +2.21.0 -From 188e41152183e7e0e1c6936df600330981553bdc Mon Sep 17 00:00:00 2001 +From ab6ee26de48cffbf3916dd8a2e15f18527b5f8f6 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 46/72] install/ui/test/data/ipa_init_commands.json: Change +Subject: [PATCH 45/71] install/ui/test/data/ipa_init_commands.json: Change branding to IPA and Identity Management --- @@ -1426,7 +1426,7 @@ Subject: [PATCH 46/72] install/ui/test/data/ipa_init_commands.json: Change 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json -index c35946b34..6d3667473 100644 +index c35946b..6d36674 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -8689,7 +8689,7 @@ @@ -1448,13 +1448,13 @@ index c35946b34..6d3667473 100644 "no_update" ], -- -2.17.1 +2.21.0 -From 3d6a1fa157e3da072ef1cf557788ad536e6c88d6 Mon Sep 17 00:00:00 2001 +From 8a439a32134ed2b8a4ab11c6637e7379be4bb4cc Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 47/72] install/ui/test/data/ipa_init_objects.json: Change +Subject: [PATCH 46/71] install/ui/test/data/ipa_init_objects.json: Change branding to IPA and Identity Management --- @@ -1462,7 +1462,7 @@ Subject: [PATCH 47/72] install/ui/test/data/ipa_init_objects.json: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json -index 6f9b13e92..08aaafd61 100644 +index 6f9b13e..08aaafd 100644 --- a/install/ui/test/data/ipa_init_objects.json +++ b/install/ui/test/data/ipa_init_objects.json @@ -21190,7 +21190,7 @@ @@ -1475,24 +1475,24 @@ index 6f9b13e92..08aaafd61 100644 "cli_metavar" : "INT", "default" : 0, -- -2.17.1 +2.21.0 -From 9a629a06c87b1b3436d92937035de6ce66ca6d69 Mon Sep 17 00:00:00 2001 +From 84fac58baf86da0536afb6e01f33cff5007bb4e7 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 48/72] ipaclient/install/client.py: Change branding to IPA - and Identity Management +Subject: [PATCH 47/71] ipaclient/install/client.py: Change branding to IPA and + Identity Management --- ipaclient/install/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 5787d03cf..cc3916648 100644 +index cc830f1..070b14d 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py -@@ -2022,7 +2022,7 @@ def install_check(options): +@@ -2034,7 +2034,7 @@ def install_check(options): global client_domain global cli_basedn @@ -1502,13 +1502,13 @@ index 5787d03cf..cc3916648 100644 print("") -- -2.17.1 +2.21.0 -From 86ae50ed5e3466bae9481a516c5c2486161ac10d Mon Sep 17 00:00:00 2001 +From f72a60a224057254d9b213b9b6b451d8e4a408a5 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 49/72] ipaclient/remote_plugins/2_114/otptoken.py: Change +Subject: [PATCH 48/71] ipaclient/remote_plugins/2_114/otptoken.py: Change branding to IPA and Identity Management --- @@ -1516,7 +1516,7 @@ Subject: [PATCH 49/72] ipaclient/remote_plugins/2_114/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_114/otptoken.py b/ipaclient/remote_plugins/2_114/otptoken.py -index 632c97ea2..d3edb589d 100644 +index 632c97e..d3edb58 100644 --- a/ipaclient/remote_plugins/2_114/otptoken.py +++ b/ipaclient/remote_plugins/2_114/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1547,13 +1547,13 @@ index 632c97ea2..d3edb589d 100644 ), parameters.Int( -- -2.17.1 +2.21.0 -From 1aee68b9138cbf57571494ac84a078ebff942be2 Mon Sep 17 00:00:00 2001 +From ef8b9e9e9028202d0018ac6d36e5110cfc64763f Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 50/72] ipaclient/remote_plugins/2_156/otptoken.py: Change +Subject: [PATCH 49/71] ipaclient/remote_plugins/2_156/otptoken.py: Change branding to IPA and Identity Management --- @@ -1561,7 +1561,7 @@ Subject: [PATCH 50/72] ipaclient/remote_plugins/2_156/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_156/otptoken.py b/ipaclient/remote_plugins/2_156/otptoken.py -index 0b2b54c6e..e674d465d 100644 +index 0b2b54c..e674d46 100644 --- a/ipaclient/remote_plugins/2_156/otptoken.py +++ b/ipaclient/remote_plugins/2_156/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1592,13 +1592,13 @@ index 0b2b54c6e..e674d465d 100644 ), parameters.Int( -- -2.17.1 +2.21.0 -From 14aa8dc4b66e09e4bf344ec79732eff96c952df0 Mon Sep 17 00:00:00 2001 +From bc987f5b22040e2941e4a6f146929f53d20c54d2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 51/72] ipaclient/remote_plugins/2_164/otptoken.py: Change +Subject: [PATCH 50/71] ipaclient/remote_plugins/2_164/otptoken.py: Change branding to IPA and Identity Management --- @@ -1606,7 +1606,7 @@ Subject: [PATCH 51/72] ipaclient/remote_plugins/2_164/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_164/otptoken.py b/ipaclient/remote_plugins/2_164/otptoken.py -index 0b2b54c6e..e674d465d 100644 +index 0b2b54c..e674d46 100644 --- a/ipaclient/remote_plugins/2_164/otptoken.py +++ b/ipaclient/remote_plugins/2_164/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1637,21 +1637,21 @@ index 0b2b54c6e..e674d465d 100644 ), parameters.Int( -- -2.17.1 +2.21.0 -From 5be234c16ddcf8684c3d41c985f98ff6485c89db Mon Sep 17 00:00:00 2001 +From 5b4bebe15eb2604e63a02c90258423560e47791e Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 52/72] ipalib/pkcs10.py: Change branding to IPA and - Identity Management +Subject: [PATCH 51/71] ipalib/pkcs10.py: Change branding to IPA and Identity + Management --- ipalib/pkcs10.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py -index 2756c8568..590ce0757 100644 +index 2756c85..590ce07 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -2,7 +2,7 @@ from __future__ import print_function @@ -1664,13 +1664,13 @@ index 2756c8568..590ce0757 100644 file=sys.stderr ) -- -2.17.1 +2.21.0 -From cd983cb830b66bfd35c353cda8eb8c83053847eb Mon Sep 17 00:00:00 2001 +From 4157915ff75752341ddca82bef5f2eefbf4b1d24 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 53/72] ipalib/rpc.py: Change branding to IPA and Identity +Subject: [PATCH 52/71] ipalib/rpc.py: Change branding to IPA and Identity Management --- @@ -1678,7 +1678,7 @@ Subject: [PATCH 53/72] ipalib/rpc.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py -index b27f3cef9..f2a697199 100644 +index 1ef0f5e..f1be905 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -284,7 +284,7 @@ class _JSONPrimer(dict): @@ -1691,13 +1691,13 @@ index b27f3cef9..f2a697199 100644 The primer uses a couple of tricks to archive maximum performance: -- -2.17.1 +2.21.0 -From 8b5459b80408929c1593895e00f37a011aa09723 Mon Sep 17 00:00:00 2001 +From 6f853361b23d986c0048d9e7e60460732484dbd0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 54/72] ipalib/util.py: Change branding to IPA and Identity +Subject: [PATCH 53/71] ipalib/util.py: Change branding to IPA and Identity Management --- 
@@ -1705,10 +1705,10 @@ Subject: [PATCH 54/72] ipalib/util.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/util.py b/ipalib/util.py -index 3e8fab49d..0aac1c799 100644 +index fd08d89..62577d7 100644 --- a/ipalib/util.py +++ b/ipalib/util.py -@@ -234,7 +234,7 @@ def normalize_zone(zone): +@@ -236,7 +236,7 @@ def normalize_zone(zone): def get_proper_tls_version_span(tls_version_min, tls_version_max): """ This function checks whether the given TLS versions are known in @@ -1718,13 +1718,13 @@ index 3e8fab49d..0aac1c799 100644 `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`). -- -2.17.1 +2.21.0 -From 0fd0f26cbb7ff344f24acfedda97d11f46717b78 Mon Sep 17 00:00:00 2001 +From 61578b07480f2ba73e5c5e73b270ba69115319e9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 55/72] ipalib/x509.py: Change branding to IPA and Identity +Subject: [PATCH 54/71] ipalib/x509.py: Change branding to IPA and Identity Management --- @@ -1732,11 +1732,11 @@ Subject: [PATCH 55/72] ipalib/x509.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/x509.py b/ipalib/x509.py -index bc78a8058..57a7e18df 100644 +index 1f612a3..dfe66e1 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py -@@ -86,7 +86,7 @@ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2' - class IPACertificate(object): +@@ -88,7 +88,7 @@ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2' + class IPACertificate: """ A proxy class wrapping a python-cryptography certificate representation for - FreeIPA purposes @@ -1745,13 +1745,13 @@ index bc78a8058..57a7e18df 100644 def __init__(self, cert, backend=None): """ -- -2.17.1 +2.21.0 -From 08aaff17e615d159da73a4a254ca8d43cc05b82d Mon Sep 17 00:00:00 2001 +From cf108de27c35652d0678c6f3fbc8967be6a083d8 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 56/72] ipaserver/advise/plugins/legacy_clients.py: Change +Subject: [PATCH 55/71] ipaserver/advise/plugins/legacy_clients.py: Change branding to IPA and Identity Management --- @@ -1759,10 +1759,10 @@ Subject: [PATCH 56/72] ipaserver/advise/plugins/legacy_clients.py: Change 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py -index 7916965dd..c0d6c73f4 100644 +index 2a56922..0e322fe 100644 --- a/ipaserver/advise/plugins/legacy_clients.py +++ b/ipaserver/advise/plugins/legacy_clients.py -@@ -92,7 +92,7 @@ class config_redhat_sssd_before_1_9(config_base_legacy_client): +@@ -94,7 +94,7 @@ class config_redhat_sssd_before_1_9(config_base_legacy_client): Legacy client configuration for Red Hat based systems, using SSSD. """ description = ('Instructions for configuring a system with an old version ' @@ -1771,7 +1771,7 @@ index 7916965dd..c0d6c73f4 100644 'instructions is targeted for platforms that include ' 'the authconfig utility, which are all Red Hat based ' 'platforms.') -@@ -127,7 +127,7 @@ class config_generic_linux_sssd_before_1_9(config_base_legacy_client): +@@ -129,7 +129,7 @@ class config_generic_linux_sssd_before_1_9(config_base_legacy_client): using SSSD. """ description = ('Instructions for configuring a system with an old version ' @@ -1780,7 +1780,7 @@ index 7916965dd..c0d6c73f4 100644 'instructions is targeted for linux systems that do not ' 'include the authconfig utility.') -@@ -182,7 +182,7 @@ class config_redhat_nss_pam_ldapd(config_base_legacy_client): +@@ -184,7 +184,7 @@ class config_redhat_nss_pam_ldapd(config_base_legacy_client): using nss-pam-ldapd. """ description = ('Instructions for configuring a system with nss-pam-ldapd ' 
@@ -1789,7 +1789,7 @@ index 7916965dd..c0d6c73f4 100644 'for platforms that include the authconfig utility, which ' 'are all Red Hat based platforms.') -@@ -350,7 +350,7 @@ class config_redhat_nss_ldap(config_base_legacy_client): +@@ -352,7 +352,7 @@ class config_redhat_nss_ldap(config_base_legacy_client): using nss-ldap. """ description = ('Instructions for configuring a system with nss-ldap ' @@ -1799,13 +1799,13 @@ index 7916965dd..c0d6c73f4 100644 'are all Red Hat based platforms.') -- -2.17.1 +2.21.0 -From c4c9d5687b29ee387356899151c7a64d9100f0e2 Mon Sep 17 00:00:00 2001 +From a8736b1b82bba093c72eb4a142c860c547a0e4b0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 57/72] ipaserver/advise/plugins/smart_card_auth.py: Change +Subject: [PATCH 56/71] ipaserver/advise/plugins/smart_card_auth.py: Change branding to IPA and Identity Management --- @@ -1813,10 +1813,10 @@ Subject: [PATCH 57/72] ipaserver/advise/plugins/smart_card_auth.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py -index 2f2e7aec9..5795f0f75 100644 +index c43c74e..ce50cec 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py -@@ -95,7 +95,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): +@@ -97,7 +97,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): """ description = ("Instructions for enabling Smart Card authentication on " 
@@ -1825,7 +1825,7 @@ index 2f2e7aec9..5795f0f75 100644 "enabling PKINIT on KDC and configuring WebUI to accept " "Smart Card auth requests. To enable the feature in the " "whole topology you have to run the script on each master") -@@ -222,11 +222,11 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): +@@ -244,11 +244,11 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): @register() class config_client_for_smart_card_auth(common_smart_card_auth_config): """ @@ -1840,13 +1840,13 @@ index 2f2e7aec9..5795f0f75 100644 "allow smart card logins to desktop") -- -2.17.1 +2.21.0 -From 382d2f94b43410a6caefa7e8bec4f41455d7cc2b Mon Sep 17 00:00:00 2001 +From 2f35de8549d671caa36cccdf037bcc1c6382c812 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 58/72] ipaserver/install/dns.py: Change branding to IPA and +Subject: [PATCH 57/71] ipaserver/install/dns.py: Change branding to IPA and Identity Management --- @@ -1854,7 +1854,7 @@ Subject: [PATCH 58/72] ipaserver/install/dns.py: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py -index 80e81bbe0..c0ce42ab0 100644 +index 40688dc..2a130ab 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -149,7 +149,7 @@ def install_check(standalone, api, replica, options, hostname): @@ -1867,24 +1867,24 @@ index 80e81bbe0..c0ce42ab0 100644 print("This includes:") print(" * Configure DNS (bind)") -- -2.17.1 +2.21.0 -From 2091272e23144e854045eec4c090311231ae6de7 Mon Sep 17 00:00:00 2001 +From a45b1e44bb8307dba6bbf32e677f7b7424205830 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 59/72] ipaserver/install/ipa_kra_install.py: Change - branding to IPA and Identity Management +Subject: [PATCH 58/71] ipaserver/install/ipa_kra_install.py: Change branding + to IPA and Identity Management --- ipaserver/install/ipa_kra_install.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py -index 45a3b09f0..9f28bb0d1 100644 +index 2d6e4bf..076c206 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py -@@ -87,7 +87,7 @@ class KRAInstall(admintool.AdminTool): +@@ -93,7 +93,7 @@ class KRAInstall(admintool.AdminTool): if options.uninstall: sys.exit( 'ERROR: Standalone KRA uninstallation was removed in ' @@ -1893,7 +1893,7 @@ index 45a3b09f0..9f28bb0d1 100644 'issues.') else: return KRAInstaller -@@ -98,7 +98,7 @@ class KRAInstaller(KRAInstall): +@@ -104,7 +104,7 @@ class KRAInstaller(KRAInstall): INSTALLER_START_MESSAGE = ''' =================================================================== @@ -1903,13 +1903,13 @@ index 45a3b09f0..9f28bb0d1 100644 ''' -- -2.17.1 +2.21.0 -From 574f21b25242c0dd32683443eaea24a3a88529ce Mon Sep 17 00:00:00 2001 +From 29661374a56cc16c3d707aca0c3fbe01d7ad7dee Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 60/72] ipaserver/install/plugins/dns.py: Change branding to +Subject: [PATCH 59/71] ipaserver/install/plugins/dns.py: Change branding to IPA and Identity Management --- @@ -1917,7 +1917,7 @@ Subject: [PATCH 60/72] ipaserver/install/plugins/dns.py: Change branding to 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py -index baa19c38e..a7a1748d9 100644 +index baa19c3..a7a1748 100644 --- a/ipaserver/install/plugins/dns.py 
+++ b/ipaserver/install/plugins/dns.py @@ -161,11 +161,11 @@ class update_ipaconfigstring_dnsversion_to_ipadnsversion(Updater): @@ -1962,13 +1962,13 @@ index baa19c38e..a7a1748d9 100644 """ backup_filename = u'dns-forwarding-empty-zones-%Y-%m-%d-%H-%M-%S.ldif' -- -2.17.1 +2.21.0 -From 7d7cbc6f104a837678ee56bd6a66c12c80a4100e Mon Sep 17 00:00:00 2001 +From ed41c0d8c9d782e4610837f9dbacb9d64fbecc65 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 61/72] ipaserver/install/replication.py: Change branding to +Subject: [PATCH 60/71] ipaserver/install/replication.py: Change branding to IPA and Identity Management --- @@ -1976,10 +1976,10 @@ Subject: [PATCH 61/72] ipaserver/install/replication.py: Change branding to 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py -index 92a99cd94..d77193092 100644 +index 1fefe3e..87794b7 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py -@@ -1693,7 +1693,7 @@ class ReplicationManager(object): +@@ -1760,7 +1760,7 @@ class ReplicationManager: Ensure that the 'cn=replication managers,cn=sysaccounts' group exists and contains the principals for master and remote replica @@ -1989,24 +1989,24 @@ index 92a99cd94..d77193092 100644 """ my_dn = DN( -- -2.17.1 +2.21.0 -From 3c2401a5414090a8deb7e6e2d439a4094dc66eb4 Mon Sep 17 00:00:00 2001 +From 9289815fa14bfa2ff3ff0a57031b4c7588c6a2f2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 62/72] ipaserver/install/server/install.py: Change branding - to IPA and Identity Management +Subject: [PATCH 61/71] ipaserver/install/server/install.py: Change branding to + IPA and Identity Management --- ipaserver/install/server/install.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index efccca77b..0a2774a6a 100644 +index 7cdf2a5..f7e9f88 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py -@@ -381,7 +381,7 @@ def install_check(installer): +@@ -393,7 +393,7 @@ def install_check(installer): print("=======================================" "=======================================") @@ -2016,13 +2016,13 @@ index efccca77b..0a2774a6a 100644 print("") print("This includes:") -- -2.17.1 +2.21.0 -From 6bf9c6a5db6526e2126c352c6bb8e9d117a14c1a Mon Sep 17 00:00:00 2001 +From 8c6d244de87c7c3bcfc4660921738efcdeaf17de Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 63/72] ipaserver/install/server/replicainstall.py: Change +Subject: [PATCH 62/71] ipaserver/install/server/replicainstall.py: Change branding to IPA and Identity Management --- @@ -2030,10 +2030,10 @@ Subject: [PATCH 63/72] ipaserver/install/server/replicainstall.py: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index aaa1943f9..878c01e99 100644 +index 536f0db..3fb8b3f 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -612,7 +612,7 @@ def check_domain_level_is_supported(current): +@@ -619,7 +619,7 @@ def check_domain_level_is_supported(current): above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: @@ -2043,13 +2043,13 @@ index aaa1943f9..878c01e99 100644 "this domain. The Domain Level needs to be " "raised before installing a replica with " -- -2.17.1 +2.21.0 -From 5502cd648cb527fba8c32e9cb92b6d821fcb5cb0 Mon Sep 17 00:00:00 2001 +From a328d3c6e5ed88d6a5461448952672c4fb0d6956 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 64/72] ipaserver/plugins/certmap.py: Change branding to IPA +Subject: [PATCH 63/71] ipaserver/plugins/certmap.py: Change branding to IPA and Identity Management --- @@ -2057,10 +2057,10 @@ Subject: [PATCH 64/72] ipaserver/plugins/certmap.py: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py -index 8705e4290..558c3987e 100644 +index ee8f0c1..cdbc38f 100644 --- a/ipaserver/plugins/certmap.py +++ b/ipaserver/plugins/certmap.py -@@ -541,7 +541,7 @@ class certmap_match(Search): +@@ -614,7 +614,7 @@ class certmap_match(Search): The search is performed using SSSD's DBus interface Users.ListByCertificate. SSSD does the lookup based on certificate mapping rules, using @@ -2070,21 +2070,21 @@ index 8705e4290..558c3987e 100644 """ sssd = _sssd() -- -2.17.1 +2.21.0 -From f0176f97e82a727ee0a057838478ee8789c116c4 Mon Sep 17 00:00:00 2001 +From 278276fed26cf350ffa81aea4abb46dc6c26b781 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 65/72] ipaserver/plugins/otptoken.py: Change branding to - IPA and Identity Management +Subject: [PATCH 64/71] ipaserver/plugins/otptoken.py: Change branding to IPA + and Identity Management --- ipaserver/plugins/otptoken.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py -index 17b32094d..cf5de1cca 100644 +index 72ed539..46e4d5e 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -245,7 +245,7 @@ class otptoken(LDAPObject): @@ -2097,21 +2097,21 @@ index 17b32094d..cf5de1cca 100644 autofill=True, flags=('no_update'), -- -2.17.1 +2.21.0 -From 3f01ae64c482a63d06bb8114943f41585a605ec5 Mon Sep 17 00:00:00 2001 +From a172851e990fee8b6749c7edbf8bc56be425b492 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 66/72] ipaserver/plugins/sudorule.py: Change branding to - IPA and Identity Management +Subject: [PATCH 65/71] ipaserver/plugins/sudorule.py: Change branding to IPA + and Identity Management --- ipaserver/plugins/sudorule.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py -index 643215985..68baa0174 100644 +index 6432159..68baa01 100644 --- a/ipaserver/plugins/sudorule.py +++ b/ipaserver/plugins/sudorule.py @@ -47,7 +47,7 @@ give certain users (or groups of users) the ability to run some (or all) @@ -2133,13 +2133,13 @@ index 643215985..68baa0174 100644 """) + _(""" To enable the binddn run the following command to set the password: -- -2.17.1 +2.21.0 -From bb3d8b2541764a92a580f7333c5fe2e966b5b07d Mon Sep 17 00:00:00 2001 +From b6c8cfacbb786cd91dd025545cb142fb409e8d34 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 67/72] po/de.po: Change branding to IPA and Identity +Subject: [PATCH 66/71] po/de.po: Change branding to IPA and Identity Management --- @@ -2147,10 +2147,10 @@ Subject: [PATCH 67/72] po/de.po: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/po/de.po b/po/de.po -index bc1c822c6..7a928f3ba 100644 +index 78b7cb6..5146ca4 100644 --- a/po/de.po +++ b/po/de.po -@@ -3677,7 +3677,7 @@ msgstr "TOTP Sychnronisierungsfenster" +@@ -3672,7 +3672,7 @@ msgstr "TOTP Sychnronisierungsfenster" msgid "TOTP authentication Window" msgstr "TOTP Authentifizierungsfenster" @@ -2160,24 +2160,24 @@ index bc1c822c6..7a928f3ba 100644 msgid "Target" -- -2.17.1 +2.21.0 -From 5f8baa253864020ca013288470e19ac0f720eda4 Mon Sep 17 00:00:00 2001 +From aa73ce7826017703a4b1737bd0b445d011827a8e Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 68/72] po/es.po: Change branding to IPA and Identity +Subject: [PATCH 67/71] po/es.po: Change branding to IPA and Identity Management --- - po/es.po | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) + po/es.po | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/po/es.po b/po/es.po -index 46404dac9..a4aa0fed3 100644 +index bd7aa1f..31437e7 100644 --- a/po/es.po +++ b/po/es.po -@@ -1152,7 +1152,7 @@ msgid "" +@@ -3363,7 +3363,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2186,7 +2186,7 @@ index 46404dac9..a4aa0fed3 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -1210,7 +1210,7 @@ msgstr "" +@@ -3421,7 +3421,7 @@ msgstr "" "propiedad\n" "usado por Dogtag Certificate System. No está soportado el formato XML.\n" "\n" @@ -2195,7 +2195,7 @@ index 46404dac9..a4aa0fed3 100644 "restricciones:\n" "\n" "- Cuando se importa un perfil el campo \"profileId\", si está presente, debe " -@@ -1964,7 +1964,7 @@ msgid "" +@@ -4988,7 +4988,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2204,7 +2204,7 @@ index 46404dac9..a4aa0fed3 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -1979,7 +1979,7 @@ msgid "" +@@ -5003,7 +5003,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" 
@@ -2213,7 +2213,7 @@ index 46404dac9..a4aa0fed3 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -1987,7 +1987,7 @@ msgid "" +@@ -5011,7 +5011,7 @@ msgid "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2222,7 +2222,7 @@ index 46404dac9..a4aa0fed3 100644 msgstr "" "\n" "Reglas Sudo\n" -@@ -2000,7 +2000,7 @@ msgstr "" +@@ -5024,7 +5024,7 @@ msgstr "" "auditoria de\n" " los comandos y sus argumentos.\n" "\n" @@ -2231,7 +2231,7 @@ index 46404dac9..a4aa0fed3 100644 " Users: Los usuario(s)/grupos(s) que tienen permitido llamar a Sudo.\n" " Hosts: Loshost(s)/grupo(s) de host a los que el usuario permite llamar a " "Sudo.\n" -@@ -2018,7 +2018,7 @@ msgstr "" +@@ -5042,7 +5042,7 @@ msgstr "" "será evaluada\n" "(si el cliente lo soporta). Este orden es un entero y debe ser único.\n" "\n" @@ -2240,7 +2240,7 @@ index 46404dac9..a4aa0fed3 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "Para habilitar el binddn ejecute el siguiente comando para fijar la " -@@ -2027,7 +2027,7 @@ msgstr "" +@@ -5051,7 +5051,7 @@ msgstr "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" 
@@ -2249,14 +2249,25 @@ index 46404dac9..a4aa0fed3 100644 msgid "" "\n" +@@ -12345,8 +12345,8 @@ msgstr "Variación del tiempo de autenticación TOTP (segundos)" + msgid "TOTP synchronization time variance (seconds)" + msgstr "Variación del tiempo de sincronización TOTP (segundos)" + +-msgid "TOTP token / FreeIPA server time difference" +-msgstr "Ficha TOTP / Diferencia de hora del servidor FreeIPA" ++msgid "TOTP token / IPA server time difference" ++msgstr "Ficha TOTP / Diferencia de hora del servidor IPA" + + msgid "Take a revoked certificate off hold." + msgstr "Tomar un certificado revocado de espera." -- -2.17.1 +2.21.0 -From df92542ae86b04a6f9d03eb93e41105a4cf7ea34 Mon Sep 17 00:00:00 2001 +From b61cae363c082c6ef850c00753cc2475b71093c0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 69/72] po/fr.po: Change branding to IPA and Identity +Subject: [PATCH 68/71] po/fr.po: Change branding to IPA and Identity Management --- @@ -2264,7 +2275,7 @@ Subject: [PATCH 69/72] po/fr.po: Change branding to IPA and Identity 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/po/fr.po b/po/fr.po -index 42cd3d25f..cd2ea9f9b 100644 +index 1a4389b..e124a64 100644 --- a/po/fr.po +++ b/po/fr.po @@ -2575,17 +2575,17 @@ msgstr "" @@ -2315,7 +2326,7 @@ index 42cd3d25f..cd2ea9f9b 100644 "\n" "- Lors de l'import d'un profil, le champ « profileId » s'il est présent " "doit\n" -@@ -15762,8 +15762,8 @@ msgstr "Durée de la fenêtre d'authentification TOTP (secondes)" +@@ -15663,8 +15663,8 @@ msgstr "Durée de la fenêtre d'authentification TOTP (secondes)" msgid "TOTP synchronization time variance (seconds)" msgstr "Variance temporelle de synchronisation TOTP (secondes)" 
@@ -2327,13 +2338,13 @@ index 42cd3d25f..cd2ea9f9b 100644 msgid "TSIG record" msgstr "Enregistrement TSIG" -- -2.17.1 +2.21.0 -From 60393752d8623d9b059c4133eb22499743826654 Mon Sep 17 00:00:00 2001 +From 1954de803b6616d885ef0f37530b78b8e6e5b490 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 70/72] po/ru.po: Change branding to IPA and Identity +Subject: [PATCH 69/71] po/ru.po: Change branding to IPA and Identity Management --- @@ -2341,10 +2352,10 @@ Subject: [PATCH 70/72] po/ru.po: Change branding to IPA and Identity 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/po/ru.po b/po/ru.po -index e97f2fb8a..8026b0c73 100644 +index 4bb68b8..560ead0 100644 --- a/po/ru.po +++ b/po/ru.po -@@ -5283,17 +5283,17 @@ msgstr "" +@@ -5310,17 +5310,17 @@ msgstr "" msgid "" "\n" @@ -2365,7 +2376,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -5305,7 +5305,7 @@ msgid "" +@@ -5332,7 +5332,7 @@ msgid "" " Options: The various Sudoers Options that can modify Sudo's behavior.\n" msgstr "" "\n" @@ -2374,7 +2385,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -8936,7 +8936,7 @@ msgid "" +@@ -8770,7 +8770,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" 
@@ -2383,7 +2394,7 @@ index e97f2fb8a..8026b0c73 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -8990,7 +8990,7 @@ msgstr "" +@@ -8824,7 +8824,7 @@ msgstr "" "свойств, который используется системой сертификации Dogtag Certificate " "System. Поддержка формата XML не предусмотрена.\n" "\n" @@ -2392,7 +2403,7 @@ index e97f2fb8a..8026b0c73 100644 "\n" "- При импорте профиля значение поля \"profileId\", если это поле имеется, " "должно совпадать с идентификатором, указанным в командной строке.\n" -@@ -9046,7 +9046,7 @@ msgid "" +@@ -8880,7 +8880,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2401,7 +2412,7 @@ index e97f2fb8a..8026b0c73 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -9102,7 +9102,7 @@ msgstr "" +@@ -8936,7 +8936,7 @@ msgstr "" "свойств, который используется системой сертификации Dogtag Certificate " "System. Поддержка формата XML не предусмотрена.\n" "\n" @@ -2410,7 +2421,7 @@ index e97f2fb8a..8026b0c73 100644 "\n" "- При импорте профиля значение поля \"profileId\", если это поле имеется, " "должно совпадать с идентификатором, указанным в командной строке.\n" -@@ -14373,7 +14373,7 @@ msgid "" +@@ -14207,7 +14207,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2419,7 +2430,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14388,7 +14388,7 @@ msgid "" +@@ -14222,7 +14222,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" 
@@ -2428,7 +2439,7 @@ index e97f2fb8a..8026b0c73 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14426,7 +14426,7 @@ msgstr "" +@@ -14260,7 +14260,7 @@ msgstr "" "пользователя \"root\" или другого пользователя, вместе с тем предоставляя " "журнал аудита команд и их аргументов.\n" "\n" @@ -2437,7 +2448,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -14447,7 +14447,7 @@ msgstr "" +@@ -14281,7 +14281,7 @@ msgstr "" "Порядок определяется числовым индексом (целое число), который не должен " "повторяться.\n" "\n" @@ -2446,7 +2457,7 @@ index e97f2fb8a..8026b0c73 100644 "Sudo:\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14488,7 +14488,7 @@ msgid "" +@@ -14322,7 +14322,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2455,7 +2466,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14503,7 +14503,7 @@ msgid "" +@@ -14337,7 +14337,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" @@ -2464,7 +2475,7 @@ index e97f2fb8a..8026b0c73 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14511,7 +14511,7 @@ msgid "" +@@ -14345,7 +14345,7 @@ msgid "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" 
@@ -2473,7 +2484,7 @@ index e97f2fb8a..8026b0c73 100644 msgstr "" "\n" "Правила Sudo\n" -@@ -14522,7 +14522,7 @@ msgstr "" +@@ -14356,7 +14356,7 @@ msgstr "" "пользователя \"root\" или другого пользователя, вместе с тем предоставляя " "журнал аудита команд и их аргументов.\n" "\n" @@ -2482,7 +2493,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -14543,7 +14543,7 @@ msgstr "" +@@ -14377,7 +14377,7 @@ msgstr "" "Порядок определяется числовым индексом (целое число), который не должен " "повторяться.\n" "\n" @@ -2491,7 +2502,7 @@ index e97f2fb8a..8026b0c73 100644 "Sudo:\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14552,7 +14552,7 @@ msgstr "" +@@ -14386,7 +14386,7 @@ msgstr "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2500,7 +2511,7 @@ index e97f2fb8a..8026b0c73 100644 msgid "" "\n" -@@ -27537,8 +27537,8 @@ msgstr "Отклонение по времени TOTP-аутентификаци +@@ -27661,8 +27661,8 @@ msgstr "Отклонение по времени TOTP-аутентификаци msgid "TOTP synchronization time variance (seconds)" msgstr "Отклонение по времени TOTP-синхронизации (в секундах)" @@ -2512,13 +2523,13 @@ index e97f2fb8a..8026b0c73 100644 msgid "TSIG record" msgstr "Запись TSIG" -- -2.17.1 +2.21.0 -From 3525520540f22c3a20077bdc65355dbd381fe69c Mon Sep 17 00:00:00 2001 +From ef68c0facb2efbef9a40d02ebb4d9bdc141d16db Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 71/72] po/uk.po: Change branding to IPA and Identity +Subject: [PATCH 70/71] po/uk.po: Change branding to IPA and Identity Management --- @@ -2526,10 +2537,10 @@ Subject: [PATCH 71/72] po/uk.po: Change branding to IPA and Identity 1 file changed, 20 insertions(+), 20 deletions(-) 
diff --git a/po/uk.po b/po/uk.po -index b24c0a7de..2cf7c0dc2 100644 +index 9845500..a1e7ce4 100644 --- a/po/uk.po +++ b/po/uk.po -@@ -5377,17 +5377,17 @@ msgstr "" +@@ -5403,17 +5403,17 @@ msgstr "" msgid "" "\n" @@ -2550,7 +2561,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -5399,7 +5399,7 @@ msgid "" +@@ -5425,7 +5425,7 @@ msgid "" " Options: The various Sudoers Options that can modify Sudo's behavior.\n" msgstr "" "\n" @@ -2559,7 +2570,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -9084,7 +9084,7 @@ msgid "" +@@ -8915,7 +8915,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2568,7 +2579,7 @@ index b24c0a7de..2cf7c0dc2 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -9138,7 +9138,7 @@ msgstr "" +@@ -8969,7 +8969,7 @@ msgstr "" "властивостей, що використовується системою сертифікації Dogtag.\n" "Підтримки формату XML не передбачено.\n" "\n" @@ -2577,7 +2588,7 @@ index b24c0a7de..2cf7c0dc2 100644 "\n" "- Під час імпортування профілю поле «profileId», якщо таке є, має\n" " містити значення, що збігається з ідентифікатором, вказаним у рядку " -@@ -9195,7 +9195,7 @@ msgid "" +@@ -9026,7 +9026,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" 
@@ -2586,7 +2597,7 @@ index b24c0a7de..2cf7c0dc2 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -9250,7 +9250,7 @@ msgstr "" +@@ -9081,7 +9081,7 @@ msgstr "" "властивостей, що використовується системою сертифікації Dogtag.\n" "Підтримки формату XML не передбачено.\n" "\n" @@ -2595,7 +2606,7 @@ index b24c0a7de..2cf7c0dc2 100644 "\n" "- Під час імпортування профілю поле «profileId», якщо таке є, має\n" " містити значення, що збігається з ідентифікатором, вказаним у рядку " -@@ -14520,7 +14520,7 @@ msgid "" +@@ -14469,7 +14469,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2604,7 +2615,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14535,7 +14535,7 @@ msgid "" +@@ -14484,7 +14484,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" @@ -2613,7 +2624,7 @@ index b24c0a7de..2cf7c0dc2 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14573,7 +14573,7 @@ msgstr "" +@@ -14522,7 +14522,7 @@ msgstr "" "користувача, зберігаючи водночас журнал виконання команд та\n" "аргументів.\n" "\n" @@ -2622,7 +2633,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -14591,7 +14591,7 @@ msgstr "" +@@ -14540,7 +14540,7 @@ msgstr "" "обробки записів (якщо такий порядок передбачено на клієнтському боці).\n" "Порядок визначається числовим індексом, який не повинен повторюватися.\n" "\n" 
@@ -2631,7 +2642,7 @@ index b24c0a7de..2cf7c0dc2 100644 "розташовано у\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14631,7 +14631,7 @@ msgid "" +@@ -14580,7 +14580,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2640,7 +2651,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14646,7 +14646,7 @@ msgid "" +@@ -14595,7 +14595,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" @@ -2649,7 +2660,7 @@ index b24c0a7de..2cf7c0dc2 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14654,7 +14654,7 @@ msgid "" +@@ -14603,7 +14603,7 @@ msgid "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2658,7 +2669,7 @@ index b24c0a7de..2cf7c0dc2 100644 msgstr "" "\n" "Правила sudo\n" -@@ -14665,7 +14665,7 @@ msgstr "" +@@ -14614,7 +14614,7 @@ msgstr "" "користувача, зберігаючи водночас журнал виконання команд та\n" "аргументів.\n" "\n" @@ -2667,7 +2678,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -14683,7 +14683,7 @@ msgstr "" +@@ -14632,7 +14632,7 @@ msgstr "" "обробки записів (якщо такий порядок передбачено на клієнтському боці).\n" "Порядок визначається числовим індексом, який не повинен повторюватися.\n" "\n" 
@@ -2676,7 +2687,7 @@ index b24c0a7de..2cf7c0dc2 100644 "розташовано у\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14692,7 +14692,7 @@ msgstr "" +@@ -14641,7 +14641,7 @@ msgstr "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2685,7 +2696,7 @@ index b24c0a7de..2cf7c0dc2 100644 msgid "" "\n" -@@ -27454,8 +27454,8 @@ msgstr "Відхилення часу розпізнавання TOTP (у сек +@@ -27982,8 +27982,8 @@ msgstr "Відхилення часу розпізнавання TOTP (у сек msgid "TOTP synchronization time variance (seconds)" msgstr "Відхилення часу синхронізації TOTP (у секундах)" @@ -2697,13 +2708,13 @@ index b24c0a7de..2cf7c0dc2 100644 msgid "TSIG record" msgstr "Запис TSIG" -- -2.17.1 +2.21.0 -From 4531df1333dc43484f2fab5ef0d601b2fe656cbb Mon Sep 17 00:00:00 2001 +From a1cb6d13c461f4d67c1efe7f1927e47de5619097 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 72/72] po/zh_CN.po: Change branding to IPA and Identity +Subject: [PATCH 71/71] po/zh_CN.po: Change branding to IPA and Identity Management --- @@ -2711,7 +2722,7 @@ Subject: [PATCH 72/72] po/zh_CN.po: Change branding to IPA and Identity 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/po/zh_CN.po b/po/zh_CN.po -index 594e52a77..18dcbb390 100644 +index 30e707d..e9eabce 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -298,7 +298,7 @@ msgstr "" @@ -2732,7 +2743,7 @@ index 594e52a77..18dcbb390 100644 " 用户:用户/用户组允许调用Sudo。\n" " 主机:主机/主机组上的用户允许调用Sudo。\n" " 允许的命令:指定命令允许通过Sudo来运行。\n" -@@ -10019,8 +10019,8 @@ msgstr "TOTP认证时间差异(秒)" +@@ -9928,8 +9928,8 @@ msgstr "TOTP认证时间差异(秒)" msgid "TOTP synchronization time variance (seconds)" msgstr "TOTP同步时间差异(秒)" @@ -2744,5 +2755,5 @@ index 594e52a77..18dcbb390 100644 msgid "TSIG record" msgstr "TSIG记录" -- -2.17.1 +2.21.0 diff --git a/SOURCES/9001-Update-ipa.css.patch b/SOURCES/9001-Update-ipa.css.patch deleted file mode 100644 index 8bd3498..0000000 
--- a/SOURCES/9001-Update-ipa.css.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a82e5eb637463755642f88fe94badff85d6e50e5 Mon Sep 17 00:00:00 2001 -From: Alain Reguera Delgado <areguera@centosproject.org> -Date: Sat, 23 Nov 2019 18:42:41 -0300 -Subject: [PATCH 9001/9003] Update ipa.css - -- Previously, the CentOS logos doesn't look the same width than CentOS - logos in cockpit ui. So, when you change between them, a visual - difference affects calls the attention (are we using two different - branding?). In order to make these visual transition from one app to - another consistent, changed the logo width to look the same both in - cockpit and ipa ui. ---- - install/ui/ipa.css | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/install/ui/ipa.css b/install/ui/ipa.css -index 2921f43..e56caeb 100644 ---- a/install/ui/ipa.css -+++ b/install/ui/ipa.css -@@ -559,3 +559,8 @@ table.scrollable tbody { - font-weight: bold; - font-size: 1.1em; - } -+ -+/* --- CentOS Logo on the top-right corner --- */ -+#badge img { -+ width: 225px; -+} --- -2.23.0 - diff --git a/SOURCES/9002-Update-login.less.patch b/SOURCES/9002-Update-login.less.patch deleted file mode 100644 index 3c8c3fd..0000000 --- a/SOURCES/9002-Update-login.less.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 25aecc3b5de468ac3c9d1cf80681f2b6625eb50b Mon Sep 17 00:00:00 2001 -From: Alain Reguera Delgado <areguera@centosproject.org> -Date: Sat, 23 Nov 2019 18:46:38 -0300 -Subject: [PATCH 9002/9003] Update login.less - ---- - install/ui/less/login.less | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/install/ui/less/login.less b/install/ui/less/login.less -index 8996560..4c39bec 100644 ---- a/install/ui/less/login.less -+++ b/install/ui/less/login.less -@@ -26,7 +26,7 @@ - - .login-pf-body { - height: 100%; -- background: @login-bg-color url("@{img-path}/@{img-bg-login}") repeat-x 50% 0; -+ background: @login-bg-color url("@{img-path}/@{img-bg-login}") no-repeat 100% 0; - background-size: auto; - color: #fff; - -@@ -50,10 +50,10 @@ - // 768px = @screen-sm-min) - @media (min-width: 768px) { - .login-pf-body { -- background-size: 100% auto; -+ background-size: auto; - } - } - - @media (max-height: 300px) { - .reset-login-pf-height; --} -\ No newline at end of file -+} --- -2.23.0 - diff --git a/SOURCES/9003-Update-variables.less.patch b/SOURCES/9003-Update-variables.less.patch deleted file mode 100644 index 795cd01..0000000 --- a/SOURCES/9003-Update-variables.less.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 8e4746d4b697302b9573dd6f8b2e28f12ca6669b Mon Sep 17 00:00:00 2001 -From: Alain Reguera Delgado <areguera@centosproject.org> -Date: Sat, 23 Nov 2019 18:46:47 -0300 -Subject: [PATCH 9003/9003] Update variables.less - ---- - install/ui/less/variables.less | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/install/ui/less/variables.less b/install/ui/less/variables.less -index 5a7a3ea..ca63d0c 100644 ---- a/install/ui/less/variables.less -+++ b/install/ui/less/variables.less -@@ -1,5 +1,5 @@ - // FreeIPA Less Variables - - @img-path: '../images'; --@img-bg-login: 'login-screen-background.jpg'; --@login-bg-color: #25292d; -\ No newline at end of file -+@img-bg-login: 'login-screen-background.png'; -+@login-bg-color: #101010; --- -2.23.0 - diff --git a/SOURCES/freeipa-4.8.0.tar.gz.asc b/SOURCES/freeipa-4.8.0.tar.gz.asc deleted file mode 100644 index 06b7f8e..0000000 --- a/SOURCES/freeipa-4.8.0.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl0cTrUACgkQRxniuKu/ -YhoehQ//YuCG+Rq2wbkSDiooP8/0K5HvO/atz4Ke8iaKsOKS8gdmaJTyMnsOOoTc -hlx925TIOc4/Xp1+qeIn7T8xZp3rYtGcMcxIyKlUrHCU1Jxc07zf+ZlSwCZTCjLU -YGAh9ReC9+//1oJqnr/C+Rp3veZbYn3DIG261GMqOlHCUfF91hF78XctzklcZNpV -D38a+gfXdWivejezA/GWyiY3foIcLI98zpBd2v0PXEzaKO2BqrVlOl2nDC7BGapS -PvpB4GPwuwo8qxASFbu8I6uxyp2oDZtrM/Tb1HM31cuslieH5p/XRwJ8zoewHvgo -jSKXfcBHmRvjMjSL07R3b7JjZ+1jmj/C5VNXQcPfp2qdhDhmywDArfC3uIBJ2otx -oxKbtAhAzeGIaoyfgjrxk0ZOubnIbmk/M8nan2F9ChJV/NoKVjDVAfUDDM2h6wXg -IRBg6uIOkJAKuOr7i0zaxBkBi/8NpUE214JvJnNfWa1gpoYu1S5tzuja6dSeteRM -JTPPzpkKD2sgK/laRmZQo2si1qFOGEYnLTO0dWJV4/ScZCCy9+rCQ0C6NwKYC7xy -8c1Juu/YqJF/14VbYAWQIABIK/0z0TiVI0r0v75rzSFpMiThrgC6wXo1zFEADiK0 -GSoYwkcygn0ne21jQxLizGAPRYvdQ5RkpiE2/J4nVSTyuSM/cM4= -=Q29c ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.8.4.tar.gz.asc b/SOURCES/freeipa-4.8.4.tar.gz.asc new file mode 100644 index 0000000..6160d78 --- /dev/null 
+++ b/SOURCES/freeipa-4.8.4.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl302dsACgkQRxniuKu/ +Yhrd0RAAvUv30O5rSlww30kxqV3oQb5CIJYSGb/jpWMAhj1Nr+1Ye1P3rCyJLP4R ++fVu23bgIywv8qkWPZdQxohkYCuiTZa8ogl3gXWJDRCp5f5oKWALzwU+Zlu8HlVj +z8UAOFXEO1fYwvwpOPdr+gGiTS5pLq39EIBZSVjvuviXR0adwVcVvw0R2YXYmiLE +x5uaM289YQ4hKY/V0rgqNn0nYiogFcFvSlhkM9oi4+JiKypocPqKTjM4n8EcdXv4 +rSJ6Zv6FgnyoREBITCZjKaTn8OTkhqhhzMOgMzWr8QSmNl44UKA9aq5ZIEJgEnMR +N3vW6Br1f4TDJ3JyWeMoizQcNeTFyuoxN9HhGpvDotx+6g+j2yNfAK7ZZAtjULhm +m13zb1svCbGtvRxB8QfIQe62l3drooimWRf5o9fgPVU0MIxgL7x7AulxrZekik6J +NdwXiz75SKfbFZZWVdf9FjJkaBZ3CpJMJnDQiQyCs+xBWOpXYGYkz9a1NRoFgCdC +y8bY9ErfzhLdcgjbZ3EE24FkWMBeUdW+BC4AYSChZlqUZ9CMTQIdyqPVSG/u5sc9 +2Rn1YasAfu0P3DJgRCI0BUcxkxFet5M8hfB0iuLE4OJTKnyhmmOUKmO2wUSw0QIr +ogzzN9DF84wwXD1P4X6WFEzOOthCdLPUHyDo3u5fVIy4QWZZDlQ= +=TTzs +-----END PGP SIGNATURE----- diff --git a/SOURCES/system-logo-icon.png b/SOURCES/system-logo-icon.png deleted file mode 100644 index 6961083..0000000 Binary files a/SOURCES/system-logo-icon.png and /dev/null differ diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 93466ef..c06210a 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec 
@@ -55,19 +55,20 @@ %if 0%{?rhel} %global package_name ipa %global alt_name freeipa -%global krb5_version 1.17-7 +%global krb5_version 1.17-12 %global krb5_kdb_version 7.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 -%global python_netaddr_version 0.7.16 +%global python_netaddr_version 0.7.19 # Require 4.7.0 which brings Python 3 bindings -%global samba_version 4.7.0 -%global selinux_policy_version 3.14.1-14 +%global samba_version 4.11.2-11 +# Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files +%global selinux_policy_version 3.14.3-24 %global slapi_nis_version 0.56.1-4 %global python_ldap_version 3.1.0-1 # python3-lib389 # Fix for "Installation fails: Replica Busy" # https://pagure.io/389-ds-base/issue/49818 -%global ds_version 1.4.0.16 +%global ds_version 1.4.2.4-6 %else # Fedora @@ -101,7 +102,7 @@ # 10.6.7 fixes UpdateNumberRange clone installation issue # https://pagure.io/freeipa/issue/7654 and empty token issue # and https://pagure.io/dogtagpki/issue/3073 -%global pki_version 10.7.1-2 +%global pki_version 10.8.0 # https://pagure.io/certmonger/issue/90 %global certmonger_version 0.79.7-3 @@ -111,10 +112,10 @@ %if 0%{?fedora} == 28 %global nss_version 3.41.0-3 %else -%global nss_version 3.41.0-1 +%global nss_version 3.44.0-4 %endif -%global sssd_version 2.2.0-1 +%global sssd_version 2.2.3-11 %global kdcproxy_version 0.4-3 
@@ -126,16 +127,16 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.8.0 +%define IPA_VERSION 4.8.4 %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" - %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser + %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser %endif Name: %{package_name} Version: %{IPA_VERSION} -Release: 13%{?dist} +Release: 7%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
@@ -150,31 +151,18 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as # RHEL spec file only: END: Change branding to IPA and Identity Management # RHEL spec file only: START -Patch0001: 0001-No-need-to-call-rhel-specific-domainname-service.patch -Patch0002: 0002-Fix-test_webui.test_selinuxusermap.patch -Patch0003: 0003-Remove-posixAccount-from-service_find-search-filter-2f9cbff_rhbz#1731437.patch -Patch0004: 0004-Repeated-uninstallation-of-ipa-client-samba-crashes_rhbz#1732529.patch -Patch0005: 0005-WebUI-Add-PKINIT-status-field-to-Configuration-page-a46383f_rhbz#1518153.patch -Patch0006: 0006-external-ca-profile-fix_rhbz#1731813.patch -Patch0007: 0007-Allow-insecure-binds-for-migration-8e207fd3_rhbz#1731963.patch -Patch0008: 0008-install-Add-missing-scripts-to-app_DATA_rhbz#1741170.patch -Patch0009: 0009-extdom-unify-error-code-handling-especially-LDAP_NO_SUCH_OBJECT_rhbz#1741530.patch -Patch0010: 0010-Fix-automount-behavior-with-authselect_rhbz#1740167.patch -Patch0011: 0011-adtrust-avoid-using-timestamp-in-klist-output_ed1c1626-rhbz#1750242.patch -Patch0012: 0012-add-default-access-control-configuration-to-trusted-domain-objects_rhbz#1751707.patch -Patch0013: 0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch -Patch0014: 0014-CVE-2019-10195-and-CVE-2019-14867.patch +Patch0001: 0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch +Patch0002: 0002-krbtktpolicy-reset.patch +Patch0003: 0003-adtrust-print-DNS-records-for-external-DNS-case-after-role-is-enabled_936e27f_rhbz#1665051.patch +Patch0004: 0004-AD-user-without-override-receive-InternalServerError-with-API_4db18be_rhbz#1782572.patch +Patch0005: 0005-ipa-client-automount-fails-after-repeated-installation-uninstallation_rhbz#1790886.patch +Patch0006: 0006-install-updates-move-external-members-past-schema-compat-update_14dbf04_rhbz#1803165.patch +Patch0007: 
0007-kdb-make-sure-audit_as_req-callback-signature-change-is-preserved_rhbz#1803786.patch +Patch0008: 0008-Allow-an-empty-cookie-in-dogtag-ipa-ca-renew-agent-submit_3d7d58d_rhbz#1790663.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-4.8.0-Remove-csrgen.patch # RHEL spec file only: END -# CentOS spec file only: START -Source9001: system-logo-icon.png -Patch9001: 9001-Update-ipa.css.patch -Patch9002: 9002-Update-login.less.patch -Patch9003: 9003-Update-variables.less.patch -# CentOS spec file only: END - # For the timestamp trick in patch application BuildRequires: diffstat @@ -183,7 +171,7 @@ BuildRequires: openldap-devel # will cause the build to fail due to unsatisfied dependencies. # DAL version change may cause code crash or memory leaks, it is better to fail early. BuildRequires: krb5-kdb-version = %{krb5_kdb_version} -BuildRequires: krb5-devel >= %{krb5_version} +BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version} # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel @@ -328,7 +316,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: python3-ldap >= %{python_ldap_version} Requires: 389-ds-base >= %{ds_version} -Requires: openldap-clients > 2.4.35-4 +Requires: openldap-clients >= 2.4.46-11 Requires: nss >= %{nss_version} Requires: nss-tools >= %{nss_version} Requires(post): krb5-server >= %{krb5_version} @@ -462,7 +450,7 @@ If you are installing an IPA server, you need to install this package. Summary: IPA integrated DNS server with support for automatic DNSSEC signing BuildArch: noarch Requires: %{name}-server = %{version}-%{release} -Requires: bind-dyndb-ldap >= 11.0-2 +Requires: bind-dyndb-ldap >= 11.2-2 Requires: bind >= 9.11.0-6.P2 Requires: bind-utils >= 9.11.0-6.P2 Requires: bind-pkcs11 >= 9.11.0-6.P2 
@@ -801,8 +789,7 @@ export PYTHON=%{__python3} %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} # run build in default dir # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 @@ -1026,11 +1013,17 @@ if [ $1 -gt 1 ] ; then cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem fi + + %{python} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 fi if [ $restore -ge 2 ]; then %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi + + if [ $restore -ge 2 ]; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config + fi fi @@ -1189,6 +1182,7 @@ fi %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template +%{_usr}/share/ipa/bind.ipa-ext.conf %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template @@ -1235,6 +1229,7 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt +%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con 
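Review bot: The output of the added `configure_krb5_snippet()` call in the `@@ -1026,11 +1013,17 @@` hunk is appended to `/var/log/ipaupgrade.log` with `>>`, but the unchanged `update_ipa_nssdb()` call a few lines later still redirects with `>`, so whenever both run in the same upgrade the first command's output, including any traceback, is truncated away. Changing the later redirect to `>>/var/log/ipaupgrade.log 2>&1` keeps both. The added `sed -E --in-place=.orig` on `/etc/ssh/ssh_config` also rewrites `ssh_config.orig` each time that branch runs (GNU sed writes the backup whether or not a line matched), so after a second upgrade the backup no longer holds the pre-change file; guarding it with `grep -Eq '^HostKeyAlgorithms ssh-rsa,ssh-dss$' /etc/ssh/ssh_config &&` would avoid that. The scriptlet starts and ends outside the hunk, so the nesting of the `if` blocks is inferred.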
@@ -1403,24 +1398,92 @@ fi %changelog -* Tue Dec 17 2019 CentOS Sources <bugs@centos.org> - 4.8.0-13.el8.centos -- Apply debranding changes - -* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-13 +* Wed Mar 18 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-7 +- Update dependencies for openldap-client + Resolves: RHBZ#1781799 + +* Mon Feb 17 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-6 +- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit + Resolves: RHBZ#1790663 + +* Mon Feb 17 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-5 +- Fixed weekday in 4.8.4-2 changelog date + Related: RHBZ#1784003 +- adtrust: print DNS records for external DNS case after role is enabled + Resolves: RHBZ#1665051 +- AD user without override receive InternalServerError with API + Resolves: RHBZ#1782572 +- ipa-client-automount fails after repeated installation/uninstallation + Resolves: RHBZ#1790886 +- install/updates: move external members past schema compat update + Resolves: RHBZ#1803165 +- kdb: make sure audit_as_req callback signature change is preserved + Resolves: RHBZ#1803786 + +* Wed Jan 29 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-4 +- Update dependencies for samba, 389-ds and sssd + Resolves: RHBZ#1792848 + +* Fri Jan 17 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-3 +- Depend on krb5-kdb-version-devel for BuildRequires +- Update nss dependency to 3.44.0-4 +- Reset per-indicator Kebreros policy + Resolves: RHBZ#1784761 + +* Sat Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-2 +- DNS install check: Fix overlapping DNS zone from the master itself + Resolves: RHBZ#1784003 + +* Sat Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-1 +- Rebase to upstream release 4.8.4 + - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 + Resolves: RHBZ#1782658 + Resolves: RHBZ#1782169 + Resolves: RHBZ#1783046 + Related: RHBZ#1748987 + +* Mon Dec 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-3 +- Fix 
otptoken_sync plugin + Resolves: RHBZ#1777811 + +* Mon Dec 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-2 +- Use default crypto policy for TLS and enable TLS 1.3 support + Resolves: RHBZ#1777809 +- Covscan fixes + Resolves: RHBZ#1777920 +- Change pki_version to 10.8.0 + Related: RHBZ#1748987 + +* Thu Nov 28 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1 +- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) + Resolves: RHBZ#1767304 + Resolves: RHBZ#1776939 +- Support KDC ticket policies for authentication indicators + Resolves: RHBZ#1777564 + +* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.2-4 - CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() - Resolves: RHBZ#1767303 + Resolves: RHBZ#1767304 - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch - Resolves: RHBZ#1728125 + Resolves: RHBZ#1776939 -* Thu Nov 21 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-12 +* Fri Nov 22 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-3 +- Use default ssh host key algorithms + Resolves: RHBZ#1756432 - Do not run trust upgrade code if master lacks Samba bindings - Resolves: RHBZ#1773516 - -* Mon Sep 23 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-11 -- Adtrust: avoid using timestamp in klist output - Resolves: RHBZ#1750242 -- Add default access control configuration to trusted domain objects - Resolves: RHBZ#1751707 + Resolves: RHBZ#1757064 +- Finish group membership management UI + Resolves: RHBZ#1773528 + +* Mon Nov 18 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-2 +- Update dependency for bind-dndb-ldap to 11.2-2 + Related: RHBZ#1762813 + +* Thu Nov 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-1 +- Rebase to upstream release 4.8.2 + - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 + - Updated branding patch + Resolves: RHBZ#1748987 * Thu Aug 29 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-10 - Fix automount behavior with 
authselect