diff --git a/SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch b/SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch
new file mode 100644
index 0000000..2402c56
--- /dev/null
+++ b/SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch
@@ -0,0 +1,145 @@
+From d9d27cae99fe6f71daf250bfff71ee406fa3d23c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 16 Dec 2015 12:38:16 +0100
+Subject: [PATCH] ipa-kdb: map_groups() consider all results
+
+Resolves https://fedorahosted.org/freeipa/ticket/5573
+
+Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 108 +++++++++++++++++++++-------------------
+ 1 file changed, 56 insertions(+), 52 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 3c0dca839314273ae309b3b65ec7cf103e9c6da7..de40a145210c36ea0d35e0cc491fe9d3d76efea0 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1082,68 +1082,72 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext,
+             continue;
+         }
+ 
+-        ldap_derefresponse_free(deref_results);
+-        ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
+-        switch (ret) {
+-            case ENOENT:
+-                /* No entry found, try next SID */
+-                break;
+-            case 0:
+-                if (deref_results == NULL) {
+-                    krb5_klog_syslog(LOG_ERR, "No results.");
++        do {
++            ldap_derefresponse_free(deref_results);
++            ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
++            switch (ret) {
++                case ENOENT:
++                    /* No entry found, try next SID */
+                     break;
+-                }
++                case 0:
++                    if (deref_results == NULL) {
++                        krb5_klog_syslog(LOG_ERR, "No results.");
++                        break;
++                    }
+ 
+-                for (dres = deref_results; dres; dres = dres->next) {
+-                    count++;
+-                }
++                    for (dres = deref_results; dres; dres = dres->next) {
++                        count++;
++                    }
+ 
+-                sids = talloc_realloc(memctx, sids, struct dom_sid, count);
+-                if (sids == NULL) {
+-                    krb5_klog_syslog(LOG_ERR, "talloc_realloc failed.");
+-                    kerr = ENOMEM;
+-                    goto done;
+-                }
++                    sids = talloc_realloc(memctx, sids, struct dom_sid, count);
++                    if (sids == NULL) {
++                        krb5_klog_syslog(LOG_ERR, "talloc_realloc failed.");
++                        kerr = ENOMEM;
++                        goto done;
++                    }
+ 
+-                for (dres = deref_results; dres; dres = dres->next) {
+-                    gid = 0;
+-                    memset(&sid, '\0', sizeof(struct dom_sid));
+-                    for (dval = dres->attrVals; dval; dval = dval->next) {
+-                        if (strcasecmp(dval->type, "gidNumber") == 0) {
+-                            errno = 0;
+-                            gid = strtoul((char *)dval->vals[0].bv_val,
+-                                          &endptr,10);
+-                            if (gid == 0 || gid >= UINT32_MAX || errno != 0 ||
+-                                *endptr != '\0') {
+-                                continue;
++                    for (dres = deref_results; dres; dres = dres->next) {
++                        gid = 0;
++                        memset(&sid, '\0', sizeof(struct dom_sid));
++                        for (dval = dres->attrVals; dval; dval = dval->next) {
++                            if (strcasecmp(dval->type, "gidNumber") == 0) {
++                                errno = 0;
++                                gid = strtoul((char *)dval->vals[0].bv_val,
++                                              &endptr,10);
++                                if (gid == 0 || gid >= UINT32_MAX || errno != 0 ||
++                                    *endptr != '\0') {
++                                    continue;
++                                }
+                             }
+-                        }
+-                        if (strcasecmp(dval->type,
+-                                       "ipaNTSecurityIdentifier") == 0) {
+-                            kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid);
+-                            if (kerr != 0) {
+-                                continue;
++                            if (strcasecmp(dval->type,
++                                           "ipaNTSecurityIdentifier") == 0) {
++                                kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid);
++                                if (kerr != 0) {
++                                    continue;
++                                }
+                             }
+                         }
+-                    }
+-                    if (gid != 0 && sid.sid_rev_num != 0) {
+-                    /* TODO: check if gid maps to sid */
+-                        if (sid_index >= count) {
+-                            krb5_klog_syslog(LOG_ERR, "Index larger than "
+-                                                      "array, this shoould "
+-                                                      "never happen.");
+-                            kerr = EFAULT;
+-                            goto done;
++                        if (gid != 0 && sid.sid_rev_num != 0) {
++                        /* TODO: check if gid maps to sid */
++                            if (sid_index >= count) {
++                                krb5_klog_syslog(LOG_ERR, "Index larger than "
++                                                          "array, this shoould "
++                                                          "never happen.");
++                                kerr = EFAULT;
++                                goto done;
++                            }
++                            memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid));
++                            sid_index++;
+                         }
+-                        memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid));
+-                        sid_index++;
+                     }
+-                }
+ 
+-                break;
+-            default:
+-                goto done;
+-        }
++                    break;
++                default:
++                    goto done;
++            }
++
++            lentry = ldap_next_entry(ipactx->lcontext, lentry);
++        } while (lentry != NULL);
+     }
+ 
+     *_ipa_group_sids_count = sid_index;
+-- 
+2.7.1
+
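Review bot: A gidNumber that fails the strtoul() checks is skipped with `continue` but `gid` keeps the rejected value (ULONG_MAX on ERANGE, or anything >= UINT32_MAX), so the later `gid != 0 && sid.sid_rev_num != 0` test still accepts that entry; the check is carried unchanged into the new do/while body, and writing `gid = 0; continue;` in that branch would make the rejection effective. The new loop's `default: goto done;` branch also leaves `kerr` at whatever an earlier iteration stored instead of reflecting `ret`, so an LDAP failure on a later entry can be reported as success if `kerr` is still 0 at that point — worth checking against the `done:` label, which lies outside the hunk, as does the start of map_groups(). The error text `"array, this shoould never happen."` carries a typo (`should`).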
diff --git a/SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch b/SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch
new file mode 100644
index 0000000..9941c4a
--- /dev/null
+++ b/SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch
@@ -0,0 +1,44 @@
+From 3d13e08deee3586635e583c1d5ac8c722530ac2f Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Wed, 15 Jul 2015 14:15:49 +0200
+Subject: [PATCH] ipa-ca-install: print more specific errors when CA is already
+ installed
+
+This patch implements a more thorough checking for already installed CAs
+during standalone CA installation using ipa-ca-install. The installer now
+differentiates between CA that is already installed locally and CA installed
+on one or more masters in topology and prints an appropriate error message.
+
+https://fedorahosted.org/freeipa/ticket/4492
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaserver/install/ca.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index 0de992cb0c15f8161aae4937699baae2a94d305a..84cbf423246534259cd6b7a8cca25caa16e5594f 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -45,8 +45,16 @@ def install_check(standalone, replica_config, options):
+ 
+         return
+ 
+-    if standalone and api.Command.ca_is_enabled()['result']:
+-        sys.exit("CA is already installed.\n")
++    if standalone:
++        if cainstance.is_ca_installed_locally():
++            sys.exit("CA is already installed on this host.")
++        elif api.Command.ca_is_enabled()['result']:
++            sys.exit(
++                "One or more CA masters are already present in IPA realm "
++                "'%s'.\nIf you wish to replicate CA to this host, please "
++                "re-run 'ipa-ca-install'\nwith a replica file generated on "
++                "an existing CA master as argument." % realm_name
++            )
+ 
+     if options.external_cert_files:
+         if not cainstance.is_step_one_done():
+-- 
+2.5.0
+
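Review bot: `realm_name` in the new error message is not defined anywhere visible in install_check(standalone, replica_config, options), whose signature carries no such name, so unless it is a module-level global (the rest of ca.py is outside the hunk) this branch raises NameError instead of printing the intended message. `api` is already used on the preceding line, so `% api.env.realm` would remove the dependency on an unseen name. The replaced message ended with `"\n"` while the new local-CA message does not; pick one convention for the sys.exit() strings in this function.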
diff --git a/SOURCES/0183-installer-Propagate-option-values-from-components-in.patch b/SOURCES/0183-installer-Propagate-option-values-from-components-in.patch
new file mode 100644
index 0000000..02b9eaf
--- /dev/null
+++ b/SOURCES/0183-installer-Propagate-option-values-from-components-in.patch
@@ -0,0 +1,132 @@
+From 95447911535974731a931b1d758f6cfd985c1e59 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Wed, 16 Dec 2015 12:43:13 +0000
+Subject: [PATCH] installer: Propagate option values from components instead of
+ copying them.
+
+https://fedorahosted.org/freeipa/ticket/5556
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipapython/install/core.py                  | 21 ++++++++++++++++++---
+ ipaserver/install/server/install.py        | 25 -------------------------
+ ipaserver/install/server/replicainstall.py | 12 +-----------
+ 3 files changed, 19 insertions(+), 39 deletions(-)
+
+diff --git a/ipapython/install/core.py b/ipapython/install/core.py
+index 91ae854cdb2a8846e2a2673a5bfe54b4f75f3823..3bb13267326b8cf1f22bb34dcf1e03402479446e 100644
+--- a/ipapython/install/core.py
++++ b/ipapython/install/core.py
+@@ -484,6 +484,21 @@ class Composite(Configurable):
+         for comp_cls in result:
+             yield comp_cls.__outer_class__, comp_cls.__outer_name__
+ 
++    def __getattr__(self, name):
++        for owner_cls, knob_name in self.knobs():
++            if knob_name == name:
++                break
++        else:
++            raise AttributeError(name)
++
++        for component in self.__components:
++            if isinstance(component, owner_cls):
++                break
++        else:
++            raise AttributeError(name)
++
++        return getattr(component, name)
++
+     def _reset(self):
+         self.__components = list(self._get_components())
+ 
+@@ -501,8 +516,7 @@ class Composite(Configurable):
+                 try:
+                     validator.next()
+                 except StopIteration:
+-                    if child.done():
+-                        self.__components.remove(child)
++                    pass
+                 else:
+                     new_validate.append((child, validator))
+             if not new_validate:
+@@ -516,7 +530,8 @@ class Composite(Configurable):
+ 
+         yield from_(super(Composite, self)._configure())
+ 
+-        execute = [(c, c._executor()) for c in self.__components]
++        execute = [(c, c._executor()) for c in self.__components
++            if not c.done()]
+         while True:
+             new_execute = []
+             for child, executor in execute:
+diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
+index 9d7036a7786a35e6aa2429254d62c8afb30970db..71992db0d39e1969649587486031a8fb1a03419d 100644
+--- a/ipaserver/install/server/install.py
++++ b/ipaserver/install/server/install.py
+@@ -1592,35 +1592,10 @@ class Server(common.Installable, common.Interactive, core.Composite):
+ 
+         self.setup_ca = False
+         self.setup_kra = False
+-        self.external_ca = self.ca.external_ca
+-        self.external_ca_type = self.ca.external_ca_type
+-        self.external_cert_files = self.ca.external_cert_files
+-        self.no_pkinit = self.ca.no_pkinit
+-        self.dirsrv_cert_files = self.ca.dirsrv_cert_files
+-        self.http_cert_files = self.ca.http_cert_files
+-        self.pkinit_cert_files = self.ca.pkinit_cert_files
+-        self.dirsrv_pin = self.ca.dirsrv_pin
+-        self.http_pin = self.ca.http_pin
+-        self.pkinit_pin = self.ca.pkinit_pin
+-        self.dirsrv_cert_name = self.ca.dirsrv_cert_name
+-        self.http_cert_name = self.ca.http_cert_name
+-        self.pkinit_cert_name = self.ca.pkinit_cert_name
+-        self.ca_cert_files = self.ca.ca_cert_files
+-        self.subject = self.ca.subject
+-        self.ca_signing_algorithm = self.ca.ca_signing_algorithm
+-        self.setup_dns = self.dns.setup_dns
+-        self.forwarders = self.dns.forwarders
+-        self.no_forwarders = self.dns.no_forwarders
+-        self.reverse_zones = self.dns.reverse_zones
+-        self.no_reverse = self.dns.no_reverse
+-        self.no_dnssec_validation = self.dns.no_dnssec_validation
+         self.dnssec_master = False
+         self.disable_dnssec_master = False
+         self.kasp_db_file = None
+         self.force = False
+-        self.zonemgr = self.dns.zonemgr
+-        self.no_host_dns = self.dns.no_host_dns
+-        self.no_dns_sshfp = self.dns.no_dns_sshfp
+ 
+         self.unattended = not self.interactive
+ 
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..a5d4a77f3daa8110ad0be064085b12b20da853cf 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -847,22 +847,12 @@ class Replica(common.Installable, common.Interactive, core.Composite):
+ 
+         self.external_ca = False
+         self.external_cert_files = None
+-        self.no_pkinit = self.ca.no_pkinit
+-        self.skip_schema_check = self.ca.skip_schema_check
+-
+-        self.setup_dns = self.dns.setup_dns
+-        self.forwarders = self.dns.forwarders
+-        self.no_forwarders = self.dns.no_forwarders
+-        self.reverse_zones = self.dns.reverse_zones
+-        self.no_reverse = self.dns.no_reverse
+-        self.no_dnssec_validation = self.dns.no_dnssec_validation
++
+         self.dnssec_master = False
+         self.disable_dnssec_master = False
+         self.kasp_db_file = None
+         self.force = False
+         self.zonemgr = None
+-        self.no_host_dns = self.dns.no_host_dns
+-        self.no_dns_sshfp = self.dns.no_dns_sshfp
+ 
+         self.unattended = not self.interactive
+ 
+-- 
+2.5.0
+
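Review bot: The new Composite.__getattr__ reads `self.__components`, and if that attribute has not been set yet (it is only assigned in `_reset`, which the hunk shows) Python re-enters `__getattr__` for the mangled name `_Composite__components`, which again reads `self.__components` — unbounded recursion instead of an AttributeError for any attribute looked up before `_reset` runs. Guard the lookup with the instance dict so the fallback stays safe: `components = self.__dict__.get('_Composite__components')` / `if components is None: raise AttributeError(name)` and iterate over `components` in the second loop. A one-line docstring stating that unknown attributes are forwarded to the first component whose class owns a knob of that name would also help, since the install.py and replicainstall.py hunks now rely on this forwarding after deleting their explicit copies.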
diff --git a/SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch b/SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch
new file mode 100644
index 0000000..ef50523
--- /dev/null
+++ b/SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch
@@ -0,0 +1,44 @@
+From 71809fb6071a86156f881e20d4845cbd47606862 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Wed, 16 Dec 2015 12:45:24 +0000
+Subject: [PATCH] installer: Fix logic of reading option values from cache.
+
+Only options explicitly set must be stored before installer exits first step
+of external CA setup. When installer continues all stored option values must
+be restored.
+
+https://fedorahosted.org/freeipa/ticket/5556
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/server/install.py | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
+index 71992db0d39e1969649587486031a8fb1a03419d..01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd 100644
+--- a/ipaserver/install/server/install.py
++++ b/ipaserver/install/server/install.py
+@@ -343,9 +343,7 @@ def install_check(installer):
+             sys.exit("Directory Manager password required")
+         try:
+             cache_vars = read_cache(dm_password)
+-            for name, value in cache_vars.iteritems():
+-                if name not in options.__dict__:
+-                    options.__dict__[name] = value
++            options.__dict__.update(cache_vars)
+             if cache_vars.get('external_ca', False):
+                 options.external_ca = False
+                 options.interactive = False
+@@ -767,7 +765,8 @@ def install(installer):
+             options.host_name = host_name
+             options.forwarders = dns.dns_forwarders
+             options.reverse_zones = dns.reverse_zones
+-            cache_vars = {n: getattr(options, n) for o, n in installer.knobs()}
++            cache_vars = {n: options.__dict__[n] for o, n in installer.knobs()
++                          if n in options.__dict__}
+             write_cache(cache_vars)
+ 
+         ca.install_step_0(False, None, options)
+-- 
+2.5.0
+
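Review bot: The switch from "fill only missing names" to `options.__dict__.update(cache_vars)` means values from the step-one cache now silently override whatever was passed on the command line of the second invocation, and nothing at the call site says this is intentional. A comment such as `# Cached values from step one take precedence over this invocation's options; the second step must reproduce the first step's configuration.` would keep the next maintainer from "fixing" it back. On the write side the dict is now filtered to knob names found in `options.__dict__`; the read side applies no such filter, so a cache written by an older version with extra keys is applied verbatim — hedged, since read_cache() is outside the hunk.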
diff --git a/SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch b/SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch
new file mode 100644
index 0000000..d9aa1d0
--- /dev/null
+++ b/SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch
@@ -0,0 +1,47 @@
+From 303e3aea45c310e8a2508ac540264520d5d3eda4 Mon Sep 17 00:00:00 2001
+From: Abhijeet Kasurde <akasurde@redhat.com>
+Date: Mon, 28 Dec 2015 12:33:11 +0530
+Subject: [PATCH] Fixed login error message box in LoginScreen page
+
+Fix added for showing error message returned from server to client
+browser. User is now notified with proper error messages returned by
+server.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1293870
+
+Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
+Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
+---
+ install/ui/src/freeipa/widgets/LoginScreen.js | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
+index eb95b9161f05eeac1ec9aed286c9730dada85d59..2c778b50cfb10bfa8eef25c5456c6ce913e02695 100644
+--- a/install/ui/src/freeipa/widgets/LoginScreen.js
++++ b/install/ui/src/freeipa/widgets/LoginScreen.js
+@@ -272,12 +272,12 @@ define(['dojo/_base/declare',
+                 }
+                 this.set('view', 'login');
+             } else {
++                otp_f.set_value('');
++                new_f.set_value('');
++                ver_f.set_value('');
+                 val_summary.add_error('login', result.message);
+             }
+ 
+-            otp_f.set_value('');
+-            new_f.set_value('');
+-            ver_f.set_value('');
+         },
+ 
+         refresh: function() {
+@@ -426,4 +426,4 @@ define(['dojo/_base/declare',
+     ];
+ 
+     return LoginScreen;
+-});
+\ No newline at end of file
++});
+-- 
+2.5.0
+
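Review bot: After the move, the OTP, new-password and verify fields are cleared only in the error branch; on the success path (whose `if` begins above the hunk) `this.set('view', 'login')` runs with those three values still held in the widgets. Clearing sensitive input on both outcomes is the safer default, so keep the three `set_value('')` calls in the success branch too (before `this.set('view', 'login')`), while leaving them ahead of `val_summary.add_error(...)` in the else branch so the message is not wiped. A short comment on the else branch, e.g. `// clear fields before add_error so the reset does not discard the message`, would record why the order matters, since that appears to be the bug being fixed.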
diff --git a/SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch b/SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch
new file mode 100644
index 0000000..3cebd4e
--- /dev/null
+++ b/SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch
@@ -0,0 +1,79 @@
+From 8d651ef5a00c418138c355aa95259246090705b7 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Thu, 21 Jan 2016 08:58:56 +0100
+Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
+ renewal
+
+Import all external CA certs to the Dogtag NSS database on IPA CA cert
+renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
+party server cert after ipa-certupdate.
+
+https://fedorahosted.org/freeipa/ticket/5595
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ install/restart_scripts/renew_ca_cert | 28 +++++++++-------------------
+ 1 file changed, 9 insertions(+), 19 deletions(-)
+
+diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
+index 86f5765b7d8bbeafd5379831020a952a7aa6db41..92dc0e6685f61f34bd6df941ef63ac138ad7965b 100644
+--- a/install/restart_scripts/renew_ca_cert
++++ b/install/restart_scripts/renew_ca_cert
+@@ -28,7 +28,6 @@ import shutil
+ import traceback
+ 
+ from ipapython import dogtag, ipautil
+-from ipapython.dn import DN
+ from ipalib import api, errors, x509, certstore
+ from ipaserver.install import certs, cainstance, installutils
+ from ipaserver.plugins.ldap2 import ldap2
+@@ -158,11 +157,9 @@ def _main():
+                             "Updating CA certificate failed: %s" % e)
+ 
+                 # Add external CA certificates
+-                ca_issuer = str(x509.get_issuer(cert, x509.DER))
+                 try:
+-                    ca_certs = certstore.get_ca_certs(
+-                        conn, api.env.basedn, api.env.realm, False,
+-                        filter_subject=ca_issuer)
++                    ca_certs = certstore.get_ca_certs_nss(
++                        conn, api.env.basedn, api.env.realm, False)
+                 except Exception, e:
+                     syslog.syslog(
+                         syslog.LOG_ERR,
+@@ -170,25 +167,18 @@ def _main():
+                         "%s" % e)
+                     ca_certs = []
+ 
+-                for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
+-                    ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
+-                    nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
+-                    nick = nick_base
+-                    i = 1
+-                    while db.has_nickname(nick):
+-                        nick = '%s [%s]' % (nick_base, i)
+-                        i += 1
+-                    if ca_trusted is False:
+-                        flags = 'p,p,p'
+-                    else:
+-                        flags = 'CT,c,'
+-
++                for ca_cert, ca_nick, ca_flags in ca_certs:
+                     try:
+-                        db.add_cert(ca_cert, nick, flags)
++                        db.add_cert(ca_cert, ca_nick, ca_flags)
+                     except ipautil.CalledProcessError, e:
+                         syslog.syslog(
+                             syslog.LOG_ERR,
+                             "Failed to add certificate %s" % ca_nick)
++
++                # Pass Dogtag's self-tests
++                for ca_nick in db.find_root_cert(nickname)[-2:-1]:
++                    ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
++                    db.trust_root_cert(ca_nick, 'C' + ca_flags)
+             finally:
+                 if conn is not None and conn.isconnected():
+                     conn.disconnect()
+-- 
+2.5.0
+
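Review bot: `dict(cc[1:] for cc in ca_certs)[ca_nick]` raises KeyError whenever the nickname returned by `db.find_root_cert(nickname)` is not among the certs just fetched from LDAP (for example when `ca_certs` was set to `[]` by the except branch above), and that KeyError escapes the surrounding try/finally and aborts the renewal. Use a lookup that can miss: `ca_flags = dict(cc[1:] for cc in ca_certs).get(ca_nick)` / `if ca_flags is None: continue` before `db.trust_root_cert(...)`. The `[-2:-1]` slice deserves a comment naming which element of the chain it picks, and the `CalledProcessError` handler should include `e` in the syslog message, otherwise the reason for a failed add_cert is lost.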
diff --git a/SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch b/SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch
new file mode 100644
index 0000000..5d9d2ff
--- /dev/null
+++ b/SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch
@@ -0,0 +1,78 @@
+From c7f76e4f6c0f288b184152f5f6f45d11287914b3 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Mon, 25 Jan 2016 08:48:42 +0100
+Subject: [PATCH] CA install: explicitly set dogtag_version to 10
+
+When installing new CA master, explicitly set the dogtag_version option to
+10 in api.bootstrap() to prevent failures in code which expects the value
+to be 10 rather than the default value of 9.
+
+https://fedorahosted.org/freeipa/ticket/5611
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ install/tools/ipa-ca-install        | 2 +-
+ ipaserver/install/cainstance.py     | 6 +++---
+ ipaserver/install/server/upgrade.py | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
+index 6564e4d0304d4e189b133c495b75f200b04e2988..e8ccaef5b90807f452f77c2b62641df3952180d6 100755
+--- a/install/tools/ipa-ca-install
++++ b/install/tools/ipa-ca-install
+@@ -162,7 +162,7 @@ def install_master(safe_options, options):
+ 
+     # override ra_plugin setting read from default.conf so that we have
+     # functional dogtag backend plugins during CA install
+-    api.bootstrap(in_server=True, ra_plugin='dogtag')
++    api.bootstrap(in_server=True, ra_plugin='dogtag', dogtag_version=10)
+     api.finalize()
+ 
+     dm_password = options.password
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index d9bf4f31af5a922dd6f977a5011f50ce7cea8896..369902ad04b197c9e9516503c1f81c4de1ef153b 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -478,7 +478,7 @@ class CAInstance(DogtagInstance):
+                       self.http_proxy)
+             self.step("restarting certificate server", self.restart_instance)
+             self.step("migrating certificate profiles to LDAP",
+-                      migrate_profiles_to_ldap)
++                      lambda: migrate_profiles_to_ldap(self.dogtag_constants))
+             self.step("importing IPA certificate profiles",
+                       import_included_profiles)
+             self.step("adding default CA ACL", ensure_default_caacl)
+@@ -1768,7 +1768,7 @@ def import_included_profiles():
+     conn.disconnect()
+ 
+ 
+-def migrate_profiles_to_ldap():
++def migrate_profiles_to_ldap(dogtag_constants):
+     """Migrate profiles from filesystem to LDAP.
+ 
+     This must be run *after* switching to the LDAPProfileSubsystem
+@@ -1783,7 +1783,7 @@ def migrate_profiles_to_ldap():
+     api.Backend.ra_certprofile._read_password()
+     api.Backend.ra_certprofile.override_port = 8443
+ 
+-    with open(dogtag.configured_constants().CS_CFG_PATH) as f:
++    with open(dogtag_constants.CS_CFG_PATH) as f:
+         cs_cfg = f.read()
+     match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
+     profile_ids = match.group(1).split(',')
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 1f1cfeb672809c0298c69c121ac38d6c7a482d11..0a46635979497f8028465c2295b22485fd9c0279 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -336,7 +336,7 @@ def ca_enable_ldap_profile_subsystem(ca):
+             separator='=')
+ 
+         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+-        cainstance.migrate_profiles_to_ldap()
++        cainstance.migrate_profiles_to_ldap(caconfig)
+ 
+     return needs_update
+ 
+-- 
+2.5.0
+
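Review bot: migrate_profiles_to_ldap() gains a required `dogtag_constants` parameter but its docstring (the hunk shows its first lines) is not updated; add `:param dogtag_constants: Dogtag constants object; only CS_CFG_PATH is read here.` since that is the single attribute the visible body uses. The upgrade.py call site now passes `caconfig`, which is not defined anywhere in that hunk — presumably it exists earlier in ca_enable_ldap_profile_subsystem(), but it is worth confirming since a NameError there would surface only at upgrade time. The signature change is not backward compatible for any other caller outside these three files.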
diff --git a/SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch b/SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch
new file mode 100644
index 0000000..cb659dc
--- /dev/null
+++ b/SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch
@@ -0,0 +1,30 @@
+From 06c2e339f28ab697c830dc1f9d6ef89b833b2d1a Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Tue, 26 Jan 2016 13:02:44 +0100
+Subject: [PATCH] fix standalone installation of externally signed CA on IPA
+ master
+
+https://fedorahosted.org/freeipa/ticket/5636
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaserver/install/ca.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index 84cbf423246534259cd6b7a8cca25caa16e5594f..d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -46,7 +46,8 @@ def install_check(standalone, replica_config, options):
+         return
+ 
+     if standalone:
+-        if cainstance.is_ca_installed_locally():
++        if (not options.external_cert_files and
++                cainstance.is_ca_installed_locally()):
+             sys.exit("CA is already installed on this host.")
+         elif api.Command.ca_is_enabled()['result']:
+             sys.exit(
+-- 
+2.5.0
+
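Review bot: The new condition bypasses the local-install check when `options.external_cert_files` is set, with nothing in the code saying why; the hunk does not show how a locally installed CA without step one completed is handled after the bypass. A comment such as `# Step two of an externally signed CA: the CA is expected to be partially installed locally already.` would record the intent, which I am inferring from the commit subject rather than from the visible lines.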
diff --git a/SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch b/SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch
new file mode 100644
index 0000000..01f3b25
--- /dev/null
+++ b/SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch
@@ -0,0 +1,74 @@
+From 8ee71c8aab262ba0041ee9ac84fb862a5fda32cf Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Thu, 21 Jan 2016 15:48:30 +0100
+Subject: [PATCH] replica install: validate DS and HTTP server certificates
+
+Validate the DS and HTTP certificates from the replica info file early in
+ipa-replica-install to prevent crashes later.
+
+https://fedorahosted.org/freeipa/ticket/5598
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ ipaserver/install/server/replicainstall.py | 31 +++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index a5d4a77f3daa8110ad0be064085b12b20da853cf..317eda92dd4322542f035c2df4dba919a5898cc7 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -356,6 +356,8 @@ def install_check(installer):
+     config.setup_ca = options.setup_ca
+     config.setup_kra = options.setup_kra
+ 
++    ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
++
+     # Create the management framework config file
+     # Note: We must do this before bootstraping and finalizing ipalib.api
+     old_umask = os.umask(022)   # must be readable for httpd
+@@ -371,7 +373,7 @@ def install_check(installer):
+                  ipautil.format_netloc(config.host_name))
+         fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
+                  installutils.realm_to_serverid(config.realm_name))
+-        if ipautil.file_exists(config.dir + "/cacert.p12"):
++        if ca_enabled:
+             fd.write("enable_ra=True\n")
+             fd.write("ra_plugin=dogtag\n")
+             fd.write("dogtag_version=%s\n" %
+@@ -395,6 +397,33 @@ def install_check(installer):
+         raise RuntimeError("CA cert file is not available. Please run "
+                            "ipa-replica-prepare to create a new replica file.")
+ 
++    for pkcs12_name, pin_name in (('dscert.p12', 'dirsrv_pin.txt'),
++                                  ('httpcert.p12', 'http_pin.txt')):
++        pkcs12_info = make_pkcs12_info(config.dir, pkcs12_name, pin_name)
++        tmp_db_dir = tempfile.mkdtemp('ipa')
++        try:
++            tmp_db = certs.CertDB(config.realm_name,
++                                  nssdir=tmp_db_dir,
++                                  subject_base=config.subject_base)
++            if ca_enabled:
++                trust_flags = 'CT,C,C'
++            else:
++                trust_flags = None
++            tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
++                                      ca_file=cafile,
++                                      trust_flags=trust_flags)
++            if not tmp_db.find_server_certs():
++                raise RuntimeError(
++                    "Could not find a suitable server cert in import in %s" %
++                    pkcs12_info[0])
++        except Exception as e:
++            root_logger.error('%s', e)
++            raise RuntimeError(
++                "Server cert is not valid. Please run ipa-replica-prepare to "
++                "create a new replica file.")
++        finally:
++            shutil.rmtree(tmp_db_dir)
++
+     ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+     remote_api = create_api(mode=None)
+     remote_api.bootstrap(in_server=True, context='installer',
+-- 
+2.5.0
+
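Review bot: `tempfile.mkdtemp('ipa')` passes `'ipa'` as the suffix (the first positional parameter of mkdtemp), so the scratch directory is named like `tmpXXXXipa`; if a recognisable prefix was intended, use `tempfile.mkdtemp(prefix='ipa')`. The RuntimeError raised inside the `try` for a missing server cert is caught by the generic `except Exception`, logged and replaced by the less specific "Server cert is not valid" message — acceptable, but the inner text is then never shown to the user, which may be intentional. `tempfile`, `shutil`, `certs` and `make_pkcs12_info` are all used without any import or definition visible in the hunk; the top of replicainstall.py is outside SOURCE, so confirm they are already in scope.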
diff --git a/SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch b/SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch
new file mode 100644
index 0000000..220c9ce
--- /dev/null
+++ b/SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch
@@ -0,0 +1,294 @@
+From ca08d7d3a7562588b09b78b7079b2c15e572a484 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 6 Jan 2016 14:50:42 +1100
+Subject: [PATCH] Do not decode HTTP reason phrase from Dogtag
+
+The HTTP reason phrase sent by Dogtag is assumed to be encoded in
+UTF-8, but the encoding used by Tomcat is dependent on system
+locale, causing decode errors in some locales.
+
+The reason phrase is optional and will not be sent in a future
+version of Tomcat[1], so do not bother decoding and returning it.
+
+[1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37
+
+Fixes: https://fedorahosted.org/freeipa/ticket/5578
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipapython/dogtag.py         | 23 +++++++++++------------
+ ipaserver/install/certs.py  |  7 +++----
+ ipaserver/plugins/dogtag.py | 44 ++++++++++++++++++++++----------------------
+ 3 files changed, 36 insertions(+), 38 deletions(-)
+
+diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
+index 8996902ba92f0fdd6106e2650c2decde375c593b..652bc3d13f2b47b35f6da30579f2df5f083dbff2 100644
+--- a/ipapython/dogtag.py
++++ b/ipapython/dogtag.py
+@@ -230,14 +230,14 @@ def ca_status(ca_host=None, use_proxy=True):
+         ca_port = 443
+     else:
+         ca_port = 8443
+-    status, reason, headers, body = unauthenticated_https_request(
++    status, headers, body = unauthenticated_https_request(
+         ca_host, ca_port, '/ca/admin/ca/getStatus')
+     if status == 503:
+         # Service temporarily unavailable
+-        return reason
++        return status
+     elif status != 200:
+         raise errors.RemoteRetrieveError(
+-            reason=_("Retrieving CA status failed: %s") % reason)
++            reason=_("Retrieving CA status failed with status %d") % status)
+     return _parse_ca_status(body)
+ 
+ 
+@@ -248,8 +248,8 @@ def https_request(host, port, url, secdir, password, nickname,
+     :param url: The path (not complete URL!) to post to.
+     :param body: The request body (encodes kw if None)
+     :param kw:  Keyword arguments to encode into POST body.
+-    :return:   (http_status, http_reason_phrase, http_headers, http_body)
+-               as (integer, unicode, dict, str)
++    :return:   (http_status, http_headers, http_body)
++               as (integer, dict, str)
+ 
+     Perform a client authenticated HTTPS request
+     """
+@@ -277,8 +277,8 @@ def http_request(host, port, url, **kw):
+     """
+     :param url: The path (not complete URL!) to post to.
+     :param kw: Keyword arguments to encode into POST body.
+-    :return:   (http_status, http_reason_phrase, http_headers, http_body)
+-                as (integer, unicode, dict, str)
++    :return:   (http_status, http_headers, http_body)
++                as (integer, dict, str)
+ 
+     Perform an HTTP request.
+     """
+@@ -291,8 +291,8 @@ def unauthenticated_https_request(host, port, url, **kw):
+     """
+     :param url: The path (not complete URL!) to post to.
+     :param kw: Keyword arguments to encode into POST body.
+-    :return:   (http_status, http_reason_phrase, http_headers, http_body)
+-                as (integer, unicode, dict, str)
++    :return:   (http_status, http_headers, http_body)
++                as (integer, dict, str)
+ 
+     Perform an unauthenticated HTTPS request.
+     """
+@@ -331,15 +331,14 @@ def _httplib_request(
+         res = conn.getresponse()
+ 
+         http_status = res.status
+-        http_reason_phrase = unicode(res.reason, 'utf-8')
+         http_headers = res.msg.dict
+         http_body = res.read()
+         conn.close()
+     except Exception, e:
+         raise NetworkError(uri=uri, error=str(e))
+ 
+-    root_logger.debug('response status %d %s', http_status, http_reason_phrase)
++    root_logger.debug('response status %d',    http_status)
+     root_logger.debug('response headers %s',   http_headers)
+     root_logger.debug('response body %r',      http_body)
+ 
+-    return http_status, http_reason_phrase, http_headers, http_body
++    return http_status, http_headers, http_body
+diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
+index 564332e6fde0698a23884922c5018fab59da7e4d..f8a9c9ecfd2fa1accb792c4748bc69f30701af6a 100644
+--- a/ipaserver/install/certs.py
++++ b/ipaserver/install/certs.py
+@@ -402,12 +402,11 @@ class CertDB(object):
+                 dogtag.configured_constants().EE_SECURE_PORT,
+             "/ca/ee/ca/profileSubmitSSLClient",
+             self.secdir, password, "ipaCert", **params)
+-        http_status, http_reason_phrase, http_headers, http_body = result
++        http_status, http_headers, http_body = result
+ 
+         if http_status != 200:
+             raise CertificateOperationError(
+-                error=_('Unable to communicate with CMS (%s)') %
+-                    http_reason_phrase)
++                error=_('Unable to communicate with CMS (status %d)') % http_status)
+ 
+         # The result is an XML blob. Pull the certificate out of that
+         doc = xml.dom.minidom.parseString(http_body)
+@@ -459,7 +458,7 @@ class CertDB(object):
+                 dogtag.configured_constants().EE_SECURE_PORT,
+             "/ca/ee/ca/profileSubmitSSLClient",
+             self.secdir, password, "ipaCert", **params)
+-        http_status, http_reason_phrase, http_headers, http_body = result
++        http_status, http_headers, http_body = result
+         if http_status != 200:
+             raise RuntimeError("Unable to submit cert request")
+ 
+diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
+index f5f8eb67067c87f07c06e556fb9fc73792fbbc64..3029a9144d80a9b081853b95259fcd37e35d8c2b 100644
+--- a/ipaserver/plugins/dogtag.py
++++ b/ipaserver/plugins/dogtag.py
+@@ -1350,8 +1350,8 @@ class ra(rabase.rabase):
+         """
+         :param url: The URL to post to.
+         :param kw: Keyword arguments to encode into POST body.
+-        :return:   (http_status, http_reason_phrase, http_headers, http_body)
+-                   as (integer, unicode, dict, str)
++        :return:   (http_status, http_headers, http_body)
++                   as (integer, dict, str)
+ 
+         Perform an HTTP request.
+         """
+@@ -1361,8 +1361,8 @@ class ra(rabase.rabase):
+         """
+         :param url: The URL to post to.
+         :param kw:  Keyword arguments to encode into POST body.
+-        :return:   (http_status, http_reason_phrase, http_headers, http_body)
+-                   as (integer, unicode, dict, str)
++        :return:   (http_status, http_headers, http_body)
++                   as (integer, dict, str)
+ 
+         Perform an HTTPS request
+         """
+@@ -1422,7 +1422,7 @@ class ra(rabase.rabase):
+         self.debug('%s.check_request_status()', self.fullname)
+ 
+         # Call CMS
+-        http_status, http_reason_phrase, http_headers, http_body = \
++        http_status, http_headers, http_body = \
+             self._request('/ca/ee/ca/checkRequest',
+                           self.env.ca_port,
+                           requestId=request_id,
+@@ -1431,7 +1431,7 @@ class ra(rabase.rabase):
+         # Parse and handle errors
+         if http_status != 200:
+             self.raise_certificate_operation_error('check_request_status',
+-                                                   detail=http_reason_phrase)
++                                                   detail=http_status)
+ 
+         parse_result = self.get_parse_result_xml(http_body, parse_check_request_result_xml)
+         request_status = parse_result['request_status']
+@@ -1507,7 +1507,7 @@ class ra(rabase.rabase):
+         serial_number = int(serial_number, 0)
+ 
+         # Call CMS
+-        http_status, http_reason_phrase, http_headers, http_body = \
++        http_status, http_headers, http_body = \
+             self._sslget('/ca/agent/ca/displayBySerial',
+                          self.env.ca_agent_port,
+                          serialNumber=str(serial_number),
+@@ -1517,7 +1517,7 @@ class ra(rabase.rabase):
+         # Parse and handle errors
+         if http_status != 200:
+             self.raise_certificate_operation_error('get_certificate',
+-                                                   detail=http_reason_phrase)
++                                                   detail=http_status)
+ 
+         parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml)
+         request_status = parse_result['request_status']
+@@ -1575,7 +1575,7 @@ class ra(rabase.rabase):
+         self.debug('%s.request_certificate()', self.fullname)
+ 
+         # Call CMS
+-        http_status, http_reason_phrase, http_headers, http_body = \
++        http_status, http_headers, http_body = \
+             self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
+                          self.env.ca_ee_port,
+                          profileId=profile_id,
+@@ -1585,7 +1585,7 @@ class ra(rabase.rabase):
+         # Parse and handle errors
+         if http_status != 200:
+             self.raise_certificate_operation_error('request_certificate',
+-                                                   detail=http_reason_phrase)
++                                                   detail=http_status)
+ 
+         parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml)
+         # Note different status return, it's not request_status, it's error_code
+@@ -1654,7 +1654,7 @@ class ra(rabase.rabase):
+         serial_number = int(serial_number, 0)
+ 
+         # Call CMS
+-        http_status, http_reason_phrase, http_headers, http_body = \
++        http_status, http_headers, http_body = \
+             self._sslget('/ca/agent/ca/doRevoke',
+                          self.env.ca_agent_port,
+                          op='revoke',
+@@ -1666,7 +1666,7 @@ class ra(rabase.rabase):
+         # Parse and handle errors
+         if http_status != 200:
+             self.raise_certificate_operation_error('revoke_certificate',
+-                                                   detail=http_reason_phrase)
++                                                   detail=http_status)
+ 
+         parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml)
+         request_status = parse_result['request_status']
+@@ -1717,7 +1717,7 @@ class ra(rabase.rabase):
+         serial_number = int(serial_number, 0)
+ 
+         # Call CMS
+-        http_status, http_reason_phrase, http_headers, http_body = \
++        http_status, http_headers, http_body = \
+             self._sslget('/ca/agent/ca/doUnrevoke',
+                          self.env.ca_agent_port,
+                          serialNumber=str(serial_number),
+@@ -1726,7 +1726,7 @@ class ra(rabase.rabase):
+         # Parse and handle errors
+         if http_status != 200:
+             self.raise_certificate_operation_error('take_certificate_off_hold',
+-                                                   detail=http_reason_phrase)
++                                                   detail=http_status)
+ 
+ 
+         parse_result = self.get_parse_result_xml(http_body, parse_unrevoke_cert_xml)
+@@ -2027,7 +2027,7 @@ class RestClient(Backend):
+         """Log into the REST API"""
+         if self.cookie is not None:
+             return
+-        status, status_text, resp_headers, resp_body = dogtag.https_request(
++        status, resp_headers, resp_body = dogtag.https_request(
+             self.ca_host, self.override_port or self.env.ca_agent_port,
+             '/ca/rest/account/login',
+             self.sec_dir, self.password, self.ipa_certificate_nickname,
+@@ -2053,8 +2053,8 @@ class RestClient(Backend):
+         """
+         :param url: The URL to post to.
+         :param kw:  Keyword arguments to encode into POST body.
+-        :return:   (http_status, http_reason_phrase, http_headers, http_body)
+-                   as (integer, unicode, dict, str)
++        :return:   (http_status, http_headers, http_body)
++                   as (integer, dict, str)
+ 
+         Perform an HTTPS request
+         """
+@@ -2068,7 +2068,7 @@ class RestClient(Backend):
+         resource = os.path.join('/ca/rest', self.path, path)
+ 
+         # perform main request
+-        status, status_text, resp_headers, resp_body = dogtag.https_request(
++        status, resp_headers, resp_body = dogtag.https_request(
+             self.ca_host, self.override_port or self.env.ca_agent_port,
+             resource,
+             self.sec_dir, self.password, self.ipa_certificate_nickname,
+@@ -2077,10 +2077,10 @@ class RestClient(Backend):
+         if status < 200 or status >= 300:
+             explanation = self._parse_dogtag_error(resp_body) or ''
+             raise errors.RemoteRetrieveError(
+-                reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s')
+-                % {'status': status, 'status_text': status_text, 'explanation': explanation}
++                reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s')
++                % {'status': status, 'explanation': explanation}
+             )
+-        return (status, status_text, resp_headers, resp_body)
++        return (status, resp_headers, resp_body)
+ 
+ 
+ class ra_certprofile(RestClient):
+@@ -2105,7 +2105,7 @@ class ra_certprofile(RestClient):
+         """
+         Read the profile configuration from Dogtag
+         """
+-        status, status_text, resp_headers, resp_body = self._ssldo(
++        status, resp_headers, resp_body = self._ssldo(
+             'GET', profile_id + '/raw')
+         return resp_body
+ 
+-- 
+2.5.0
+
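Review bot: `ca_status()` now returns the integer 503 from its service-unavailable branch (`return status`) while the 200 path still returns whatever `_parse_ca_status(body)` yields, so the return type now differs by branch and a caller that prints or compares the result as text gets a bare number. Returning a descriptive string on that path, e.g. `return _("Service temporarily unavailable")`, would keep the contract uniform; the `ca_status` docstring is outside the hunk and may also need its `:return:` text updated. Likewise the `detail=http_status` arguments in the `ipaserver/plugins/dogtag.py` hunks now hand an int to `raise_certificate_operation_error` where it previously received unicode, which is fine only if that helper formats `detail` with `%s` — worth confirming, since the helper is not in the hunk.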
diff --git a/SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch b/SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch
new file mode 100644
index 0000000..db607c5
--- /dev/null
+++ b/SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch
@@ -0,0 +1,66 @@
+From 52e2e879fa4decf67a19d6c79f4ec409b6a0dce7 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Mon, 22 Feb 2016 13:35:41 +0100
+Subject: [PATCH] upgrade: unconditional import of certificate profiles into
+ LDAP
+
+During IPA server upgrade, the migration of Dogtag profiles into LDAP
+backend was bound to the update of CS.cfg which enabled the LDAP profile
+subsystem. If the subsequent profile migration failed, the subsequent
+upgrades were not executing the migration code leaving CA subsystem in
+broken state. Therefore the migration code path should be executed
+regardless of the status of the main Dogtag config file.
+
+https://fedorahosted.org/freeipa/ticket/5682
+
+Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/cainstance.py     | 8 ++++++--
+ ipaserver/install/server/upgrade.py | 4 +++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 369902ad04b197c9e9516503c1f81c4de1ef153b..1a98c438786ae7dad208212fff23e3a760c95b3c 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1807,7 +1807,6 @@ def migrate_profiles_to_ldap(dogtag_constants):
+             continue
+         class_id = match.group(1)
+ 
+-        root_logger.info("Migrating profile '%s' to LDAP", profile_id)
+         with open(filename) as f:
+             profile_data = f.read()
+             if profile_data[-1] != '\n':
+@@ -1824,7 +1823,12 @@ def _create_dogtag_profile(profile_id, profile_data):
+         # import the profile
+         try:
+             profile_api.create_profile(profile_data)
+-        except errors.RemoteRetrieveError:
++            root_logger.info("Profile '%s' successfully migrated to LDAP",
++                             profile_id)
++        except errors.RemoteRetrieveError as e:
++            root_logger.debug("Error migrating '{}': {}".format(
++                profile_id, e))
++
+             # conflicting profile; replace it if we are
+             # installing IPA, but keep it for upgrades
+             if api.env.context == 'installer':
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 0a46635979497f8028465c2295b22485fd9c0279..258d976c83844f89c1a939303b685fd6565b79e5 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -336,7 +336,9 @@ def ca_enable_ldap_profile_subsystem(ca):
+             separator='=')
+ 
+         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+-        cainstance.migrate_profiles_to_ldap(caconfig)
++
++    root_logger.info('[Migrating certificate profiles to LDAP]')
++    cainstance.migrate_profiles_to_ldap(caconfig)
+ 
+     return needs_update
+ 
+-- 
+2.5.0
+
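Review bot: The new `except errors.RemoteRetrieveError as e:` branch in `_create_dogtag_profile` logs the failure only at debug level and then treats every `RemoteRetrieveError` as a profile conflict, so a CA that is unreachable or rejects the request for some other reason is silently kept on the upgrade path, even though this patch's intent is to make failed migrations visible and retried. Logging at warning level, `root_logger.warning("Error migrating '%s': %s", profile_id, e)`, would surface it, and the `%`-style arguments also match the adjacent `root_logger.info(...)` call instead of the eager `str.format`. The enclosing function continues outside the hunk, so the conflict/keep decision that follows is not visible here.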
diff --git a/SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch b/SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch
new file mode 100644
index 0000000..c0aee5a
--- /dev/null
+++ b/SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch
@@ -0,0 +1,279 @@
+From c7df4a1856e740e88ac3633344815d5a0ff0d1f2 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Thu, 18 Feb 2016 19:59:50 +0100
+Subject: [PATCH] upgrade: fix config of sidgen and extdom plugins
+
+During upgrade to IPA 4.2, literally "$SUFFIX" value was added to
+configuration of sidgen and extdom plugins. This cause that SID are not properly configured.
+
+Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task
+against IPA domain (if exists).
+
+All trusts added when plugins configuration was broken must be re-added.
+
+https://fedorahosted.org/freeipa/ticket/5665
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+---
+ install/updates/90-post_upgrade_plugins.update |   2 +
+ ipaserver/install/dsinstance.py                |  12 +-
+ ipaserver/install/plugins/adtrust.py           | 153 ++++++++++++++++++++++++-
+ ipaserver/install/server/upgrade.py            |   4 +-
+ 4 files changed, 162 insertions(+), 9 deletions(-)
+
+diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
+index 3df3a4574705dbd8df8f25149c13877898afb66b..f0d77138520f41376d71478d3633ea4c19f66195 100644
+--- a/install/updates/90-post_upgrade_plugins.update
++++ b/install/updates/90-post_upgrade_plugins.update
+@@ -4,6 +4,8 @@
+ # middle
+ plugin: update_dnszones
+ plugin: update_dns_limits
++plugin: update_sigden_extdom_broken_config
++plugin: update_sids
+ plugin: update_default_range
+ plugin: update_default_trust_view
+ plugin: update_ca_renewal_master
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index d78158532c4c88d9aa9acf3c65d278f5151458d8..7044782bac8068f7470b62bd7489b5319269b119 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -925,9 +925,9 @@ class DsInstance(service.Service):
+         """
+         Add sidgen directory server plugin configuration if it does not already exist.
+         """
+-        self._ldap_mod('ipa-sidgen-conf.ldif', self.sub_dict)
++        self.add_sidgen_plugin(self.sub_dict['SUFFIX'])
+ 
+-    def add_sidgen_plugin(self):
++    def add_sidgen_plugin(self, suffix):
+         """
+         Add sidgen plugin configuration only if it does not already exist.
+         """
+@@ -935,7 +935,7 @@ class DsInstance(service.Service):
+         try:
+             self.admin_conn.get_entry(dn)
+         except errors.NotFound:
+-            self._add_sidgen_plugin()
++            self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix))
+         else:
+             root_logger.debug("sidgen plugin is already configured")
+ 
+@@ -943,9 +943,9 @@ class DsInstance(service.Service):
+         """
+         Add directory server configuration for the extdom extended operation.
+         """
+-        self._ldap_mod('ipa-extdom-extop-conf.ldif', self.sub_dict)
++        self.add_extdom_plugin(self.sub_dict['SUFFIX'])
+ 
+-    def add_extdom_plugin(self):
++    def add_extdom_plugin(self, suffix):
+         """
+         Add extdom configuration if it does not already exist.
+         """
+@@ -953,7 +953,7 @@ class DsInstance(service.Service):
+         try:
+             self.admin_conn.get_entry(dn)
+         except errors.NotFound:
+-            self._add_extdom_plugin()
++            self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix))
+         else:
+             root_logger.debug("extdom plugin is already configured")
+ 
+diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
+index 45bcc5f2fe532446342300ff0c5e1e7149cf023b..4990a34f8972a0ffba098642c1ead09f976852e6 100644
+--- a/ipaserver/install/plugins/adtrust.py
++++ b/ipaserver/install/plugins/adtrust.py
+@@ -24,6 +24,7 @@ from ipapython.dn import DN
+ from ipapython.ipa_log_manager import *
+ from ipapython import sysrestore
+ from ipaserver.install import installutils
++from ipaserver.install import sysupgrade
+ 
+ DEFAULT_ID_RANGE_SIZE = 200000
+ 
+@@ -164,7 +165,6 @@ class update_default_trust_view(Updater):
+ 
+         return False, [update]
+ 
+-
+ class update_oddjobd_for_adtrust(Updater):
+     """
+     Enables and starts oddjobd daemon if ipa-adtrust-install has been run
+@@ -184,6 +184,157 @@ class update_oddjobd_for_adtrust(Updater):
+ 
+         return False, []
+ 
++
++class update_sigden_extdom_broken_config(Updater):
++    """Fix configuration of sidgen and extdom plugins
++
++    Upgrade to IPA 4.2+ cause that sidgen and extdom plugins have improperly
++    configured basedn.
++
++    All trusts which have been added when config was broken must to be
++    re-added manually.
++
++    https://fedorahosted.org/freeipa/ticket/5665
++    """
++
++    sidgen_config_dn = DN("cn=IPA SIDGEN,cn=plugins,cn=config")
++    extdom_config_dn = DN("cn=ipa_extdom_extop,cn=plugins,cn=config")
++
++    def _fix_config(self):
++        """Due upgrade error configuration of sidgen and extdom plugins may
++        contain literally "$SUFFIX" value instead of real DN in nsslapd-basedn
++        attribute
++
++        :return: True if config was fixed, False if fix is not needed
++        """
++        ldap = self.api.Backend.ldap2
++        basedn_attr = 'nsslapd-basedn'
++        modified = False
++
++        for dn in (self.sidgen_config_dn, self.extdom_config_dn):
++            try:
++                entry = ldap.get_entry(dn, attrs_list=[basedn_attr])
++            except errors.NotFound:
++                self.log.debug("configuration for %s not found, skipping", dn)
++            else:
++                configured_suffix = entry.single_value.get(basedn_attr)
++                if configured_suffix is None:
++                    raise RuntimeError(
++                        "Missing attribute {attr} in {dn}".format(
++                            attr=basedn_attr, dn=dn
++                        )
++                    )
++                elif configured_suffix == "$SUFFIX":
++                    # configured value is wrong, fix it
++                    entry.single_value[basedn_attr] = str(self.api.env.basedn)
++                    self.log.debug("updating attribute %s of %s to correct "
++                                   "value %s", basedn_attr, dn,
++                                   self.api.env.basedn)
++                    ldap.update_entry(entry)
++                    modified = True
++                else:
++                    self.log.debug("configured basedn for %s is okay", dn)
++
++        return modified
++
++    def execute(self, **options):
++        if sysupgrade.get_upgrade_state('sidgen', 'config_basedn_updated'):
++            self.log.debug("Already done, skipping")
++            return False, ()
++
++        restart = False
++        if self._fix_config():
++            sysupgrade.set_upgrade_state('sidgen', 'update_sids', True)
++            restart = True  # DS has to be restarted to apply changes
++
++        sysupgrade.set_upgrade_state('sidgen', 'config_basedn_updated', True)
++        return restart, ()
++
++
++class update_sids(Updater):
++    """SIDs may be not created properly if bug with wrong configuration for
++    sidgen and extdom plugins is effective
++
++    This must be run after "update_sigden_extdom_broken_config"
++    https://fedorahosted.org/freeipa/ticket/5665
++    """
++    sidgen_config_dn = DN("cn=IPA SIDGEN,cn=plugins,cn=config")
++
++    def execute(self, **options):
++        ldap = self.api.Backend.ldap2
++
++        if sysupgrade.get_upgrade_state('sidgen', 'update_sids') is not True:
++            self.log.debug("SIDs do not need to be generated")
++            return False, ()
++
++        # check if IPA domain for AD trust has been created, and if we need to
++        # regenerate missing SIDs if attribute 'ipaNTSecurityIdentifier'
++        domain_IPA_AD_dn = DN(
++            ('cn', self.api.env.domain),
++            self.api.env.container_cifsdomains,
++            self.api.env.basedn)
++        attr_name = 'ipaNTSecurityIdentifier'
++
++        try:
++            entry = ldap.get_entry(domain_IPA_AD_dn, attrs_list=[attr_name])
++        except errors.NotFound:
++            self.log.debug("IPA domain object %s is not configured",
++                           domain_IPA_AD_dn)
++            sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
++            return False, ()
++        else:
++            if not entry.single_value.get(attr_name):
++                # we need to run sidgen task
++                sidgen_task_dn = DN(
++                    "cn=generate domain sid,cn=ipa-sidgen-task,cn=tasks,"
++                    "cn=config")
++                sidgen_tasks_attr = {
++                    "objectclass": ["top", "extensibleObject"],
++                    "cn": ["sidgen"],
++                    "delay": [0],
++                    "nsslapd-basedn": [self.api.env.basedn],
++                }
++
++                task_entry = ldap.make_entry(sidgen_task_dn,
++                                             **sidgen_tasks_attr)
++                try:
++                    ldap.add_entry(task_entry)
++                except errors.DuplicateEntry:
++                    self.log.debug("sidgen task already created")
++                else:
++                    self.log.debug("sidgen task has been created")
++
++        # we have to check all trusts domains which may been affected by the
++        # bug. Symptom is missing 'ipaNTSecurityIdentifier' attribute
++
++        base_dn = DN(self.api.env.container_adtrusts, self.api.env.basedn)
++        try:
++            trust_domain_entries, truncated = ldap.find_entries(
++                base_dn=base_dn,
++                scope=ldap.SCOPE_ONELEVEL,
++                attrs_list=["cn"],
++                # more types of trusts can be stored under cn=trusts, we need
++                # the type with ipaNTTrustPartner attribute
++                filter="(!(%s=*))" % attr_name
++            )
++        except errors.NotFound:
++            pass
++        else:
++            if truncated:
++                self.log.warning("update_sids: Search results were truncated")
++
++            for entry in trust_domain_entries:
++                domain = entry.single_value["cn"]
++                self.log.error(
++                    "Your trust to %s is broken. Please re-create it by "
++                    "running 'ipa trust-add' again.", domain)
++
++        sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
++        return False, ()
++
++
+ api.register(update_default_range)
+ api.register(update_default_trust_view)
+ api.register(update_oddjobd_for_adtrust)
++api.register(update_sids)
++api.register(update_sigden_extdom_broken_config)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 258d976c83844f89c1a939303b685fd6565b79e5..c53b19a937d559b25da256670a5205ab40e0cadb 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1290,8 +1290,8 @@ def ds_enable_sidgen_extdom_plugins(ds):
+         root_logger.debug('sidgen and extdom plugins are enabled already')
+         return
+ 
+-    ds.add_sidgen_plugin()
+-    ds.add_extdom_plugin()
++    ds.add_sidgen_plugin(api.env.basedn)
++    ds.add_extdom_plugin(api.env.basedn)
+     sysupgrade.set_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins', True)
+ 
+ def ca_upgrade_schema(ca):
+-- 
+2.5.0
+
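Review bot: `update_sids.execute` creates the `cn=generate domain sid` task as soon as `update_sigden_extdom_broken_config` has set the `update_sids` state, but that updater only requests a DS restart (`restart = True`) rather than performing one; if the restart is deferred until after the plugin batch in `90-post_upgrade_plugins.update` completes, the task is submitted while the sidgen plugin is still loaded with the broken `$SUFFIX` configuration. Worth confirming the restart ordering, or gating task creation on a run after the restart has happened. Two smaller points: the class and plugin name `update_sigden_extdom_broken_config` misspell "sidgen", which will be awkward to rename once the .update file references it, and `api.register(update_sids)` is listed before `api.register(update_sigden_extdom_broken_config)` although the docstring says it must run afterwards — harmless if execution order comes only from the .update file, but a one-line comment saying so would avoid confusion.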
diff --git a/SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch b/SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch
new file mode 100644
index 0000000..03b2239
--- /dev/null
+++ b/SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch
@@ -0,0 +1,63 @@
+From 6f958201dc32a1043c77632fe98c05307a4ea671 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Mon, 22 Feb 2016 17:36:01 +0100
+Subject: [PATCH] trusts: use ipaNTTrustPartner attribute to detect trust
+ entries
+
+Trust entries were found by presence of ipaNTSecurityIdentifier
+attribute. Unfortunately this attribute might not be there due the bug.
+As replacement for this, attribute ipaNTTrustPartner can be used.
+
+Note: other non trust entries located in cn=trusts subtree can be
+cross-realm principals.
+
+https://fedorahosted.org/freeipa/ticket/5665
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+---
+ ipalib/plugins/trust.py              | 7 +++++--
+ ipaserver/install/plugins/adtrust.py | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 173463ae7d4134b5bd155cc5fa920bfabd0a6958..ff142591d385e715994f0381c6b23c416763cd03 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -541,7 +541,10 @@ class trust(LDAPObject):
+             ldap = self.backend
+             filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] },
+                                       rules=ldap.MATCH_ALL)
+-            filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL)
++            # more type of objects can be located in subtree (for example
++            # cross-realm principals). we need this attr do detect trust
++            # entries
++            filter = ldap.combine_filters((filter, "ipaNTTrustPartner=*"), rules=ldap.MATCH_ALL)
+             result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
+                                       ldap.SCOPE_SUBTREE, filter, [''])
+             if len(result) > 1:
+@@ -996,7 +999,7 @@ class trust_find(LDAPSearch):
+     # search needs to be done on a sub-tree scope
+     def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
+         # list only trust, not trust domains
+-        trust_filter = '(ipaNTSecurityIdentifier=*)'
++        trust_filter = '(ipaNTTrustPartner=*)'
+         filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
+         return (filter, base_dn, ldap.SCOPE_SUBTREE)
+ 
+diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
+index 4990a34f8972a0ffba098642c1ead09f976852e6..ea6de5cefe1dc56fc55cca076643867ecbeb08fe 100644
+--- a/ipaserver/install/plugins/adtrust.py
++++ b/ipaserver/install/plugins/adtrust.py
+@@ -315,7 +315,7 @@ class update_sids(Updater):
+                 attrs_list=["cn"],
+                 # more types of trusts can be stored under cn=trusts, we need
+                 # the type with ipaNTTrustPartner attribute
+-                filter="(!(%s=*))" % attr_name
++                filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
+             )
+         except errors.NotFound:
+             pass
+-- 
+2.5.0
+
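Review bot: The marker attribute `ipaNTTrustPartner` is now spelled as a literal in three places — the `combine_filters` call in `trust.get_dn`, `trust_filter` in `trust_find.pre_callback`, and the `update_sids` search filter in `adtrust.py` — so any future change to how trust entries are detected has to be repeated in each; a single module-level constant in `trust.py`, e.g. `TRUST_MARKER_ATTR = 'ipaNTTrustPartner'`, referenced from both files would keep them in step. The new comment above the `combine_filters` call also reads "we need this attr do detect trust entries"; it should say "to detect".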
diff --git a/SOURCES/0194-Warn-user-if-trust-is-broken.patch b/SOURCES/0194-Warn-user-if-trust-is-broken.patch
new file mode 100644
index 0000000..bab8f9d
--- /dev/null
+++ b/SOURCES/0194-Warn-user-if-trust-is-broken.patch
@@ -0,0 +1,115 @@
+From b08bab80ab8c11681a96a10807930c830a2d096f Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Fri, 19 Feb 2016 14:55:34 +0100
+Subject: [PATCH] Warn user if trust is broken
+
+Detect missing ipaNTSecurityIdentifier and print message for a user,
+that the trust is broken as result of trust-show and trust-find commands.
+
+https://fedorahosted.org/freeipa/ticket/5665
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+---
+ ipalib/messages.py      | 11 +++++++++++
+ ipalib/plugins/trust.py | 41 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+
+diff --git a/ipalib/messages.py b/ipalib/messages.py
+index 58ae1f3ecbbf139f6f584c0ea2ebea6eb92e6e2b..ce92547de78a07f00d40fd850563faf1253826e3 100644
+--- a/ipalib/messages.py
++++ b/ipalib/messages.py
+@@ -241,6 +241,17 @@ class DNSSECValidationFailingWarning(PublicMessage):
+                u"validation on all IPA servers.")
+ 
+ 
++class BrokenTrust(PublicMessage):
++    """
++    **13018** Trust for a specified domain is broken
++    """
++
++    errno = 13018
++    type = "warning"
++    format = _("Your trust to %(domain)s is broken. Please re-create it by "
++               "running 'ipa trust-add' again.")
++
++
+ def iter_messages(variables, base):
+     """Return a tuple with all subclasses
+     """
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index ff142591d385e715994f0381c6b23c416763cd03..d451325e31e4e1d8d7223f009677bbcb002c65cb 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -18,6 +18,9 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ 
++from ipalib.messages import (
++    add_message,
++    BrokenTrust)
+ from ipalib.plugable import Registry
+ from ipalib.plugins.baseldap import *
+ from ipalib.plugins.dns import dns_container_exists
+@@ -554,6 +557,30 @@ class trust(LDAPObject):
+         dn=make_trust_dn(self.env, trust_type, DN(*sdn))
+         return dn
+ 
++    def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
++        """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be
++        AD trust domain without generated SID, warn user about it.
++        """
++        ldap = self.api.Backend.ldap2
++
++        try:
++            entries, truncated = ldap.find_entries(
++                base_dn=DN(self.container_dn, self.api.env.basedn),
++                attrs_list=['cn'],
++                filter='(&(ipaNTTrustPartner=*)'
++                       '(!(ipaNTSecurityIdentifier=*)))',
++            )
++        except errors.NotFound:
++            pass
++        else:
++            for entry in entries:
++                 add_message(
++                    options['version'],
++                    result,
++                    BrokenTrust(domain=entry.single_value['cn'])
++                 )
++
++
+ @register()
+ class trust_add(LDAPCreate):
+     __doc__ = _('''
+@@ -1003,6 +1030,13 @@ class trust_find(LDAPSearch):
+         filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
+         return (filter, base_dn, ldap.SCOPE_SUBTREE)
+ 
++    def execute(self, *args, **options):
++        result = super(trust_find, self).execute(*args, **options)
++
++        self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
++
++        return result
++
+     def post_callback(self, ldap, entries, truncated, *args, **options):
+         if options.get('pkey_only', False):
+             return truncated
+@@ -1022,6 +1056,13 @@ class trust_show(LDAPRetrieve):
+     has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\
+                         (Str('ipanttrusttype'), Str('ipanttrustdirection'))
+ 
++    def execute(self, *keys, **options):
++        result = super(trust_show, self).execute(*keys, **options)
++
++        self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
++
++        return result
++
+     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ 
+         assert isinstance(dn, DN)
+-- 
+2.5.0
+
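Review bot: `warning_if_ad_trust_dom_have_missing_SID` unpacks `entries, truncated` from `ldap.find_entries` and then ignores `truncated`, so when the search hits a size limit some broken trusts are never reported and the admin gets a falsely clean result; at minimum surface it, e.g. `if truncated: self.log.warning('broken-trust search was truncated; warnings may be incomplete')` (assuming the object exposes the usual `self.log` — confirm). The `add_message(` call and its closing parenthesis inside the `for entry in entries:` loop are indented one space deeper than the surrounding block; align them to 16 spaces. The docstring would read better as `"""A trust domain may lack a generated SID (https://fedorahosted.org/freeipa/ticket/5665); warn the user about each such entry."""`.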
diff --git a/SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch b/SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch
new file mode 100644
index 0000000..040498d
--- /dev/null
+++ b/SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch
@@ -0,0 +1,39 @@
+From 69322c06e8fd9f21867a9c7aa04f990be47536df Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Tue, 23 Feb 2016 10:37:47 +0100
+Subject: [PATCH] fix upgrade: wait for proper DS socket after DS restart
+
+DS restart executed by upgrade plugin causes that upgrade framework
+is waiting for the improper socket. It leads to TimeoutError because
+DS is not listening on 389 port during upgrade. This commit fixes the issue.
+
+Required for: https://fedorahosted.org/freeipa/ticket/5665
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+---
+ ipaserver/install/ldapupdate.py | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
+index 6f796dfdc8bbac1bb99a8b5a1bd5a6aaa778db16..0e258612d3060188212fdd2625d7e62b5cb14ebf 100644
+--- a/ipaserver/install/ldapupdate.py
++++ b/ipaserver/install/ldapupdate.py
+@@ -44,7 +44,6 @@ from ipaplatform.paths import paths
+ from ipaplatform import services
+ from ipapython.dn import DN
+ from ipapython.ipa_log_manager import *
+-from ipapython.ipautil import wait_for_open_socket
+ 
+ UPDATES_DIR=paths.UPDATES_DIR
+ 
+@@ -932,5 +931,4 @@ class LDAPUpdate:
+     def restart_ds(self):
+         dirsrv = services.knownservices.dirsrv
+         self.log.debug('Restarting directory server to apply updates')
+-        dirsrv.restart()
+-        wait_for_open_socket(self.socket_name)
++        dirsrv.restart(ldapi=self.ldapi)
+-- 
+2.5.0
+
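Review bot: `restart_ds` no longer waits explicitly after `dirsrv.restart(ldapi=self.ldapi)`, and nothing in the method records that the wait is now expected to happen inside `restart()`; the next reader who sees a restart with no socket wait may re-add `wait_for_open_socket` on the TCP port and reintroduce the timeout this commit fixes. Add a comment above the call: `# dirsrv.restart(ldapi=...) is expected to wait for the matching socket; an explicit wait on port 389 here times out during upgrade (ticket 5665)`. If `self.socket_name` is now unused elsewhere in the class (not visible in this hunk), it can be retired as well.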
diff --git a/SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch b/SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch
new file mode 100644
index 0000000..f9f9843
--- /dev/null
+++ b/SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch
@@ -0,0 +1,61 @@
+From 01ccf0deee2cfa98f76d79eb435be74efecd4626 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 22 Feb 2016 12:40:03 +0200
+Subject: [PATCH] slapi-nis: update configuration to allow external members of
+ IPA groups
+
+Currently in an environment with trust to AD the compat tree does not
+show AD users as members of IPA groups. The reason is that IPA groups
+are read directly from the IPA DS tree and external groups are not
+handled.
+
+slapi-nis project has added support for it in 0.55, make sure we update
+configuration for the group map if it exists and depend on 0.55 version.
+
+https://fedorahosted.org/freeipa/ticket/4403
+
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+---
+ freeipa.spec.in                           | 2 +-
+ install/updates/50-externalmembers.update | 3 +++
+ install/updates/Makefile.am               | 1 +
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 install/updates/50-externalmembers.update
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index cd26d4ce66e320f8b8bf6aaa3e738b4c11f89aa9..17b90fc4653bd7694bf389a19d5847d7df544890 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -139,7 +139,7 @@ Requires(pre): systemd-units
+ Requires(post): systemd-units
+ Requires: selinux-policy >= %{selinux_policy_version}
+ Requires(post): selinux-policy-base
+-Requires: slapi-nis >= 0.54.2-1
++Requires: slapi-nis >= 0.55-1
+ Requires: pki-ca >= 10.2.5
+ Requires: pki-kra >= 10.2.5
+ Requires(preun): python systemd-units
+diff --git a/install/updates/50-externalmembers.update b/install/updates/50-externalmembers.update
+new file mode 100644
+index 0000000000000000000000000000000000000000..6b9c5dd23fac65fd5e9055b255e7c4d41e5cc66b
+--- /dev/null
++++ b/install/updates/50-externalmembers.update
+@@ -0,0 +1,3 @@
++dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
++addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
++addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..86799838c8713d04d03a69167a00ee4baa6acd6c 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -45,6 +45,7 @@ app_DATA =				\
+ 	50-krbenctypes.update		\
+ 	50-nis.update			\
+ 	50-ipaconfig.update		\
++	50-externalmembers.update	\
+ 	55-pbacmemberof.update		\
+ 	59-trusts-sysacount.update	\
+ 	60-trusts.update		\
+-- 
+2.5.0
+
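Review bot: The upstream hunk raises `Requires: slapi-nis >= 0.55-1` because the `%deref_r("member","ipaexternalmember")` map attribute depends on slapi-nis 0.55, yet the `SPECS/ipa.spec` hunk in this same commit (the `Requires: slapi-nis >= 0.54-8` line) stays below that version. If the 0.54-8 build carries the backport, say so beside it: `# slapi-nis 0.54-8 backports the %deref_r external-member support needed by 50-externalmembers.update`; otherwise the update configures an attribute the installed plugin may not understand. It is also worth a comment in the new update file that `addifexist` makes both lines no-ops when the compat `cn=groups` map is absent, so external-member visibility depends on the compat plugin being configured.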
diff --git a/SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch b/SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch
new file mode 100644
index 0000000..1d60fc2
--- /dev/null
+++ b/SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch
@@ -0,0 +1,36 @@
+From 431f42703acfb2f22c034a336277dcb2c320928a Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 4 Aug 2015 10:15:36 -0400
+Subject: [PATCH] Insure the admin_conn is disconnected on stop
+
+If we stop or restart the server insure admin_conn gets reset or other
+parts may fail to properly connect/authenticate
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/dsinstance.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 7044782bac8068f7470b62bd7489b5319269b119..cadf9ccbe8ed0a20813af3fd671b18942a918b0b 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -478,7 +478,14 @@ class DsInstance(service.Service):
+             # Does not apply with newer DS releases
+             pass
+ 
++    def stop(self, *args, **kwargs):
++        if self.admin_conn:
++            self.ldap_disconnect()
++        super(DsInstance, self).stop(*args, **kwargs)
++
+     def restart(self, instance=''):
++        if self.admin_conn:
++            self.ldap_disconnect()
+         try:
+             super(DsInstance, self).restart(instance)
+             if not is_ds_running(instance):
+-- 
+2.5.0
+
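Review bot: In the new `stop` and in `restart`, `self.ldap_disconnect()` runs outside any `try`, so if tearing down a stale `admin_conn` raises (for instance when the server is already down and the connection is dead — `ldap_disconnect`'s behaviour is not visible here), the service is never stopped or restarted, which inverts the intent of the change. Decide whether a failed disconnect should block the operation; if not, catch the error, log it and still reset `admin_conn` before calling the parent method. The same two-line guard is duplicated in both methods; a small private helper such as `_disconnect_admin_conn()` keeps them in step. `restart`'s body continues outside the hunk.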
diff --git a/SOURCES/0198-Fix-connections-to-DS-during-installation.patch b/SOURCES/0198-Fix-connections-to-DS-during-installation.patch
new file mode 100644
index 0000000..8a9e587
--- /dev/null
+++ b/SOURCES/0198-Fix-connections-to-DS-during-installation.patch
@@ -0,0 +1,42 @@
+From 520e2ed9c5b2cfe3e3231bd616639bddb16d6995 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Tue, 1 Mar 2016 17:36:55 +0100
+Subject: [PATCH] Fix connections to DS during installation
+
+Regression caused by commit 9818e463f5d0a91b300801ee7c8f31f25de402b2,
+admin_conn should be connected in method if there is no connection.
+
+https://fedorahosted.org/freeipa/ticket/5665
+
+Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
+---
+ ipaserver/install/dsinstance.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index cadf9ccbe8ed0a20813af3fd671b18942a918b0b..4ad0f9e7def8a10b1eaffce1b3d9cadd9cdcc689 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -938,6 +938,9 @@ class DsInstance(service.Service):
+         """
+         Add sidgen plugin configuration only if it does not already exist.
+         """
++        if not self.admin_conn:
++            self.ldap_connect()
++
+         dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config')
+         try:
+             self.admin_conn.get_entry(dn)
+@@ -956,6 +959,9 @@ class DsInstance(service.Service):
+         """
+         Add extdom configuration if it does not already exist.
+         """
++        if not self.admin_conn:
++            self.ldap_connect()
++
+         dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config')
+         try:
+             self.admin_conn.get_entry(dn)
+-- 
+2.5.0
+
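Review bot: Both new guards (`if not self.admin_conn: self.ldap_connect()` in the sidgen and extdom methods) open a connection the method never closes, and the docstrings directly above them do not mention the side effect; together with the on-stop disconnect from patch 0197 this works, but a reader cannot tell who owns the connection. Extend each docstring with a line such as `Connects admin_conn on demand if it is not yet open; the connection is left open for the caller.` (confirm that leaving it open is intended rather than an oversight). The guard is repeated verbatim; a helper like `_ensure_admin_conn()` would remove the duplication. Both enclosing methods continue outside the hunk.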
diff --git a/SOURCES/0199-Fix-broken-trust-warnings.patch b/SOURCES/0199-Fix-broken-trust-warnings.patch
new file mode 100644
index 0000000..3b650c6
--- /dev/null
+++ b/SOURCES/0199-Fix-broken-trust-warnings.patch
@@ -0,0 +1,32 @@
+From 9f131566a8218a082b59ec980e04f9193e9c85f7 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Wed, 16 Mar 2016 13:41:51 +0100
+Subject: [PATCH] Fix broken trust warnings
+
+Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all.
+
+https://fedorahosted.org/freeipa/ticket/5737
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipalib/plugins/trust.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index d451325e31e4e1d8d7223f009677bbcb002c65cb..4b3cb7aab665e5cd952704a58e4b58ea55ecab0a 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -565,7 +565,9 @@ class trust(LDAPObject):
+ 
+         try:
+             entries, truncated = ldap.find_entries(
+-                base_dn=DN(self.container_dn, self.api.env.basedn),
++                base_dn=DN(self.api.env.container_adtrusts,
++                           self.api.env.basedn),
++                scope=ldap.SCOPE_ONELEVEL,
+                 attrs_list=['cn'],
+                 filter='(&(ipaNTTrustPartner=*)'
+                        '(!(ipaNTSecurityIdentifier=*)))',
+-- 
+2.5.0
+
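Review bot: The narrowed search (`container_adtrusts` base with `scope=ldap.SCOPE_ONELEVEL`) encodes a schema fact — subdomain entries sit one level below the trust entry and never carry `ipaNTSecurityIdentifier` — that only the commit message explains, so the next person to touch this filter will not see why the scope matters. Add a comment above `base_dn=`: `# Only top-level trust entries carry ipaNTSecurityIdentifier; subdomains one level down never do, so search ONELEVEL to avoid false warnings (ticket 5737)`. The enclosing method continues on both sides of the hunk.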
diff --git a/SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch b/SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch
new file mode 100644
index 0000000..e16c0c9
--- /dev/null
+++ b/SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch
@@ -0,0 +1,108 @@
+From d1470a8a5d2f39b57d8d66e8d0d7e8437fcd2ae4 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Wed, 2 Dec 2015 12:22:45 +0100
+Subject: [PATCH] replica install: improvements in the handling of CA-related
+ IPA config entries
+
+When a CA-less replica is installed, its IPA config file should be updated so
+that ca_host points to nearest CA master and all certificate requests are
+forwarded to it. A subsequent installation of CA subsystem on the replica
+should clear this entry from the config so that all certificate requests are
+handled by freshly installed local CA.
+
+https://fedorahosted.org/freeipa/ticket/5506
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaserver/install/ca.py                    | 16 ----------------
+ ipaserver/install/cainstance.py            | 18 ++++++++++++++++++
+ ipaserver/install/server/replicainstall.py |  3 +++
+ 3 files changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38..b4db8dcbfad9d482e7106cd06b3d497ccf8954f0 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -12,7 +12,6 @@ from ipaplatform.paths import paths
+ from ipaserver.install import installutils, certs
+ from ipaserver.install.replication import replica_conn_check
+ from ipalib import api, certstore, x509
+-from ConfigParser import RawConfigParser
+ from ipapython.dn import DN
+ from ipapython.ipa_log_manager import root_logger
+ 
+@@ -240,21 +239,6 @@ def install_step_1(standalone, replica_config, options):
+     if standalone:
+         ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
+ 
+-        # Update config file
+-        try:
+-            parser = RawConfigParser()
+-            parser.read(paths.IPA_DEFAULT_CONF)
+-            parser.set('global', 'enable_ra', 'True')
+-            parser.set('global', 'ra_plugin', 'dogtag')
+-            parser.set('global', 'dogtag_version',
+-                       str(dogtag_constants.DOGTAG_VERSION))
+-            with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+-                parser.write(f)
+-        except IOError, e:
+-            print "Failed to update /etc/ipa/default.conf"
+-            root_logger.error(str(e))
+-            sys.exit(1)
+-
+         # We need to restart apache as we drop a new config file in there
+         services.knownservices.httpd.restart(capture_output=True)
+ 
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 1a98c438786ae7dad208212fff23e3a760c95b3c..b06760308865aa42afac79d6750f4a422a5c8f95 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -482,6 +482,8 @@ class CAInstance(DogtagInstance):
+             self.step("importing IPA certificate profiles",
+                       import_included_profiles)
+             self.step("adding default CA ACL", ensure_default_caacl)
++            self.step("updating IPA configuration",
++                      lambda: update_ipa_conf(self.dogtag_constants))
+ 
+         self.start_creation(runtime=210)
+ 
+@@ -1880,6 +1882,22 @@ def ensure_default_caacl():
+         api.Backend.ldap2.disconnect()
+ 
+ 
++def update_ipa_conf(dogtag_constants):
++    """
++    Update IPA configuration file to ensure that RA plugins are enabled and
++    that CA host points to localhost
++    """
++    parser = ConfigParser.RawConfigParser()
++    parser.read(paths.IPA_DEFAULT_CONF)
++    parser.set('global', 'enable_ra', 'True')
++    parser.set('global', 'ra_plugin', 'dogtag')
++    parser.set('global', 'dogtag_version',
++               str(dogtag_constants.DOGTAG_VERSION))
++    parser.remove_option('global', 'ca_host')
++    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
++        parser.write(f)
++
++
+ if __name__ == "__main__":
+     standard_logging_setup("install.log")
+     ds = dsinstance.DsInstance()
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 317eda92dd4322542f035c2df4dba919a5898cc7..2ab95add90d33eb191d4e75b62cb4eceac40551b 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -378,6 +378,9 @@ def install_check(installer):
+             fd.write("ra_plugin=dogtag\n")
+             fd.write("dogtag_version=%s\n" %
+                      dogtag.install_constants.DOGTAG_VERSION)
++
++            if not config.setup_ca:
++                fd.write("ca_host={0}\n".format(config.master_host_name))
+         else:
+             fd.write("enable_ra=False\n")
+             fd.write("ra_plugin=none\n")
+-- 
+2.5.0
+
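Review bot: `update_ipa_conf` rewrites `paths.IPA_DEFAULT_CONF` in place with `open(..., 'w')`, so an exception between truncation and `parser.write` (disk full, interrupted install) leaves a truncated or empty `default.conf`, and the explicit `IOError` handling the removed `ca.py` block had (message plus `sys.exit(1)`) is gone, so the failure now surfaces only as a traceback from the step runner. Write to a temporary file in the same directory and rename it over the original, preserving the file mode; the rewritten body is below (`os` and `tempfile` must be in scope in cainstance.py — its imports are outside this hunk). The docstring should also say that `ca_host` is removed so requests go to the local CA, and that `remove_option` returning `False` when the key is absent is intentionally ignored.
```python
def update_ipa_conf(dogtag_constants):
    """
    Update IPA configuration file to ensure that RA plugins are enabled and
    that CA host points to localhost (the ca_host override written for a
    CA-less replica is removed so requests go to the local CA).
    """
    parser = ConfigParser.RawConfigParser()
    parser.read(paths.IPA_DEFAULT_CONF)
    # … unchanged: parser.set() calls for enable_ra, ra_plugin, dogtag_version …
    parser.remove_option('global', 'ca_host')  # returns False if absent; fine
    # Write to a sibling temp file and rename it over the original so a
    # failure mid-write can never leave a truncated default.conf behind.
    conf_dir = os.path.dirname(paths.IPA_DEFAULT_CONF)
    try:
        mode = os.stat(paths.IPA_DEFAULT_CONF).st_mode & 0o7777
    except OSError:
        mode = 0o644  # file did not exist yet; open('w') would have created it
    fd, tmp_path = tempfile.mkstemp(prefix='default.conf.', dir=conf_dir)
    try:
        os.fchmod(fd, mode)
        with os.fdopen(fd, 'w') as f:
            parser.write(f)
        os.rename(tmp_path, paths.IPA_DEFAULT_CONF)
    except Exception:
        os.unlink(tmp_path)
        raise
```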
diff --git a/SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch b/SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch
new file mode 100644
index 0000000..48c2bcc
--- /dev/null
+++ b/SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch
@@ -0,0 +1,49 @@
+From c0598b1af6885b1558ef592d6e2a5250f707e878 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Thu, 10 Mar 2016 13:16:41 +0100
+Subject: [PATCH] certdb: never use the -r option of certutil
+
+The -r option makes certutil output certificates in DER. If there are
+multiple certificates sharing the same nickname, certutil will output
+them concatenated into a single blob. The blob is not a valid DER
+anymore and causes failures further in the code.
+
+Use the -a option instead to output the certificates in PEM and convert
+them to DER on demand.
+
+https://fedorahosted.org/freeipa/ticket/5117
+https://fedorahosted.org/freeipa/ticket/5720
+
+Reviewed-By: David Kupka <dkupka@redhat.com>
+---
+ ipapython/certdb.py | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ipapython/certdb.py b/ipapython/certdb.py
+index 5a6e494fb8a5963ae9c68c697234e83575bc89ec..63dc4580b43ec11329d2074fc9a33e55dac9cb03 100644
+--- a/ipapython/certdb.py
++++ b/ipapython/certdb.py
+@@ -395,15 +395,15 @@ class NSSDatabase(object):
+                     "Setting trust on %s failed" % root_nickname)
+ 
+     def get_cert(self, nickname, pem=False):
+-        args = ['-L', '-n', nickname]
+-        if pem:
+-            args.append('-a')
+-        else:
+-            args.append('-r')
++        args = ['-L', '-n', nickname, '-a']
+         try:
+             cert, err, returncode = self.run_certutil(args)
+         except ipautil.CalledProcessError:
+             raise RuntimeError("Failed to get %s" % nickname)
++        if not pem:
++            (cert, start) = find_cert_from_txt(cert, start=0)
++            cert = x509.strip_header(cert)
++            cert = base64.b64decode(cert)
+         return cert
+ 
+     def has_nickname(self, nickname):
+-- 
+2.5.0
+
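Review bot: With `-a`, certutil may emit several PEM certificates for one nickname (the very situation the commit describes), and the `pem=False` branch silently returns only the first via `find_cert_from_txt(cert, start=0)` while the `pem=True` branch returns the whole concatenation, so the two modes no longer describe the same object and callers cannot tell that a second certificate existed. Document this on the method: `"""Return the certificate stored under nickname: as PEM (possibly several concatenated certs) when pem=True, otherwise the DER of the first one only."""`. The unpacked `start` value is unused, so `cert, _ = find_cert_from_txt(cert, start=0)` states the intent. Whether `find_cert_from_txt` raises or returns `None` when certutil printed no certificate is not visible here; if it can return `None`, `base64.b64decode` fails with an unhelpful error, so confirm.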
diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
index 4c2fd45..6cb68b1 100644
--- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
+++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,4 +1,4 @@
-From 38e9b66a161f8e5c540c69f46a8bc699d0906636 Mon Sep 17 00:00:00 2001
+From b30152e2225fed9a991423c35506f3aa62b38350 Mon Sep 17 00:00:00 2001
 From: Martin Kosek <mkosek@redhat.com>
 Date: Fri, 5 Sep 2014 11:24:27 +0200
 Subject: [PATCH] Hide pkinit functionality from production version
@@ -13,7 +13,7 @@ https://fedorahosted.org/freeipa/ticket/616
  3 files changed, 8 insertions(+), 17 deletions(-)
 
 diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
-index 5246f5f5469c85571d04c99d872f38018802abaa..3ecf44fffad22e11b5008dadc24c9933eac965cf 100644
+index b9ae60e9bc9d40be5f86e312980846b2ad80f67d..62cc8368abd999bec07154dc2c715431ff0c3b1a 100644
 --- a/ipaserver/install/ipa_replica_prepare.py
 +++ b/ipaserver/install/ipa_replica_prepare.py
 @@ -65,9 +65,6 @@ class ReplicaPrepare(admintool.AdminTool):
@@ -72,10 +72,10 @@ index 5246f5f5469c85571d04c99d872f38018802abaa..3ecf44fffad22e11b5008dadc24c9933
          # If any of the PKCS#12 options are selected, all are required.
          cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
 diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e943548cd9a30 100644
+index 01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd..a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5 100644
 --- a/ipaserver/install/server/install.py
 +++ b/ipaserver/install/server/install.py
-@@ -1173,6 +1173,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
+@@ -1172,6 +1172,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
  
      no_pkinit = Knob(
          bool, False,
@@ -83,7 +83,7 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435
          description="disables pkinit setup steps",
      )
  
-@@ -1196,6 +1197,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
+@@ -1195,6 +1196,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
  
      pkinit_cert_files = Knob(
          (list, str), None,
@@ -91,7 +91,7 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435
          description=("File containing the Kerberos KDC SSL certificate and "
                       "private key"),
          cli_name='pkinit-cert-file',
-@@ -1221,6 +1223,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
+@@ -1220,6 +1222,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
  
      pkinit_pin = Knob(
          str, None,
@@ -99,7 +99,7 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435
          sensitive=True,
          description="The password to unlock the Kerberos KDC private key",
          cli_aliases=['pkinit_pin'],
-@@ -1241,6 +1244,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
+@@ -1240,6 +1243,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
  
      pkinit_cert_name = Knob(
          str, None,
@@ -108,10 +108,10 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435
          cli_metavar='NAME',
      )
 diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..2544db2875cc29b1c0f6f8acd855bcfa02fc645a 100644
+index 2ab95add90d33eb191d4e75b62cb4eceac40551b..b000e8ce84df3cb2a6bc90520cb4713ab416f4da 100644
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -658,6 +658,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
+@@ -690,6 +690,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
  
      no_pkinit = Knob(
          bool, False,
@@ -120,5 +120,5 @@ index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..2544db2875cc29b1c0f6f8acd855bcfa
      )
  
 -- 
-2.4.3
+2.5.0
 
diff --git a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
index 877f1c5..681bfbe 100644
--- a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From b8aa1e36a06ec183709933e51ef105d7b4a96d6d Mon Sep 17 00:00:00 2001
+From 5e341cea66938c8dfd99d83c869a1f2ba71479be Mon Sep 17 00:00:00 2001
 From: Martin Kosek <mkosek@redhat.com>
 Date: Fri, 5 Sep 2014 11:46:59 +0200
 Subject: [PATCH] Change branding to IPA and Identity Management
@@ -54,7 +54,7 @@ Subject: [PATCH] Change branding to IPA and Identity Management
  47 files changed, 57 insertions(+), 57 deletions(-)
 
 diff --git a/install/html/browserconfig.html b/install/html/browserconfig.html
-index d721a4ad2a3b684a4bf45602584fee78f4613360..b0cd570403b1604449887302844c43b1e89b80e2 100644
+index 9c5cf68211281723e12b518f346aac43c1541cdc..14c4ca1f98a60cd8dfe486f8b942fcf9ae9de4c0 100644
 --- a/install/html/browserconfig.html
 +++ b/install/html/browserconfig.html
 @@ -2,7 +2,7 @@
@@ -723,10 +723,10 @@ index d75a2427352851fecc045707a8cf73f99d05843b..2a42272ef433a1ddb7a040143ff63a31
      '''
  
 diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index 95a9b560843cfea9b4f7b2718e4e943548cd9a30..f62874f085ee3ae478fc769465fe375abc4465e6 100644
+index a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5..0534be818ecf950d9a9dab8f8a1797209d2dfc7d 100644
 --- a/ipaserver/install/server/install.py
 +++ b/ipaserver/install/server/install.py
-@@ -368,7 +368,7 @@ def install_check(installer):
+@@ -366,7 +366,7 @@ def install_check(installer):
  
      print("======================================="
            "=======================================")
@@ -736,10 +736,10 @@ index 95a9b560843cfea9b4f7b2718e4e943548cd9a30..f62874f085ee3ae478fc769465fe375a
      print "This includes:"
      if setup_ca:
 diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 2d34fdd02b57eb962cdffba508e53cfea0c922e1..55c58335c5bbc6993999da4c465e58f4ce3225aa 100644
+index b000e8ce84df3cb2a6bc90520cb4713ab416f4da..3c13a3e743074e01ca952e114c2374205bdd68f8 100644
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -435,7 +435,7 @@ def install_check(installer):
+@@ -467,7 +467,7 @@ def install_check(installer):
          above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
  
          if under_lower_bound or above_upper_bound:
@@ -749,5 +749,5 @@ index 2d34fdd02b57eb962cdffba508e53cfea0c922e1..55c58335c5bbc6993999da4c465e58f4
                         "this domain. The Domain Level needs to be "
                         "raised before installing a replica with "
 -- 
-2.5.1
+2.5.0
 
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 4744e1e..4da86e8 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -35,7 +35,7 @@
 
 Name:           ipa
 Version:        4.2.0
-Release:        15.0.1%{?dist}.6.1
+Release:        15%{?dist}.15
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -43,10 +43,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -231,6 +231,27 @@ Patch0177:      0177-Upgrade-Fix-upgrade-of-NIS-Server-configuration.patch
 Patch0178:      0178-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch
 Patch0179:      0179-ipalib-assume-version-2.0-when-skip_version_check-is.patch
 Patch0180:      0180-always-start-certmonger-during-IPA-server-configurat.patch
+Patch0181:      0181-ipa-kdb-map_groups-consider-all-results.patch
+Patch0182:      0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch
+Patch0183:      0183-installer-Propagate-option-values-from-components-in.patch
+Patch0184:      0184-installer-Fix-logic-of-reading-option-values-from-ca.patch
+Patch0185:      0185-Fixed-login-error-message-box-in-LoginScreen-page.patch
+Patch0186:      0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch
+Patch0187:      0187-CA-install-explicitly-set-dogtag_version-to-10.patch
+Patch0188:      0188-fix-standalone-installation-of-externally-signed-CA-.patch
+Patch0189:      0189-replica-install-validate-DS-and-HTTP-server-certific.patch
+Patch0190:      0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch
+Patch0191:      0191-upgrade-unconditional-import-of-certificate-profiles.patch
+Patch0192:      0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch
+Patch0193:      0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch
+Patch0194:      0194-Warn-user-if-trust-is-broken.patch
+Patch0195:      0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch
+Patch0196:      0196-slapi-nis-update-configuration-to-allow-external-mem.patch
+Patch0197:      0197-Insure-the-admin_conn-is-disconnected-on-stop.patch
+Patch0198:      0198-Fix-connections-to-DS-during-installation.patch
+Patch0199:      0199-Fix-broken-trust-warnings.patch
+Patch0200:      0200-replica-install-improvements-in-the-handling-of-CA-r.patch
+Patch0201:      0201-certdb-never-use-the-r-option-of-certutil.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -242,7 +263,6 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
 Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
-Patch1011:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -353,7 +373,7 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.54-3
+Requires: slapi-nis >= 0.54-8
 Requires: pki-ca >= 10.2.5-5
 Requires: pki-kra >= 10.2.5-5
 Requires(preun): python systemd-units
@@ -377,7 +397,7 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 # RHEL spec file only: START
-# Requires: redhat-access-plugin-ipa
+Requires: redhat-access-plugin-ipa
 # RHEL spec file only: END
 
 Conflicts: %{alt_name}-server
@@ -480,7 +500,7 @@ Requires: pam_krb5
 Requires: wget
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
-Requires: sssd >= 1.13.0-6
+Requires: sssd >= 1.13.0-40.el7_2.2
 Requires: python-sssdconfig
 Requires: certmonger >= 0.78
 Requires: nss-tools
@@ -586,10 +606,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 %build
@@ -1186,14 +1206,73 @@ fi
 # RHEL spec file only: DELETED: Do not build tests
 
 %changelog
-* Tue Apr 12 2016 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos.6.1
-- Roll in CentOS Branding
-- add .0.1 to release for dist tag change to .el7.centos  
+* Mon Apr 18 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.15
+- Related: #1327197 Crash during IPA upgrade due to slapd
+  - spec file: update minimum required version of slapi-nis
 
-* Wed Apr 06 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.0-15.6.1
+* Wed Apr 06 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.0-15.14
 - Rebuild against newer Samba version
 - Related: #1322690
 
+* Tue Apr  5 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.13
+- Resolves: #1324060 Installers fail when there are multiple versions of the
+  same certificate
+  - certdb: never use the -r option of certutil
+
+* Thu Mar 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.12
+- Resolves: #1309382 issues with migration from RHEL 6 self-signed to RHEL 7 CA
+  IPA setup
+  - replica install: improvements in the handling of CA-related IPA config
+    entries
+
+* Thu Mar 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.11
+- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
+  returns "0 trusts matched"
+  - Fix broken trust warnings
+
+* Wed Mar  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.10
+- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
+  returns "0 trusts matched"
+  - Insure the admin_conn is disconnected on stop
+  - Fix connections to DS during installation
+- Renamed patch 1011 to 0196, as it was merged upstream
+
+* Wed Feb 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.9
+- Resolves: #1311468 shared certificateProfiles container is missing on a
+  freshly installed RHEL7.2 system
+  - upgrade: unconditional import of certificate profiles into LDAP
+- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
+  returns "0 trusts matched"
+  - upgrade: fix config of sidgen and extdom plugins
+  - trusts: use ipaNTTrustPartner attribute to detect trust entries
+  - Warn user if trust is broken
+  - fix upgrade: wait for proper DS socket after DS restart
+- Resolves: #1311502 [RFE] compat tree: show AD members of IPA groups
+  - slapi-nis: update configuration to allow external members of IPA groups
+
+* Tue Feb 23 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.8
+- Resolves: #1303052 install fails when locale is "fr_FR.UTF-8"
+  - Do not decode HTTP reason phrase from Dogtag
+- Resolves: #1303059 --setup-dns and other options is forgotten for using an
+  external PKI
+  - installer: Propagate option values from components instead of copying them.
+  - installer: Fix logic of reading option values from cache.
+- Resolves: #1309362 User should be notified for wrong password in password
+  reset page
+  - Fixed login error message box in LoginScreen page
+- Resolves: #1309382 issues with migration from RHEL 6 self-signed to RHEL 7 CA
+  IPA setup
+  - ipa-ca-install: print more specific errors when CA is already installed
+  - cert renewal: import all external CA certs on IPA CA cert renewal
+  - CA install: explicitly set dogtag_version to 10
+  - fix standalone installation of externally signed CA on IPA master
+  - replica install: validate DS and HTTP server certificates
+
+* Mon Feb  8 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.7
+- Resolves: #1304333 In IPA-AD trust environment some secondary IPA based Posix
+  groups are missing
+  - ipa-kdb: map_groups() consider all results
+
 * Tue Feb  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.6
 - Resolves: #1298103 ipa-server-upgrade fails if certmonger is not running
   - always start certmonger during IPA server configuration upgrade