diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d9c893f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/freeipa-4.9.8.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
new file mode 100644
index 0000000..15ef586
--- /dev/null
+++ b/.ipa.metadata
@@ -0,0 +1 @@
+38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz
diff --git a/SOURCES/0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch b/SOURCES/0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
new file mode 100644
index 0000000..e303e04
--- /dev/null
+++ b/SOURCES/0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
@@ -0,0 +1,36 @@
+From 669f3d71161741c676ddd6a08bd08d4a4ccd495b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 26 Nov 2021 17:40:54 +0200
+Subject: [PATCH] ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
+
+MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
+security fixes added the following requirement:
+
+- PAC_REQUESTER_SID is only added in TGT case (including referrals and
+  tickets to RODCs)
+
+Fixes: https://pagure.io/freeipa/issue/9031
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 6f7d1ac15daf17dfca36ebd3265c866725d24717..538cfbba958068bd2ee0aaae7a2743ae82237898 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1148,7 +1148,8 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
+ #endif
+ 
+ #ifdef HAVE_PAC_REQUESTER_SID
+-    {
++    /* MS-KILE 3.3.5.6.4.8: add PAC_REQUESTER_SID only in TGT case */
++    if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0) {
+         union PAC_INFO pac_requester_sid;
+         /* == Package PAC_REQUESTER_SID == */
+         memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));
+-- 
+2.31.1
+
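Review bot: The new condition in ipadb_get_pac, `if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0)`, ties the TGT decision to a flag whose name says nothing about TGTs, and the added comment does not explain the link. Because this test decides whether a PAC buffer is emitted at all, the comment should record the assumption, for example `/* MS-KILE 3.3.5.6.4.8: PAC_REQUESTER_SID only in the TGT case; CLIENT_REFERRALS_ONLY is used here as the TGT indicator, see <where the KDC sets it> */`. How `flags` is populated is not visible in this hunk, so it is worth confirming that the flag cannot be set on a request for a non-krbtgt service ticket. The body of ipadb_get_pac starts and ends outside the hunk.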
diff --git a/SOURCES/0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch b/SOURCES/0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
new file mode 100644
index 0000000..b220cc9
--- /dev/null
+++ b/SOURCES/0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
@@ -0,0 +1,122 @@
+From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 26 Nov 2021 11:13:51 +0200
+Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
+ MS-SFU updates
+
+New versions of MS-KILE and MS-SFU after Windows Server November 2021
+security updates add PAC_REQUESTER_SID buffer check behavior:
+
+ - PAC_REQUESTER_SID should only be added for TGT requests
+
+ - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
+   the ticket resolves to the account with the same SID as the
+   PAC_REQUESTER_SID. If it doesn't KDC must respond with
+   KDC_ERR_TKT_REVOKED
+
+Change requester SID check to skip exact check for non-local
+PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
+we know about.
+
+If requester SID is the same as in PAC, we already do cname vs PAC SID
+verification.
+
+With these changes FreeIPA works against Windows Server 2019 with
+November 2021 security fixes in cross-realm S4U2Self operations.
+
+Fixes: https://pagure.io/freeipa/issue/9031
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 538cfbba958068bd2ee0aaae7a2743ae82237898..1b972c167dd50619c7a6bd78eb5c81b0e05a4832 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+                                       "local [%s], PAC [%s]",
+                                       dom ? dom : "<failed to display>",
+                                       sid ? sid : "<failed to display>");
+-            return KRB5KDC_ERR_POLICY;
++            return KRB5KDC_ERR_TGT_REVOKED;
+         }
+     }
+ 
+@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+     kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
+     if (kerr != 0) {
+         krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
+-        return KRB5KDC_ERR_POLICY;
++        return KRB5KDC_ERR_TGT_REVOKED;
+     }
+ 
+     ied = (struct ipadb_e_data *)client_actual->e_data;
+@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+                                   "local [%s] vs PAC [%s]",
+                                   local_sid ? local_sid : "<failed to display>",
+                                   pac_sid ? pac_sid : "<failed to display>");
+-        kerr = KRB5KDC_ERR_POLICY;
++        kerr = KRB5KDC_ERR_TGT_REVOKED;
+         goto done;
+     }
+ 
+@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
+     /* Check that requester SID is the same as in the PAC entry */
+     if (requester_sid != NULL) {
+         struct dom_sid client_sid;
++        bool is_from_trusted_domain = false;
+         kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
+         if (kerr) {
+             goto done;
+         }
+         result = dom_sid_check(&client_sid, requester_sid, true);
+         if (!result) {
+-            /* memctx is freed by the caller */
+-            char *pac_sid = dom_sid_string(tmpctx, &client_sid);
+-            char *req_sid = dom_sid_string(tmpctx, requester_sid);
+-            krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
+-                                      "different from what PAC requester claims. "
+-                                      "PAC [%s] vs PAC requester [%s]",
+-                                      pac_sid ? pac_sid : "<failed to display>",
+-                                      req_sid ? req_sid : "<failed to display>");
+-            kerr = KRB5KDC_ERR_POLICY;
+-            goto done;
++            struct ipadb_context *ipactx = ipadb_get_context(context);
++            if (!ipactx || !ipactx->mspac) {
++                return KRB5_KDB_DBNOTINITED;
++            }
++            /* In S4U case we might be dealing with the PAC issued by the trusted domain */
++            if (is_s4u && (ipactx->mspac->trusts != NULL)) {
++                /* Iterate through list of trusts and check if this SID belongs to
++                * one of the domains we trust */
++                for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
++                    result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
++                                           requester_sid, false);
++                    if (result) {
++                        is_from_trusted_domain = true;
++                        break;
++                    }
++                }
++            }
++
++            if (!is_from_trusted_domain) {
++                /* memctx is freed by the caller */
++                char *pac_sid = dom_sid_string(tmpctx, &client_sid);
++                char *req_sid = dom_sid_string(tmpctx, requester_sid);
++                krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
++                                        "different from what PAC requester claims. "
++                                        "PAC [%s] vs PAC requester [%s]",
++                                        pac_sid ? pac_sid : "<failed to display>",
++                                        req_sid ? req_sid : "<failed to display>");
++                kerr = KRB5KDC_ERR_TGT_REVOKED;
++                goto done;
++            }
+         }
+     }
+ 
+-- 
+2.31.1
+
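Review bot: The new `return KRB5_KDB_DBNOTINITED;` in the last hunk (`@@ -2005,22 +2005,43 @@`) leaves the function directly, while every other failure in the same block sets `kerr` and uses `goto done`, so whatever cleanup sits at `done` (not visible here) is skipped on that path. Use `kerr = KRB5_KDB_DBNOTINITED; goto done;` instead. Separately, when the requester SID differs from the PAC SID but matches a trusted domain, the mismatch is accepted without any log line. A `krb5_klog_syslog(LOG_DEBUG, ...)` naming both SIDs on that path would let operators audit how often the relaxed check is taken. The enclosing function starts and ends outside the hunk.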
diff --git a/SOURCES/0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch b/SOURCES/0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch
new file mode 100644
index 0000000..022ae84
--- /dev/null
+++ b/SOURCES/0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch
@@ -0,0 +1,48 @@
+From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Fri, 26 Nov 2021 12:11:21 +0530
+Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
+ teardown
+
+Fixture `expire_certs` moves date back after renewing the certs.
+This is causing the ipa-replica to fail. This fix first uninstalls
+the server then moves back the date.
+
+Fixes: https://pagure.io/freeipa/issue/9052
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index 39904d5de64c59416f01646f437aabf797d57dd9..5b56054b4f16d5654ebeb61971a8775bfaf341b8 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
+             setup_dns=False, extra_args=['--no-ntp']
+         )
+ 
++    @classmethod
++    def uninstall(cls, mh):
++        # Uninstall method is empty as the uninstallation is done in
++        # the fixture
++        pass
++
+     @pytest.fixture
+     def expire_certs(self):
+         # move system date to expire certs
+@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
+         yield
+ 
+         # move date back on replica and master
+-        for host in self.master, self.replicas[0]:
++        for host in self.replicas[0], self.master:
++            tasks.uninstall_master(host)
+             tasks.move_date(host, 'start', '-3years-1days')
+ 
+     def test_renew_expired_cert_replica(self, expire_certs):
+-- 
+2.34.1
+
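Review bot: In the `expire_certs` teardown, `tasks.uninstall_master(host)` now runs before `tasks.move_date(host, 'start', '-3years-1days')` in the same iteration with no `try`/`finally`, so if an uninstall raises, the clock is not moved back on that host or on the host after it. Putting the uninstall in `try:` and the `move_date` call in `finally:` keeps the date reset unconditional. The comment above the loop still reads `# move date back on replica and master`; it should mention the uninstall and the new replica-first order, e.g. `# uninstall, then move date back; replica first, then master`.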
diff --git a/SOURCES/0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch b/SOURCES/0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch
new file mode 100644
index 0000000..f8d5334
--- /dev/null
+++ b/SOURCES/0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch
@@ -0,0 +1,29 @@
+From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
+From: Sumedh Sidhaye <ssidhaye@redhat.com>
+Date: Thu, 25 Nov 2021 17:48:20 +0530
+Subject: [PATCH] Extend test to see if replica is not shown when running
+ `ipa-replica-manage list -v <FQDN>`
+
+Related: https://pagure.io/freeipa/issue/8605
+
+Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_simple_replication.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
+index 8de3851447abdfd36171134cbb683115b34df749..17092a49966e61d5a4a9b04c15abcb1de8be9683 100644
+--- a/ipatests/test_integration/test_simple_replication.py
++++ b/ipatests/test_integration/test_simple_replication.py
+@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
+         # has to be run with --force, there is no --unattended
+         self.master.run_command(['ipa-replica-manage', 'del',
+                                  self.replicas[0].hostname, '--force'])
+-        result = self.master.run_command(['ipa-replica-manage', 'list'])
++        result = self.master.run_command(
++            ['ipa-replica-manage', 'list', '-v', self.master.hostname])
+         assert self.replicas[0].hostname not in result.stdout_text
+-- 
+2.34.1
+
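Review bot: The change in `TestSimpleReplication` replaces the plain `ipa-replica-manage list` call rather than adding to it, so the test no longer checks that the deleted replica is gone from the unqualified listing, although the subject says the test is extended. Keeping both calls covers both outputs: run `['ipa-replica-manage', 'list']` and `['ipa-replica-manage', 'list', '-v', self.master.hostname]`, and apply `assert self.replicas[0].hostname not in result.stdout_text` to each result. The test method starts outside the hunk.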
diff --git a/SOURCES/0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch b/SOURCES/0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch
new file mode 100644
index 0000000..d73aecd
--- /dev/null
+++ b/SOURCES/0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch
@@ -0,0 +1,40 @@
+From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Mon, 13 Dec 2021 17:37:05 +0530
+Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
+
+related : https://pagure.io/freeipa/issue/8962
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_installation.py | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index 95cfaad54c33a581c6af352097ea95ed435ea2b1..0947241ae2738419c4855e2517670c9033e634f0 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
+         )
+         assert "nsslapd-db-locks" not in result.stdout_text
+ 
++    def test_nsslapd_sizelimit(self):
++        """ Test for default value of nsslapd-sizelimit.
++
++        Related : https://pagure.io/freeipa/issue/8962
++        """
++        result = tasks.ldapsearch_dm(
++            self.master,
++            "cn=config",
++            ["nsslapd-sizelimit"],
++            scope="base"
++        )
++        assert "nsslapd-sizelimit: 100000" in result.stdout_text
++
+     def test_admin_root_alias_CVE_2020_10747(self):
+         # Test for CVE-2020-10747 fix
+         # https://bugzilla.redhat.com/show_bug.cgi?id=1810160
+-- 
+2.34.1
+
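Review bot: The assertion `assert "nsslapd-sizelimit: 100000" in result.stdout_text` in `test_nsslapd_sizelimit` is a substring match, so it also passes for a larger value that merely starts with those digits, such as 1000000. Matching a whole output line pins the value: `assert "nsslapd-sizelimit: 100000" in result.stdout_text.splitlines()`. This assumes the search output prints the attribute on a line of its own with no trailing text.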
diff --git a/SOURCES/0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch b/SOURCES/0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch
new file mode 100644
index 0000000..a8c1ba2
--- /dev/null
+++ b/SOURCES/0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch
@@ -0,0 +1,123 @@
+From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 25 Nov 2021 13:10:05 +0530
+Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
+ segfault
+
+When empty cert request is submitted to certmonger, it goes to
+segfault. This fix test that if something like this happens,
+certmonger should gracefuly handle it
+
+and some PEP8 fixes
+
+related: https://pagure.io/certmonger/issue/191
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+---
+ ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
+ 1 file changed, 78 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
+index 5ffb8c6086328d563084f1d4b73daa1d01d956e7..0518d79545f7592d17571068e2681474bd9e5b14 100644
+--- a/ipatests/test_integration/test_cert.py
++++ b/ipatests/test_integration/test_cert.py
+@@ -14,6 +14,7 @@ import random
+ import re
+ import string
+ import time
++import textwrap
+ 
+ from ipaplatform.paths import paths
+ from ipapython.dn import DN
+@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
+         tasks.kinit_admin(self.master)
+         tasks.user_add(self.master, user)
+ 
+-        for id in (0,1):
++        for id in (0, 1):
+             csr_file = f'{id}.csr'
+             key_file = f'{id}.key'
+             cert_file = f'{id}.crt'
+@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
+         error_msg = 'ipa: ERROR: The certificate for ' \
+                     '{} is not available on this server.'.format(lwca)
+         assert error_msg in result.stderr_text
++
++    def test_certmonger_empty_cert_not_segfault(self):
++        """Test empty cert request doesn't force certmonger to segfault
++
++        Test scenario:
++        create a cert request file in /var/lib/certmonger/requests which is
++        missing most of the required information, and ask request a new
++        certificate to certmonger. The wrong request file should not make
++        certmonger crash.
++
++        related: https://pagure.io/certmonger/issue/191
++        """
++        empty_cert_req_content = textwrap.dedent("""
++        id=dogtag-ipa-renew-agent
++        key_type=UNSPECIFIED
++        key_gen_type=UNSPECIFIED
++        key_size=0
++        key_gen_size=0
++        key_next_type=UNSPECIFIED
++        key_next_gen_type=UNSPECIFIED
++        key_next_size=0
++        key_next_gen_size=0
++        key_preserve=0
++        key_storage_type=NONE
++        key_perms=0
++        key_requested_count=0
++        key_issued_count=0
++        cert_storage_type=FILE
++        cert_perms=0
++        cert_is_ca=0
++        cert_ca_path_length=0
++        cert_no_ocsp_check=0
++        last_need_notify_check=19700101000000
++        last_need_enroll_check=19700101000000
++        template_is_ca=0
++        template_ca_path_length=-1
++        template_no_ocsp_check=0
++        state=NEED_KEY_PAIR
++        autorenew=0
++        monitor=0
++        submitted=19700101000000
++        """)
++        # stop certmonger service
++        self.master.run_command(['systemctl', 'stop', 'certmonger'])
++
++        # place an empty cert request file to certmonger request dir
++        self.master.put_file_contents(
++            os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
++            empty_cert_req_content
++        )
++
++        # start certmonger, it should not fail
++        self.master.run_command(['systemctl', 'start', 'certmonger'])
++
++        # request a new cert, should succeed and certmonger doesn't goes
++        # to segfault
++        result = self.master.run_command([
++            "ipa-getcert", "request",
++            "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
++            "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
++        ])
++        request_id = re.findall(r'\d+', result.stdout_text)
++
++        # check if certificate is in MONITORING state
++        status = tasks.wait_for_request(self.master, request_id[0], 50)
++        assert status == "MONITORING"
++
++        self.master.run_command(
++            ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
++        )
++        self.master.run_command([
++            'rm', '-rf',
++            os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
++            os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
++            os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
++        ])
+-- 
+2.34.1
+
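Review bot: The cleanup at the end of `test_certmonger_empty_cert_not_segfault` (`ipa-getcert stop-tracking` and the `rm -rf` of the request file, `test.pem` and `test.key`) only runs when every earlier step succeeds. A failed `assert status == "MONITORING"` or an `IndexError` on `request_id[0]` therefore leaves the malformed request file in `paths.CERTMONGER_REQUESTS_DIR` and a private key on the master for later tests. Put the steps after `put_file_contents` in `try:` and the removal in `finally:`, and assert that `request_id` is non-empty before indexing, since `re.findall(r'\d+', result.stdout_text)` takes the first run of digits anywhere in the output. The test also never checks the service itself; `self.master.run_command(['systemctl', 'is-active', 'certmonger'])` after the request would tie the result to the crash the test is named for.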
diff --git a/SOURCES/0007-Test-cases-for-ipa-replica-conncheck-command.patch b/SOURCES/0007-Test-cases-for-ipa-replica-conncheck-command.patch
new file mode 100644
index 0000000..dfc7a74
--- /dev/null
+++ b/SOURCES/0007-Test-cases-for-ipa-replica-conncheck-command.patch
@@ -0,0 +1,104 @@
+From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 18 Nov 2021 18:36:58 +0530
+Subject: [PATCH] Test cases for ipa-replica-conncheck command
+
+Following test cases would be checked:
+- when called with --principal (it should then prompt for a password)
+- when called with --principal / --password
+- when called without principal and password but with a kerberos TGT,
+  kinit admin done before calling ipa-replica-conncheck
+- when called without principal and password, and without any kerberos
+  TGT (it should default to principal=admin and prompt for a password)
+
+related: https://pagure.io/freeipa/issue/9047
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+---
+ .../test_replica_promotion.py                 | 70 +++++++++++++++++++
+ 1 file changed, 70 insertions(+)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index b9c56f775d08885cb6b1226eeb7bcf105f87cdc1..1a4e9bc121abf41a3919aedda3d334de9404d1a0 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
++++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
+         self.assertCARenewalMaster(master, replica.hostname)
+         self.assertCARenewalMaster(replica, replica.hostname)
+ 
++    def test_replica_concheck(self):
++        """Test cases for ipa-replica-conncheck command
++
++        Following test cases would be checked:
++        - when called with --principal (it should then prompt for a password)
++        - when called with --principal / --password
++        - when called without principal and password but with a kerberos TGT,
++          kinit admin done before calling ipa-replica-conncheck
++        - when called without principal and password, and without any kerberos
++          TGT (it should default to principal=admin and prompt for a password)
++
++          related: https://pagure.io/freeipa/issue/9047
++        """
++        exp_str1 = "Connection from replica to master is OK."
++        exp_str2 = "Connection from master to replica is OK"
++        tasks.kdestroy_all(self.replicas[0])
++        # when called with --principal (it should then prompt for a password)
++        result = self.replicas[0].run_command(
++            ['ipa-replica-conncheck', '--auto-master-check',
++             '--master', self.master.hostname,
++             '-r', self.replicas[0].domain.realm,
++             '-p', self.replicas[0].config.admin_name],
++            stdin_text=self.master.config.admin_password
++        )
++        assert result.returncode == 0
++        assert (
++            exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
++        )
++
++        # when called with --principal / --password
++        result = self.replicas[0].run_command([
++            'ipa-replica-conncheck', '--auto-master-check',
++            '--master', self.master.hostname,
++            '-r', self.replicas[0].domain.realm,
++            '-p', self.replicas[0].config.admin_name,
++            '-w', self.master.config.admin_password
++        ])
++        assert result.returncode == 0
++        assert (
++            exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
++        )
++
++        # when called without principal and password, and without
++        # any kerberos TGT, it should default to principal=admin
++        # and prompt for a password
++        result = self.replicas[0].run_command(
++            ['ipa-replica-conncheck', '--auto-master-check',
++             '--master', self.master.hostname,
++             '-r', self.replicas[0].domain.realm],
++            stdin_text=self.master.config.admin_password
++        )
++        assert result.returncode == 0
++        assert (
++            exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
++        )
++
++        # when called without principal and password but with a kerberos TGT,
++        # kinit admin done before calling ipa-replica-conncheck
++        tasks.kinit_admin(self.replicas[0])
++        result = self.replicas[0].run_command(
++            ['ipa-replica-conncheck', '--auto-master-check',
++             '--master', self.master.hostname,
++             '-r', self.replicas[0].domain.realm]
++        )
++        assert result.returncode == 0
++        assert (
++            exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
++        )
++        tasks.kdestroy_all(self.replicas[0])
++
+     def test_automatic_renewal_master_transfer_ondelete(self):
+         # Test that after replica uninstallation, master overtakes the cert
+         # renewal master role from replica (which was previously set there)
+-- 
+2.34.1
+
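Review bot: The new method is named `test_replica_concheck`, which misspells the command it covers; `test_replica_conncheck` matches `ipa-replica-conncheck` and is easier to find by name. The four cases repeat the same assertions, so a small local helper that checks `exp_str1 in result.stderr_text and exp_str2 in result.stderr_text` would keep each case down to the command under test. `assert result.returncode == 0` looks redundant if `run_command` raises on a non-zero exit by default, as the explicit `raiseonerr=False` in `TestWrongClientDomain` suggests.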
diff --git a/SOURCES/0008-PEP8-Fixes.patch b/SOURCES/0008-PEP8-Fixes.patch
new file mode 100644
index 0000000..52df09e
--- /dev/null
+++ b/SOURCES/0008-PEP8-Fixes.patch
@@ -0,0 +1,59 @@
+From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 18 Nov 2021 18:43:22 +0530
+Subject: [PATCH] PEP8 Fixes
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+---
+ .../test_integration/test_replica_promotion.py     | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index 1a4e9bc121abf41a3919aedda3d334de9404d1a0..c328b1a08ffc8ac5efb0986d2b18c5074f573432 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
++++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
+         assert res.returncode == 1
+         assert expected_err in res.stderr_text
+ 
+-
+     @replicas_cleanup
+     def test_one_command_installation(self):
+         """
+@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
+         Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
+                                                     "freeipa-ldaps"])
+         self.replicas[0].run_command(['ipa-replica-install', '-w',
+-                                     self.master.config.admin_password,
+-                                     '-n', self.master.domain.name,
+-                                     '-r', self.master.domain.realm,
+-                                     '--server', self.master.hostname,
+-                                     '-U'])
++                                      self.master.config.admin_password,
++                                      '-n', self.master.domain.name,
++                                      '-r', self.master.domain.realm,
++                                      '--server', self.master.hostname,
++                                      '-U'])
+         # Ensure that pkinit is properly configured, test for 7566
+         result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
+         assert "PKINIT is enabled" in result.stdout_text
+@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
+         result1 = client.run_command(['ipa-replica-install', '-U', '-w',
+                                       self.master.config.dirman_password],
+                                      raiseonerr=False)
+-        assert(result1.returncode == 0), (
++        assert (result1.returncode == 0), (
+             'Failed to promote the client installed with the upcase domain name')
+ 
+     def test_client_rollback(self):
+@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
+         assert("An error occurred while removing SSSD" not in
+                result.stdout_text)
+ 
++
+ class TestRenewalMaster(IntegrationTest):
+ 
+     topology = 'star'
+-- 
+2.34.1
+
diff --git a/SOURCES/0009-ipatests-webui-Tests-for-subordinate-ids.patch b/SOURCES/0009-ipatests-webui-Tests-for-subordinate-ids.patch
new file mode 100644
index 0000000..a8f7a4f
--- /dev/null
+++ b/SOURCES/0009-ipatests-webui-Tests-for-subordinate-ids.patch
@@ -0,0 +1,209 @@
+From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Mon, 6 Dec 2021 20:50:01 +0530
+Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
+
+Added web-ui tests to verify where operations
+using subordinate ids are working as expected.
+
+Related : https://pagure.io/freeipa/issue/8361
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
+ ipatests/test_webui/ui_driver.py  |  28 ++++++
+ 2 files changed, 169 insertions(+)
+ create mode 100644 ipatests/test_webui/test_subid.py
+
+diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
+new file mode 100644
+index 0000000000000000000000000000000000000000..26decdba03955f28ab21a41ccffae2a9af7b09fe
+--- /dev/null
++++ b/ipatests/test_webui/test_subid.py
+@@ -0,0 +1,141 @@
++
++"""
++Tests for subordinateid.
++"""
++
++from ipatests.test_webui.ui_driver import UI_driver
++import ipatests.test_webui.data_config as config_data
++import ipatests.test_webui.data_user as user_data
++from ipatests.test_webui.ui_driver import screenshot
++import re
++
++
++class test_subid(UI_driver):
++
++    def add_user(self, pkey, name, surname):
++        self.add_record('user', {
++            'pkey': pkey,
++            'add': [
++                ('textbox', 'uid', pkey),
++                ('textbox', 'givenname', name),
++                ('textbox', 'sn', surname),
++            ]
++        })
++
++    def set_default_subid(self):
++        self.navigate_to_entity(config_data.ENTITY)
++        self.check_option('ipauserdefaultsubordinateid', 'checked')
++        self.facet_button_click('save')
++
++    def get_user_count(self, user_pkey):
++        self.navigate_to_entity('subid', facet='search')
++        self.apply_search_filter(user_pkey)
++        self.wait_for_request()
++        return self.get_rows()
++
++    @screenshot
++    def test_set_defaultsubid(self):
++        """
++        Test to verify that enable/disable is working for
++        adding subids to new users.
++        """
++        self.init_app()
++        self.add_record(user_data.ENTITY, user_data.DATA2)
++        self.navigate_to_entity(config_data.ENTITY)
++        # test subid can be enabled/disabled.
++        self.set_default_subid()
++        assert self.get_field_checked('ipauserdefaultsubordinateid')
++        self.set_default_subid()
++        assert not self.get_field_checked('ipauserdefaultsubordinateid')
++
++    @screenshot
++    def test_user_defaultsubid(self):
++        """
++        Test to verify that subid is generated for new user.
++        """
++        self.init_app()
++        user_pkey = "some-user"
++
++        self.set_default_subid()
++        assert self.get_field_checked('ipauserdefaultsubordinateid')
++
++        before_count = self.get_user_count(user_pkey)
++        assert len(before_count) == 0
++
++        self.add_user(user_pkey, 'Some', 'User')
++        after_count = self.get_user_count(user_pkey)
++        assert len(after_count) == 1
++
++    @screenshot
++    def test_user_subid_mod_desc(self):
++        """
++        Test to verify that auto-assigned subid description is modified.
++        """
++        self.init_app()
++        self.navigate_to_record("some-user")
++        self.switch_to_facet('memberof_subid')
++        rows = self.get_rows()
++        self.navigate_to_row_record(rows[-1])
++        self.fill_textbox("description", "some-user-subid-desc")
++        self.facet_button_click('save')
++
++    @screenshot
++    def test_admin_subid(self):
++        """
++        Test to verify that subid range is created with owner admin.
++        """
++        self.init_app()
++        self.navigate_to_entity('subid', facet='search')
++        self.facet_button_click('add')
++        self.select_combobox('ipaowner', 'admin')
++        self.dialog_button_click('add')
++        self.wait(0.3)
++        self.assert_no_error_dialog()
++
++    @screenshot
++    def test_admin_subid_negative(self):
++        """
++        Test to verify that readding the subid fails with error.
++        """
++        self.init_app()
++        self.navigate_to_entity('subid', facet='search')
++        self.facet_button_click('add')
++        self.select_combobox('ipaowner', 'admin')
++        self.dialog_button_click('add')
++        self.wait(0.3)
++        err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
++        text = self.get_text('.modal-body div p', err_dialog)
++        text = text.strip()
++        pattern = r'Subordinate id with with name .* already exists.'
++        assert re.search(pattern, text) is not None
++        self.close_all_dialogs()
++
++    @screenshot
++    def test_user_subid_add(self):
++        """
++        Test to verify that subid range is created for given user.
++        """
++        self.init_app()
++        self.navigate_to_entity('subid', facet='search')
++        before_count = self.get_rows()
++        self.facet_button_click('add')
++        self.select_combobox('ipaowner', user_data.PKEY2)
++        self.dialog_button_click('add')
++        self.wait(0.3)
++        self.assert_no_error_dialog()
++        after_count = self.get_rows()
++        assert len(before_count) < len(after_count)
++
++    @screenshot
++    def test_subid_del(self):
++        """
++        Test to remove subordinate id for given user.
++        """
++        self.init_app()
++        self.navigate_to_entity('subid', facet='search')
++        user_uid = self.get_record_pkey("some-user", "ipaowner",
++                                        table_name="ipauniqueid")
++        before_count = self.get_rows()
++        self.delete_record(user_uid, table_name="ipauniqueid")
++        after_count = self.get_rows()
++        assert len(before_count) > len(after_count)
+diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
+index 46fd512ae67bee65be55ae0d4dedec53cc29de97..77fd74e49593183a37fe735bedf2e0d6b9257ac7 100644
+--- a/ipatests/test_webui/ui_driver.py
++++ b/ipatests/test_webui/ui_driver.py
+@@ -1151,6 +1151,34 @@ class UI_driver:
+                 return row
+         return None
+ 
++    def get_row_by_column_value(self, key, column_name, parent=None,
++                                table_name=None):
++        """
++        Get the first matched row element of a search table with given key
++        matched against selected column. None if not found
++        """
++        rows = self.get_rows(parent, table_name)
++        s = "td div[name='%s']" % column_name
++        for row in rows:
++            has = self.find(s, By.CSS_SELECTOR, row)
++            if has.text == key:
++                return row
++        return None
++
++    def get_record_pkey(self, key, column, parent=None, table_name=None):
++        """
++        Get record pkey if value of column is known
++        """
++        row = self.get_row_by_column_value(key,
++                                           column_name=column,
++                                           parent=parent,
++                                           table_name=table_name)
++        val = None
++        if row:
++            el = self.find("td input", By.CSS_SELECTOR, row)
++            val = el.get_attribute("value")
++        return val
++
+     def navigate_to_row_record(self, row, pkey_column=None):
+         """
+         Navigate to record by clicking on a link.
+-- 
+2.34.1
+
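Review bot: `get_row_by_column_value` in ui_driver.py reads `has.text` straight after `self.find(s, By.CSS_SELECTOR, row)`, and `get_record_pkey` likewise calls `el.get_attribute("value")` on the result of `find`. If `find` returns `None` when a row lacks the element (its definition is not in this hunk), both raise `AttributeError`, although the first docstring promises `None` when nothing matches. Guard them with `if has is not None and has.text == key:` and `val = el.get_attribute("value") if el is not None else None`. In test_subid.py, `test_user_subid_mod_desc` clicks save and ends without an assertion, so a rejected modification would still pass; `self.assert_no_error_dialog()` after the save, as the neighbouring tests use, would close that gap.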
diff --git a/SOURCES/0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch b/SOURCES/0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch
new file mode 100644
index 0000000..c71d334
--- /dev/null
+++ b/SOURCES/0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch
@@ -0,0 +1,39 @@
+From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 15 Dec 2021 10:47:02 +0100
+Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied
+
+When ipa config-mod is called with the option --enable-sid,
+the code needs to trap EmptyModlist exception (it is expected
+that no LDAP attribute is modified by this operation).
+The code had a flaw and was checking:
+    'enable_sid' in options
+instead of
+    options['enable_sid']
+
+"'enable_sid' in options" always returns true as this option
+is a Flag with a default value, hence always present even if
+not specified on the command line.
+
+Fixes: https://pagure.io/freeipa/issue/9063
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/plugins/config.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
+index eae401fc3f7a1b7628eb211db206ba4bc2b36754..24446beb0b03a1510a96316eae915780817db102 100644
+--- a/ipaserver/plugins/config.py
++++ b/ipaserver/plugins/config.py
+@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate):
+         if (isinstance(exc, errors.EmptyModlist) and
+                 call_func.__name__ == 'update_entry' and
+                 ('ca_renewal_master_server' in options or
+-                 'enable_sid' in options)):
++                 options['enable_sid'])):
+             return
+ 
+         super(config_mod, self).exc_callback(
+-- 
+2.34.1
+
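Review bot: In `config_mod.exc_callback` (ipaserver/plugins/config.py) the new `options['enable_sid']` lookup raises `KeyError` if the key is ever absent, and because it runs inside an exception callback that would replace the original `EmptyModlist` with an unrelated error. The commit message says the flag always carries a default, so this is presumably safe for calls that go through normal option processing, but `options.get('enable_sid', False)` gives the same result without depending on that. The method starts and ends outside the hunk, so other ways of reaching the callback are not visible here.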
diff --git a/SOURCES/0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch b/SOURCES/0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch
new file mode 100644
index 0000000..2bdb49c
--- /dev/null
+++ b/SOURCES/0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch
@@ -0,0 +1,36 @@
+From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 15 Dec 2021 10:51:05 +0100
+Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned
+
+Add a test to test_config_plugin, that calls ipa config-mod
+with the same value as already present in LDAP.
+The call must return EmptyModlist.
+
+Related: https://pagure.io/freeipa/issue/9063
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
+index e981bb4a03d39de450fc459d4b1ce4b636c19029..a8ec9f0e558d7efa091b50deca9fa7ca59fd7b11 100644
+--- a/ipatests/test_xmlrpc/test_config_plugin.py
++++ b/ipatests/test_xmlrpc/test_config_plugin.py
+@@ -312,4 +312,13 @@ class test_config(Declarative):
+                 'value': None,
+             },
+         ),
++        dict(
++            desc='Set the value to the already set value, no modifications',
++            command=(
++                'config_mod', [], {
++                    'ipasearchrecordslimit': u'100',
++                },
++            ),
++            expected=errors.EmptyModlist(),
++        ),
+     ]
+-- 
+2.34.1
+
diff --git a/SOURCES/0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch b/SOURCES/0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch
new file mode 100644
index 0000000..4b7c9b8
--- /dev/null
+++ b/SOURCES/0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch
@@ -0,0 +1,36 @@
+From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
+From: Michal Polovka <mpolovka@redhat.com>
+Date: Fri, 7 Jan 2022 12:12:26 +0100
+Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
+ configuration file
+
+FullLoader class for YAML loader was introduced in version 5.1 which
+also deprecated default loader. SafeLoader, however, stays consistent
+across the versions and brings added security.
+
+This fix is necessary as PyYAML > 5.1 is not available in downstream.
+
+Related: https://pagure.io/freeipa/issue/9009
+
+Signed-off-by: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_webui/ui_driver.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
+index 77fd74e49593183a37fe735bedf2e0d6b9257ac7..519efee9bba3de2114d22865a08df87f9b5f348a 100644
+--- a/ipatests/test_webui/ui_driver.py
++++ b/ipatests/test_webui/ui_driver.py
+@@ -192,7 +192,7 @@ class UI_driver:
+         if not NO_YAML and os.path.isfile(path):
+             try:
+                 with open(path, 'r') as conf:
+-                    cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
++                    cls.config = yaml.safe_load(stream=conf)
+             except yaml.YAMLError as e:
+                 pytest.skip("Invalid Web UI config.\n%s" % e)
+             except IOError as e:
+-- 
+2.34.1
+
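Review bot: The `yaml.safe_load(stream=conf)` call in ipatests/test_webui/ui_driver.py leaves `cls.config` unchecked: an empty file yields `None` and a file holding a bare scalar or list yields a non-mapping, and neither raises `yaml.YAMLError`. If the code after this hunk treats `cls.config` as a dict (not visible here), that surfaces later as an unrelated `TypeError` or `AttributeError` instead of the "Invalid Web UI config" skip. A guard after the `with` block, `if not isinstance(cls.config, dict): pytest.skip("Invalid Web UI config.")`, would keep the failure mode consistent. A one-line comment such as `# safe_load builds plain data types only; do not switch to a loader that can construct Python objects` would also stop the loader choice being reverted once a newer PyYAML is available downstream.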
diff --git a/SOURCES/0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch b/SOURCES/0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch
new file mode 100644
index 0000000..1fe86c1
--- /dev/null
+++ b/SOURCES/0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch
@@ -0,0 +1,107 @@
+From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
+From: Sumedh Sidhaye <ssidhaye@redhat.com>
+Date: Fri, 14 Jan 2022 19:55:13 +0530
+Subject: [PATCH] Added test automation for SHA384withRSA CSR support
+
+Scenario 1:
+Setup master with --ca-signing-algorithm=SHA384withRSA
+Run certutil and check Signing Algorithm
+
+Scenario 2:
+Setup a master
+Stop services
+Modify default.params.signingAlg in CS.cfg
+Restart services
+Resubmit cert (Resubmitted cert should have new Algorithm)
+
+Pagure Link: https://pagure.io/freeipa/issue/8906
+
+Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Antonio Torres <antorres@redhat.com>
+---
+ .../test_integration/test_installation.py     | 63 +++++++++++++++++++
+ 1 file changed, 63 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index 0947241ae2738419c4855e2517670c9033e634f0..f2d372c0c0356f244971a2af808db45dd6c8cb5b 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
+ from ipatests.pytest_ipa.integration.env_config import get_global_config
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
++from ipatests.test_integration.test_cert import get_certmonger_fs_id
+ from ipaplatform import services
+ 
+ 
+@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
+         tasks.install_replica(
+             self.master, self.replicas[0], setup_ca=False, setup_dns=False
+         )
++
++
++class TestInstallwithSHA384withRSA(IntegrationTest):
++    num_replicas = 0
++
++    def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
++        tasks.install_master(
++            self.master,
++            extra_args=['--ca-signing-algorithm=SHA384withRSA'],
++        )
++
++        # check Signing Algorithm post installation
++        dashed_domain = self.master.domain.realm.replace(".", '-')
++        cmd_args = ['certutil', '-L', '-d',
++                    '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
++                    '-n', 'Server-Cert']
++        result = self.master.run_command(cmd_args)
++        assert 'SHA-384 With RSA Encryption' in result.stdout_text
++
++    def test_install_master_modify_existing(self, server_cleanup):
++        """
++        Setup a master
++        Stop services
++        Modify default.params.signingAlg in CS.cfg
++        Restart services
++        Resubmit cert (Resubmitted cert should have new Algorithm)
++        """
++        tasks.install_master(self.master)
++        self.master.run_command(['ipactl', 'stop'])
++        cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
++                                                       encoding='utf-8')
++        new_lines = []
++        replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
++        ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
++        for line in cs_cfg_content.split('\n'):
++            if line.startswith('ca.signing.defaultSigningAlgorithm'):
++                new_lines.append(replace_str)
++            elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
++                new_lines.append(ocsp_rep_str)
++            else:
++                new_lines.append(line)
++        self.master.put_file_contents(paths.CA_CS_CFG_PATH,
++                                      '\n'.join(new_lines))
++        self.master.run_command(['ipactl', 'start'])
++
++        cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
++        result = self.master.run_command(cmd)
++        request_id = get_certmonger_fs_id(result.stdout_text)
++
++        # resubmit RA Agent cert
++        cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
++        self.master.run_command(cmd)
++
++        tasks.wait_for_certmonger_status(self.master,
++                                         ('CA_WORKING', 'MONITORING'),
++                                         request_id)
++
++        cmd_args = ['openssl', 'x509', '-in',
++                    paths.RA_AGENT_PEM, '-noout', '-text']
++        result = self.master.run_command(cmd_args)
++        assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
++        assert assert_str in result.stdout_text
+-- 
+2.34.1
+
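Review bot: In `test_install_master_modify_existing` the wait accepts `('CA_WORKING', 'MONITORING')`, and `CA_WORKING` reads as an in-progress state, so `wait_for_certmonger_status` can return before the resubmitted certificate has been written and the following `openssl x509` check may still read the old one. A more reliable sequence records the certificate serial before `getcert resubmit` and waits until it changes before asserting on the signature algorithm. The rewrite loop over `CS.cfg` also changes nothing, silently, if neither `ca.signing.defaultSigningAlgorithm` nor `ca.ocsp_signing.defaultSigningAlgorithm` is present; an assertion that both lines were replaced would make that failure obvious. `test_install_master_withalgo_sha384withrsa` has no docstring, unlike the second test.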
diff --git a/SOURCES/0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch b/SOURCES/0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch
new file mode 100644
index 0000000..f8593f8
--- /dev/null
+++ b/SOURCES/0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch
@@ -0,0 +1,44 @@
+From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 28 Jan 2022 16:58:42 +0100
+Subject: [PATCH] ipa-pki-proxy.conf: provide access to
+ /kra/admin/kra/getStatus
+
+The access to /kra/admin/kra/getStatus will be needed
+in order to fix pki-healthcheck.
+Note that this commit is a pre-requisite for the fix
+to be done on PKI side. No test added since the full
+integration test already exists in test_replica_promotion.py,
+in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
+
+Fixes: https://pagure.io/freeipa/issue/9099
+Related: https://pagure.io/freeipa/issue/8582
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ install/share/ipa-pki-proxy.conf.template | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
+index 96708482cdac128930efaca33a806daaeba68042..7a46f20b9058bab63238f56295a92533c232d47a 100644
+--- a/install/share/ipa-pki-proxy.conf.template
++++ b/install/share/ipa-pki-proxy.conf.template
+@@ -1,4 +1,4 @@
+-# VERSION 16 - DO NOT REMOVE THIS LINE
++# VERSION 17 - DO NOT REMOVE THIS LINE
+ 
+ ProxyRequests Off
+ 
+@@ -11,7 +11,7 @@ ProxyRequests Off
+ </LocationMatch>
+ 
+ # matches for admin port and installer
+-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
++<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
+     SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+     SSLVerifyClient none
+     ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
+-- 
+2.34.1
+
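Review bot: The added `^/kra/admin/kra/getStatus` alternative in the "admin port and installer" `LocationMatch` is anchored only at the start, so it matches every path that begins with that prefix, and this block is served with `SSLVerifyClient none`. If only the status endpoint itself is meant to be reachable without a client certificate, `^/kra/admin/kra/getStatus$` says so exactly; the existing alternatives follow the same unanchored style and are left unchanged by this hunk. The pattern also lists `^/ca/admin/ca/updateNumberRange` twice, which is harmless but could be dropped while the line is being edited. The `<LocationMatch>` block closes outside the hunk.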
diff --git a/SOURCES/0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch b/SOURCES/0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch
new file mode 100644
index 0000000..c9be53f
--- /dev/null
+++ b/SOURCES/0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch
@@ -0,0 +1,59 @@
+From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Tue, 1 Feb 2022 16:43:09 +0100
+Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
+
+Since 5d51ae5, principal keys were dropped in case user auth indicator
+was not including password. Thereafter, the key removal behavior was
+removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
+Support for hardened pre-auth methods (FAST and SPAKE) was added in
+d057040, and the removal of principal keys was restored afterwards by
+f0d12b7, but not taking the new hardened auth indicator into account.
+
+Fixes: https://pagure.io/freeipa/issue/9065
+Related to: https://pagure.io/freeipa/issue/8001
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 15f3df4fee8bdfadf60a4b1d9a5115407d1bb294..0d0d3748ce63a8252e84220d036140818ffdfb6e 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+                                       &res_key_data, &result, &mkvno);
+     switch (ret) {
+     case 0:
+-        /* Only set a principal's key if password auth can be used. Otherwise
+-         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
+-         * reply for AS-REQs which indicate the password authentication is
+-         * available. This might confuse applications like e.g. SSSD which try
+-         * to determine suitable authentication methods and corresponding
+-         * prompts with the help of MIT Kerberos' responder interface which
+-         * acts on the returned pre-authentication methods. A typical example
+-         * is enforced OTP authentication where of course keys are available
+-         * for the first factor but password authentication should not be
+-         * advertised by the KDC. */
+-        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
++        /* Only set a principal's key if password or hardened auth can be used.
++         * Otherwise the KDC would add pre-authentication methods to the
++         * NEEDED_PREAUTH reply for AS-REQs which indicate the password
++         * authentication is available. This might confuse applications like
++         * e.g. SSSD which try to determine suitable authentication methods and
++         * corresponding prompts with the help of MIT Kerberos' responder
++         * interface which acts on the returned pre-authentication methods. A
++         * typical example is enforced OTP authentication where of course keys
++         * are available for the first factor but password authentication
++         * should not be advertised by the KDC. */
++        if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
++            (ua != IPADB_USER_AUTH_NONE)) {
+             /* This is the same behavior as ENOENT below. */
+             ipa_krb5_free_key_data(res_key_data, result);
+             break;
+-- 
+2.34.1
+
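Review bot: The rewritten comment in `ipadb_parse_ldap_entry` now says keys are kept when "password or hardened auth can be used", but it never says why hardened needs them, and the rest of the paragraph still argues only about not advertising password authentication. A sentence such as `Hardened methods (SPAKE, FAST) still rely on the long-term key, so it must stay available for them.` would make the new mask self-explanatory; the commit message names FAST and SPAKE as the hardened methods. Keeping the key for a hardened-only user also means nothing in this hunk prevents plain password pre-authentication from being offered for that principal, so that restriction presumably lives in the kdcpolicy plugin and deserves a cross-reference in the comment. The function and the `switch` continue outside the hunk.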
diff --git a/SOURCES/0016-ipatests-add-case-for-hardened-only-ticket-policy.patch b/SOURCES/0016-ipatests-add-case-for-hardened-only-ticket-policy.patch
new file mode 100644
index 0000000..ba0214e
--- /dev/null
+++ b/SOURCES/0016-ipatests-add-case-for-hardened-only-ticket-policy.patch
@@ -0,0 +1,63 @@
+From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Tue, 1 Feb 2022 19:38:29 +0100
+Subject: [PATCH] ipatests: add case for hardened-only ticket policy
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
+index 63e75ae67f493352b1d3a611e7b079d914a7b253..9489fbc97b7836aecf491b57627f254d4849eb56 100644
+--- a/ipatests/test_integration/test_krbtpolicy.py
++++ b/ipatests/test_integration/test_krbtpolicy.py
+@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
+         result = master.run_command('klist | grep krbtgt')
+         assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+ 
+-    def test_krbtpolicy_hardended(self):
+-        """Test a hardened kerberos ticket policy with 10 min tickets"""
++    def test_krbtpolicy_password_and_hardended(self):
++        """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
+         master = self.master
+         master.run_command(['ipa', 'user-mod', USER1,
+                             '--user-auth-type', 'password',
+@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
+         result = master.run_command('klist | grep krbtgt')
+         assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+ 
++    def test_krbtpolicy_hardended(self):
++        """Test a hardened kerberos ticket policy with 30min tickets"""
++        master = self.master
++        master.run_command(['ipa', 'user-mod', USER1,
++                            '--user-auth-type', 'hardened'])
++        master.run_command(['ipa', 'config-mod',
++                            '--user-auth-type', 'hardened'])
++        master.run_command(['ipa', 'krbtpolicy-mod', USER1,
++                            '--hardened-maxlife', '1800'])
++
++        tasks.kdestroy_all(master)
++
++        master.run_command(['kinit', USER1],
++                           stdin_text=PASSWORD + '\n')
++        result = master.run_command('klist | grep krbtgt')
++        assert maxlife_within_policy(result.stdout_text, 1800,
++                                     slush=1800) is True
++
++        tasks.kdestroy_all(master)
++
++        # Verify that the short policy only applies to USER1
++        master.run_command(['kinit', USER2],
++                           stdin_text=PASSWORD + '\n')
++        result = master.run_command('klist | grep krbtgt')
++        assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
++
+     def test_krbtpolicy_password(self):
+         """Test the kerberos ticket policy which issues 20 min tickets"""
+         master = self.master
+-- 
+2.34.1
+
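Review bot: In the new `test_krbtpolicy_hardended`, `maxlife_within_policy(result.stdout_text, 1800, slush=1800)` uses a tolerance as large as the limit itself, which, depending on how `maxlife_within_policy` applies `slush` (not visible here), may accept almost any ticket lifetime and so assert very little about the 30-minute policy. A tighter `slush`, or a comment explaining why the full 1800 seconds is needed, would make the intent checkable. The test also switches the global default with `ipa config-mod --user-auth-type hardened` and the visible body never restores it, so later tests in the class may run under a hardened-only default unless cleanup happens elsewhere. The `hardended` spelling is carried into the new name `test_krbtpolicy_password_and_hardended`.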
diff --git a/SOURCES/0017-Don-t-always-override-the-port-in-import_included_pr.patch b/SOURCES/0017-Don-t-always-override-the-port-in-import_included_pr.patch
new file mode 100644
index 0000000..592f5b5
--- /dev/null
+++ b/SOURCES/0017-Don-t-always-override-the-port-in-import_included_pr.patch
@@ -0,0 +1,104 @@
+From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 28 Jan 2022 16:46:35 -0500
+Subject: [PATCH] Don't always override the port in import_included_profiles
+
+I can only guess to the original purpose of this override. I
+believe it was because this is called in the installer prior
+to Apache being set up. The expectation was that this would
+only be called locally. It predates the RestClient class.
+
+RestClient will attempt to find an available service. In this
+case, during a CA installation, the local server is not
+considered available because it lacks an entry in
+cn=masters. So it will never be returned as an option.
+
+So by overriding the port to 8443 the remote connection will
+likely fail because we don't require that the port be open.
+
+So instead, instantiate a RestClient and see what happens.
+
+There are several use-cases:
+
+1. Installing an initial server. The RestClient connection
+   should fail, so we will fall back to the override port and
+   use the local server. If Apache happens to be running with
+   a globally-issued certificate then the RestClient will
+   succeed. In this case if the connected host and the local
+   hostname are the same, override in that case as well.
+
+2. Installing as a replica. In this case the local server should
+   be ignored in all cases and a remote CA will be picked with
+   no override done.
+
+3. Switching from CA-less to CA-ful. The web server will be
+   trusted but the RestClient login will fail with a 404. Fall
+   back to the override port in this case.
+
+The motivation for this is trying to install an EL 8.x replica
+against an EL 7.9 server. 8.5+ includes the ACME service and
+a new profile is needed which doesn't exist in 7. This was
+failing because the RestClient determined that the local server
+wasn't running a CA so tried the remote one (7.9) on the override
+port 8443. Since this port isn't open: failure.
+
+Chances are that adding the profile is still going to fail
+because again, 7.9 lacks ACME capabilities, but it will fail in
+a way that allows the installation to continue.
+
+I suspect that all of the overrides can similarly handled, or
+handled directly within the RestClient class, but for the sake
+of "do no harm" I'm only changing this instance for now.
+
+https://pagure.io/freeipa/issue/9100
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 8c8bf1b3a7bcf8a9c50183579b874a5710a32ac3..ad206aad411b42336e86e0b651a948fccd3a75ac 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1953,7 +1953,35 @@ def import_included_profiles():
+         cn=['certprofiles'],
+     )
+ 
+-    api.Backend.ra_certprofile.override_port = 8443
++    # At this point Apache may or may not be running with a valid
++    # certificate. The local server is not yet recognized as a full
++    # CA yet so it isn't discoverable. So try to do some detection
++    # on what port to use, 443 (remote) or 8443 (local) for importing
++    # the profiles.
++    #
++    # api.Backend.ra_certprofile invokes the RestClient class
++    # which will discover and login to the CA REST API. We can
++    # use this information to detect where to import the profiles.
++    #
++    # If the login is successful (e.g. doesn't raise an exception)
++    # and it returns our hostname (it prefers the local host) then
++    # we override and talk locally.
++    #
++    # Otherwise a NetworkError means we can't connect on 443 (perhaps
++    # a firewall) or we get an HTTP error (valid TLS certificate on
++    # Apache but no CA, login fails with 404) so we override to the
++    # local server.
++    #
++    # When override port was always set to 8443 the RestClient could
++    # pick a remote server and since 8443 isn't in our firewall profile
++    # setting up a new server would fail.
++    try:
++        with api.Backend.ra_certprofile as profile_api:
++            if profile_api.ca_host == api.env.host:
++                api.Backend.ra_certprofile.override_port = 8443
++    except (errors.NetworkError, errors.RemoteRetrieveError) as e:
++        logger.debug('Overriding CA port: %s', e)
++        api.Backend.ra_certprofile.override_port = 8443
+ 
+     for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
+         dn = DN(('cn', profile_id),
+-- 
+2.34.1
+
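Review bot: In `import_included_profiles` only the failure branch logs anything, so when the `with api.Backend.ra_certprofile` login succeeds the install log does not record which CA host was contacted or whether port 8443 was forced. Adding `logger.debug('Profile import CA host: %s', profile_api.ca_host)` inside the `with` block would make a failed or misdirected profile import traceable afterwards. The `except` clause covers `NetworkError` and `RemoteRetrieveError`; any other exception raised while entering the context (not determinable from this hunk) would abort the installer instead of falling back to the local port. The comment block also reads "not yet recognized as a full CA yet", where one "yet" can go.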
diff --git a/SOURCES/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch b/SOURCES/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
new file mode 100644
index 0000000..9e18029
--- /dev/null
+++ b/SOURCES/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
@@ -0,0 +1,115 @@
+From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 31 Jan 2022 17:31:50 -0500
+Subject: [PATCH] Remove ipa-join errors from behind the debug option
+
+This brings it inline with the previous XML-RPC output which
+only hid the request and response from the output and not
+any errors returned.
+
+https://pagure.io/freeipa/issue/9103
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
+---
+ client/ipa-join.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/client/ipa-join.c b/client/ipa-join.c
+index d98739a9abfb01ecf619187483bfc6677957d498..5888a33bf221eb5d455b2adcfa0f33b38f0969ca 100644
+--- a/client/ipa-join.c
++++ b/client/ipa-join.c
+@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+ 
+     json_str = json_dumps(json, 0);
+     if (!json_str) {
+-        if (debug)
+-            fprintf(stderr, _("json_dumps() failed\n"));
++        fprintf(stderr, _("json_dumps() failed\n"));
+ 
+         rval = 17;
+         goto cleanup;
+@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+     CURLcode res = curl_easy_perform(curl);
+     if (res != CURLE_OK)
+     {
+-        if (debug)
+-            fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
++        fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
+ 
+         rval = 17;
+         goto cleanup;
+@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+     curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
+ 
+     if (resp_code != 200) {
+-        if (debug)
+-            fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
++        fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
+ 
+         if (!quiet && resp_code == 401)
+             fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
+@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
+ 
+     j_root = json_loads(payload, 0, &j_error);
+     if (!j_root) {
+-        if (debug)
+-            fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
++        fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
+ 
+         rval = 17;
+         goto cleanup;
+@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
+ 
+     *j_result_obj = json_object_get(j_root, "result");
+     if (!*j_result_obj) {
+-        if (debug)
+-            fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
++        fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
+ 
+         rval = 17;
+         goto cleanup;
+@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
+                        &tmp_hostdn,
+                        "krbprincipalname", &tmp_princ,
+                        "krblastpwdchange", &tmp_pwdch) != 0) {
+-        if (debug)
+-            fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
++        fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+ 
+         rval = 17;
+         goto cleanup;
+@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
+                              "nshardwareplatform", uinfo.machine);
+ 
+     if (!json_req) {
+-        if (debug)
+-            fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
++        fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+ 
+         rval = 17;
+         goto cleanup;
+@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
+ 
+     if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
+                        "result", result) != 0) {
+-        if (debug)
+-            fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
++        fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+ 
+         rval = 20;
+         goto cleanup;
+@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
+                             host);
+ 
+     if (!json_req) {
+-        if (debug)
+-            fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
++        fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+ 
+         rval = 17;
+         goto cleanup;
+-- 
+2.34.1
+
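Review bot: The error messages in client/ipa-join.c are now printed unconditionally, while the 401 hint just below the status-code message in `jsonrpc_request` is still guarded by `!quiet`, so a quiet caller gets the generic failure lines but not the more specific one. If quiet is meant to silence only informational output, a short comment saying so would settle it; otherwise guard the new calls the same way, e.g. `if (!quiet) fprintf(stderr, _("json_dumps() failed\n"));`. The same applies to the other hunks of this patch (`jsonrpc_parse_response`, `jsonrpc_parse_join_response`, `join_krb5_jsonrpc`, `jsonrpc_parse_unenroll_response`, `jsonrpc_unenroll_host`). All of these functions begin and end outside their hunks, so whether `quiet` is in scope in each of them is only partly visible.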
diff --git a/SOURCES/0019-Enable-the-ccache-sweep-timer-during-installation.patch b/SOURCES/0019-Enable-the-ccache-sweep-timer-during-installation.patch
new file mode 100644
index 0000000..328c1ff
--- /dev/null
+++ b/SOURCES/0019-Enable-the-ccache-sweep-timer-during-installation.patch
@@ -0,0 +1,47 @@
+From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 7 Feb 2022 10:39:55 -0500
+Subject: [PATCH] Enable the ccache sweep timer during installation
+
+The timer was only being enabled during package installation
+if IPA was configured. So effectively only on upgrade.
+
+Add as a separate installation step after the ccache directory
+is configured.
+
+Fixes: https://pagure.io/freeipa/issue/9107
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/install/httpinstance.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 732bb58d49addcb2a9f7698d577527257a17fe66..50ccf5e5031c37171cebe6f20232f3bd645cedeb 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
+         self.step("publish CA cert", self.__publish_ca_cert)
+         self.step("clean up any existing httpd ccaches",
+                   self.remove_httpd_ccaches)
++        self.step("enable ccache sweep",
++                  self.enable_ccache_sweep)
+         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+         if not self.is_kdcproxy_configured():
+             self.step("create KDC proxy config", self.create_kdcproxy_conf)
+@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
+             [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
+         )
+ 
++    def enable_ccache_sweep(self):
++        ipautil.run(
++            [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
++        )
++
+     def __configure_http(self):
+         self.update_httpd_service_ipa_conf()
+         self.update_httpd_wsgi_conf()
+-- 
+2.34.1
+
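Review bot: `enable_ccache_sweep` in ipaserver/install/httpinstance.py runs `systemctl enable` without starting the unit, so unless the timer is started elsewhere (not visible in this patch) the ccache sweep does not run until the next boot. `[paths.SYSTEMCTL, 'enable', '--now', 'ipa-ccache-sweep.timer']` enables and starts it in one step. The visible hunks add no matching disable step for uninstall, and the new method has no docstring; `"""Enable the ipa-ccache-sweep systemd timer."""` would be enough.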
diff --git a/SOURCES/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch b/SOURCES/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
new file mode 100644
index 0000000..3eabe4b
--- /dev/null
+++ b/SOURCES/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
@@ -0,0 +1,71 @@
+From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Wed, 9 Feb 2022 18:56:21 +0530
+Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
+ installation
+
+This test checks that ipa-ccache-sweep.timer is enabled by default
+during the ipa installation.
+
+related: https://pagure.io/freeipa/issue/9107
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ .../test_integration/test_installation.py     | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index f2d372c0c0356f244971a2af808db45dd6c8cb5b..63edbaa2bb4dbae174c6ab8c8f193cc24cc45b14 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
+ 
+         # Tweak sysrestore.state to drop installation section
+         self.master.run_command(
+-            ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
++            ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
+              os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+ 
+         # Re-run installation check and it should fall back to old method
+@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
+ 
+         # Restore installation section.
+         self.master.run_command(
+-            ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
++            ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
+              os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+ 
+         # Uninstall and confirm that the old method reports correctly
+@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
+             break
+     return(pid)
+ 
++
+ def get_ipa_services_pids(host):
+     ipa_services_name = [
+         "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
+@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
+     def test_install_master(self):
+         tasks.install_master(self.master, setup_dns=False, setup_kra=True)
+ 
++    def test_ipa_ccache_sweep_timer_enabled(self):
++        """Test ipa-ccache-sweep.timer enabled by default during installation
++
++        This test checks that ipa-ccache-sweep.timer is enabled by default
++        during the ipa installation.
++
++        related: https://pagure.io/freeipa/issue/9107
++        """
++        result = self.master.run_command(
++            ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
++            raiseonerr=False
++        )
++        assert 'enabled' in result.stdout_text
++
+     def test_install_dns(self):
+         tasks.install_dns(self.master)
+ 
+-- 
+2.34.1
+
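Review bot: The assertion in `test_ipa_ccache_sweep_timer_enabled` is a substring match on the output of `systemctl is-enabled`, and because the call uses `raiseonerr=False` the exit status is never checked. Any state whose name merely contains the word, such as `enabled-runtime`, would pass even though the timer would not persist across reboots. Comparing the whole value pins the state the installer is meant to produce: `assert result.returncode == 0` followed by `assert result.stdout_text.strip() == 'enabled'`.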
diff --git a/SOURCES/0021-ipa_cldap-fix-memory-leak.patch b/SOURCES/0021-ipa_cldap-fix-memory-leak.patch
new file mode 100644
index 0000000..3c8109e
--- /dev/null
+++ b/SOURCES/0021-ipa_cldap-fix-memory-leak.patch
@@ -0,0 +1,38 @@
+From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001
+From: Francisco Trivino <ftrivino@redhat.com>
+Date: Thu, 10 Feb 2022 14:23:12 +0100
+Subject: [PATCH] ipa_cldap: fix memory leak
+
+ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
+berval (bv_val) when processing a CLDAP packet request from a worker. The
+data is used by ipa_cldap_respond() but bv_val is not freed later on.
+
+This commit is adding the corresponding free() after ipa_cldap_respond()
+is completed.
+
+Discovered by LeakSanitizer
+
+Fixes: https://pagure.io/freeipa/issue/9110
+Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+index db4a3d061..252bcf647 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+@@ -287,6 +287,7 @@ done:
+     ipa_cldap_respond(ctx, req, &reply);
+ 
+     ipa_cldap_free_kvps(&req->kvps);
++    free(reply.bv_val);
+     free(req);
+     return;
+ }
+-- 
+2.34.1
+
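Review bot: The added `free(reply.bv_val);` sits after the `done:` label, so it runs on every path that jumps there, presumably including error paths taken before `ipa_cldap_encode_netlogon()` has filled `reply`. The hunk does not show how `reply` is declared; if it is not zero-initialised, those paths would pass an indeterminate pointer to `free()` in a worker that handles CLDAP requests from the network. Please confirm the declaration initialises it, for example `struct berval reply = { 0, NULL };`. It is also worth confirming that `bv_val` comes from the malloc family rather than a liblber allocator. The function body starts outside the hunk, so neither can be checked from here.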
diff --git a/SOURCES/0022-ipatests-remove-additional-check-for-failed-units_rhbz#2053025.patch b/SOURCES/0022-ipatests-remove-additional-check-for-failed-units_rhbz#2053025.patch
new file mode 100644
index 0000000..c384f15
--- /dev/null
+++ b/SOURCES/0022-ipatests-remove-additional-check-for-failed-units_rhbz#2053025.patch
@@ -0,0 +1,31 @@
+From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Thu, 10 Feb 2022 18:49:06 +0530
+Subject: [PATCH] ipatests: remove additional check for failed units.
+
+On RHEL tests are randomly failing because of this check
+and the test doesn't need to check this.
+
+Related : https://pagure.io/freeipa/issue/9108
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_otp.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
+index d8ce527ca..6e70ddcb3 100644
+--- a/ipatests/test_integration/test_otp.py
++++ b/ipatests/test_integration/test_otp.py
+@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest):
+         check_services = self.master.run_command(
+             ['systemctl', 'list-units', '--state=failed']
+         )
+-        assert "0 loaded units listed" in check_services.stdout_text
+         assert "ipa-otpd" not in check_services.stdout_text
+         # Be sure no services are running and failed units
+         self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
+-- 
+2.34.1
+
diff --git a/SOURCES/0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch b/SOURCES/0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
new file mode 100644
index 0000000..e7081cd
--- /dev/null
+++ b/SOURCES/0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
@@ -0,0 +1,40 @@
+From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Sun, 5 Dec 2021 17:38:58 +0100
+Subject: [PATCH] ipatests: fix
+ TestOTPToken::test_check_otpd_after_idle_timeout
+
+The test sets 389-ds nsslapd-idletimeout to 60s, then does a
+kinit with an otp token (which makes ipa-otpd create a LDAP
+connection), then sleeps for 60s. The expectation is that
+ns-slapd will detect that the LDAP conn from ipa-otpd is idle
+and close the connection.
+According to 389ds doc, the idle timeout is enforced when the
+connection table is walked. By doing a ldapsearch, the test
+"wakes up" ns-slapd and forces the detection of ipa-otpd
+idle connection.
+
+Fixes: https://pagure.io/freeipa/issue/9044
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ ipatests/test_integration/test_otp.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
+index 353470897..d8ce527ca 100644
+--- a/ipatests/test_integration/test_otp.py
++++ b/ipatests/test_integration/test_otp.py
+@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest):
+             otpvalue = totp.generate(int(time.time())).decode("ascii")
+             kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
+             time.sleep(60)
++            # ldapsearch will wake up slapd and force walking through
++            # the connection list, in order to spot the idle connections
++            tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
+ 
+             def test_cb(cmd_jornalctl):
+                 # check if LDAP connection is timed out
+-- 
+2.34.1
+
diff --git a/SOURCES/0024-ipatests-Tests-for-Autoprivate-group.patch b/SOURCES/0024-ipatests-Tests-for-Autoprivate-group.patch
new file mode 100644
index 0000000..f66b4cc
--- /dev/null
+++ b/SOURCES/0024-ipatests-Tests-for-Autoprivate-group.patch
@@ -0,0 +1,326 @@
+From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Mon, 17 Jan 2022 16:57:52 +0530
+Subject: [PATCH] ipatests: Tests for Autoprivate group.
+
+Added tests using posix AD trust and non posix AD trust.
+For option --auto-private-groups=[hybrid/true/false]
+
+Related : https://pagure.io/freeipa/issue/8807
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ .../nightly_ipa-4-9_latest.yaml               |   2 +-
+ .../nightly_ipa-4-9_latest_selinux.yaml       |   2 +-
+ .../nightly_ipa-4-9_previous.yaml             |   2 +-
+ ipatests/test_integration/test_trust.py       | 242 +++++++++++++++++-
+ 4 files changed, 240 insertions(+), 8 deletions(-)
+
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+index 6817421b278999c52c32b3e28dd06587e30d874f..8b1f58c4d99e744e319e6c758050a62a8d35c9ee 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+@@ -1627,7 +1627,7 @@ jobs:
+         build_url: '{fedora-latest-ipa-4-9/build_url}'
+         test_suite: test_integration/test_trust.py
+         template: *ci-ipa-4-9-latest
+-        timeout: 9000
++        timeout: 10000
+         topology: *adroot_adchild_adtree_master_1client
+ 
+   fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+index 817329756dc145fa5e6bc7aa0477e5df2a6ece5b..a11376ab836e7ed2f942c29753707e5b8e88a00f 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+@@ -1743,7 +1743,7 @@ jobs:
+         selinux_enforcing: True
+         test_suite: test_integration/test_trust.py
+         template: *ci-ipa-4-9-latest
+-        timeout: 9000
++        timeout: 10000
+         topology: *adroot_adchild_adtree_master_1client
+ 
+   fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+index 4196265c772ec393ebb8f8bbdc4af845cd6d2d24..3f8ce8b7641fdfdc27278651cbf83c2b152e1a16 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+@@ -1627,7 +1627,7 @@ jobs:
+         build_url: '{fedora-previous-ipa-4-9/build_url}'
+         test_suite: test_integration/test_trust.py
+         template: *ci-ipa-4-9-previous
+-        timeout: 9000
++        timeout: 10000
+         topology: *adroot_adchild_adtree_master_1client
+ 
+   fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 0634badbb6a9aa148db2e3062e866215e61e89e7..ff2dd9cc819e1c5620ce449384957a633ae6d1f0 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest):
+         cls.check_sid_generation()
+         tasks.sync_time(cls.master, cls.ad)
+ 
+-        cls.child_ad = cls.ad_subdomains[0]
+-        cls.ad_subdomain = cls.child_ad.domain.name
+-        cls.tree_ad = cls.ad_treedomains[0]
+-        cls.ad_treedomain = cls.tree_ad.domain.name
+-
++        if cls.num_ad_subdomains > 0:
++            cls.child_ad = cls.ad_subdomains[0]
++            cls.ad_subdomain = cls.child_ad.domain.name
++        if cls.num_ad_treedomains > 0:
++            cls.tree_ad = cls.ad_treedomains[0]
++            cls.ad_treedomain = cls.tree_ad.domain.name
+         # values used in workaround for
+         # https://bugzilla.redhat.com/show_bug.cgi?id=1711958
+         cls.srv_gc_record_name = \
+@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest):
+         expected_text = 'iparangetype: %s\n' % expected_type
+         assert expected_text in result.stdout_text
+ 
++    def mod_idrange_auto_private_group(
++        self, option='false'
++    ):
++        """
++        Set the auto-private-group option of the default trusted
++        AD domain range.
++        """
++        tasks.kinit_admin(self.master)
++        rangename = self.ad_domain.upper() + '_id_range'
++        error_msg = "ipa: ERROR: no modifications to be performed"
++        cmd = ["ipa", "idrange-mod", rangename,
++               "--auto-private-groups", option]
++        result = self.master.run_command(cmd, raiseonerr=False)
++        if result.returncode != 0:
++            tasks.assert_error(result, error_msg)
++        tasks.clear_sssd_cache(self.master)
++        tasks.clear_sssd_cache(self.clients[0])
++        test = self.master.run_command(["ipa", "idrange-show", rangename])
++        assert "Auto private groups: {0}".format(option) in test.stdout_text
++
++    def get_user_id(self, host, username):
++        """
++        User uid gid is parsed from the output of id user command.
++        """
++        tasks.clear_sssd_cache(self.master)
++        tasks.clear_sssd_cache(self.clients[0])
++        self.master.run_command(["id", username])
++        test_id = host.run_command(["id", username])
++        regex = r"^uid=(?P<uid>\d+).*gid=(?P<gid>\d+).*groups=(?P<groups>\d+)"
++        match = re.match(regex, test_id.stdout_text)
++        uid = match.group('uid')
++        gid = match.group('gid')
++        return uid, gid
++
++    @contextmanager
++    def set_idoverrideuser(self, user, uid, gid):
++        """
++        Fixture to add/remove idoverrideuser for default idview,
++        also creates idm group with the provided gid because
++        gid overrides requires an existing group.
++        """
++        tasks.clear_sssd_cache(self.master)
++        tasks.clear_sssd_cache(self.clients[0])
++        tasks.kinit_admin(self.master)
++        try:
++            args = ["ipa", "idoverrideuser-add", "Default Trust View",
++                    "--gid", gid, "--uid", uid, user]
++            self.master.run_command(args)
++            tasks.group_add(self.master, "idgroup",
++                            extra_args=["--gid", gid])
++            yield
++        finally:
++            self.master.run_command([
++                "ipa", "idoverrideuser-del", "Default Trust View", user]
++            )
++            self.master.run_command(["ipa", "group-del", "idgroup"])
++
+     def remove_trust(self, ad):
+         tasks.remove_trust_with_ad(self.master,
+                                    ad.domain.name, ad.hostname)
+@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust):
+             self.master.run_command(['rm', '-f', ad_zone_file])
+             tasks.configure_dns_for_trust(self.master, self.ad)
+             self.remove_trust(self.ad)
++
++
++class TestNonPosixAutoPrivateGroup(BaseTestTrust):
++    """
++    Tests for auto-private-groups option with non posix AD trust
++    Related : https://pagure.io/freeipa/issue/8807
++    """
++    topology = 'line'
++    num_ad_domains = 1
++    num_clients = 1
++    num_ad_subdomains = 0
++    num_ad_treedomains = 0
++    uid_override = "99999999"
++    gid_override = "78878787"
++
++    def test_add_nonposix_trust(self):
++        tasks.configure_dns_for_trust(self.master, self.ad)
++        tasks.establish_trust_with_ad(
++            self.master, self.ad_domain,
++            extra_args=['--range-type', 'ipa-ad-trust'])
++
++    @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++    def test_auto_private_groups_default_trusted_range(self, type):
++        """
++        Modify existing range for default trusted AD domain range
++        with auto-private-groups set as true/hybrid/false and test
++        user with no posix attributes.
++        """
++        self.mod_idrange_auto_private_group(type)
++        nonposixuser = "nonposixuser@%s" % self.ad_domain
++        (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
++        if type == "true":
++            assert uid == gid
++        else:
++            test_group = self.clients[0].run_command(["id", nonposixuser])
++            gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain)
++            grp_str = "groups={0}(domain users@{1})".format(gid,
++                                                            self.ad_domain)
++            assert gid_str in test_group.stdout_text
++            assert grp_str in test_group.stdout_text
++            assert uid != gid
++
++    @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++    def test_idoverride_with_auto_private_group(self, type):
++        """
++        Override ad trusted user in default trust view
++        and set auto-private-groups=[hybrid,true,false]
++        and ensure that overridden values takes effect.
++        """
++        nonposixuser = "nonposixuser@%s" % self.ad_domain
++        with self.set_idoverrideuser(nonposixuser,
++                                     self.uid_override,
++                                     self.gid_override
++                                     ):
++            self.mod_idrange_auto_private_group(type)
++            (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
++            assert (uid == self.uid_override and gid == self.gid_override)
++            test_group = self.clients[0].run_command(
++                ["id", nonposixuser]).stdout_text
++            assert "domain users@{0}".format(self.ad_domain) in test_group
++
++    @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++    def test_nonposixuser_nondefault_primary_group(self, type):
++        """
++        Test for non default primary group.
++        For hybrid/false gid corresponds to the group testgroup1.
++        """
++        nonposixuser1 = "nonposixuser1@%s" % self.ad_domain
++        self.mod_idrange_auto_private_group(type)
++        (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1)
++        if type == "true":
++            assert uid == gid
++        else:
++            test_group = self.clients[0].run_command(["id", nonposixuser1])
++            gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain)
++            group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain)
++            assert (gid_str in test_group.stdout_text
++                    and group in test_group.stdout_text)
++
++
++class TestPosixAutoPrivateGroup(BaseTestTrust):
++    """
++    Tests for auto-private-groups option with posix AD trust
++    Related : https://pagure.io/freeipa/issue/8807
++    """
++    topology = 'line'
++    num_ad_domains = 1
++    num_clients = 1
++    num_ad_subdomains = 0
++    num_ad_treedomains = 0
++    uid_override = "99999999"
++    gid_override = "78878787"
++
++    def test_add_posix_trust(self):
++        tasks.configure_dns_for_trust(self.master, self.ad)
++        tasks.establish_trust_with_ad(
++            self.master, self.ad_domain,
++            extra_args=['--range-type', 'ipa-ad-trust-posix'])
++
++    @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++    def test_gidnumber_not_corresponding_existing_group(self, type):
++        """
++        Test checks that sssd can resolve AD users which
++        contain posix attributes (uidNumber and gidNumber)
++        but there is no group with the corresponding gidNumber.
++        """
++        posixuser = "testuser2@%s" % self.ad_domain
++        self.mod_idrange_auto_private_group(type)
++        if type != "true":
++            result = self.clients[0].run_command(['id', posixuser],
++                                                 raiseonerr=False)
++            tasks.assert_error(result, "no such user")
++        else:
++            (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++            assert uid == gid
++            assert uid == '10060'
++
++    @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++    def test_only_uid_number_auto_private_group_default(self, type):
++        """
++        Test checks that posix user with only uidNumber defined
++        and gidNumber not set, auto-private-group
++        is set to false/true/hybrid
++        """
++        posixuser = "testuser1@%s" % self.ad_domain
++        self.mod_idrange_auto_private_group(type)
++        if type == "true":
++            (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++            assert uid == gid
++        else:
++            for host in [self.master, self.clients[0]]:
++                result = host.run_command(['id', posixuser], raiseonerr=False)
++                tasks.assert_error(result, "no such user")
++
++    @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++    def test_auto_private_group_primary_group(self, type):
++        """
++        Test checks that AD users which contain posix attributes
++        (uidNumber and gidNumber) and there is primary group
++        with gid number defined.
++        """
++        posixuser = "testuser@%s" % self.ad_domain
++        self.mod_idrange_auto_private_group(type)
++        (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++        test_grp = self.clients[0].run_command(["id", posixuser])
++        assert uid == '10042'
++        if type == "true":
++            assert uid == gid
++            groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format(
++                self.ad_domain, self.ad_domain)
++            assert groups in test_grp.stdout_text
++        else:
++            assert gid == '10047'
++            groups = "10047(testgroup@{0})".format(self.ad_domain)
++            assert groups in test_grp.stdout_text
++
++    @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++    def test_idoverride_with_auto_private_group(self, type):
++        """
++        Override ad trusted user in default trust view
++        and set auto-private-groups=[hybrid,true,false]
++        and ensure that overridden values takes effect.
++        """
++        posixuser = "testuser@%s" % self.ad_domain
++        with self.set_idoverrideuser(posixuser,
++                                     self.uid_override,
++                                     self.gid_override):
++            self.mod_idrange_auto_private_group(type)
++            (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++            assert(uid == self.uid_override
++                   and gid == self.gid_override)
++            result = self.clients[0].run_command(['id', posixuser])
++            assert "10047(testgroup@{0})".format(
++                self.ad_domain) in result.stdout_text
+-- 
+2.34.1
+
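Review bot: The cleanup in `set_idoverrideuser` runs `idoverrideuser-del` and `group-del` without `raiseonerr=False`. If `idoverrideuser-add` or `tasks.group_add` fails inside the `try`, the `finally` block then fails on the missing object and hides the original error. A failure of the first cleanup command also skips the second, leaving `idgroup` behind for the next parametrized run. Making both calls tolerant fixes this, e.g. `self.master.run_command(["ipa", "group-del", "idgroup"], raiseonerr=False)` and the same argument on the `idoverrideuser-del` call. Separately, `get_user_id` calls `match.group('uid')` without checking that `re.match` matched; `assert match, test_id.stdout_text` before it would report unexpected `id` output instead of an `AttributeError`.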
diff --git a/SOURCES/0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch b/SOURCES/0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
new file mode 100644
index 0000000..2b84d99
--- /dev/null
+++ b/SOURCES/0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
@@ -0,0 +1,43 @@
+From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Thu, 10 Feb 2022 17:07:45 +0530
+Subject: [PATCH] mark xfail for
+ test_idoverride_with_auto_private_group[hybrid]
+
+Related : https://github.com/SSSD/sssd/issues/5989
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ ipatests/test_integration/test_trust.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index ff2dd9cc819e1c5620ce449384957a633ae6d1f0..54bd154628cb8fb063d9839d7928acd37647e2a4 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -15,6 +15,7 @@ from ipaplatform.paths import paths
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.pytest_ipa.integration import tasks
+ from ipatests.pytest_ipa.integration import fips
++from ipatests.util import xfail_context
+ from ipapython.dn import DN
+ from collections import namedtuple
+ from contextlib import contextmanager
+@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
+             assert (uid == self.uid_override and gid == self.gid_override)
+             test_group = self.clients[0].run_command(
+                 ["id", nonposixuser]).stdout_text
+-            assert "domain users@{0}".format(self.ad_domain) in test_group
++            version = tasks.get_sssd_version(self.clients[0])
++            with xfail_context(version <= tasks.parse_version('2.6.3')
++                               and type == "hybrid",
++                               'https://github.com/SSSD/sssd/issues/5989'):
++                assert "domain users@{0}".format(self.ad_domain) in test_group
+ 
+     @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+     def test_nonposixuser_nondefault_primary_group(self, type):
+-- 
+2.34.1
+
diff --git a/SOURCES/0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch b/SOURCES/0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
new file mode 100644
index 0000000..a45d917
--- /dev/null
+++ b/SOURCES/0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
@@ -0,0 +1,38 @@
+From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Thu, 10 Feb 2022 17:29:45 +0530
+Subject: [PATCH] Mark xfail
+ test_gidnumber_not_corresponding_existing_group[true,hybrid]
+
+Related : https://github.com/SSSD/sssd/issues/5988
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ ipatests/test_integration/test_trust.py | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 54bd154628cb8fb063d9839d7928acd37647e2a4..c128378151ec4c0fb295823d75f2a04df2f7ffa0 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
+                                                  raiseonerr=False)
+             tasks.assert_error(result, "no such user")
+         else:
+-            (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+-            assert uid == gid
+-            assert uid == '10060'
++            sssd_version = tasks.get_sssd_version(self.clients[0])
++            with xfail_context(sssd_version <= tasks.parse_version('2.6.3'),
++                               'https://github.com/SSSD/sssd/issues/5988'):
++                (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++                assert uid == gid
++                assert uid == '10060'
+ 
+     @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+     def test_only_uid_number_auto_private_group_default(self, type):
+-- 
+2.34.1
+
diff --git a/SOURCES/0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch b/SOURCES/0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
new file mode 100644
index 0000000..fb75eeb
--- /dev/null
+++ b/SOURCES/0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
@@ -0,0 +1,108 @@
+From a51900819bd5332bc05ec9d513f062844b3a7763 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 25 Feb 2022 08:58:24 +0200
+Subject: [PATCH] KRB instance: make provision to work with crypto policy
+ without SHA-1 HMAC types
+
+RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
+
+Due to bootstrapping process, force explicitly supported encryption
+types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
+in FIPS mode at bootstrap time which then fails to initialize kadmin
+principals requiring use of AES256-SHA2 and AES128-SHA2.
+
+Camellia ciphers must be filtered out in FIPS mode, we do that already
+in the kerberos.ldif.
+
+At this point we are not changing the master key encryption type to
+AES256-SHA2 because upgrading existing deployments is complicated and
+at the time when a replica configuration is deployed, we don't know what
+is the encryption type of the master key of the original server as well.
+
+Fixes: https://pagure.io/freeipa/issue/9119
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ install/share/kdc.conf.template  |  3 ++-
+ install/share/kerberos.ldif      |  2 ++
+ ipaserver/install/krbinstance.py | 21 ++++++++++++++++++++-
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
+index 232fedc445f660c30a88d8844d9f1b6042db41a7..685d42f3b7fb263e86b7a6db98be8bcc53e7bbe6 100644
+--- a/install/share/kdc.conf.template
++++ b/install/share/kdc.conf.template
+@@ -6,7 +6,8 @@
+ 
+ [realms]
+  $REALM = {
+-  master_key_type = aes256-cts
++  master_key_type = $MASTER_KEY_TYPE
++  supported_enctypes = $SUPPORTED_ENCTYPES
+   max_life = 7d
+   max_renewable_life = 14d
+   acl_file = $KRB5KDC_KADM5_ACL
+diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
+index 3b75b445641fd86e2029ceb51e479c6ccb17856c..51e5cf9bca4b0b2cf2e1fe3ec85777deb61b76b0 100644
+--- a/install/share/kerberos.ldif
++++ b/install/share/kerberos.ldif
+@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
+ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
+ krbMaxTicketLife: 86400
+ krbMaxRenewableAge: 604800
++krbDefaultEncSaltTypes: aes256-sha2:special
++krbDefaultEncSaltTypes: aes128-sha2:special
+ krbDefaultEncSaltTypes: aes256-cts:special
+ krbDefaultEncSaltTypes: aes128-cts:special
+ 
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index 216c1032d8abd9fc119d98d8f9976ce17d246ea4..852edcd9978f4a47d355e206fbb4a513ea699865 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -51,6 +51,14 @@ logger = logging.getLogger(__name__)
+ 
+ PKINIT_ENABLED = 'pkinitEnabled'
+ 
++MASTER_KEY_TYPE = 'aes256-sha1'
++SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
++                      'aes256-sha2:normal', 'aes128-sha2:normal',
++                      'aes256-cts:special', 'aes128-cts:special',
++                      'aes256-cts:normal', 'aes128-cts:normal',
++                      'camellia256-cts:special', 'camellia128-cts:special',
++                      'camellia256-cts:normal', 'camellia128-cts:normal')
++
+ 
+ def get_pkinit_request_ca():
+     """
+@@ -252,6 +260,7 @@ class KrbInstance(service.Service):
+         else:
+             includes = ''
+ 
++        fips_enabled = tasks.is_fips_enabled()
+         self.sub_dict = dict(FQDN=self.fqdn,
+                              IP=self.ip,
+                              PASSWORD=self.kdc_password,
+@@ -269,7 +278,17 @@ class KrbInstance(service.Service):
+                              KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
+                              CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
+                              INCLUDES=includes,
+-                             FIPS='#' if tasks.is_fips_enabled() else '')
++                             FIPS='#' if fips_enabled else '')
++
++        if fips_enabled:
++            supported_enctypes = list(
++                filter(lambda e: not e.startswith('camelia'),
++                       SUPPORTED_ENCTYPES))
++        else:
++            supported_enctypes = SUPPORTED_ENCTYPES
++        self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes)
++
++        self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE
+ 
+         # IPA server/KDC is not a subdomain of default domain
+         # Proper domain-realm mapping needs to be specified
+-- 
+2.34.1
+
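Review bot: The FIPS filter in the `krbinstance.py` hunk tests `e.startswith('camelia')`, but every Camellia entry in `SUPPORTED_ENCTYPES` is spelled `camellia…`, so the predicate never matches. The Camellia enctypes therefore stay in the `supported_enctypes` value substituted into `kdc.conf` in FIPS mode, which contradicts the commit message's statement that they must be filtered out. The prefix should read `filter(lambda e: not e.startswith('camellia'),`. A comprehension such as `[e for e in SUPPORTED_ENCTYPES if not e.startswith('camellia')]` would make the intent easier to read. The enclosing method starts and ends outside the hunk.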
diff --git a/SOURCES/0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch b/SOURCES/0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
new file mode 100644
index 0000000..562bba7
--- /dev/null
+++ b/SOURCES/0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
@@ -0,0 +1,58 @@
+From b016683552a58f9cc2a05cf628cc467234eaf599 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 28 Feb 2022 11:10:49 +0200
+Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active
+
+Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
+mode. This is required in FIPS mode due to AD not supporting Kerberos
+AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
+defined in RFC 8009.
+
+Fixes: https://pagure.io/freeipa/issue/9119
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ ipatests/pytest_ipa/integration/fips.py  | 6 ++++++
+ ipatests/pytest_ipa/integration/tasks.py | 3 +++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
+index 694ec8a9927da917fe99482094f68540a1032c14..b33aa91b14552d6f47191c913db4f974a5a5948c 100644
+--- a/ipatests/pytest_ipa/integration/fips.py
++++ b/ipatests/pytest_ipa/integration/fips.py
+@@ -68,3 +68,9 @@ def disable_userspace_fips(host):
+     # sanity check
+     assert not is_fips_enabled(host)
+     host.run_command(["openssl", "md5", "/dev/null"])
++
++
++def enable_crypto_subpolicy(host, subpolicy):
++    result = host.run_command(["update-crypto-policies", "--show"])
++    policy = result.stdin_text.strip() + ":" + subpolicy
++    host.run_command(["update-crypto-policies", "--set", policy])
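Review bot: `enable_crypto_subpolicy` builds the new policy from `result.stdin_text`, which is the input given to the command rather than what `update-crypto-policies --show` printed. The active policy name is presumably in `result.stdout_text`. As written, the helper either fails on `.strip()` or sets a policy string that begins with `:`, depending on what `stdin_text` holds for a command run without input. The line should read `policy = result.stdout_text.strip() + ":" + subpolicy`. A one-line docstring saying the helper appends a subpolicy to the currently active policy would also help callers.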
+diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
+index 7e1b7c24dab00986ff6e75430bf55e55dd1a6b8e..13d84e23fa7dc8a5e562e8498c9142e2bcad696a 100755
+--- a/ipatests/pytest_ipa/integration/tasks.py
++++ b/ipatests/pytest_ipa/integration/tasks.py
+@@ -66,6 +66,7 @@ from .env_config import env_to_script
+ from .host import Host
+ from .firewall import Firewall
+ from .resolver import ResolvedResolver
++from .fips import is_fips_enabled, enable_crypto_subpolicy
+ 
+ logger = logging.getLogger(__name__)
+ 
+@@ -362,6 +363,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
+     if setup_adtrust:
+         args.append('--setup-adtrust')
+         fw_services.append("freeipa-trust")
++        if is_fips_enabled(host):
++            enable_crypto_subpolicy(host, "AD-SUPPORT")
+     if external_ca:
+         args.append('--external-ca')
+ 
+-- 
+2.34.1
+
diff --git a/SOURCES/0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch b/SOURCES/0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
new file mode 100644
index 0000000..b20a590
--- /dev/null
+++ b/SOURCES/0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
@@ -0,0 +1,46 @@
+From 49d9147e38c5b50c52a1ebc7283753c779c2f81f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 3 Mar 2022 14:38:57 +0200
+Subject: [PATCH] ipatests: extend AES keyset to SHA2-based ones
+
+Fixes: https://pagure.io/freeipa/issue/9119
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ ipaserver/install/plugins/adtrust.py     | 3 ++-
+ ipatests/pytest_ipa/integration/tasks.py | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
+index 5b87ac47c6919de287b07c9ceef7ae22e1e79398..67e372bdb40a0b1f6815f107fc567f0ae056dad8 100644
+--- a/ipaserver/install/plugins/adtrust.py
++++ b/ipaserver/install/plugins/adtrust.py
+@@ -754,7 +754,8 @@ class update_host_cifs_keytabs(Updater):
+     """
+ 
+     host_princ_template = "host/{master}@{realm}"
+-    valid_etypes = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
++    valid_etypes = ['aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128',
++                    'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
+ 
+     def extract_key_refs(self, keytab):
+         host_princ = self.host_princ_template.format(
+diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
+index 13d84e23fa7dc8a5e562e8498c9142e2bcad696a..d06f8eb2cf6c36956ec200a1abb7c488d1dad9aa 100755
+--- a/ipatests/pytest_ipa/integration/tasks.py
++++ b/ipatests/pytest_ipa/integration/tasks.py
+@@ -2261,7 +2261,8 @@ class KerberosKeyCopier:
+        copier.copy_keys('/etc/krb5.keytab', tmpname, replacement=replacement)
+     """
+     host_princ_template = "host/{master}@{realm}"
+-    valid_etypes = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
++    valid_etypes = ['aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128',
++                    'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
+ 
+     def __init__(self, host):
+         self.host = host
+-- 
+2.34.1
+
diff --git a/SOURCES/0030-freeipa.spec-bump-crypto-policies-dependency-for-Cen.patch b/SOURCES/0030-freeipa.spec-bump-crypto-policies-dependency-for-Cen.patch
new file mode 100644
index 0000000..4c61492
--- /dev/null
+++ b/SOURCES/0030-freeipa.spec-bump-crypto-policies-dependency-for-Cen.patch
@@ -0,0 +1,35 @@
+From ee39de46a1c1ea96bbe524f159ae435319b2d072 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 3 Mar 2022 14:43:11 +0200
+Subject: [PATCH] freeipa.spec: bump crypto-policies dependency for CentOS 9
+ Stream
+
+Fixes: https://pagure.io/freeipa/issue/9119
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ freeipa.spec.in | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 0b24febc0baff6f60fd2b4cb254971bd3e3aa3b8..c1d81605068c6fc3e6c765ad01c4967fa9f03c95 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -695,6 +695,12 @@ Provides: %{name}-admintools = %{version}-%{release}
+ Conflicts: crypto-policies < 20200629-1
+ %endif
+ 
++%if 0%{?rhel} == 9
++# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
++# AD-SUPPORT-LEGACY policy modules
++Conflicts: crypto-policies < 20220223-1
++%endif
++
+ %description client
+ IPA is an integrated solution to provide centrally managed Identity (users,
+ hosts, services), Authentication (SSO, 2FA), and Authorization
+-- 
+2.34.1
+
diff --git a/SOURCES/0031-Kerberos-instance-default-to-AES256-SHA2-for-master-.patch b/SOURCES/0031-Kerberos-instance-default-to-AES256-SHA2-for-master-.patch
new file mode 100644
index 0000000..4cb65b1
--- /dev/null
+++ b/SOURCES/0031-Kerberos-instance-default-to-AES256-SHA2-for-master-.patch
@@ -0,0 +1,56 @@
+From 3e54c4362490b4da1b6cb3e141bb6e08fecc58c0 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 14 Mar 2022 13:23:04 +0200
+Subject: [PATCH] Kerberos instance: default to AES256-SHA2 for master key
+ encryption
+
+KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
+the template in install/share/kdc.conf.template. Master key encryption
+type specified there is used to bootstrap the master key in LDAP
+database. Once it is done, actual deployment does not rely on the
+master_key_type value anymore. The actual master key(s) get loaded from
+LDAP database where they stored in a BER-encoded format, preserving all
+parameters, including encryption type.
+
+This means we can safely migrate to AES256-SHA2 as the default master
+key encryption type for new installations. Replicas will get their
+master key encryption type details from the server they were provisioned
+from.
+
+MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
+the earliest supported version as it provides krb5 1.15.1. Current
+supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
+used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
+change does not affect old releases.
+
+Migration from the previously deployed master key encryption type is
+described by MIT Kerberos upstream in
+http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key
+
+One would need to use '-x ipa-setup-override-restrictions' to allow
+the `kdb5_util` utility to modify the data over IPA KDB driver.
+
+Fixes: https://pagure.io/freeipa/issue/9119
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ ipaserver/install/krbinstance.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index 01b3309d50c0e8025e3381eac577225b1ef0be9d..a5eaa7b17133498f08e84d01c90764236e8ebe84 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)
+ 
+ PKINIT_ENABLED = 'pkinitEnabled'
+ 
+-MASTER_KEY_TYPE = 'aes256-sha1'
++MASTER_KEY_TYPE = 'aes256-sha2'
+ SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
+                       'aes256-sha2:normal', 'aes128-sha2:normal',
+                       'aes256-cts:special', 'aes128-cts:special',
+-- 
+2.34.1
+
diff --git a/SOURCES/0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch b/SOURCES/0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch
new file mode 100644
index 0000000..368346f
--- /dev/null
+++ b/SOURCES/0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch
@@ -0,0 +1,44 @@
+From 3baae8d1bd0a0c4c707314524289e86e6ecbc0df Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 14 Mar 2022 21:09:36 +0200
+Subject: [PATCH] test_otp: do not use paramiko unless it is really needed
+
+paramiko cannot be used in FIPS mode. We have few tests that import
+generic methods from test_otp (add_token/del_token) and those tests fail
+in FIPS mode due to unconditional 'import paramiko'.
+
+Instead, move 'import paramiko' to the ssh_2f() helper which is not used
+in FIPS mode (the whole SSH 2FA test is skipped then).
+
+Related: https://pagure.io/freeipa/issue/9119
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ ipatests/test_integration/test_otp.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
+index bec76d205bf37699483b65ebbc5613cbbb466bb4..04bef4626077e727654898b07a76acab4f1d5971 100644
+--- a/ipatests/test_integration/test_otp.py
++++ b/ipatests/test_integration/test_otp.py
+@@ -5,7 +5,6 @@
+ """
+ import base64
+ import logging
+-import paramiko
+ import pytest
+ import re
+ import time
+@@ -102,6 +101,8 @@ def ssh_2f(hostname, username, answers_dict, port=22):
+             logger.info(
+                 "Answer to ssh prompt is: '%s'", answers_dict[prmpt_str])
+         return resp
++
++    import paramiko
+     trans = paramiko.Transport((hostname, port))
+     trans.connect()
+     trans.auth_interactive(username, answer_handler)
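Review bot: The function-local `import paramiko` has no comment explaining why it is not at module level, so a later import cleanup could move it back and break the FIPS runs again. Add a line above it such as `# paramiko cannot be used in FIPS mode; keep this import local so the module stays importable there`. The body of `ssh_2f` starts outside the hunk.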
+-- 
+2.34.1
+
diff --git a/SOURCES/0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch b/SOURCES/0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch
new file mode 100644
index 0000000..de21062
--- /dev/null
+++ b/SOURCES/0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch
@@ -0,0 +1,44 @@
+From 2e70535f74e7d9dd76e728eca1119ce522fd138a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 15 Mar 2022 11:39:46 +0200
+Subject: [PATCH] test_krbtpolicy: skip SPAKE-related tests in FIPS mode
+
+SPAKE is based on the crypto primitives which are not FIPS compliant
+yet. This means that in FIPS mode use of 'hardened' authentication
+indicator is not possible. Skip corresponding tests in FIPS mode.
+
+Related: https://pagure.io/freeipa/issue/9119
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ ipatests/test_integration/test_krbtpolicy.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
+index 9489fbc97b7836aecf491b57627f254d4849eb56..eae16247bdfb195c1d91209cf2d11eac4c25018f 100644
+--- a/ipatests/test_integration/test_krbtpolicy.py
++++ b/ipatests/test_integration/test_krbtpolicy.py
+@@ -105,6 +105,9 @@ class TestPWPolicy(IntegrationTest):
+ 
+     def test_krbtpolicy_password_and_hardended(self):
+         """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
++        if self.master.is_fips_mode:
++            pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
++
+         master = self.master
+         master.run_command(['ipa', 'user-mod', USER1,
+                             '--user-auth-type', 'password',
+@@ -133,6 +136,9 @@ class TestPWPolicy(IntegrationTest):
+ 
+     def test_krbtpolicy_hardended(self):
+         """Test a hardened kerberos ticket policy with 30min tickets"""
++        if self.master.is_fips_mode:
++            pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
++
+         master = self.master
+         master.run_command(['ipa', 'user-mod', USER1,
+                             '--user-auth-type', 'hardened'])
+-- 
+2.34.1
+
diff --git a/SOURCES/0034-Support-AES-for-KRA-archival-wrapping.patch b/SOURCES/0034-Support-AES-for-KRA-archival-wrapping.patch
new file mode 100644
index 0000000..8d4ec8a
--- /dev/null
+++ b/SOURCES/0034-Support-AES-for-KRA-archival-wrapping.patch
@@ -0,0 +1,555 @@
+From 895e99b6843c2fa2274acab824607c33c1a560a4 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 7 Oct 2019 14:13:03 +0200
+Subject: [PATCH] Support AES for KRA archival wrapping
+
+The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
+algorithm since the plugin was introduced. Allow use of AES-128-CBC as
+alternative wrapping algorithm for transport of secrets.
+
+Fixes: https://pagure.io/freeipa/issue/6524
+
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ API.txt                    |   7 +-
+ VERSION.m4                 |   5 +-
+ ipaclient/plugins/vault.py | 155 +++++++++++++++++++++++++------------
+ ipalib/capabilities.py     |   4 +
+ ipalib/constants.py        |  12 +++
+ ipaserver/plugins/vault.py |  61 ++++++++++++---
+ 6 files changed, 180 insertions(+), 64 deletions(-)
+
+diff --git a/API.txt b/API.txt
+index 576fa7c51e31886b257ccf176aaf232c0f2ea5ee..f95f2c8457e39f2268386a8a2336952d3285e008 100644
+--- a/API.txt
++++ b/API.txt
+@@ -6548,7 +6548,7 @@ output: Output('completed', type=[<type 'int'>])
+ output: Output('failed', type=[<type 'dict'>])
+ output: Entry('result')
+ command: vault_archive_internal/1
+-args: 1,9,3
++args: 1,10,3
+ arg: Str('cn', cli_name='name')
+ option: Flag('all', autofill=True, cli_name='all', default=False)
+ option: Bytes('nonce')
+@@ -6559,6 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
+ option: Str('username?', cli_name='user')
+ option: Bytes('vault_data')
+ option: Str('version?')
++option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
+ output: Entry('result')
+ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+ output: PrimaryKey('value')
+@@ -6649,7 +6650,7 @@ output: Output('completed', type=[<type 'int'>])
+ output: Output('failed', type=[<type 'dict'>])
+ output: Entry('result')
+ command: vault_retrieve_internal/1
+-args: 1,7,3
++args: 1,8,3
+ arg: Str('cn', cli_name='name')
+ option: Flag('all', autofill=True, cli_name='all', default=False)
+ option: Flag('raw', autofill=True, cli_name='raw', default=False)
+@@ -6658,6 +6659,7 @@ option: Bytes('session_key')
+ option: Flag('shared?', autofill=True, default=False)
+ option: Str('username?', cli_name='user')
+ option: Str('version?')
++option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
+ output: Entry('result')
+ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+ output: PrimaryKey('value')
+@@ -7327,6 +7329,7 @@ default: vaultcontainer_del/1
+ default: vaultcontainer_remove_owner/1
+ default: vaultcontainer_show/1
+ default: whoami/1
++capability: vault_aes_keywrap 2.246
+ capability: messages 2.52
+ capability: optional_uid_params 2.54
+ capability: permissions2 2.69
+diff --git a/VERSION.m4 b/VERSION.m4
+index 70aaff4c9b9514a5937eae60074376e1a592464e..997ac35e74fa6f2a96da027ed3ce93cf809b62a7 100644
+--- a/VERSION.m4
++++ b/VERSION.m4
+@@ -86,9 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
+ #                                                      #
+ ########################################################
+ define(IPA_API_VERSION_MAJOR, 2)
+-# Last change: add enable_sid to config
+-define(IPA_API_VERSION_MINOR, 245)
+-
++# Last change: Add wrapping algorithm to vault archive/retrieve
++define(IPA_API_VERSION_MINOR, 246)
+ 
+ ########################################################
+ # Following values are auto-generated from values above
+diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
+index d3a1d370efaccc7e5b0088bd3df341d76884d509..115171c7768d44251c17d0bcdac9c37b3a25db99 100644
+--- a/ipaclient/plugins/vault.py
++++ b/ipaclient/plugins/vault.py
+@@ -25,11 +25,12 @@ import io
+ import json
+ import logging
+ import os
++import ssl
+ import tempfile
+ 
+ from cryptography.fernet import Fernet, InvalidToken
+ from cryptography.hazmat.backends import default_backend
+-from cryptography.hazmat.primitives import hashes, serialization
++from cryptography.hazmat.primitives import hashes
+ from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+ from cryptography.hazmat.primitives.asymmetric import padding
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+@@ -39,7 +40,7 @@ from cryptography.hazmat.primitives.serialization import (
+ 
+ from ipaclient.frontend import MethodOverride
+ from ipalib import x509
+-from ipalib.constants import USER_CACHE_PATH
++from ipalib import constants
+ from ipalib.frontend import Local, Method, Object
+ from ipalib.util import classproperty
+ from ipalib import api, errors
+@@ -546,42 +547,49 @@ class vault_mod(Local):
+         return response
+ 
+ 
+-class _TransportCertCache:
++class _KraConfigCache:
++    """The KRA config cache stores vaultconfig-show result.
++    """
+     def __init__(self):
+         self._dirname = os.path.join(
+-                USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
++            constants.USER_CACHE_PATH, 'ipa', 'kra-config'
+         )
+ 
+     def _get_filename(self, domain):
+-        basename = DNSName(domain).ToASCII() + '.pem'
++        basename = DNSName(domain).ToASCII() + '.json'
+         return os.path.join(self._dirname, basename)
+ 
+-    def load_cert(self, domain):
+-        """Load cert from cache
++    def load(self, domain):
++        """Load config from cache
+ 
+         :param domain: IPA domain
+-        :return: cryptography.x509.Certificate or None
++        :return: dict or None
+         """
+         filename = self._get_filename(domain)
+         try:
+             try:
+-                return x509.load_certificate_from_file(filename)
+-            except EnvironmentError as e:
++                with open(filename) as f:
++                    return json.load(f)
++            except OSError as e:
+                 if e.errno != errno.ENOENT:
+                     raise
+         except Exception:
+             logger.warning("Failed to load %s", filename, exc_info=True)
+         return None
+ 
+-    def store_cert(self, domain, transport_cert):
+-        """Store a new cert or override existing cert
++    def store(self, domain, response):
++        """Store config in cache
+ 
+         :param domain: IPA domain
+-        :param transport_cert: cryptography.x509.Certificate
+-        :return: True if cert was stored successfully
++        :param config: ipa vaultconfig-show response
++        :return: True if config was stored successfully
+         """
++        config = response['result'].copy()
++        # store certificate as PEM-encoded ASCII
++        config['transport_cert'] = ssl.DER_cert_to_PEM_cert(
++            config['transport_cert']
++        )
+         filename = self._get_filename(domain)
+-        pem = transport_cert.public_bytes(serialization.Encoding.PEM)
+         try:
+             try:
+                 os.makedirs(self._dirname)
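Review bot: In `store`, the copy of `response['result']` and the `ssl.DER_cert_to_PEM_cert` conversion run before the `try:` that guards the rest of the method. A response without `transport_cert` therefore raises out of a method whose docstring promises a success/failure return, and `vaultconfig_show.forward` calls it unconditionally. Moving those lines inside the existing `try:` would keep the cache best-effort, assuming the handler further down (outside the hunk) catches general exceptions as `load` does. The docstring also still says `:param config:` although the parameter is now `response`; it should read `:param response: ipa vaultconfig-show response`.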
+@@ -589,9 +597,9 @@ class _TransportCertCache:
+                 if e.errno != errno.EEXIST:
+                     raise
+             with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
+-                                             mode='wb') as f:
++                                             mode='w') as f:
+                 try:
+-                    f.write(pem)
++                    json.dump(config, f)
+                     ipautil.flush_sync(f)
+                     f.close()
+                     os.rename(f.name, filename)
+@@ -604,8 +612,8 @@ class _TransportCertCache:
+         else:
+             return True
+ 
+-    def remove_cert(self, domain):
+-        """Remove a cert from cache, ignores errors
++    def remove(self, domain):
++        """Remove a config from cache, ignores errors
+ 
+         :param domain: IPA domain
+         :return: True if cert was found and removed
+@@ -621,7 +629,7 @@ class _TransportCertCache:
+             return True
+ 
+ 
+-_transport_cert_cache = _TransportCertCache()
++_kra_config_cache = _KraConfigCache()
+ 
+ 
+ @register(override=True, no_fail=True)
+@@ -636,13 +644,8 @@ class vaultconfig_show(MethodOverride):
+ 
+         response = super(vaultconfig_show, self).forward(*args, **options)
+ 
+-        # cache transport certificate
+-        transport_cert = x509.load_der_x509_certificate(
+-                response['result']['transport_cert'])
+-
+-        _transport_cert_cache.store_cert(
+-            self.api.env.domain, transport_cert
+-        )
++        # cache config
++        _kra_config_cache.store(self.api.env.domain, response)
+ 
+         if file:
+             with open(file, 'wb') as f:
+@@ -652,10 +655,54 @@ class vaultconfig_show(MethodOverride):
+ 
+ 
+ class ModVaultData(Local):
+-    def _generate_session_key(self):
+-        key_length = max(algorithms.TripleDES.key_sizes)
+-        algo = algorithms.TripleDES(os.urandom(key_length // 8))
+-        return algo
++    def _generate_session_key(self, name):
++        if name not in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
++            msg = _("{algo} is not a supported vault wrapping algorithm")
++            raise errors.ValidationError(msg.format(algo=repr(name)))
++        if name == constants.VAULT_WRAPPING_AES128_CBC:
++            return algorithms.AES(os.urandom(128 // 8))
++        elif name == constants.VAULT_WRAPPING_3DES:
++            return algorithms.TripleDES(os.urandom(196 // 8))
++        else:
++            # unreachable
++            raise ValueError(name)
++
++    def _get_vaultconfig(self, force_refresh=False):
++        config = None
++        if not force_refresh:
++            config = _kra_config_cache.load(self.api.env.domain)
++        if config is None:
++            # vaultconfig_show also caches data
++            response = self.api.Command.vaultconfig_show()
++            config = response['result']
++            transport_cert = x509.load_der_x509_certificate(
++                config['transport_cert']
++            )
++        else:
++            # cached JSON uses PEM-encoded ASCII string
++            transport_cert = x509.load_pem_x509_certificate(
++                config['transport_cert'].encode('ascii')
++            )
++
++        default_algo = config.get('wrapping_default_algorithm')
++        if default_algo is None:
++            # old server
++            wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
++        elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
++            # try to use server default
++            wrapping_algo = default_algo
++        else:
++            # prefer server's sorting order
++            for algo in config['wrapping_supported_algorithms']:
++                if algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
++                    wrapping_algo = algo
++                    break
++            else:
++                raise errors.ValidationError(
++                    "No overlapping wrapping algorithm between server and "
++                    "client."
++                )
++        return transport_cert, wrapping_algo
+ 
+     def _do_internal(self, algo, transport_cert, raise_unexpected,
+                      *args, **options):
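Review bot: The `# old server` branch of `_get_vaultconfig` selects `VAULT_WRAPPING_AES128_CBC`, and the callers send `wrapping_algo` whenever the choice is not 3DES, so a server that does not advertise `wrapping_default_algorithm` is the one case where the new option is always sent. If such a server predates the option it will presumably reject the request. `wrapping_algo = constants.VAULT_WRAPPING_3DES` looks like the compatible fallback, to be confirmed against the oldest supported server. Separately, `os.urandom(196 // 8)` in `_generate_session_key` yields the 24-byte 3DES key only because of integer division, and should be `192 // 8`. A cached config that lacks `transport_cert` or `wrapping_supported_algorithms` raises `KeyError` here without the stale cache entry being removed.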
+@@ -675,29 +722,23 @@ class ModVaultData(Local):
+         except (errors.InternalError,
+                 errors.ExecutionError,
+                 errors.GenericError):
+-            _transport_cert_cache.remove_cert(self.api.env.domain)
++            _kra_config_cache.remove(self.api.env.domain)
+             if raise_unexpected:
+                 raise
+         return None
+ 
+-    def internal(self, algo, *args, **options):
++    def internal(self, algo, transport_cert, *args, **options):
+         """
+         Calls the internal counterpart of the command.
+         """
+-        domain = self.api.env.domain
+-
+         # try call with cached transport certificate
+-        transport_cert = _transport_cert_cache.load_cert(domain)
+-        if transport_cert is not None:
+-            result = self._do_internal(algo, transport_cert, False,
++        result = self._do_internal(algo, transport_cert, False,
+                                        *args, **options)
+-            if result is not None:
+-                return result
++        if result is not None:
++            return result
+ 
+         # retrieve transport certificate (cached by vaultconfig_show)
+-        response = self.api.Command.vaultconfig_show()
+-        transport_cert = x509.load_der_x509_certificate(
+-            response['result']['transport_cert'])
++        transport_cert = self._get_vaultconfig(force_refresh=True)[0]
+         # call with the retrieved transport certificate
+         return self._do_internal(algo, transport_cert, True,
+                                  *args, **options)
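Review bot: On the retry path `internal` refreshes only the transport certificate, via `self._get_vaultconfig(force_refresh=True)[0]`, and discards the refreshed wrapping algorithm. Meanwhile `algo` and `options['wrapping_algo']` were already fixed by the caller from the possibly stale cache. If the first call failed because the cached algorithm no longer matches the server, the second call appears to repeat the same request, though `_do_internal` is only partly visible here. The docstring should state that only the certificate is refreshed, or the callers should redo the algorithm choice after a refresh. The comment `# try call with cached transport certificate` is stale now that the certificate is a parameter, and the continuation line `*args, **options)` kept its old indentation.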
+@@ -777,7 +818,7 @@ class vault_archive(ModVaultData):
+     def _wrap_data(self, algo, json_vault_data):
+         """Encrypt data with wrapped session key and transport cert
+ 
+-        :param bytes algo: wrapping algorithm instance
++        :param algo: wrapping algorithm instance
+         :param bytes json_vault_data: dumped vault data
+         :return:
+         """
+@@ -929,15 +970,24 @@ class vault_archive(ModVaultData):
+ 
+         json_vault_data = json.dumps(vault_data).encode('utf-8')
+ 
++        # get config
++        transport_cert, wrapping_algo = self._get_vaultconfig()
++        # let options override wrapping algo
++        # For backwards compatibility do not send old legacy wrapping algo
++        # to server. Only send the option when non-3DES is used.
++        wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
++        if wrapping_algo != constants.VAULT_WRAPPING_3DES:
++            options['wrapping_algo'] = wrapping_algo
++
+         # generate session key
+-        algo = self._generate_session_key()
++        algo = self._generate_session_key(wrapping_algo)
+         # wrap vault data
+         nonce, wrapped_vault_data = self._wrap_data(algo, json_vault_data)
+         options.update(
+             nonce=nonce,
+             vault_data=wrapped_vault_data
+         )
+-        return self.internal(algo, *args, **options)
++        return self.internal(algo, transport_cert, *args, **options)
+ 
+ 
+ @register(no_fail=True)
+@@ -1061,10 +1111,19 @@ class vault_retrieve(ModVaultData):
+         vault = self.api.Command.vault_show(*args, **options)['result']
+         vault_type = vault['ipavaulttype'][0]
+ 
++        # get config
++        transport_cert, wrapping_algo = self._get_vaultconfig()
++        # let options override wrapping algo
++        # For backwards compatibility do not send old legacy wrapping algo
++        # to server. Only send the option when non-3DES is used.
++        wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
++        if wrapping_algo != constants.VAULT_WRAPPING_3DES:
++            options['wrapping_algo'] = wrapping_algo
++
+         # generate session key
+-        algo = self._generate_session_key()
++        algo = self._generate_session_key(wrapping_algo)
+         # send retrieval request to server
+-        response = self.internal(algo, *args, **options)
++        response = self.internal(algo, transport_cert, *args, **options)
+         # unwrap data with session key
+         vault_data = self._unwrap_response(
+             algo,
+diff --git a/ipalib/capabilities.py b/ipalib/capabilities.py
+index 55b84aa6bc73d583e7bd5d03d2f4f1cc5c8e7c0b..4d8ae408bf67c280d27ce494baa9db9aaff0cd69 100644
+--- a/ipalib/capabilities.py
++++ b/ipalib/capabilities.py
+@@ -54,6 +54,10 @@ capabilities = dict(
+ 
+     # dns_name_values: dnsnames as objects
+     dns_name_values=u'2.88',
++
++    # vault supports aes key wrapping
++    vault_aes_keywrap='2.246'
++
+ )
+ 
+ 
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index 9f19b0f9941ba5068f1e6c218092e3b76fdc7599..11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -374,3 +374,15 @@ KRA_TRACKING_REQS = {
+ }
+ 
+ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
++
++# vault data wrapping algorithms
++VAULT_WRAPPING_3DES = 'des-ede3-cbc'
++VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
++VAULT_WRAPPING_SUPPORTED_ALGOS = (
++    # old default was 3DES
++    VAULT_WRAPPING_3DES,
++    # supported since pki-kra >= 10.4
++    VAULT_WRAPPING_AES128_CBC,
++)
++# 3DES for backwards compatibility
++VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
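Review bot: `VAULT_WRAPPING_DEFAULT_ALGO` stays `VAULT_WRAPPING_3DES`, and the client code in this same patch prefers the server's `wrapping_default_algorithm` whenever it supports it. Two updated peers will therefore still wrap vault transport with 3DES unless `wrapping_algo` is passed explicitly. If that is intended for this release, the comment should say what has to be true before the default can move, for example `# 3DES remains the advertised default for backwards compatibility; switch to VAULT_WRAPPING_AES128_CBC once all supported clients send wrapping_algo`. That way the legacy cipher is not left as the default by accident.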
+diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
+index aebac7dff7bb9d183c6012cc685577d476e18c4e..4d40f66c6a793a831e91c5fe25c8b5277cbd1972 100644
+--- a/ipaserver/plugins/vault.py
++++ b/ipaserver/plugins/vault.py
+@@ -23,6 +23,10 @@ from ipalib.frontend import Command, Object
+ from ipalib import api, errors
+ from ipalib import Bytes, Flag, Str, StrEnum
+ from ipalib import output
++from ipalib.constants import (
++    VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_DEFAULT_ALGO,
++    VAULT_WRAPPING_3DES, VAULT_WRAPPING_AES128_CBC,
++)
+ from ipalib.crud import PKQuery, Retrieve
+ from ipalib.parameters import Principal
+ from ipalib.plugable import Registry
+@@ -39,14 +43,8 @@ from ipaserver.masters import is_service_enabled
+ if api.env.in_server:
+     import pki.account
+     import pki.key
+-    # pylint: disable=no-member
+-    try:
+-        # pki >= 10.4.0
+-        from pki.crypto import DES_EDE3_CBC_OID
+-    except ImportError:
+-        DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
+-    # pylint: enable=no-member
+-
++    from pki.crypto import DES_EDE3_CBC_OID
++    from pki.crypto import AES_128_CBC_OID
+ 
+ if six.PY3:
+     unicode = str
+@@ -652,6 +652,20 @@ class vault(LDAPObject):
+         ),
+     )
+ 
++    def _translate_algorithm(self, name):
++        if name is None:
++            name = VAULT_WRAPPING_DEFAULT_ALGO
++        if name not in VAULT_WRAPPING_SUPPORTED_ALGOS:
++            msg = _("{algo} is not a supported vault wrapping algorithm")
++            raise errors.ValidationError(msg.format(algo=name))
++        if name == VAULT_WRAPPING_3DES:
++            return DES_EDE3_CBC_OID
++        elif name == VAULT_WRAPPING_AES128_CBC:
++            return AES_128_CBC_OID
++        else:
++            # unreachable
++            raise ValueError(name)
++
+     def get_dn(self, *keys, **options):
+         """
+         Generates vault DN from parameters.
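Review bot: The `errors.ValidationError(msg.format(algo=name))` call in the new `_translate_algorithm` passes the message positionally, whereas ipalib validation errors are normally built with `name=` and `error=` keywords. If `ValidationError` keeps a fixed class-level format (its definition is not shown here), this line would fail inside the exception constructor instead of reporting the unsupported algorithm. I would write `raise errors.ValidationError(name='wrapping_algo', error=msg.format(algo=name))`. The method also lacks a docstring; one sentence saying that it maps a wrapping algorithm name to the OID handed to the KRA, with `None` selecting `VAULT_WRAPPING_DEFAULT_ALGO`, would be enough. The enclosing `vault` class starts and ends outside this hunk.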
+@@ -992,14 +1006,18 @@ class vaultconfig_show(Retrieve):
+     )
+ 
+     def execute(self, *args, **options):
+-
+         if not self.api.Command.kra_is_enabled()['result']:
+             raise errors.InvocationError(
+                 format=_('KRA service is not enabled'))
+ 
++        config = dict(
++            wrapping_supported_algorithms=VAULT_WRAPPING_SUPPORTED_ALGOS,
++            wrapping_default_algorithm=VAULT_WRAPPING_DEFAULT_ALGO,
++        )
++
+         with self.api.Backend.kra.get_client() as kra_client:
+             transport_cert = kra_client.system_certs.get_transport_cert()
+-            config = {'transport_cert': transport_cert.binary}
++            config['transport_cert'] = transport_cert.binary
+ 
+         self.api.Object.config.show_servroles_attributes(
+             config, "KRA server", **options)
+@@ -1029,6 +1047,13 @@ class vault_archive_internal(PKQuery):
+             'nonce',
+             doc=_('Nonce'),
+         ),
++        StrEnum(
++            'wrapping_algo?',
++            doc=_('Key wrapping algorithm'),
++            values=VAULT_WRAPPING_SUPPORTED_ALGOS,
++            default=VAULT_WRAPPING_DEFAULT_ALGO,
++            autofill=True,
++        ),
+     )
+ 
+     has_output = output.standard_entry
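Review bot: The new `wrapping_algo?` option is documented only as 'Key wrapping algorithm', so nothing at the parameter says that a request omitting it is autofilled with `VAULT_WRAPPING_DEFAULT_ALGO`. In this patch that default is still `VAULT_WRAPPING_3DES` (see the `ipalib/constants.py` hunk of the same patch), so a caller that never sends the option keeps getting 3DES-wrapped transport. A comment above the `StrEnum` would make that explicit: `# autofill: a request without wrapping_algo gets VAULT_WRAPPING_DEFAULT_ALGO; 3DES stays selectable while it is listed in VAULT_WRAPPING_SUPPORTED_ALGOS`. The identical parameter added to `vault_retrieve_internal` further down needs the same comment.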
+@@ -1045,6 +1070,9 @@ class vault_archive_internal(PKQuery):
+         nonce = options.pop('nonce')
+         wrapped_session_key = options.pop('session_key')
+ 
++        wrapping_algo = options.pop('wrapping_algo', None)
++        algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
++
+         # retrieve vault info
+         vault = self.api.Command.vault_show(*args, **options)['result']
+ 
+@@ -1071,7 +1099,7 @@ class vault_archive_internal(PKQuery):
+                 pki.key.KeyClient.PASS_PHRASE_TYPE,
+                 wrapped_vault_data,
+                 wrapped_session_key,
+-                algorithm_oid=DES_EDE3_CBC_OID,
++                algorithm_oid=algorithm_oid,
+                 nonce_iv=nonce,
+             )
+ 
+@@ -1098,6 +1126,13 @@ class vault_retrieve_internal(PKQuery):
+             'session_key',
+             doc=_('Session key wrapped with transport certificate'),
+         ),
++        StrEnum(
++            'wrapping_algo?',
++            doc=_('Key wrapping algorithm'),
++            values=VAULT_WRAPPING_SUPPORTED_ALGOS,
++            default=VAULT_WRAPPING_DEFAULT_ALGO,
++            autofill=True,
++        ),
+     )
+ 
+     has_output = output.standard_entry
+@@ -1112,6 +1147,9 @@ class vault_retrieve_internal(PKQuery):
+ 
+         wrapped_session_key = options.pop('session_key')
+ 
++        wrapping_algo = options.pop('wrapping_algo', None)
++        algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
++
+         # retrieve vault info
+         vault = self.api.Command.vault_show(*args, **options)['result']
+ 
+@@ -1132,6 +1170,9 @@ class vault_retrieve_internal(PKQuery):
+ 
+             key_info = response.key_infos[0]
+ 
++            # XXX hack
++            kra_client.keys.encrypt_alg_oid = algorithm_oid
++
+             # retrieve encrypted data from KRA
+             key = kra_client.keys.retrieve_key(
+                 key_info.get_key_id(),
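Review bot: The `# XXX hack` comment above `kra_client.keys.encrypt_alg_oid = algorithm_oid` does not say what is being worked around or when the assignment can be removed. The line sets an attribute on the key client instead of passing the algorithm as an argument, so the algorithm used to wrap the retrieved secret depends on state set here and not on the call itself. The `retrieve_key(` call continues past the end of this hunk, so whether it accepts an algorithm parameter cannot be seen from here. If the reason is that it does not, say so: `# retrieve_key() takes no wrapping-algorithm argument; KeyClient reads encrypt_alg_oid instead, so set it before the call`.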
+-- 
+2.34.1
+
diff --git a/SOURCES/0035-Set-AES-as-default-for-KRA-archival-wrapping.patch b/SOURCES/0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
new file mode 100644
index 0000000..f762229
--- /dev/null
+++ b/SOURCES/0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
@@ -0,0 +1,86 @@
+From 984190eea01ac42cd1f97567a67dd9446e5b0bf9 Mon Sep 17 00:00:00 2001
+From: Francisco Trivino <ftrivino@redhat.com>
+Date: Fri, 11 Mar 2022 17:47:38 +0100
+Subject: [PATCH] Set AES as default for KRA archival wrapping
+
+This commit sets AES-128-CBC as default wrapping algorithm as
+TripleDES (des-ede3-cbc) is not supported anymore in C9S.
+
+Fixes: https://pagure.io/freeipa/issue/6524
+
+Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ API.txt             |  6 +++---
+ ipalib/constants.py | 14 +++++++++-----
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/API.txt b/API.txt
+index f95f2c8457e39f2268386a8a2336952d3285e008..1f27dcc616a6395c56ef91f3453e7620625c7645 100644
+--- a/API.txt
++++ b/API.txt
+@@ -6559,7 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
+ option: Str('username?', cli_name='user')
+ option: Bytes('vault_data')
+ option: Str('version?')
+-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
++option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+ output: Entry('result')
+ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+ output: PrimaryKey('value')
+@@ -6659,7 +6659,7 @@ option: Bytes('session_key')
+ option: Flag('shared?', autofill=True, default=False)
+ option: Str('username?', cli_name='user')
+ option: Str('version?')
+-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
++option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+ output: Entry('result')
+ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+ output: PrimaryKey('value')
+@@ -7329,10 +7329,10 @@ default: vaultcontainer_del/1
+ default: vaultcontainer_remove_owner/1
+ default: vaultcontainer_show/1
+ default: whoami/1
+-capability: vault_aes_keywrap 2.246
+ capability: messages 2.52
+ capability: optional_uid_params 2.54
+ capability: permissions2 2.69
+ capability: primary_key_types 2.83
+ capability: datetime_values 2.84
+ capability: dns_name_values 2.88
++capability: vault_aes_keywrap 2.246
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index 11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a..68178004181bebcc8c093dac55e18d5afe0251e5 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -29,6 +29,8 @@ from ipaplatform.constants import constants as _constants
+ from ipapython.dn import DN
+ from ipapython.fqdn import gethostfqdn
+ from ipapython.version import VERSION, API_VERSION
++from cryptography.hazmat.primitives.ciphers import algorithms, modes
++from cryptography.hazmat.backends.openssl.backend import backend
+ 
+ 
+ FQDN = gethostfqdn()
+@@ -379,10 +381,12 @@ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
+ VAULT_WRAPPING_3DES = 'des-ede3-cbc'
+ VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
+ VAULT_WRAPPING_SUPPORTED_ALGOS = (
+-    # old default was 3DES
+-    VAULT_WRAPPING_3DES,
+-    # supported since pki-kra >= 10.4
++    # new default and supported since pki-kra >= 10.4
+     VAULT_WRAPPING_AES128_CBC,
+ )
+-# 3DES for backwards compatibility
+-VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
++VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
++
++# Add 3DES for backwards compatibility if supported
++if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8),
++                            modes.CBC(b"\x00" * 8)):
++    VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
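Review bot: The 3DES probe at the end of this hunk runs when `ipalib.constants` is imported, so the contents of `VAULT_WRAPPING_SUPPORTED_ALGOS` now depend on the OpenSSL build of whichever host imports the module, and the comment does not say so. That tuple is also the `values` list of the `wrapping_algo` option, while the API.txt hunk of this patch records both algorithms, which matches only hosts where the probe succeeds. I would extend the comment: `# Evaluated at import time: 3DES is offered only if the local OpenSSL backend still provides it, so this tuple can differ between hosts`. The import hunk of the same file takes `backend` from `cryptography.hazmat.backends.openssl.backend`; `from cryptography.hazmat.backends import default_backend` is the documented entry point and avoids depending on the backend module's layout.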
+-- 
+2.34.1
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
new file mode 100644
index 0000000..0e9a6de
--- /dev/null
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -0,0 +1,223 @@
+From ac3ba2b4ff4cd3ca85c1ff07c2b050f8b5eb7c2b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sun, 7 Oct 2018 12:25:40 +0300
+Subject: [PATCH 1/3] install/ui/css/patternfly.css: Change branding to IPA and
+ Identity Management
+
+---
+ install/ui/css/patternfly.css | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/install/ui/css/patternfly.css b/install/ui/css/patternfly.css
+index ee92053..de574a8 100644
+--- a/install/ui/css/patternfly.css
++++ b/install/ui/css/patternfly.css
+@@ -4,4 +4,4 @@
+  *
+  * Copyright 2013 bootstrap-select
+  * Licensed under the MIT license
+- */.bootstrap-select.btn-group,.bootstrap-select.btn-group[class*=span]{float:none;display:inline-block;margin-bottom:10px;margin-left:0}.form-horizontal .bootstrap-select.btn-group,.form-inline .bootstrap-select.btn-group,.form-search .bootstrap-select.btn-group{margin-bottom:0}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none}.bootstrap-select.btn-group.pull-right,.bootstrap-select.btn-group[class*=span].pull-right,.row-fluid .bootstrap-select.btn-group[class*=span].pull-right{float:right}.input-append .bootstrap-select.btn-group{margin-left:-1px}.input-prepend .bootstrap-select.btn-group{margin-right:-1px}.bootstrap-select:not([class*=span]):not([class*=col-]):not([class*=form-control]){width:220px}.bootstrap-select{width:220px\9}.bootstrap-select.form-control:not([class*=span]){width:100%}.bootstrap-select>.btn{width:100%}.error .bootstrap-select .btn{border:1px solid #b94a48}.dropdown-menu{z-index:2000}.bootstrap-select.show-menu-arrow.open>.btn{z-index:2051}.bootstrap-select .btn:focus{outline:thin dotted #333!important;outline:5px auto -webkit-focus-ring-color!important;outline-offset:-2px}.bootstrap-select.btn-group .btn .filter-option{overflow:hidden;position:absolute;left:12px;right:25px;text-align:left}.bootstrap-select.btn-group .btn .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.bootstrap-select.btn-group .dropdown-menu li.disabled>a,.bootstrap-select.btn-group>.disabled{cursor:not-allowed}.bootstrap-select.btn-group>.disabled:focus{outline:0!important}.bootstrap-select.btn-group[class*=span] .btn{width:100%}.bootstrap-select.btn-group .dropdown-menu{min-width:100%;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}.bootstrap-select.btn-group .dropdown-menu.inner{position:static;border:0;padding:0;margin:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.bootstrap-select.btn-group .dropdown-menu 
dt{display:block;padding:3px 20px;cursor:default}.bootstrap-select.btn-group .div-contain{overflow:hidden}.bootstrap-select.btn-group .dropdown-menu li{position:relative}.bootstrap-select.btn-group .dropdown-menu li>a.opt{position:relative;padding-left:35px}.bootstrap-select.btn-group .dropdown-menu li>a{cursor:pointer}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a i.check-mark{display:inline-block;position:absolute;right:15px;margin-top:2.5px}.bootstrap-select.btn-group .dropdown-menu li a i.check-mark{display:none}.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select.btn-group .dropdown-menu li small{padding-left:.5em}.bootstrap-select.btn-group .dropdown-menu li.active:not(.disabled)>a small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:hover small{color:#64b1d8;color:rgba(255,255,255,.4)}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.show-menu-arrow .dropdown-toggle:before{content:'';display:inline-block;border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid #CCC;border-bottom-color:rgba(0,0,0,.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle:after{content:'';display:inline-block;border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid #fff;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before{bottom:auto;top:-3px;border-top:7px solid #ccc;border-bottom:0;border-top-color:rgba(0,0,0,.2)}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after{bottom:auto;top:-3px;border-top:6px solid #fff;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right 
.dropdown-toggle:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:after,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:before{display:block}.bootstrap-select.btn-group .no-results{padding:3px;background:#f5f5f5;margin:0 5px}.mobile-device{position:absolute;top:0;left:0;display:block!important;width:100%;height:100%!important;opacity:0}.bootstrap-select.fit-width{width:auto!important}.bootstrap-select.btn-group.fit-width .btn .filter-option{position:static}.bootstrap-select.btn-group.fit-width .btn .caret{position:static;top:auto;margin-top:-1px}.control-group.error .bootstrap-select .dropdown-toggle{border-color:#b94a48}.bootstrap-select-searchbox{padding:4px 8px}.bootstrap-select-searchbox input{margin-bottom:0}.alert{border-width:1px;padding-left:47px;padding-right:14px;position:relative}.alert .alert-link{color:#0088ce}.alert .alert-link:hover{color:#00659c}.alert>.btn.pull-right{margin-top:-3px}.alert>.pficon{font-size:22px;position:absolute;left:13px;top:10px}.alert .close{opacity:.85;filter:alpha(opacity=85)}.alert .close:focus,.alert .close:hover{opacity:1;filter:alpha(opacity=100)}.alert .pficon-info{color:#4d5258}.alert-dismissable{padding-right:28px}.alert-dismissable .close{right:-13px;top:1px}.badge{margin-left:6px}.nav-pills>li>a>.badge{margin-left:6px}.bootstrap-select.btn-group.form-control{margin-bottom:0}.bootstrap-select.btn-group .btn{-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-select.btn-group .btn:hover{border-color:#7dc3e8}.bootstrap-select.btn-group .btn .caret{margin-top:-4px}.bootstrap-select.btn-group .btn:focus{border-color:#0088ce;outline:0!important;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px 
rgba(0,136,206,.6);box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6)}.has-error .bootstrap-select.btn-group .btn{border-color:#c00}.has-error .bootstrap-select.btn-group .btn:focus{border-color:#900;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33}.has-success .bootstrap-select.btn-group .btn{border-color:#3c763d}.has-success .bootstrap-select.btn-group .btn:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168}.has-warning .bootstrap-select.btn-group .btn{border-color:#ec7a08}.has-warning .bootstrap-select.btn-group .btn:focus{border-color:#bb6106;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60}.bootstrap-select.btn-group .dropdown-menu>.active>a,.bootstrap-select.btn-group .dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.bootstrap-select.btn-group .dropdown-menu>.active>a small,.bootstrap-select.btn-group .dropdown-menu>.active>a:active small{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.disabled>a{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu .divider{background:#ededed!important;margin:4px 1px!important}.bootstrap-select.btn-group .dropdown-menu dt{color:#8b8d8f;font-weight:400;padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li>a.opt{padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu li a:focus 
small,.bootstrap-select.btn-group .dropdown-menu li a:hover small{color:#9c9c9c}.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:hover small{color:#9c9c9c}.combobox-container.combobox-selected .glyphicon-remove{display:inline-block}.combobox-container .caret{margin-left:0}.combobox-container .combobox::-ms-clear{display:none}.combobox-container .dropdown-menu{margin-top:-1px;width:100%}.combobox-container .glyphicon-remove{display:none;top:auto;width:12px}.combobox-container .glyphicon-remove:before{content:"\e60b";font-family:PatternFlyIcons-webfont}.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;position:relative}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.combobox-container .input-group-addon:focus,.combobox-container .input-group-addon:hover,.open .dropdown-toggle.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.open .dropdown-toggle.combobox-container .input-group-addon{background-image:none}.combobox-container .input-group-addon.active.focus,.combobox-container .input-group-addon.active:focus,.combobox-container .input-group-addon.active:hover,.combobox-container .input-group-addon:active.focus,.combobox-container .input-group-addon:active:focus,.combobox-container .input-group-addon:active:hover,.open .dropdown-toggle.combobox-container .input-group-addon.focus,.open 
.dropdown-toggle.combobox-container .input-group-addon:focus,.open .dropdown-toggle.combobox-container .input-group-addon:hover{background-color:#e5e5e5;border-color:#a9a9a9}.combobox-container .input-group-addon.disabled,.combobox-container .input-group-addon.disabled.active,.combobox-container .input-group-addon.disabled:active,.combobox-container .input-group-addon.disabled:focus,.combobox-container .input-group-addon.disabled:hover,.combobox-container .input-group-addon[disabled],.combobox-container .input-group-addon[disabled].active,.combobox-container .input-group-addon[disabled]:active,.combobox-container .input-group-addon[disabled]:focus,.combobox-container .input-group-addon[disabled]:hover,fieldset[disabled] .combobox-container .input-group-addon,fieldset[disabled] .combobox-container .input-group-addon.active,fieldset[disabled] .combobox-container .input-group-addon:active,fieldset[disabled] .combobox-container .input-group-addon:focus,fieldset[disabled] .combobox-container .input-group-addon:hover{background-color:#f1f1f1;border-color:#bbb}.combobox-container .input-group-addon:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.treeview .list-group{border-top:0}.treeview .list-group-item{background:0 0;border-bottom:1px solid transparent!important;border-top:1px solid transparent!important;margin-bottom:0;padding:0 10px}.treeview .list-group-item:hover{background:#def3ff!important;border-color:#bee1f4!important}.treeview .list-group-item.node-selected{background:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.treeview span.icon{display:inline-block;font-size:13px;min-width:10px;text-align:center}.treeview span.icon>[class*=fa-angle]{font-size:15px}.treeview span.indent{margin-right:5px}.breadcrumb{padding-left:0}.breadcrumb>.active 
strong{font-weight:600}.breadcrumb>li{display:inline}.breadcrumb>li+li:before{color:#9c9c9c;content:"\f101";font-family:FontAwesome;font-size:11px;padding:0 9px 0 7px}.btn{-webkit-box-shadow:0 2px 3px rgba(3,3,3,.1);box-shadow:0 2px 3px rgba(3,3,3,.1)}.btn:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{background-color:#fafafa!important;background-image:none!important;border-color:#d1d1d1!important;color:#8b8d8f!important;opacity:1}.btn.disabled:active,.btn[disabled]:active,fieldset[disabled] .btn:active{-webkit-box-shadow:none;box-shadow:none}.btn.disabled.btn-link,.btn[disabled].btn-link,fieldset[disabled] .btn.btn-link{background-color:transparent!important;border:0}.btn-danger{background-color:#a30000;background-image:-webkit-linear-gradient(top,#c00 0,#a30000 100%);background-image:-o-linear-gradient(top,#c00 0,#a30000 100%);background-image:linear-gradient(to bottom,#c00 0,#a30000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffcc0000', endColorstr='#ffa30000', GradientType=0);border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.btn-danger:focus,.btn-danger:hover,.open .dropdown-toggle.btn-danger{background-color:#a30000;background-image:none;border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open .dropdown-toggle.btn-danger.focus,.open .dropdown-toggle.btn-danger:focus,.open 
.dropdown-toggle.btn-danger:hover{background-color:#8a0000;border-color:#670000}.btn-danger.disabled,.btn-danger.disabled.active,.btn-danger.disabled:active,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled],.btn-danger[disabled].active,.btn-danger[disabled]:active,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger.active,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#a30000;border-color:#8b0000}.btn-default{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.btn-default:focus,.btn-default:hover,.open .dropdown-toggle.btn-default{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open .dropdown-toggle.btn-default.focus,.open .dropdown-toggle.btn-default:focus,.open .dropdown-toggle.btn-default:hover{background-color:#e5e5e5;border-color:#a9a9a9}.btn-default.disabled,.btn-default.disabled.active,.btn-default.disabled:active,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled],.btn-default[disabled].active,.btn-default[disabled]:active,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default.active,fieldset[disabled] 
.btn-default:active,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#f1f1f1;border-color:#bbb}.btn-link,.btn-link:active{-webkit-box-shadow:none;box-shadow:none}.btn-primary{background-color:#0088ce;background-image:-webkit-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:-o-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:linear-gradient(to bottom,#39a5dc 0,#0088ce 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff39a5dc', endColorstr='#ff0088ce', GradientType=0);border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open .dropdown-toggle.btn-primary{background-color:#0088ce;background-image:none;border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open .dropdown-toggle.btn-primary.focus,.open .dropdown-toggle.btn-primary:focus,.open .dropdown-toggle.btn-primary:hover{background-color:#0077b5;border-color:#004e78}.btn-primary.disabled,.btn-primary.disabled.active,.btn-primary.disabled:active,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled],.btn-primary[disabled].active,.btn-primary[disabled]:active,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary.active,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#0088ce;border-color:#00659c}.btn-group-xs 
.btn,.btn-group-xs>.btn,.btn-xs{font-weight:400}.close{text-shadow:none;opacity:.6;filter:alpha(opacity=60)}.close:focus,.close:hover{opacity:.9;filter:alpha(opacity=90)}.ColVis_Button:active:focus{outline:0}.ColVis_catcher{position:absolute;z-index:999}.ColVis_collection{background-color:#fff;border:1px solid #bbb;border-radius:1px;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);background-clip:padding-box;list-style:none;margin:-1px 0 0 0;padding:5px 10px;width:150px;z-index:1000}.ColVis_collection label{font-weight:400;margin-bottom:5px;margin-top:5px;padding-left:20px}.ColVis_collectionBackground{background-color:#fff;height:100%;left:0;position:fixed;top:0;width:100%;z-index:998}.dataTables_header{background-color:#f5f5f5;border:1px solid #d1d1d1;border-bottom:none;padding:5px;position:relative;text-align:center}.dataTables_header .btn{-webkit-box-shadow:none;box-shadow:none}.dataTables_header .ColVis{position:absolute;right:5px;text-align:left;top:5px}.dataTables_header .ColVis+.dataTables_info{padding-right:30px}.dataTables_header .dataTables_filter{position:absolute}.dataTables_header .dataTables_filter input{border:1px solid #bbb;height:24px}@media (max-width:767px){.dataTables_header .dataTables_filter input{width:100px}}.dataTables_header .dataTables_info{padding:2px 0}@media (max-width:480px){.dataTables_header .dataTables_info{text-align:right}}.dataTables_header .dataTables_info b{font-weight:700}.dataTables_footer{background-color:#fff;border:1px solid #d1d1d1;border-top:none;overflow:hidden}.dataTables_paginate{background:#fafafa;float:right;margin:0}.dataTables_paginate .pagination{float:left;margin:0}.dataTables_paginate .pagination>li>span{border-color:#fff #d1d1d1 #f5f5f5;border-width:0 1px;font-size:16px;font-weight:400;padding:0;text-align:center;width:31px}.dataTables_paginate .pagination>li>span:focus,.dataTables_paginate 
.pagination>li>span:hover{filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination>li.last>span{border-right:none}.dataTables_paginate .pagination>li.disabled>span{background:#f5f5f5;border-left-color:#ededed;border-right-color:#ededed;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination-input{float:left;font-size:12px;line-height:1em;padding:4px 15px 0;text-align:right}.dataTables_paginate .pagination-input .paginate_input{border:1px solid #d1d1d1;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075);box-shadow:inset 0 1px 1px rgba(3,3,3,.075);font-size:12px;font-weight:600;height:19px;margin-right:8px;padding-right:3px;text-align:right;width:30px}.dataTables_paginate .pagination-input .paginate_of{position:relative}.dataTables_paginate .pagination-input .paginate_of b{margin-left:3px}.dataTables_wrapper{margin:20px 0}@media (max-width:767px){.dataTables_wrapper .table-responsive{margin-bottom:0}}.DTCR_clonedTable{background-color:rgba(255,255,255,.7);z-index:202}.DTCR_pointer{background-color:#0088ce;width:1px;z-index:201}table.datatable{margin-bottom:0;max-width:none!important}table.datatable thead .sorting,table.datatable thead .sorting_asc,table.datatable thead .sorting_asc_disabled,table.datatable thead .sorting_desc,table.datatable thead .sorting_desc_disabled{cursor:pointer}table.datatable thead .sorting_asc,table.datatable thead .sorting_desc{color:#0088ce!important;position:relative}table.datatable thead .sorting_asc:after,table.datatable thead .sorting_desc:after{content:"\f107";font-family:FontAwesome;font-size:10px;font-weight:400;height:9px;left:7px;line-height:12px;position:relative;top:2px;vertical-align:baseline;width:12px}table.datatable thead .sorting_asc:before,table.datatable thead .sorting_desc:before{background:#0088ce;content:'';height:2px;position:absolute;left:0;top:0;width:100%}table.datatable thead 
.sorting_asc:after{content:"\f106";top:-3px}table.datatable th:active{outline:0}.caret{font-family:FontAwesome;font-weight:400;height:9px;position:relative;vertical-align:baseline;width:12px}.caret:before{bottom:0;content:"\f107";left:0;line-height:12px;position:absolute;text-align:center;top:-1px;right:0}.dropup .caret:before{content:"\f106"}.dropdown-menu .divider{background-color:#ededed;height:1px;margin:4px 1px;overflow:hidden}.dropdown-menu>li>a{border-color:transparent;border-style:solid;border-width:1px 0;padding:1px 10px}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{border-color:#bee1f4;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>li>a:active{background-color:#0088ce;border-color:#0088ce;color:#fff!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{background-color:#0088ce!important;border-color:#0088ce!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-header{padding-left:10px;padding-right:10px;text-transform:uppercase}.btn-group>.dropdown-menu,.dropdown>.dropdown-menu,.input-group-btn>.dropdown-menu{margin-top:-1px}.dropup 
.dropdown-menu{margin-bottom:-1px}.dropdown-submenu{position:relative}.dropdown-submenu:hover>a{background-color:#def3ff;border-color:#bee1f4}.dropdown-submenu:hover>.dropdown-menu{display:block}.dropdown-submenu.pull-left{float:none!important}.dropdown-submenu.pull-left>.dropdown-menu{left:auto;margin-left:10px;right:100%}.dropdown-submenu>a{padding-right:20px!important}.dropdown-submenu>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:2px}.dropdown-submenu>.dropdown-menu{left:100%;margin-top:0;top:-6px}.dropup .dropdown-submenu>.dropdown-menu{bottom:-5px;top:auto}.open .dropdown-submenu.active>.dropdown-menu{display:block}.dropdown-kebab-pf .btn-link{color:#252525;font-size:16px;line-height:1;padding:4px 0}.dropdown-kebab-pf .btn-link:active,.dropdown-kebab-pf .btn-link:focus,.dropdown-kebab-pf .btn-link:hover{color:#0088ce}.dropdown-kebab-pf .dropdown-menu{left:-15px;margin-top:11px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right{left:auto;right:-15px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:after,.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:before{left:auto;right:6px}.dropdown-kebab-pf .dropdown-menu:after,.dropdown-kebab-pf .dropdown-menu:before{border-bottom-color:#bbb;border-bottom-style:solid;border-bottom-width:10px;border-left:10px solid transparent;border-right:10px solid transparent;content:"";display:inline-block;left:6px;position:absolute;top:-11px}.dropdown-kebab-pf .dropdown-menu:after{border-bottom-color:#fff;top:-10px}.dropdown-kebab-pf.dropup .dropdown-menu{margin-bottom:11px;margin-top:0}.dropdown-kebab-pf.dropup .dropdown-menu:after,.dropdown-kebab-pf.dropup .dropdown-menu:before{border-bottom:none;border-top-color:#bbb;border-top-style:solid;border-top-width:10px;bottom:-11px;top:auto}.dropdown-kebab-pf.dropup .dropdown-menu:after{border-top-color:#fff;bottom:-10px}@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;src:local('Open 
Sans'),local('OpenSans'),url(../fonts/open-sans/OpenSans-Regular.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:300;src:local('OpenSans-Light'),local('Open Sans Light'),url(../fonts/open-sans/OpenSans-Light.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:600;src:local('Open Sans Semibold'),local('OpenSans-Semibold'),url(../fonts/open-sans/OpenSans-Semibold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:700;src:local('Open Sans Bold'),local('OpenSans-Bold'),url(../fonts/open-sans/OpenSans-Bold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:800;src:local('Open Sans Extrabold'),local('OpenSans-Extrabold'),url(../fonts/open-sans/OpenSans-ExtraBold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:300;src:local('Open Sans Light Italic'),local('OpenSansLight-Italic'),url(../fonts/open-sans/OpenSans-LightItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:400;src:local('Open Sans Italic'),local('OpenSans-Italic'),url(../fonts/open-sans/OpenSans-Italic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:600;src:local('Open Sans Semibold Italic'),local('OpenSans-SemiboldItalic'),url(../fonts/open-sans/OpenSans-SemiboldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:700;src:local('Open Sans Bold Italic'),local('OpenSans-BoldItalic'),url(../fonts/open-sans/OpenSans-BoldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:800;src:local('Open Sans Extrabold Italic'),local('OpenSans-ExtraboldItalic'),url(../fonts/open-sans/OpenSans-ExtraBoldItalic.ttf) format('truetype')}.chars-remaining-pf 
span{font-weight:600;padding-right:5px}.chars-warn-remaining-pf{color:#c00}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f}.form-control[disabled]:hover,.form-control[readonly]:hover,fieldset[disabled] .form-control:hover{border-color:#bbb}.form-control:hover{border-color:#7dc3e8}.has-error .form-control:hover{border-color:#900}.has-success .form-control:hover{border-color:#2b542c}.has-warning .form-control:hover{border-color:#bb6106}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label,.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label,.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#363636}.help-block{margin-bottom:0}.input-group .input-group-btn .btn{-webkit-box-shadow:none;box-shadow:none}label{font-weight:600}.navbar-nav>li>.dropdown-menu.infotip{border-top-width:1px!important;margin-top:10px}@media (max-width:767px){.navbar-pf .navbar-nav .open .dropdown-menu.infotip{background-color:#fff!important;margin-top:0}}.infotip{min-width:235px;padding:0}.infotip .list-group{border-top:0;margin:0;padding:8px 0}.infotip .list-group .list-group-item{border:none;margin:0 15px 0 34px;padding:5px 0}.infotip .list-group .list-group-item>.i{color:#4d5258;font-size:13px;left:-20px;position:absolute;top:8px}.infotip .list-group .list-group-item>a{color:#4d5258;line-height:13px}.infotip .list-group 
.list-group-item>.close{float:right}.infotip .footer{background-color:#f5f5f5;padding:6px 15px}.infotip .footer a:hover{color:#0088ce}.infotip .arrow,.infotip .arrow:after{border-color:transparent;border-style:solid;display:block;height:0;position:absolute;width:0}.infotip .arrow{border-width:11px}.infotip .arrow:after{border-width:10px;content:""}.infotip.bottom .arrow,.infotip.bottom-left .arrow,.infotip.bottom-right .arrow{border-bottom-color:#999;border-bottom-color:#bbb;border-top-width:0;left:50%;margin-left:-11px;top:-11px}.infotip.bottom .arrow:after,.infotip.bottom-left .arrow:after,.infotip.bottom-right .arrow:after{border-top-width:0;border-bottom-color:#fff;content:" ";margin-left:-10px;top:1px}.infotip.bottom-left .arrow{left:20%}.infotip.bottom-right .arrow{left:80%}.infotip.top .arrow{border-bottom-width:0;border-top-color:#999;border-top-color:#bbb;bottom:-11px;left:50%;margin-left:-11px}.infotip.top .arrow:after{border-bottom-width:0;border-top-color:#f5f5f5;bottom:1px;content:" ";margin-left:-10px}.infotip.right .arrow{border-left-width:0;border-right-color:#999;border-right-color:#bbb;left:-11px;margin-top:-11px;top:50%}.infotip.right .arrow:after{bottom:-10px;border-left-width:0;border-right-color:#fff;content:" ";left:1px}.infotip.left .arrow{border-left-color:#999;border-left-color:#bbb;border-right-width:0;margin-top:-11px;right:-11px;top:50%}.infotip.left .arrow:after{border-left-color:#fff;border-right-width:0;bottom:-10px;content:" ";right:1px}.label{border-radius:0;font-size:100%;font-weight:600}h1 .label,h2 .label,h3 .label,h4 .label,h5 .label,h6 .label{font-size:75%}.list-group{border-top:1px solid #ededed}.list-group .list-group-item:first-child{border-top:0}.list-group-item{border-top:0;border-left:0;border-right:0;margin-bottom:0}.list-group-item-heading{font-weight:600}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{border-top:solid 1px 
#39a5dc;margin-top:-1px;z-index:auto}.list-group-item.active:first-child{border-top:1px solid #39a5dc!important;margin-top:-1px}.login-pf{height:100%}.login-pf #brand{position:relative;top:-70px}.login-pf #brand img{display:block;height:18px;margin:0 auto;max-width:100%}@media (min-width:768px){.login-pf #brand img{margin:0;text-align:left}}.login-pf #badge{display:block;margin:20px auto 70px;position:relative;text-align:center}@media (min-width:768px){.login-pf #badge{float:right;margin-right:64px;margin-top:50px}}.login-pf body{background:#030303 url(../img/bg-login.jpg) repeat-x 50% 0;background-size:auto}@media (min-width:768px){.login-pf body{background-size:100% auto}}.login-pf .container{background-color:rgba(255,255,255,.055);clear:right;color:#fff;padding-bottom:40px;padding-top:20px;width:auto}@media (min-width:768px){.login-pf .container{bottom:13%;padding-left:80px;position:absolute;width:100%}}.login-pf .container [class^=alert]{background:0 0;color:#fff}.login-pf .container .details p:first-child{border-top:1px solid rgba(255,255,255,.3);padding-top:25px;margin-top:25px}@media (min-width:768px){.login-pf .container .details{border-left:1px solid rgba(255,255,255,.3);padding-left:40px}.login-pf .container .details p:first-child{border-top:0;padding-top:0;margin-top:0}}.login-pf .container .details p{margin-bottom:2px}.login-pf .container .form-horizontal .control-label{font-size:13px;font-weight:400;text-align:left}.login-pf .container .form-horizontal .form-group:last-child,.login-pf .container .form-horizontal .form-group:last-child .help-block:last-child{margin-bottom:0}.login-pf .container .help-block{color:#fff}@media (min-width:768px){.login-pf .container .login{padding-right:40px}}.login-pf .container .submit{text-align:right}.modal-header{background-color:#f5f5f5;border-bottom:none;padding:10px 18px}.modal-header .close{margin-top:2px}.modal-title{font-size:13px;font-weight:700}.modal-footer{border-top:none;margin-top:15px;padding:14px 15px 
15px}.modal-footer>.btn{padding-left:10px;padding-right:10px}.modal-footer>.btn>.fa-angle-left{margin-right:5px}.modal-footer>.btn>.fa-angle-right{margin-left:5px}.navbar-pf{background:#030303;border:0;border-radius:0;border-top:3px solid #39a5dc;margin-bottom:0;min-height:0}.navbar-pf .navbar-brand{color:#f5f5f5;height:auto;padding:12px 0;margin:0 0 0 20px}.navbar-pf .navbar-brand img{display:block}.navbar-pf .navbar-collapse{border-top:0;-webkit-box-shadow:none;box-shadow:none;padding:0}.navbar-pf .navbar-header{border-bottom:1px solid #292929;float:none}.navbar-pf .navbar-nav{margin:0}.navbar-pf .navbar-nav>.active>a,.navbar-pf .navbar-nav>.active>a:focus,.navbar-pf .navbar-nav>.active>a:hover{background-color:#232323;color:#f5f5f5}.navbar-pf .navbar-nav>li>a{color:#d1d1d1;line-height:1;padding:10px 20px;text-shadow:none}.navbar-pf .navbar-nav>li>a:focus,.navbar-pf .navbar-nav>li>a:hover{color:#f5f5f5}.navbar-pf .navbar-nav>.open>a,.navbar-pf .navbar-nav>.open>a:focus,.navbar-pf .navbar-nav>.open>a:hover{background-color:#232323;color:#f5f5f5}@media (max-width:767px){.navbar-pf .navbar-nav .active .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent,.navbar-pf .navbar-nav .open .dropdown-menu{background-color:#171717!important;margin-left:0;padding-bottom:0;padding-top:0}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active 
.navbar-persistent>.active>a,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:hover{background-color:#1f1f1f!important;color:#f5f5f5}.navbar-pf .navbar-nav .active .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent>li>a,.navbar-pf .navbar-nav .open .dropdown-menu>li>a{background-color:transparent;border:0;color:#d1d1d1;outline:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu>li>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>li>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>li>a:hover{color:#f5f5f5}.navbar-pf .navbar-nav .active .dropdown-menu .divider,.navbar-pf .navbar-nav .active .navbar-persistent .divider,.navbar-pf .navbar-nav .open .dropdown-menu .divider{background-color:#292929;margin:0 1px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-header{padding-bottom:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open .dropdown-toggle{color:#f5f5f5}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.pull-left{float:none!important}.navbar-pf .navbar-nav 
.active .dropdown-menu .dropdown-submenu>a:after,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu>a:after{display:none}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-header{padding-left:45px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu{border:0;bottom:auto;-webkit-box-shadow:none;box-shadow:none;display:block;float:none;margin:0;min-width:0;padding:0;position:relative;left:auto;right:auto;top:auto}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu>li>a{padding:5px 15px 5px 45px;line-height:20px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a{padding-left:60px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-menu{display:block}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after{display:inline-block!important;position:relative;right:auto;top:1px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu{display:none}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-submenu>a:after{display:none!important}.navbar-pf .navbar-nav .context-bootstrap-select 
.open>.dropdown-menu{background-color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active small{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.disabled>a{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li>a.opt{border-bottom:1px solid transparent;border-top:1px solid transparent;color:#363636;padding-left:10px;padding-right:10px}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:focus small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:hover small{color:#9c9c9c}.navbar-pf .navbar-nav .context-bootstrap-select>.open>.dropdown-menu{padding-bottom:5px;padding-top:5px}}.navbar-pf .navbar-persistent{display:none}.navbar-pf .active>.navbar-persistent{display:block}.navbar-pf .navbar-primary{float:none}.navbar-pf .navbar-primary .context{border-bottom:1px solid #292929}.navbar-pf .navbar-primary .context.context-bootstrap-select 
.bootstrap-select.btn-group,.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group[class*=span]{margin:8px 20px 9px;width:auto}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a{position:relative}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{content:"\f107";display:inline-block;font-family:FontAwesome;font-weight:400}@media (max-width:767px){.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{height:10px;margin-left:4px;vertical-align:baseline}}.navbar-pf .navbar-toggle{border:0;margin:0;padding:10px 20px}.navbar-pf .navbar-toggle:focus,.navbar-pf .navbar-toggle:hover{background-color:transparent;outline:0}.navbar-pf .navbar-toggle:focus .icon-bar,.navbar-pf .navbar-toggle:hover .icon-bar{-webkit-box-shadow:0 0 3px #fff;box-shadow:0 0 3px #fff}.navbar-pf .navbar-toggle .icon-bar{background-color:#fff}.navbar-pf .navbar-utility{border-bottom:1px solid #292929}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:36px;position:relative}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:20px;position:absolute;top:10px}@media (max-width:767px){.navbar-pf .navbar-utility>li+li{border-top:1px solid #292929}}@media (min-width:768px){.navbar-pf .navbar-brand{padding:8px 0 7px}.navbar-pf .navbar-nav>li>a{padding-bottom:14px;padding-top:14px}.navbar-pf .navbar-persistent{font-size:14px}.navbar-pf .navbar-primary{font-size:14px;background-image:-webkit-linear-gradient(top,#1d1d1d 0,#030303 100%);background-image:-o-linear-gradient(top,#1d1d1d 0,#030303 100%);background-image:linear-gradient(to bottom,#1d1d1d 0,#030303 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff1d1d1d', endColorstr='#ff030303', GradientType=0)}.navbar-pf .navbar-primary.persistent-secondary .context .dropdown-menu{top:auto}.navbar-pf .navbar-primary.persistent-secondary .dropup 
.dropdown-menu{bottom:-5px;top:auto}.navbar-pf .navbar-primary.persistent-secondary>li{position:static}.navbar-pf .navbar-primary.persistent-secondary>li.active{margin-bottom:32px}.navbar-pf .navbar-primary.persistent-secondary>li.active>.navbar-persistent{display:block;left:0;position:absolute}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent{background:#f5f5f5;border-bottom:1px solid #d1d1d1;padding:0;width:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent a{text-decoration:none!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a:hover{color:#0088ce!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active .active>a{color:#f5f5f5}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu:hover>.dropdown-menu{display:none}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-menu{display:block;left:20px;margin-top:1px;top:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle{padding-right:35px!important}.navbar-pf 
.navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle:after{position:absolute;right:20px;top:10px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a:after,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a{background-color:transparent;display:block;line-height:1;padding:9px 20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle{padding-right:35px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle:after{font-size:15px;position:absolute;right:20px;top:9px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a:hover{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li a{color:#4d5258}.navbar-pf .navbar-primary>li>a{border-bottom:1px solid transparent;border-top:1px solid transparent;position:relative;margin:-1px 0 0}.navbar-pf .navbar-primary>li>a:hover{background-color:#1d1d1d;border-top-color:#5c5c5c;color:#d1d1d1;background-image:-webkit-linear-gradient(top,#363636 0,#1d1d1d 100%);background-image:-o-linear-gradient(top,#363636 0,#1d1d1d 100%);background-image:linear-gradient(to bottom,#363636 0,#1d1d1d 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff363636', endColorstr='#ff1d1d1d', GradientType=0)}.navbar-pf 
.navbar-primary>.active>a,.navbar-pf .navbar-primary>.active>a:focus,.navbar-pf .navbar-primary>.active>a:hover,.navbar-pf .navbar-primary>.open>a,.navbar-pf .navbar-primary>.open>a:focus,.navbar-pf .navbar-primary>.open>a:hover{background-color:#303030;border-bottom-color:#303030;border-top-color:#696969;-webkit-box-shadow:none;box-shadow:none;color:#f5f5f5;background-image:-webkit-linear-gradient(top,#434343 0,#303030 100%);background-image:-o-linear-gradient(top,#434343 0,#303030 100%);background-image:linear-gradient(to bottom,#434343 0,#303030 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff434343', endColorstr='#ff303030', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select .filter-option{max-width:160px;text-overflow:ellipsis}.navbar-pf .navbar-primary li.context.dropdown{border-bottom:0}.navbar-pf .navbar-primary li.context.context-bootstrap-select,.navbar-pf .navbar-primary li.context>a{background-color:#1f1f1f;border-bottom-color:#3e3e3e;border-right:1px solid #3e3e3e;border-top-color:#3b3b3b;font-weight:600;background-image:-webkit-linear-gradient(top,#323232 0,#1f1f1f 100%);background-image:-o-linear-gradient(top,#323232 0,#1f1f1f 100%);background-image:linear-gradient(to bottom,#323232 0,#1f1f1f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff323232', endColorstr='#ff1f1f1f', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select:hover,.navbar-pf .navbar-primary li.context>a:hover{background-color:#323232;border-bottom-color:#4a4a4a;border-right-color:#4a4a4a;border-top-color:#4a4a4a;background-image:-webkit-linear-gradient(top,#3f3f3f 0,#323232 100%);background-image:-o-linear-gradient(top,#3f3f3f 0,#323232 100%);background-image:linear-gradient(to bottom,#3f3f3f 0,#323232 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff3f3f3f', 
endColorstr='#ff323232', GradientType=0)}.navbar-pf .navbar-primary li.context.open>a{background-color:#454545;border-bottom-color:#575757;border-right-color:#575757;border-top-color:#5a5a5a;background-image:-webkit-linear-gradient(top,#4c4c4c 0,#454545 100%);background-image:-o-linear-gradient(top,#4c4c4c 0,#454545 100%);background-image:linear-gradient(to bottom,#4c4c4c 0,#454545 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff4c4c4c', endColorstr='#ff454545', GradientType=0)}.navbar-pf .navbar-utility{border-bottom:0;font-size:11px;position:absolute;right:0;top:0}.navbar-pf .navbar-utility>.active>a,.navbar-pf .navbar-utility>.active>a:focus,.navbar-pf .navbar-utility>.active>a:hover,.navbar-pf .navbar-utility>.open>a,.navbar-pf .navbar-utility>.open>a:focus,.navbar-pf .navbar-utility>.open>a:hover{background:#363636;color:#d1d1d1}.navbar-pf .navbar-utility>li>a{border-left:1px solid #2b2b2b;color:#d1d1d1!important;padding:7px 10px}.navbar-pf .navbar-utility>li>a:hover{background:#232323;border-left-color:#373737}.navbar-pf .navbar-utility>li.open>a{border-left-color:#444;color:#f5f5f5!important}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:26px}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:10px;top:7px}.navbar-pf .navbar-utility .open .dropdown-menu{left:auto;right:0}.navbar-pf .navbar-utility .open .dropdown-menu .dropdown-menu{left:auto;right:100%}.navbar-pf .navbar-utility .open .dropdown-menu{border-top-width:0}.navbar-pf .open .dropdown-submenu>.dropdown-menu,.navbar-pf .open.bootstrap-select .dropdown-menu{border-top-width:1px!important}}@media (max-width:360px){.navbar-pf .navbar-brand{margin-left:10px;width:75%}.navbar-pf .navbar-brand img{height:auto;max-width:100%}.navbar-pf .navbar-toggle{padding-left:0}}.drawer-pf{background-color:#fafafa;border:1px solid #d1d1d1;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px 
rgba(3,3,3,.175);overflow-y:auto;position:absolute;right:0;width:320px;z-index:2}.drawer-pf .panel{border-bottom:none;border-left:none;border-right:none}.drawer-pf .panel-group .panel-heading+.panel-collapse .panel-body{border-top:none;border-bottom:1px solid #d1d1d1;padding:0}.drawer-pf .panel-counter{display:block;font-style:italic;line-height:1.2;padding-left:18px;padding-top:5px}.drawer-pf .panel-heading{border-bottom:1px solid #d1d1d1}.drawer-pf .panel-group{bottom:0;margin-bottom:0;position:absolute;top:25px;width:100%}.drawer-pf .panel-title a{cursor:pointer;display:block}.drawer-pf.drawer-pf-expanded{left:270px;width:inherit}.drawer-pf.drawer-pf-expanded .drawer-pf-toggle-expand:before{content:"\f101"}.drawer-pf-toggle-expand{color:inherit;cursor:pointer;left:0;padding:2px 5px;position:absolute}.drawer-pf-toggle-expand:before{content:"\f100";font-family:FontAwesome}.drawer-pf-toggle-expand:focus,.drawer-pf-toggle-expand:hover{color:inherit;text-decoration:none}.drawer-pf-action .btn-link{color:#0088ce;padding:10px 0}.drawer-pf-action .btn-link:hover{color:#00659c}.drawer-pf-loading{color:#4d5258;font-size:14px;padding:20px 15px}.drawer-pf-notification{border-bottom:1px solid #d1d1d1;padding:15px}.drawer-pf-notification .date{border-right:1px solid #aaa;display:inline-block;line-height:1;margin-right:5px;padding-right:9px}.drawer-pf-notification .pficon{font-size:14px;margin-top:3px}.drawer-pf-notification:last-of-type{border-bottom:none}.drawer-pf-notification:hover{background-color:#def3ff}.drawer-pf-notification.unread .drawer-pf-notification-message{font-weight:700}.drawer-pf-notification.expanded-notification .date{border-right:none;padding-right:0}.drawer-pf-notification-info,.drawer-pf-notification-message{display:block;padding-left:27px;padding-right:19px}.expanded-notification .drawer-pf-notification-info,.expanded-notification .drawer-pf-notification-message{display:inline-block}.drawer-pf-notifications-non-clickable 
.drawer-pf-notification:hover{background-color:#fff}.drawer-pf-title{background-color:#fafafa;border-bottom:1px solid #d1d1d1;position:absolute;width:318px}.drawer-pf-title h3{font-size:12px;margin:0;padding:6px 15px}.navbar-pf-vertical .drawer-pf{height:calc(100vh - 80px);top:58px}.navbar-pf-vertical .nav .drawer-pf-trigger .drawer-pf-trigger-icon{border-left:1px solid #2b2b2b;border-right:1px solid #2b2b2b;padding-left:15px;padding-right:15px}.navbar-pf-vertical .nav .drawer-pf-trigger.open .drawer-pf-trigger-icon{background-color:#232323}.navbar-pf .drawer-pf{height:calc(100vh - 46px);top:26px}.navbar-pf .drawer-pf-trigger-icon{cursor:pointer}.pager li>a,.pager li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;font-weight:600;line-height:22px;padding:2px 14px}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>a:focus,.pager li>a:hover,.pager li>span.active,.pager li>span:active,.pager li>span:focus,.pager li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>span.active,.pager li>span:active{background-image:none}.open .dropdown-toggle.pager li>a.focus,.open .dropdown-toggle.pager li>a:focus,.open .dropdown-toggle.pager li>a:hover,.open .dropdown-toggle.pager li>span.focus,.open .dropdown-toggle.pager li>span:focus,.open .dropdown-toggle.pager li>span:hover,.pager li>a.active.focus,.pager li>a.active:focus,.pager li>a.active:hover,.pager li>a:active.focus,.pager li>a:active:focus,.pager 
li>a:active:hover,.pager li>span.active.focus,.pager li>span.active:focus,.pager li>span.active:hover,.pager li>span:active.focus,.pager li>span:active:focus,.pager li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pager li>a.disabled,.pager li>a.disabled.active,.pager li>a.disabled:active,.pager li>a.disabled:focus,.pager li>a.disabled:hover,.pager li>a[disabled],.pager li>a[disabled].active,.pager li>a[disabled]:active,.pager li>a[disabled]:focus,.pager li>a[disabled]:hover,.pager li>span.disabled,.pager li>span.disabled.active,.pager li>span.disabled:active,.pager li>span.disabled:focus,.pager li>span.disabled:hover,.pager li>span[disabled],.pager li>span[disabled].active,.pager li>span[disabled]:active,.pager li>span[disabled]:focus,.pager li>span[disabled]:hover,fieldset[disabled] .pager li>a,fieldset[disabled] .pager li>a.active,fieldset[disabled] .pager li>a:active,fieldset[disabled] .pager li>a:focus,fieldset[disabled] .pager li>a:hover,fieldset[disabled] .pager li>span,fieldset[disabled] .pager li>span.active,fieldset[disabled] .pager li>span:active,fieldset[disabled] .pager li>span:focus,fieldset[disabled] .pager li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pager li>a>.i,.pager li>span>.i{font-size:18px;vertical-align:top;margin:2px 0}.pager li>a:hover>a:focus{color:#4d5258}.pager li a:active{background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(3,3,3,.125);box-shadow:inset 0 3px 5px rgba(3,3,3,.125);outline:0}.pager .disabled>a,.pager .disabled>a:active,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{background:#f5f5f5;-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f;cursor:default}.pager .next>a>.i,.pager .next>span>.i{margin-left:5px}.pager .previous>a>.i,.pager .previous>span>.i{margin-right:5px}.pager-sm li>a,.pager-sm li>span{font-weight:400;line-height:16px;padding:1px 10px}.pager-sm li>a>.i,.pager-sm 
li>span>.i{font-size:12px}.pagination>li>a,.pagination>li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;cursor:default;font-weight:600;padding:2px 10px}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span.active,.pagination>li>span:active,.pagination>li>span:focus,.pagination>li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>span.active,.pagination>li>span:active{background-image:none}.open .dropdown-toggle.pagination>li>a.focus,.open .dropdown-toggle.pagination>li>a:focus,.open .dropdown-toggle.pagination>li>a:hover,.open .dropdown-toggle.pagination>li>span.focus,.open .dropdown-toggle.pagination>li>span:focus,.open 
.dropdown-toggle.pagination>li>span:hover,.pagination>li>a.active.focus,.pagination>li>a.active:focus,.pagination>li>a.active:hover,.pagination>li>a:active.focus,.pagination>li>a:active:focus,.pagination>li>a:active:hover,.pagination>li>span.active.focus,.pagination>li>span.active:focus,.pagination>li>span.active:hover,.pagination>li>span:active.focus,.pagination>li>span:active:focus,.pagination>li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pagination>li>a.disabled,.pagination>li>a.disabled.active,.pagination>li>a.disabled:active,.pagination>li>a.disabled:focus,.pagination>li>a.disabled:hover,.pagination>li>a[disabled],.pagination>li>a[disabled].active,.pagination>li>a[disabled]:active,.pagination>li>a[disabled]:focus,.pagination>li>a[disabled]:hover,.pagination>li>span.disabled,.pagination>li>span.disabled.active,.pagination>li>span.disabled:active,.pagination>li>span.disabled:focus,.pagination>li>span.disabled:hover,.pagination>li>span[disabled],.pagination>li>span[disabled].active,.pagination>li>span[disabled]:active,.pagination>li>span[disabled]:focus,.pagination>li>span[disabled]:hover,fieldset[disabled] .pagination>li>a,fieldset[disabled] .pagination>li>a.active,fieldset[disabled] .pagination>li>a:active,fieldset[disabled] .pagination>li>a:focus,fieldset[disabled] .pagination>li>a:hover,fieldset[disabled] .pagination>li>span,fieldset[disabled] .pagination>li>span.active,fieldset[disabled] .pagination>li>span:active,fieldset[disabled] .pagination>li>span:focus,fieldset[disabled] .pagination>li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pagination>li>a>.i,.pagination>li>span>.i{font-size:15px;vertical-align:top;margin:2px 0}.pagination>li>a:active,.pagination>li>span:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px 
rgba(3,3,3,.2)}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{background-color:#f1f1f1;border-color:#bbb;-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2);color:#4d5258;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{-webkit-box-shadow:none;box-shadow:none;cursor:default;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination-sm>li>a,.pagination-sm>li>span{padding:2px 6px;font-size:11px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:1px;border-top-left-radius:1px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:1px;border-top-right-radius:1px}.pagination-sm>li>a,.pagination-sm>li>span{font-weight:400}.pagination-sm>li>a>.i,.pagination-sm>li>span>.i{font-size:12px;margin-top:2px}.panel-title{font-weight:700}.panel-group .panel{color:#4d5258}.panel-group .panel+.panel{margin-top:-1px}.panel-group .panel-default{border-color:#bbb;border-top-color:#bbb}.panel-group .panel-heading{background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 
100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #d1d1d1}.panel-group .panel-title{font-weight:500;line-height:1}.panel-group .panel-title>a{color:#4d5258;font-weight:600}.panel-group .panel-title>a:before{content:"\f107";display:inline-block;font-family:FontAwesome;font-size:13px;margin-right:5px;text-align:center;vertical-align:0;width:8px}.panel-group .panel-title>a:focus{outline:0;text-decoration:none}.panel-group .panel-title>a:hover{text-decoration:none}.panel-group .panel-title>a.collapsed:before{content:"\f105"}.popover{-webkit-box-shadow:0 2px 2px rgba(3,3,3,.08);box-shadow:0 2px 2px rgba(3,3,3,.08);padding:0}.popover-content{color:#4d5258;line-height:18px;padding:10px 14px}.popover-title{border-bottom:none;border-radius:0;color:#4d5258;font-size:13px;font-weight:700;min-height:34px}.popover-title .close{height:22px;position:absolute;right:8px;top:6px}.popover-title.closable{padding-right:30px}@-webkit-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}.progress{-webkit-box-shadow:inset 0 0 1px rgba(3,3,3,.25);box-shadow:inset 0 0 1px rgba(3,3,3,.25)}.progress.progress-label-left,.progress.progress-label-top-right{overflow:visible;position:relative}.progress.progress-label-left{margin-left:40px}.progress.progress-sm{height:14px;margin-bottom:14px}.progress.progress-xs{height:6px;margin-bottom:6px}td>.progress:first-child:last-child{margin-bottom:0;margin-top:3px}.progress-bar{box-shadow:none}.progress-label-left .progress-bar span,.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar 
span{color:#363636;position:absolute;text-align:right}.progress-label-left .progress-bar span{font-size:14px;left:-40px;top:0;width:35px}.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{font-size:11px;overflow:hidden;right:0;text-overflow:ellipsis;white-space:nowrap}.progress-label-right .progress-bar span strong,.progress-label-top-right .progress-bar span strong{font-weight:600}.progress-label-right .progress-bar span{max-width:85px;top:0}.progress-label-top-right .progress-bar span{max-width:47%;top:-30px}.progress-label-left.progress-sm .progress-bar span,.progress-label-top-right.progress-sm .progress-bar span{font-size:12px}.progress-sm .progress-bar{line-height:14px}.progress-xs .progress-bar{line-height:6px}.progress-bar-remaining{background:0 0}.progress-container{position:relative}.progress-container.progress-description-left{padding-left:90px}.progress-container.progress-label-right{padding-right:90px}.progress-description{margin-bottom:10px;max-width:52%;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.progress-description .count{font-size:20px;font-weight:300;line-height:1;margin-right:5px}.progress-description .fa,.progress-description .pficon{font-size:14px;margin-right:3px}.progress-description-left .progress-description{left:0;margin-bottom:0;max-width:85px;position:absolute;top:0}.progress-description .tooltip{white-space:normal}.search-pf.has-button{border-collapse:separate;display:table}.search-pf.has-button .form-group{display:table-cell;width:100%}.search-pf.has-button .form-group .btn{-webkit-box-shadow:none;box-shadow:none;float:left;margin-left:-1px}.search-pf.has-button .form-group .btn.btn-lg{font-size:14.5px}.search-pf.has-button .form-group .btn.btn-sm{font-size:10.7px}.search-pf.has-button .form-group .form-control{float:left}.search-pf .has-clear .clear{background:0 
0;background:rgba(255,255,255,0);border:0;height:25px;line-height:1;padding:0;position:absolute;right:1px;top:1px;width:28px}.search-pf .has-clear .clear:focus{outline:0}.search-pf .has-clear .form-control{padding-right:30px}.search-pf .has-clear .form-control::-ms-clear{display:none}.search-pf .has-clear .input-lg+.clear{height:31px;width:28px}.search-pf .has-clear .input-sm+.clear{height:20px;width:28px}.search-pf .has-clear .input-sm+.clear span{font-size:10px}.search-pf .has-clear .search-pf-input-group{position:relative}.sidebar-header{border-bottom:1px solid #ececec;padding-bottom:11px;margin:50px 0 20px}.sidebar-header .actions{margin-top:-2px}.sidebar-pf .sidebar-header+.list-group{border-top:0;margin-top:-10px}.sidebar-pf .sidebar-header+.list-group .list-group-item{background:0 0;border-color:#ececec;padding-left:0}.sidebar-pf .sidebar-header+.list-group .list-group-item-heading{font-size:12px}.sidebar-pf .nav-category h2{color:#9c9c9c;font-size:12px;font-weight:400;line-height:21px;margin:0;padding:8px 0}.sidebar-pf .nav-category+.nav-category{margin-top:10px}.sidebar-pf .nav-pills>li.active>a{background:#0088ce!important;border-color:#0088ce!important;color:#fff}@media (min-width:768px){.sidebar-pf .nav-pills>li.active>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}.sidebar-pf .nav-pills>li.active>a .fa{color:#fff}.sidebar-pf .nav-pills>li>a{border-bottom:1px solid transparent;border-radius:0;border-top:1px solid transparent;color:#363636;font-size:13px;line-height:21px;padding:1px 20px}.sidebar-pf .nav-pills>li>a:hover{background:#def3ff;border-color:#bee1f4}.sidebar-pf .nav-pills>li>a .fa{color:#6a7079;font-size:15px;margin-right:10px;text-align:center;vertical-align:middle;width:15px}.sidebar-pf .nav-stacked{margin-left:-20px;margin-right:-20px}.sidebar-pf .nav-stacked li+li{margin-top:0}.sidebar-pf .panel{background:0 0}.sidebar-pf .panel-body{padding:6px 20px}.sidebar-pf .panel-body 
.nav-pills>li>a{padding-left:37px}.sidebar-pf .panel-heading{padding:9px 20px}.sidebar-pf .panel-title{font-size:12px}.sidebar-pf .panel-title>a:before{display:inline-block;margin-left:1px;margin-right:4px;width:9px}.sidebar-pf .panel-title>a.collapsed:before{margin-left:3px;margin-right:2px}@media (min-width:767px){.sidebar-header-bleed-left{margin-left:-20px}.sidebar-header-bleed-left>h2{margin-left:20px}.sidebar-header-bleed-right{margin-right:-20px}.sidebar-header-bleed-right .actions{margin-right:20px}.sidebar-header-bleed-right>h2{margin-right:20px}.sidebar-header-bleed-right+.list-group{margin-right:-20px}.sidebar-pf .panel-group .panel-default,.sidebar-pf .treeview{border-left:0;border-right:0;margin-left:-20px;margin-right:-20px}.sidebar-pf .treeview{margin-top:5px}.sidebar-pf .treeview .list-group-item{padding-left:20px;padding-right:20px}.sidebar-pf .treeview .list-group-item.node-selected:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}@media (min-width:768px){.sidebar-pf{background:#fafafa}.sidebar-pf.sidebar-pf-left{border-right:1px solid #d1d1d1}.sidebar-pf.sidebar-pf-right{border-left:1px solid #d1d1d1}.sidebar-pf>.nav-category,.sidebar-pf>.nav-stacked{margin-top:5px}}@-webkit-keyframes rotation{from{-webkit-transform:rotate(0)}to{-webkit-transform:rotate(359deg)}}@keyframes rotation{from{transform:rotate(0)}to{transform:rotate(359deg)}}.spinner{-webkit-animation:rotation .6s infinite linear;animation:rotation .6s infinite linear;border-bottom:4px solid rgba(3,3,3,.25);border-left:4px solid rgba(3,3,3,.25);border-right:4px solid rgba(3,3,3,.25);border-radius:100%;border-top:4px solid rgba(3,3,3,.75);height:24px;margin:0 
auto;position:relative;width:24px}.spinner.spinner-inline{display:inline-block;margin-right:3px}.spinner.spinner-lg{border-width:5px;height:30px;width:30px}.spinner.spinner-sm{border-width:3px;height:18px;width:18px}.spinner.spinner-xs{border-width:2px;height:12px;width:12px}.spinner.spinner-inverse{border-bottom-color:rgba(255,255,255,.25);border-left-color:rgba(255,255,255,.25);border-right-color:rgba(255,255,255,.25);border-top-color:rgba(255,255,255,.75)}.ie9 .spinner{background:url(../img/spinner.gif) no-repeat;border:0}.ie9 .spinner.spinner-inverse{background-image:url(../img/spinner-inverse.gif)}.ie9 .spinner.spinner-inverse-lg{background-image:url(../img/spinner-inverse-lg.gif)}.ie9 .spinner.spinner-inverse-sm{background-image:url(../img/spinner-inverse-sm.gif)}.ie9 .spinner.spinner-inverse-xs{background-image:url(../img/spinner-inverse-xs.gif)}.ie9 .spinner.spinner-lg{background-image:url(../img/spinner-lg.gif)}.ie9 .spinner.spinner-sm{background-image:url(../img/spinner-sm.gif)}.ie9 .spinner.spinner-xs{background-image:url(../img/spinner-xs.gif)}.prettyprint .atn,.prettyprint .com,.prettyprint .fun,.prettyprint .var{color:#3f9c35}.prettyprint .atv,.prettyprint .str{color:#a30000}.prettyprint .clo,.prettyprint .dec,.prettyprint .kwd,.prettyprint .opn,.prettyprint .pln,.prettyprint .pun{color:#363636}.prettyprint .lit,.prettyprint .tag,.prettyprint .typ{color:#00659c}.prettyprint ol.linenums{margin-bottom:0}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:2px 10px 3px}.table>tbody>tr>td>a:hover,.table>tbody>tr>th>a:hover,.table>tfoot>tr>td>a:hover,.table>tfoot>tr>th>a:hover,.table>thead>tr>td>a:hover,.table>thead>tr>th>a:hover{text-decoration:none}.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>th{font-family:'Open Sans';font-style:normal;font-weight:600}.table>thead{background-clip:padding-box;background-color:#f5f5f5;background-image:-webkit-linear-gradient(top,#fafafa 
0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.table-bordered{border:1px solid #d1d1d1}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #d1d1d1}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:1px}.table-striped>tbody>tr:nth-of-type(even){background-color:#f5f5f5}.table-striped>tbody>tr:nth-of-type(odd){background-color:transparent}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#def3ff;border-bottom-color:#7dc3e8}.table-treegrid span.indent{margin-left:10px;margin-right:10px}.table-treegrid span.icon{display:inline-block;font-size:13px;margin-right:5px;min-width:10px;text-align:center}.table-treegrid span.collapse-icon,.table-treegrid span.expand-icon{cursor:pointer}.table-treegrid>tbody>tr.odd{background-color:#f5f5f5}.nav-tabs{font-size:14px}.nav-tabs>li>a{color:#4d5258;margin-right:-1px;padding-bottom:5px;padding-top:5px}.nav-tabs>li>a:active,.nav-tabs>li>a:focus,.nav-tabs>li>a:hover{background:0 0;border-color:#ededed;color:#252525}.nav-tabs>li>.dropdown-menu{border-top:0;border-color:#ededed}.nav-tabs>li>.dropdown-menu.pull-right{right:-1px}.nav-tabs+.nav-tabs-pf{font-size:12px}.nav-tabs+.nav-tabs-pf>li:first-child>a{padding-left:15px}.nav-tabs+.nav-tabs-pf>li:first-child>a:before{left:15px!important}.nav-tabs .open>a,.nav-tabs .open>a:focus,.nav-tabs .open>a:hover{background-color:transparent;border-color:#ededed}@media (min-width:768px){.nav-tabs-pf.nav-justified{border-bottom:1px solid 
#ededed}}.nav-tabs-pf.nav-justified>li:first-child>a{padding-left:15px}.nav-tabs-pf.nav-justified>li>a{border-bottom:0}.nav-tabs-pf.nav-justified>li>a:before{left:0!important;right:0!important}.nav-tabs-pf>li{margin-bottom:0}.nav-tabs-pf>li.active>a:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li.active>a,.nav-tabs-pf>li.active>a:active,.nav-tabs-pf>li.active>a:focus,.nav-tabs-pf>li.active>a:hover{background-color:transparent;border:0!important;color:#0088ce}.nav-tabs-pf>li.active>a:active:before,.nav-tabs-pf>li.active>a:before,.nav-tabs-pf>li.active>a:focus:before,.nav-tabs-pf>li.active>a:hover:before{background:#0088ce}.nav-tabs-pf>li:first-child>a{padding-left:0}.nav-tabs-pf>li:first-child>a:before{left:0!important}.nav-tabs-pf>li>a{border:0;line-height:1;margin-right:0;padding-bottom:10px;padding-top:10px}.nav-tabs-pf>li>a:active:before,.nav-tabs-pf>li>a:focus:before,.nav-tabs-pf>li>a:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li>.dropdown-menu{left:15px;margin-top:1px}.nav-tabs-pf>li>.dropdown-menu.pull-right{left:auto;right:15px}.nav-tabs-pf .open>a,.nav-tabs-pf .open>a:focus,.nav-tabs-pf .open>a:hover{background-color:transparent}.tooltip{font-size:12px;line-height:1.4}.tooltip-inner{padding:7px 12px;text-align:left}.h1,.h2,h1,h2{font-weight:300}.page-header .actions{margin-top:8px}.page-header .actions a>.pficon{margin-right:4px}@media (min-width:767px){.page-header-bleed-left{margin-left:-20px}.page-header-bleed-right{margin-right:-20px}.page-header-bleed-right .actions{margin-right:20px}}
+\ No newline at end of file
++ */.bootstrap-select.btn-group,.bootstrap-select.btn-group[class*=span]{float:none;display:inline-block;margin-bottom:10px;margin-left:0}.form-horizontal .bootstrap-select.btn-group,.form-inline .bootstrap-select.btn-group,.form-search .bootstrap-select.btn-group{margin-bottom:0}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none}.bootstrap-select.btn-group.pull-right,.bootstrap-select.btn-group[class*=span].pull-right,.row-fluid .bootstrap-select.btn-group[class*=span].pull-right{float:right}.input-append .bootstrap-select.btn-group{margin-left:-1px}.input-prepend .bootstrap-select.btn-group{margin-right:-1px}.bootstrap-select:not([class*=span]):not([class*=col-]):not([class*=form-control]){width:220px}.bootstrap-select{width:220px\9}.bootstrap-select.form-control:not([class*=span]){width:100%}.bootstrap-select>.btn{width:100%}.error .bootstrap-select .btn{border:1px solid #b94a48}.dropdown-menu{z-index:2000}.bootstrap-select.show-menu-arrow.open>.btn{z-index:2051}.bootstrap-select .btn:focus{outline:thin dotted #333!important;outline:5px auto -webkit-focus-ring-color!important;outline-offset:-2px}.bootstrap-select.btn-group .btn .filter-option{overflow:hidden;position:absolute;left:12px;right:25px;text-align:left}.bootstrap-select.btn-group .btn .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.bootstrap-select.btn-group .dropdown-menu li.disabled>a,.bootstrap-select.btn-group>.disabled{cursor:not-allowed}.bootstrap-select.btn-group>.disabled:focus{outline:0!important}.bootstrap-select.btn-group[class*=span] .btn{width:100%}.bootstrap-select.btn-group .dropdown-menu{min-width:100%;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}.bootstrap-select.btn-group .dropdown-menu.inner{position:static;border:0;padding:0;margin:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.bootstrap-select.btn-group .dropdown-menu 
dt{display:block;padding:3px 20px;cursor:default}.bootstrap-select.btn-group .div-contain{overflow:hidden}.bootstrap-select.btn-group .dropdown-menu li{position:relative}.bootstrap-select.btn-group .dropdown-menu li>a.opt{position:relative;padding-left:35px}.bootstrap-select.btn-group .dropdown-menu li>a{cursor:pointer}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a i.check-mark{display:inline-block;position:absolute;right:15px;margin-top:2.5px}.bootstrap-select.btn-group .dropdown-menu li a i.check-mark{display:none}.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select.btn-group .dropdown-menu li small{padding-left:.5em}.bootstrap-select.btn-group .dropdown-menu li.active:not(.disabled)>a small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:hover small{color:#64b1d8;color:rgba(255,255,255,.4)}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.show-menu-arrow .dropdown-toggle:before{content:'';display:inline-block;border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid #CCC;border-bottom-color:rgba(0,0,0,.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle:after{content:'';display:inline-block;border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid #fff;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before{bottom:auto;top:-3px;border-top:7px solid #ccc;border-bottom:0;border-top-color:rgba(0,0,0,.2)}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after{bottom:auto;top:-3px;border-top:6px solid #fff;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right 
.dropdown-toggle:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:after,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:before{display:block}.bootstrap-select.btn-group .no-results{padding:3px;background:#f5f5f5;margin:0 5px}.mobile-device{position:absolute;top:0;left:0;display:block!important;width:100%;height:100%!important;opacity:0}.bootstrap-select.fit-width{width:auto!important}.bootstrap-select.btn-group.fit-width .btn .filter-option{position:static}.bootstrap-select.btn-group.fit-width .btn .caret{position:static;top:auto;margin-top:-1px}.control-group.error .bootstrap-select .dropdown-toggle{border-color:#b94a48}.bootstrap-select-searchbox{padding:4px 8px}.bootstrap-select-searchbox input{margin-bottom:0}.alert{border-width:1px;padding-left:47px;padding-right:14px;position:relative}.alert .alert-link{color:#0088ce}.alert .alert-link:hover{color:#00659c}.alert>.btn.pull-right{margin-top:-3px}.alert>.pficon{font-size:22px;position:absolute;left:13px;top:10px}.alert .close{opacity:.85;filter:alpha(opacity=85)}.alert .close:focus,.alert .close:hover{opacity:1;filter:alpha(opacity=100)}.alert .pficon-info{color:#4d5258}.alert-dismissable{padding-right:28px}.alert-dismissable .close{right:-13px;top:1px}.badge{margin-left:6px}.nav-pills>li>a>.badge{margin-left:6px}.bootstrap-select.btn-group.form-control{margin-bottom:0}.bootstrap-select.btn-group .btn{-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-select.btn-group .btn:hover{border-color:#7dc3e8}.bootstrap-select.btn-group .btn .caret{margin-top:-4px}.bootstrap-select.btn-group .btn:focus{border-color:#0088ce;outline:0!important;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px 
rgba(0,136,206,.6);box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6)}.has-error .bootstrap-select.btn-group .btn{border-color:#c00}.has-error .bootstrap-select.btn-group .btn:focus{border-color:#900;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33}.has-success .bootstrap-select.btn-group .btn{border-color:#3c763d}.has-success .bootstrap-select.btn-group .btn:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168}.has-warning .bootstrap-select.btn-group .btn{border-color:#ec7a08}.has-warning .bootstrap-select.btn-group .btn:focus{border-color:#bb6106;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60}.bootstrap-select.btn-group .dropdown-menu>.active>a,.bootstrap-select.btn-group .dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.bootstrap-select.btn-group .dropdown-menu>.active>a small,.bootstrap-select.btn-group .dropdown-menu>.active>a:active small{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.disabled>a{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu .divider{background:#ededed!important;margin:4px 1px!important}.bootstrap-select.btn-group .dropdown-menu dt{color:#8b8d8f;font-weight:400;padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li>a.opt{padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu li a:focus 
small,.bootstrap-select.btn-group .dropdown-menu li a:hover small{color:#9c9c9c}.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:hover small{color:#9c9c9c}.combobox-container.combobox-selected .glyphicon-remove{display:inline-block}.combobox-container .caret{margin-left:0}.combobox-container .combobox::-ms-clear{display:none}.combobox-container .dropdown-menu{margin-top:-1px;width:100%}.combobox-container .glyphicon-remove{display:none;top:auto;width:12px}.combobox-container .glyphicon-remove:before{content:"\e60b";font-family:PatternFlyIcons-webfont}.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;position:relative}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.combobox-container .input-group-addon:focus,.combobox-container .input-group-addon:hover,.open .dropdown-toggle.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.open .dropdown-toggle.combobox-container .input-group-addon{background-image:none}.combobox-container .input-group-addon.active.focus,.combobox-container .input-group-addon.active:focus,.combobox-container .input-group-addon.active:hover,.combobox-container .input-group-addon:active.focus,.combobox-container .input-group-addon:active:focus,.combobox-container .input-group-addon:active:hover,.open .dropdown-toggle.combobox-container .input-group-addon.focus,.open 
.dropdown-toggle.combobox-container .input-group-addon:focus,.open .dropdown-toggle.combobox-container .input-group-addon:hover{background-color:#e5e5e5;border-color:#a9a9a9}.combobox-container .input-group-addon.disabled,.combobox-container .input-group-addon.disabled.active,.combobox-container .input-group-addon.disabled:active,.combobox-container .input-group-addon.disabled:focus,.combobox-container .input-group-addon.disabled:hover,.combobox-container .input-group-addon[disabled],.combobox-container .input-group-addon[disabled].active,.combobox-container .input-group-addon[disabled]:active,.combobox-container .input-group-addon[disabled]:focus,.combobox-container .input-group-addon[disabled]:hover,fieldset[disabled] .combobox-container .input-group-addon,fieldset[disabled] .combobox-container .input-group-addon.active,fieldset[disabled] .combobox-container .input-group-addon:active,fieldset[disabled] .combobox-container .input-group-addon:focus,fieldset[disabled] .combobox-container .input-group-addon:hover{background-color:#f1f1f1;border-color:#bbb}.combobox-container .input-group-addon:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.treeview .list-group{border-top:0}.treeview .list-group-item{background:0 0;border-bottom:1px solid transparent!important;border-top:1px solid transparent!important;margin-bottom:0;padding:0 10px}.treeview .list-group-item:hover{background:#def3ff!important;border-color:#bee1f4!important}.treeview .list-group-item.node-selected{background:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.treeview span.icon{display:inline-block;font-size:13px;min-width:10px;text-align:center}.treeview span.icon>[class*=fa-angle]{font-size:15px}.treeview span.indent{margin-right:5px}.breadcrumb{padding-left:0}.breadcrumb>.active 
strong{font-weight:600}.breadcrumb>li{display:inline}.breadcrumb>li+li:before{color:#9c9c9c;content:"\f101";font-family:FontAwesome;font-size:11px;padding:0 9px 0 7px}.btn{-webkit-box-shadow:0 2px 3px rgba(3,3,3,.1);box-shadow:0 2px 3px rgba(3,3,3,.1)}.btn:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{background-color:#fafafa!important;background-image:none!important;border-color:#d1d1d1!important;color:#8b8d8f!important;opacity:1}.btn.disabled:active,.btn[disabled]:active,fieldset[disabled] .btn:active{-webkit-box-shadow:none;box-shadow:none}.btn.disabled.btn-link,.btn[disabled].btn-link,fieldset[disabled] .btn.btn-link{background-color:transparent!important;border:0}.btn-danger{background-color:#a30000;background-image:-webkit-linear-gradient(top,#c00 0,#a30000 100%);background-image:-o-linear-gradient(top,#c00 0,#a30000 100%);background-image:linear-gradient(to bottom,#c00 0,#a30000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffcc0000', endColorstr='#ffa30000', GradientType=0);border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.btn-danger:focus,.btn-danger:hover,.open .dropdown-toggle.btn-danger{background-color:#a30000;background-image:none;border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open .dropdown-toggle.btn-danger.focus,.open .dropdown-toggle.btn-danger:focus,.open 
.dropdown-toggle.btn-danger:hover{background-color:#8a0000;border-color:#670000}.btn-danger.disabled,.btn-danger.disabled.active,.btn-danger.disabled:active,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled],.btn-danger[disabled].active,.btn-danger[disabled]:active,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger.active,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#a30000;border-color:#8b0000}.btn-default{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.btn-default:focus,.btn-default:hover,.open .dropdown-toggle.btn-default{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open .dropdown-toggle.btn-default.focus,.open .dropdown-toggle.btn-default:focus,.open .dropdown-toggle.btn-default:hover{background-color:#e5e5e5;border-color:#a9a9a9}.btn-default.disabled,.btn-default.disabled.active,.btn-default.disabled:active,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled],.btn-default[disabled].active,.btn-default[disabled]:active,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default.active,fieldset[disabled] 
.btn-default:active,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#f1f1f1;border-color:#bbb}.btn-link,.btn-link:active{-webkit-box-shadow:none;box-shadow:none}.btn-primary{background-color:#0088ce;background-image:-webkit-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:-o-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:linear-gradient(to bottom,#39a5dc 0,#0088ce 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff39a5dc', endColorstr='#ff0088ce', GradientType=0);border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open .dropdown-toggle.btn-primary{background-color:#0088ce;background-image:none;border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open .dropdown-toggle.btn-primary.focus,.open .dropdown-toggle.btn-primary:focus,.open .dropdown-toggle.btn-primary:hover{background-color:#0077b5;border-color:#004e78}.btn-primary.disabled,.btn-primary.disabled.active,.btn-primary.disabled:active,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled],.btn-primary[disabled].active,.btn-primary[disabled]:active,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary.active,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#0088ce;border-color:#00659c}.btn-group-xs 
.btn,.btn-group-xs>.btn,.btn-xs{font-weight:400}.close{text-shadow:none;opacity:.6;filter:alpha(opacity=60)}.close:focus,.close:hover{opacity:.9;filter:alpha(opacity=90)}.ColVis_Button:active:focus{outline:0}.ColVis_catcher{position:absolute;z-index:999}.ColVis_collection{background-color:#fff;border:1px solid #bbb;border-radius:1px;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);background-clip:padding-box;list-style:none;margin:-1px 0 0 0;padding:5px 10px;width:150px;z-index:1000}.ColVis_collection label{font-weight:400;margin-bottom:5px;margin-top:5px;padding-left:20px}.ColVis_collectionBackground{background-color:#fff;height:100%;left:0;position:fixed;top:0;width:100%;z-index:998}.dataTables_header{background-color:#f5f5f5;border:1px solid #d1d1d1;border-bottom:none;padding:5px;position:relative;text-align:center}.dataTables_header .btn{-webkit-box-shadow:none;box-shadow:none}.dataTables_header .ColVis{position:absolute;right:5px;text-align:left;top:5px}.dataTables_header .ColVis+.dataTables_info{padding-right:30px}.dataTables_header .dataTables_filter{position:absolute}.dataTables_header .dataTables_filter input{border:1px solid #bbb;height:24px}@media (max-width:767px){.dataTables_header .dataTables_filter input{width:100px}}.dataTables_header .dataTables_info{padding:2px 0}@media (max-width:480px){.dataTables_header .dataTables_info{text-align:right}}.dataTables_header .dataTables_info b{font-weight:700}.dataTables_footer{background-color:#fff;border:1px solid #d1d1d1;border-top:none;overflow:hidden}.dataTables_paginate{background:#fafafa;float:right;margin:0}.dataTables_paginate .pagination{float:left;margin:0}.dataTables_paginate .pagination>li>span{border-color:#fff #d1d1d1 #f5f5f5;border-width:0 1px;font-size:16px;font-weight:400;padding:0;text-align:center;width:31px}.dataTables_paginate .pagination>li>span:focus,.dataTables_paginate 
.pagination>li>span:hover{filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination>li.last>span{border-right:none}.dataTables_paginate .pagination>li.disabled>span{background:#f5f5f5;border-left-color:#ededed;border-right-color:#ededed;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination-input{float:left;font-size:12px;line-height:1em;padding:4px 15px 0;text-align:right}.dataTables_paginate .pagination-input .paginate_input{border:1px solid #d1d1d1;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075);box-shadow:inset 0 1px 1px rgba(3,3,3,.075);font-size:12px;font-weight:600;height:19px;margin-right:8px;padding-right:3px;text-align:right;width:30px}.dataTables_paginate .pagination-input .paginate_of{position:relative}.dataTables_paginate .pagination-input .paginate_of b{margin-left:3px}.dataTables_wrapper{margin:20px 0}@media (max-width:767px){.dataTables_wrapper .table-responsive{margin-bottom:0}}.DTCR_clonedTable{background-color:rgba(255,255,255,.7);z-index:202}.DTCR_pointer{background-color:#0088ce;width:1px;z-index:201}table.datatable{margin-bottom:0;max-width:none!important}table.datatable thead .sorting,table.datatable thead .sorting_asc,table.datatable thead .sorting_asc_disabled,table.datatable thead .sorting_desc,table.datatable thead .sorting_desc_disabled{cursor:pointer}table.datatable thead .sorting_asc,table.datatable thead .sorting_desc{color:#0088ce!important;position:relative}table.datatable thead .sorting_asc:after,table.datatable thead .sorting_desc:after{content:"\f107";font-family:FontAwesome;font-size:10px;font-weight:400;height:9px;left:7px;line-height:12px;position:relative;top:2px;vertical-align:baseline;width:12px}table.datatable thead .sorting_asc:before,table.datatable thead .sorting_desc:before{background:#0088ce;content:'';height:2px;position:absolute;left:0;top:0;width:100%}table.datatable thead 
.sorting_asc:after{content:"\f106";top:-3px}table.datatable th:active{outline:0}.caret{font-family:FontAwesome;font-weight:400;height:9px;position:relative;vertical-align:baseline;width:12px}.caret:before{bottom:0;content:"\f107";left:0;line-height:12px;position:absolute;text-align:center;top:-1px;right:0}.dropup .caret:before{content:"\f106"}.dropdown-menu .divider{background-color:#ededed;height:1px;margin:4px 1px;overflow:hidden}.dropdown-menu>li>a{border-color:transparent;border-style:solid;border-width:1px 0;padding:1px 10px}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{border-color:#bee1f4;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>li>a:active{background-color:#0088ce;border-color:#0088ce;color:#fff!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{background-color:#0088ce!important;border-color:#0088ce!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-header{padding-left:10px;padding-right:10px;text-transform:uppercase}.btn-group>.dropdown-menu,.dropdown>.dropdown-menu,.input-group-btn>.dropdown-menu{margin-top:-1px}.dropup 
.dropdown-menu{margin-bottom:-1px}.dropdown-submenu{position:relative}.dropdown-submenu:hover>a{background-color:#def3ff;border-color:#bee1f4}.dropdown-submenu:hover>.dropdown-menu{display:block}.dropdown-submenu.pull-left{float:none!important}.dropdown-submenu.pull-left>.dropdown-menu{left:auto;margin-left:10px;right:100%}.dropdown-submenu>a{padding-right:20px!important}.dropdown-submenu>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:2px}.dropdown-submenu>.dropdown-menu{left:100%;margin-top:0;top:-6px}.dropup .dropdown-submenu>.dropdown-menu{bottom:-5px;top:auto}.open .dropdown-submenu.active>.dropdown-menu{display:block}.dropdown-kebab-pf .btn-link{color:#252525;font-size:16px;line-height:1;padding:4px 0}.dropdown-kebab-pf .btn-link:active,.dropdown-kebab-pf .btn-link:focus,.dropdown-kebab-pf .btn-link:hover{color:#0088ce}.dropdown-kebab-pf .dropdown-menu{left:-15px;margin-top:11px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right{left:auto;right:-15px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:after,.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:before{left:auto;right:6px}.dropdown-kebab-pf .dropdown-menu:after,.dropdown-kebab-pf .dropdown-menu:before{border-bottom-color:#bbb;border-bottom-style:solid;border-bottom-width:10px;border-left:10px solid transparent;border-right:10px solid transparent;content:"";display:inline-block;left:6px;position:absolute;top:-11px}.dropdown-kebab-pf .dropdown-menu:after{border-bottom-color:#fff;top:-10px}.dropdown-kebab-pf.dropup .dropdown-menu{margin-bottom:11px;margin-top:0}.dropdown-kebab-pf.dropup .dropdown-menu:after,.dropdown-kebab-pf.dropup .dropdown-menu:before{border-bottom:none;border-top-color:#bbb;border-top-style:solid;border-top-width:10px;bottom:-11px;top:auto}.dropdown-kebab-pf.dropup .dropdown-menu:after{border-top-color:#fff;bottom:-10px}@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;src:local('Open 
Sans'),local('OpenSans'),url(../fonts/open-sans/OpenSans-Regular.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:300;src:local('OpenSans-Light'),local('Open Sans Light'),url(../fonts/open-sans/OpenSans-Light.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:600;src:local('Open Sans Semibold'),local('OpenSans-Semibold'),url(../fonts/open-sans/OpenSans-Semibold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:700;src:local('Open Sans Bold'),local('OpenSans-Bold'),url(../fonts/open-sans/OpenSans-Bold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:800;src:local('Open Sans Extrabold'),local('OpenSans-Extrabold'),url(../fonts/open-sans/OpenSans-ExtraBold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:300;src:local('Open Sans Light Italic'),local('OpenSansLight-Italic'),url(../fonts/open-sans/OpenSans-LightItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:400;src:local('Open Sans Italic'),local('OpenSans-Italic'),url(../fonts/open-sans/OpenSans-Italic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:600;src:local('Open Sans Semibold Italic'),local('OpenSans-SemiboldItalic'),url(../fonts/open-sans/OpenSans-SemiboldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:700;src:local('Open Sans Bold Italic'),local('OpenSans-BoldItalic'),url(../fonts/open-sans/OpenSans-BoldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:800;src:local('Open Sans Extrabold Italic'),local('OpenSans-ExtraboldItalic'),url(../fonts/open-sans/OpenSans-ExtraBoldItalic.ttf) format('truetype')}.chars-remaining-pf 
span{font-weight:600;padding-right:5px}.chars-warn-remaining-pf{color:#c00}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f}.form-control[disabled]:hover,.form-control[readonly]:hover,fieldset[disabled] .form-control:hover{border-color:#bbb}.form-control:hover{border-color:#7dc3e8}.has-error .form-control:hover{border-color:#900}.has-success .form-control:hover{border-color:#2b542c}.has-warning .form-control:hover{border-color:#bb6106}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label,.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label,.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#363636}.help-block{margin-bottom:0}.input-group .input-group-btn .btn{-webkit-box-shadow:none;box-shadow:none}label{font-weight:600}.navbar-nav>li>.dropdown-menu.infotip{border-top-width:1px!important;margin-top:10px}@media (max-width:767px){.navbar-pf .navbar-nav .open .dropdown-menu.infotip{background-color:#fff!important;margin-top:0}}.infotip{min-width:235px;padding:0}.infotip .list-group{border-top:0;margin:0;padding:8px 0}.infotip .list-group .list-group-item{border:none;margin:0 15px 0 34px;padding:5px 0}.infotip .list-group .list-group-item>.i{color:#4d5258;font-size:13px;left:-20px;position:absolute;top:8px}.infotip .list-group .list-group-item>a{color:#4d5258;line-height:13px}.infotip .list-group 
.list-group-item>.close{float:right}.infotip .footer{background-color:#f5f5f5;padding:6px 15px}.infotip .footer a:hover{color:#0088ce}.infotip .arrow,.infotip .arrow:after{border-color:transparent;border-style:solid;display:block;height:0;position:absolute;width:0}.infotip .arrow{border-width:11px}.infotip .arrow:after{border-width:10px;content:""}.infotip.bottom .arrow,.infotip.bottom-left .arrow,.infotip.bottom-right .arrow{border-bottom-color:#999;border-bottom-color:#bbb;border-top-width:0;left:50%;margin-left:-11px;top:-11px}.infotip.bottom .arrow:after,.infotip.bottom-left .arrow:after,.infotip.bottom-right .arrow:after{border-top-width:0;border-bottom-color:#fff;content:" ";margin-left:-10px;top:1px}.infotip.bottom-left .arrow{left:20%}.infotip.bottom-right .arrow{left:80%}.infotip.top .arrow{border-bottom-width:0;border-top-color:#999;border-top-color:#bbb;bottom:-11px;left:50%;margin-left:-11px}.infotip.top .arrow:after{border-bottom-width:0;border-top-color:#f5f5f5;bottom:1px;content:" ";margin-left:-10px}.infotip.right .arrow{border-left-width:0;border-right-color:#999;border-right-color:#bbb;left:-11px;margin-top:-11px;top:50%}.infotip.right .arrow:after{bottom:-10px;border-left-width:0;border-right-color:#fff;content:" ";left:1px}.infotip.left .arrow{border-left-color:#999;border-left-color:#bbb;border-right-width:0;margin-top:-11px;right:-11px;top:50%}.infotip.left .arrow:after{border-left-color:#fff;border-right-width:0;bottom:-10px;content:" ";right:1px}.label{border-radius:0;font-size:100%;font-weight:600}h1 .label,h2 .label,h3 .label,h4 .label,h5 .label,h6 .label{font-size:75%}.list-group{border-top:1px solid #ededed}.list-group .list-group-item:first-child{border-top:0}.list-group-item{border-top:0;border-left:0;border-right:0;margin-bottom:0}.list-group-item-heading{font-weight:600}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{border-top:solid 1px 
#39a5dc;margin-top:-1px;z-index:auto}.list-group-item.active:first-child{border-top:1px solid #39a5dc!important;margin-top:-1px}.login-pf{height:100%}.login-pf #brand{position:relative;top:-70px}.login-pf #brand img{display:block;height:18px;margin:0 auto;max-width:100%}@media (min-width:768px){.login-pf #brand img{margin:0;text-align:left}}.login-pf #badge{display:block;margin:20px auto 70px;position:relative;text-align:center}@media (min-width:768px){.login-pf #badge{float:right;margin-right:64px;margin-top:50px}}.login-pf body{background:#1a1a1a url(../img/bg-login.jpg) repeat-x 50% 0;background-size:auto}@media (min-width:768px){.login-pf body{background-size:100% auto}}.login-pf .container{background-color:transparent;clear:right;color:#fff;padding-bottom:40px;padding-top:20px;width:auto}@media (min-width:768px){.login-pf .container{bottom:13%;padding-left:80px;position:absolute;width:100%}}.login-pf .container [class^=alert]{background:0 0;color:#fff}.login-pf .container .details p:first-child{border-top:1px solid rgba(255,255,255,.3);padding-top:25px;margin-top:25px}@media (min-width:768px){.login-pf .container .details{border-left:1px solid rgba(255,255,255,.3);padding-left:40px}.login-pf .container .details p:first-child{border-top:0;padding-top:0;margin-top:0}}.login-pf .container .details p{margin-bottom:2px}.login-pf .container .form-horizontal .control-label{font-size:13px;font-weight:400;text-align:left}.login-pf .container .form-horizontal .form-group:last-child,.login-pf .container .form-horizontal .form-group:last-child .help-block:last-child{margin-bottom:0}.login-pf .container .help-block{color:#fff}@media (min-width:768px){.login-pf .container .login{padding-right:40px}}.login-pf .container .submit{text-align:right}.modal-header{background-color:#f5f5f5;border-bottom:none;padding:10px 18px}.modal-header .close{margin-top:2px}.modal-title{font-size:13px;font-weight:700}.modal-footer{border-top:none;margin-top:15px;padding:14px 15px 
15px}.modal-footer>.btn{padding-left:10px;padding-right:10px}.modal-footer>.btn>.fa-angle-left{margin-right:5px}.modal-footer>.btn>.fa-angle-right{margin-left:5px}.navbar-pf{background:#393F45;border:0;border-radius:0;border-top:3px solid #c00;margin-bottom:0;min-height:0}.navbar-pf .navbar-brand{color:#fff;height:auto;padding:12px 0;margin:0 0 0 20px}.navbar-pf .navbar-brand img{display:block}.navbar-pf .navbar-collapse{border-top:0;-webkit-box-shadow:none;box-shadow:none;padding:0}.navbar-pf .navbar-header{border-bottom:1px solid #53565b;float:none}.navbar-pf .navbar-nav{margin:0}.navbar-pf .navbar-nav>.active>a,.navbar-pf .navbar-nav>.active>a:focus,.navbar-pf .navbar-nav>.active>a:hover{background-color:#454C53;color:#fff}.navbar-pf .navbar-nav>li>a{color:#dbdada;line-height:1;padding:10px 20px;text-shadow:none}.navbar-pf .navbar-nav>li>a:focus,.navbar-pf .navbar-nav>li>a:hover{color:#fff}.navbar-pf .navbar-nav>.open>a,.navbar-pf .navbar-nav>.open>a:focus,.navbar-pf .navbar-nav>.open>a:hover{background-color:#454C53;color:#fff}@media (max-width:767px){.navbar-pf .navbar-nav .active .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent,.navbar-pf .navbar-nav .open .dropdown-menu{background-color:#3c434a!important;margin-left:0;padding-bottom:0;padding-top:0}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active 
.navbar-persistent>.active>a,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:hover{background-color:#424950!important;color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent>li>a,.navbar-pf .navbar-nav .open .dropdown-menu>li>a{background-color:transparent;border:0;color:#dbdada;outline:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu>li>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>li>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>li>a:hover{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .divider,.navbar-pf .navbar-nav .active .navbar-persistent .divider,.navbar-pf .navbar-nav .open .dropdown-menu .divider{background-color:#53565b;margin:0 1px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-header{padding-bottom:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open .dropdown-toggle{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.pull-left{float:none!important}.navbar-pf .navbar-nav .active 
.dropdown-menu .dropdown-submenu>a:after,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu>a:after{display:none}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-header{padding-left:45px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu{border:0;bottom:auto;-webkit-box-shadow:none;box-shadow:none;display:block;float:none;margin:0;min-width:0;padding:0;position:relative;left:auto;right:auto;top:auto}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu>li>a{padding:5px 15px 5px 45px;line-height:20px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a{padding-left:60px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-menu{display:block}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after{display:inline-block!important;position:relative;right:auto;top:1px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu{display:none}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-submenu>a:after{display:none!important}.navbar-pf .navbar-nav .context-bootstrap-select 
.open>.dropdown-menu{background-color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active small{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.disabled>a{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li>a.opt{border-bottom:1px solid transparent;border-top:1px solid transparent;color:#363636;padding-left:10px;padding-right:10px}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:focus small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:hover small{color:#9c9c9c}.navbar-pf .navbar-nav .context-bootstrap-select>.open>.dropdown-menu{padding-bottom:5px;padding-top:5px}}.navbar-pf .navbar-persistent{display:none}.navbar-pf .active>.navbar-persistent{display:block}.navbar-pf .navbar-primary{float:none}.navbar-pf .navbar-primary .context{border-bottom:1px solid #53565b}.navbar-pf .navbar-primary .context.context-bootstrap-select 
.bootstrap-select.btn-group,.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group[class*=span]{margin:8px 20px 9px;width:auto}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a{position:relative}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{content:"\f107";display:inline-block;font-family:FontAwesome;font-weight:400}@media (max-width:767px){.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{height:10px;margin-left:4px;vertical-align:baseline}}.navbar-pf .navbar-toggle{border:0;margin:0;padding:10px 20px}.navbar-pf .navbar-toggle:focus,.navbar-pf .navbar-toggle:hover{background-color:transparent;outline:0}.navbar-pf .navbar-toggle:focus .icon-bar,.navbar-pf .navbar-toggle:hover .icon-bar{-webkit-box-shadow:0 0 3px #fff;box-shadow:0 0 3px #fff}.navbar-pf .navbar-toggle .icon-bar{background-color:#fff}.navbar-pf .navbar-utility{border-bottom:1px solid #53565b}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:36px;position:relative}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:20px;position:absolute;top:10px}@media (max-width:767px){.navbar-pf .navbar-utility>li+li{border-top:1px solid #53565b}}@media (min-width:768px){.navbar-pf .navbar-brand{padding:7px 0 8px}.navbar-pf .navbar-nav>li>a{padding-bottom:14px;padding-top:14px}.navbar-pf .navbar-persistent{font-size:14px}.navbar-pf .navbar-primary{font-size:14px;background-image:-webkit-linear-gradient(top,#474c50 0,#383f43 100%);background-image:-o-linear-gradient(top,#474c50 0,#383f43 100%);background-image:linear-gradient(to bottom,#474c50 0,#383f43 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff474c50', endColorstr='#ff383f43', GradientType=0)}.navbar-pf .navbar-primary.persistent-secondary .context .dropdown-menu{top:auto}.navbar-pf .navbar-primary.persistent-secondary .dropup 
.dropdown-menu{bottom:-5px;top:auto}.navbar-pf .navbar-primary.persistent-secondary>li{position:static}.navbar-pf .navbar-primary.persistent-secondary>li.active{margin-bottom:32px}.navbar-pf .navbar-primary.persistent-secondary>li.active>.navbar-persistent{display:block;left:0;position:absolute}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent{background:#f6f6f6;border-bottom:1px solid #cecdcd;padding:0;width:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent a{text-decoration:none!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a:hover{color:#0088ce!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active .active>a{color:#fff}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu:hover>.dropdown-menu{display:none}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-menu{display:block;left:20px;margin-top:1px;top:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle{padding-right:35px!important}.navbar-pf 
.navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle:after{position:absolute;right:20px;top:10px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a:after,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a{background-color:transparent;display:block;line-height:1;padding:9px 20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle{padding-right:35px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle:after{font-size:15px;position:absolute;right:20px;top:9px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a:hover{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li a{color:#4d5258}.navbar-pf .navbar-primary>li>a{border-bottom:1px solid transparent;border-top:1px solid transparent;position:relative;margin:-1px 0 0}.navbar-pf .navbar-primary>li>a:hover{background-color:#4b5053;border-top-color:#949699;color:#dbdada;background-image:-webkit-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:-o-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:linear-gradient(to bottom,#5c6165 0,#4b5053 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5c6165', endColorstr='#ff4b5053', GradientType=0)}.navbar-pf 
.navbar-primary>.active>a,.navbar-pf .navbar-primary>.active>a:focus,.navbar-pf .navbar-primary>.active>a:hover,.navbar-pf .navbar-primary>.open>a,.navbar-pf .navbar-primary>.open>a:focus,.navbar-pf .navbar-primary>.open>a:hover{background-color:#64686c;border-bottom-color:#64686c;border-top-color:#949699;-webkit-box-shadow:none;box-shadow:none;color:#fff;background-image:-webkit-linear-gradient(top,#72757a 0,#64686c 100%);background-image:-o-linear-gradient(top,#72757a 0,#64686c 100%);background-image:linear-gradient(to bottom,#72757a 0,#64686c 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff72757a', endColorstr='#ff64686c', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select .filter-option{max-width:160px;text-overflow:ellipsis}.navbar-pf .navbar-primary li.context.dropdown{border-bottom:0}.navbar-pf .navbar-primary li.context.context-bootstrap-select,.navbar-pf .navbar-primary li.context>a{background-color:#505458;border-bottom-color:#65696d;border-right:1px solid #65696d;border-top-color:#64696d;font-weight:600;background-image:-webkit-linear-gradient(top,#585d61 0,#505458 100%);background-image:-o-linear-gradient(top,#585d61 0,#505458 100%);background-image:linear-gradient(to bottom,#585d61 0,#505458 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff585d61', endColorstr='#ff505458', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select:hover,.navbar-pf .navbar-primary li.context>a:hover{background-color:#5a5e62;border-bottom-color:#6e7276;border-right-color:#6e7276;border-top-color:#6c7276;background-image:-webkit-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:-o-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:linear-gradient(to bottom,#62676b 0,#5a5e62 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff62676b', 
endColorstr='#ff5a5e62', GradientType=0)}.navbar-pf .navbar-primary li.context.open>a{background-color:#65696d;border-bottom-color:#6e7276;border-right-color:#777a7e;border-top-color:#767a7e;background-image:-webkit-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:-o-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:linear-gradient(to bottom,#6b7175 0,#65696d 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6b7175', endColorstr='#ff65696d', GradientType=0)}.navbar-pf .navbar-utility{border-bottom:0;font-size:11px;position:absolute;right:0;top:0}.navbar-pf .navbar-utility>.active>a,.navbar-pf .navbar-utility>.active>a:focus,.navbar-pf .navbar-utility>.active>a:hover,.navbar-pf .navbar-utility>.open>a,.navbar-pf .navbar-utility>.open>a:focus,.navbar-pf .navbar-utility>.open>a:hover{background:#5b6165;color:#fff}.navbar-pf .navbar-utility>li>a{border-left:1px solid #53565b;color:#fff!important;padding:7px 10px}.navbar-pf .navbar-utility>li>a:hover{background:#4a5053;border-left-color:#636466}.navbar-pf .navbar-utility>li.open>a{border-left-color:#6c6e70;color:#fff!important}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:26px}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:10px;top:7px}.navbar-pf .navbar-utility .open .dropdown-menu{left:auto;right:0}.navbar-pf .navbar-utility .open .dropdown-menu .dropdown-menu{left:auto;right:100%}.navbar-pf .navbar-utility .open .dropdown-menu{border-top-width:0}.navbar-pf .open .dropdown-submenu>.dropdown-menu,.navbar-pf .open.bootstrap-select .dropdown-menu{border-top-width:1px!important}}@media (max-width:360px){.navbar-pf .navbar-brand{margin-left:10px;width:75%}.navbar-pf .navbar-brand img{height:auto;max-width:100%}.navbar-pf .navbar-toggle{padding-left:0}}.drawer-pf{background-color:#fafafa;border:1px solid #d1d1d1;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px 
rgba(3,3,3,.175);overflow-y:auto;position:absolute;right:0;width:320px;z-index:2}.drawer-pf .panel{border-bottom:none;border-left:none;border-right:none}.drawer-pf .panel-group .panel-heading+.panel-collapse .panel-body{border-top:none;border-bottom:1px solid #d1d1d1;padding:0}.drawer-pf .panel-counter{display:block;font-style:italic;line-height:1.2;padding-left:18px;padding-top:5px}.drawer-pf .panel-heading{border-bottom:1px solid #d1d1d1}.drawer-pf .panel-group{bottom:0;margin-bottom:0;position:absolute;top:25px;width:100%}.drawer-pf .panel-title a{cursor:pointer;display:block}.drawer-pf.drawer-pf-expanded{left:270px;width:inherit}.drawer-pf.drawer-pf-expanded .drawer-pf-toggle-expand:before{content:"\f101"}.drawer-pf-toggle-expand{color:inherit;cursor:pointer;left:0;padding:2px 5px;position:absolute}.drawer-pf-toggle-expand:before{content:"\f100";font-family:FontAwesome}.drawer-pf-toggle-expand:focus,.drawer-pf-toggle-expand:hover{color:inherit;text-decoration:none}.drawer-pf-action .btn-link{color:#0088ce;padding:10px 0}.drawer-pf-action .btn-link:hover{color:#00659c}.drawer-pf-loading{color:#4d5258;font-size:14px;padding:20px 15px}.drawer-pf-notification{border-bottom:1px solid #d1d1d1;padding:15px}.drawer-pf-notification .date{border-right:1px solid #aaa;display:inline-block;line-height:1;margin-right:5px;padding-right:9px}.drawer-pf-notification .pficon{font-size:14px;margin-top:3px}.drawer-pf-notification:last-of-type{border-bottom:none}.drawer-pf-notification:hover{background-color:#def3ff}.drawer-pf-notification.unread .drawer-pf-notification-message{font-weight:700}.drawer-pf-notification.expanded-notification .date{border-right:none;padding-right:0}.drawer-pf-notification-info,.drawer-pf-notification-message{display:block;padding-left:27px;padding-right:19px}.expanded-notification .drawer-pf-notification-info,.expanded-notification .drawer-pf-notification-message{display:inline-block}.drawer-pf-notifications-non-clickable 
.drawer-pf-notification:hover{background-color:#fff}.drawer-pf-title{background-color:#fafafa;border-bottom:1px solid #d1d1d1;position:absolute;width:318px}.drawer-pf-title h3{font-size:12px;margin:0;padding:6px 15px}.navbar-pf-vertical .drawer-pf{height:calc(100vh - 80px);top:58px}.navbar-pf-vertical .nav .drawer-pf-trigger .drawer-pf-trigger-icon{border-left:1px solid #53565b;border-right:1px solid #53565b;padding-left:15px;padding-right:15px}.navbar-pf-vertical .nav .drawer-pf-trigger.open .drawer-pf-trigger-icon{background-color:#4a5053}.navbar-pf .drawer-pf{height:calc(100vh - 46px);top:26px}.navbar-pf .drawer-pf-trigger-icon{cursor:pointer}.pager li>a,.pager li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;font-weight:600;line-height:22px;padding:2px 14px}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>a:focus,.pager li>a:hover,.pager li>span.active,.pager li>span:active,.pager li>span:focus,.pager li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>span.active,.pager li>span:active{background-image:none}.open .dropdown-toggle.pager li>a.focus,.open .dropdown-toggle.pager li>a:focus,.open .dropdown-toggle.pager li>a:hover,.open .dropdown-toggle.pager li>span.focus,.open .dropdown-toggle.pager li>span:focus,.open .dropdown-toggle.pager li>span:hover,.pager li>a.active.focus,.pager li>a.active:focus,.pager li>a.active:hover,.pager li>a:active.focus,.pager li>a:active:focus,.pager 
li>a:active:hover,.pager li>span.active.focus,.pager li>span.active:focus,.pager li>span.active:hover,.pager li>span:active.focus,.pager li>span:active:focus,.pager li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pager li>a.disabled,.pager li>a.disabled.active,.pager li>a.disabled:active,.pager li>a.disabled:focus,.pager li>a.disabled:hover,.pager li>a[disabled],.pager li>a[disabled].active,.pager li>a[disabled]:active,.pager li>a[disabled]:focus,.pager li>a[disabled]:hover,.pager li>span.disabled,.pager li>span.disabled.active,.pager li>span.disabled:active,.pager li>span.disabled:focus,.pager li>span.disabled:hover,.pager li>span[disabled],.pager li>span[disabled].active,.pager li>span[disabled]:active,.pager li>span[disabled]:focus,.pager li>span[disabled]:hover,fieldset[disabled] .pager li>a,fieldset[disabled] .pager li>a.active,fieldset[disabled] .pager li>a:active,fieldset[disabled] .pager li>a:focus,fieldset[disabled] .pager li>a:hover,fieldset[disabled] .pager li>span,fieldset[disabled] .pager li>span.active,fieldset[disabled] .pager li>span:active,fieldset[disabled] .pager li>span:focus,fieldset[disabled] .pager li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pager li>a>.i,.pager li>span>.i{font-size:18px;vertical-align:top;margin:2px 0}.pager li>a:hover>a:focus{color:#4d5258}.pager li a:active{background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(3,3,3,.125);box-shadow:inset 0 3px 5px rgba(3,3,3,.125);outline:0}.pager .disabled>a,.pager .disabled>a:active,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{background:#f5f5f5;-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f;cursor:default}.pager .next>a>.i,.pager .next>span>.i{margin-left:5px}.pager .previous>a>.i,.pager .previous>span>.i{margin-right:5px}.pager-sm li>a,.pager-sm li>span{font-weight:400;line-height:16px;padding:1px 10px}.pager-sm li>a>.i,.pager-sm 
li>span>.i{font-size:12px}.pagination>li>a,.pagination>li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;cursor:default;font-weight:600;padding:2px 10px}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span.active,.pagination>li>span:active,.pagination>li>span:focus,.pagination>li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>span.active,.pagination>li>span:active{background-image:none}.open .dropdown-toggle.pagination>li>a.focus,.open .dropdown-toggle.pagination>li>a:focus,.open .dropdown-toggle.pagination>li>a:hover,.open .dropdown-toggle.pagination>li>span.focus,.open .dropdown-toggle.pagination>li>span:focus,.open 
.dropdown-toggle.pagination>li>span:hover,.pagination>li>a.active.focus,.pagination>li>a.active:focus,.pagination>li>a.active:hover,.pagination>li>a:active.focus,.pagination>li>a:active:focus,.pagination>li>a:active:hover,.pagination>li>span.active.focus,.pagination>li>span.active:focus,.pagination>li>span.active:hover,.pagination>li>span:active.focus,.pagination>li>span:active:focus,.pagination>li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pagination>li>a.disabled,.pagination>li>a.disabled.active,.pagination>li>a.disabled:active,.pagination>li>a.disabled:focus,.pagination>li>a.disabled:hover,.pagination>li>a[disabled],.pagination>li>a[disabled].active,.pagination>li>a[disabled]:active,.pagination>li>a[disabled]:focus,.pagination>li>a[disabled]:hover,.pagination>li>span.disabled,.pagination>li>span.disabled.active,.pagination>li>span.disabled:active,.pagination>li>span.disabled:focus,.pagination>li>span.disabled:hover,.pagination>li>span[disabled],.pagination>li>span[disabled].active,.pagination>li>span[disabled]:active,.pagination>li>span[disabled]:focus,.pagination>li>span[disabled]:hover,fieldset[disabled] .pagination>li>a,fieldset[disabled] .pagination>li>a.active,fieldset[disabled] .pagination>li>a:active,fieldset[disabled] .pagination>li>a:focus,fieldset[disabled] .pagination>li>a:hover,fieldset[disabled] .pagination>li>span,fieldset[disabled] .pagination>li>span.active,fieldset[disabled] .pagination>li>span:active,fieldset[disabled] .pagination>li>span:focus,fieldset[disabled] .pagination>li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pagination>li>a>.i,.pagination>li>span>.i{font-size:15px;vertical-align:top;margin:2px 0}.pagination>li>a:active,.pagination>li>span:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px 
rgba(3,3,3,.2)}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{background-color:#f1f1f1;border-color:#bbb;-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2);color:#4d5258;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{-webkit-box-shadow:none;box-shadow:none;cursor:default;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination-sm>li>a,.pagination-sm>li>span{padding:2px 6px;font-size:11px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:1px;border-top-left-radius:1px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:1px;border-top-right-radius:1px}.pagination-sm>li>a,.pagination-sm>li>span{font-weight:400}.pagination-sm>li>a>.i,.pagination-sm>li>span>.i{font-size:12px;margin-top:2px}.panel-title{font-weight:700}.panel-group .panel{color:#4d5258}.panel-group .panel+.panel{margin-top:-1px}.panel-group .panel-default{border-color:#bbb;border-top-color:#bbb}.panel-group .panel-heading{background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 
100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #d1d1d1}.panel-group .panel-title{font-weight:500;line-height:1}.panel-group .panel-title>a{color:#4d5258;font-weight:600}.panel-group .panel-title>a:before{content:"\f107";display:inline-block;font-family:FontAwesome;font-size:13px;margin-right:5px;text-align:center;vertical-align:0;width:8px}.panel-group .panel-title>a:focus{outline:0;text-decoration:none}.panel-group .panel-title>a:hover{text-decoration:none}.panel-group .panel-title>a.collapsed:before{content:"\f105"}.popover{-webkit-box-shadow:0 2px 2px rgba(3,3,3,.08);box-shadow:0 2px 2px rgba(3,3,3,.08);padding:0}.popover-content{color:#4d5258;line-height:18px;padding:10px 14px}.popover-title{border-bottom:none;border-radius:0;color:#4d5258;font-size:13px;font-weight:700;min-height:34px}.popover-title .close{height:22px;position:absolute;right:8px;top:6px}.popover-title.closable{padding-right:30px}@-webkit-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}.progress{-webkit-box-shadow:inset 0 0 1px rgba(3,3,3,.25);box-shadow:inset 0 0 1px rgba(3,3,3,.25)}.progress.progress-label-left,.progress.progress-label-top-right{overflow:visible;position:relative}.progress.progress-label-left{margin-left:40px}.progress.progress-sm{height:14px;margin-bottom:14px}.progress.progress-xs{height:6px;margin-bottom:6px}td>.progress:first-child:last-child{margin-bottom:0;margin-top:3px}.progress-bar{box-shadow:none}.progress-label-left .progress-bar span,.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar 
span{color:#363636;position:absolute;text-align:right}.progress-label-left .progress-bar span{font-size:14px;left:-40px;top:0;width:35px}.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{font-size:11px;overflow:hidden;right:0;text-overflow:ellipsis;white-space:nowrap}.progress-label-right .progress-bar span strong,.progress-label-top-right .progress-bar span strong{font-weight:600}.progress-label-right .progress-bar span{max-width:85px;top:0}.progress-label-top-right .progress-bar span{max-width:47%;top:-30px}.progress-label-left.progress-sm .progress-bar span,.progress-label-top-right.progress-sm .progress-bar span{font-size:12px}.progress-sm .progress-bar{line-height:14px}.progress-xs .progress-bar{line-height:6px}.progress-bar-remaining{background:0 0}.progress-container{position:relative}.progress-container.progress-description-left{padding-left:90px}.progress-container.progress-label-right{padding-right:90px}.progress-description{margin-bottom:10px;max-width:52%;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.progress-description .count{font-size:20px;font-weight:300;line-height:1;margin-right:5px}.progress-description .fa,.progress-description .pficon{font-size:14px;margin-right:3px}.progress-description-left .progress-description{left:0;margin-bottom:0;max-width:85px;position:absolute;top:0}.progress-description .tooltip{white-space:normal}.search-pf.has-button{border-collapse:separate;display:table}.search-pf.has-button .form-group{display:table-cell;width:100%}.search-pf.has-button .form-group .btn{-webkit-box-shadow:none;box-shadow:none;float:left;margin-left:-1px}.search-pf.has-button .form-group .btn.btn-lg{font-size:14.5px}.search-pf.has-button .form-group .btn.btn-sm{font-size:10.7px}.search-pf.has-button .form-group .form-control{float:left}.search-pf .has-clear .clear{background:0 
0;background:rgba(255,255,255,0);border:0;height:25px;line-height:1;padding:0;position:absolute;right:1px;top:1px;width:28px}.search-pf .has-clear .clear:focus{outline:0}.search-pf .has-clear .form-control{padding-right:30px}.search-pf .has-clear .form-control::-ms-clear{display:none}.search-pf .has-clear .input-lg+.clear{height:31px;width:28px}.search-pf .has-clear .input-sm+.clear{height:20px;width:28px}.search-pf .has-clear .input-sm+.clear span{font-size:10px}.search-pf .has-clear .search-pf-input-group{position:relative}.sidebar-header{border-bottom:1px solid #ececec;padding-bottom:11px;margin:50px 0 20px}.sidebar-header .actions{margin-top:-2px}.sidebar-pf .sidebar-header+.list-group{border-top:0;margin-top:-10px}.sidebar-pf .sidebar-header+.list-group .list-group-item{background:0 0;border-color:#ececec;padding-left:0}.sidebar-pf .sidebar-header+.list-group .list-group-item-heading{font-size:12px}.sidebar-pf .nav-category h2{color:#9c9c9c;font-size:12px;font-weight:400;line-height:21px;margin:0;padding:8px 0}.sidebar-pf .nav-category+.nav-category{margin-top:10px}.sidebar-pf .nav-pills>li.active>a{background:#0088ce!important;border-color:#0088ce!important;color:#fff}@media (min-width:768px){.sidebar-pf .nav-pills>li.active>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}.sidebar-pf .nav-pills>li.active>a .fa{color:#fff}.sidebar-pf .nav-pills>li>a{border-bottom:1px solid transparent;border-radius:0;border-top:1px solid transparent;color:#363636;font-size:13px;line-height:21px;padding:1px 20px}.sidebar-pf .nav-pills>li>a:hover{background:#def3ff;border-color:#bee1f4}.sidebar-pf .nav-pills>li>a .fa{color:#6a7079;font-size:15px;margin-right:10px;text-align:center;vertical-align:middle;width:15px}.sidebar-pf .nav-stacked{margin-left:-20px;margin-right:-20px}.sidebar-pf .nav-stacked li+li{margin-top:0}.sidebar-pf .panel{background:0 0}.sidebar-pf .panel-body{padding:6px 20px}.sidebar-pf .panel-body 
.nav-pills>li>a{padding-left:37px}.sidebar-pf .panel-heading{padding:9px 20px}.sidebar-pf .panel-title{font-size:12px}.sidebar-pf .panel-title>a:before{display:inline-block;margin-left:1px;margin-right:4px;width:9px}.sidebar-pf .panel-title>a.collapsed:before{margin-left:3px;margin-right:2px}@media (min-width:767px){.sidebar-header-bleed-left{margin-left:-20px}.sidebar-header-bleed-left>h2{margin-left:20px}.sidebar-header-bleed-right{margin-right:-20px}.sidebar-header-bleed-right .actions{margin-right:20px}.sidebar-header-bleed-right>h2{margin-right:20px}.sidebar-header-bleed-right+.list-group{margin-right:-20px}.sidebar-pf .panel-group .panel-default,.sidebar-pf .treeview{border-left:0;border-right:0;margin-left:-20px;margin-right:-20px}.sidebar-pf .treeview{margin-top:5px}.sidebar-pf .treeview .list-group-item{padding-left:20px;padding-right:20px}.sidebar-pf .treeview .list-group-item.node-selected:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}@media (min-width:768px){.sidebar-pf{background:#fafafa}.sidebar-pf.sidebar-pf-left{border-right:1px solid #d1d1d1}.sidebar-pf.sidebar-pf-right{border-left:1px solid #d1d1d1}.sidebar-pf>.nav-category,.sidebar-pf>.nav-stacked{margin-top:5px}}@-webkit-keyframes rotation{from{-webkit-transform:rotate(0)}to{-webkit-transform:rotate(359deg)}}@keyframes rotation{from{transform:rotate(0)}to{transform:rotate(359deg)}}.spinner{-webkit-animation:rotation .6s infinite linear;animation:rotation .6s infinite linear;border-bottom:4px solid rgba(3,3,3,.25);border-left:4px solid rgba(3,3,3,.25);border-right:4px solid rgba(3,3,3,.25);border-radius:100%;border-top:4px solid rgba(3,3,3,.75);height:24px;margin:0 
auto;position:relative;width:24px}.spinner.spinner-inline{display:inline-block;margin-right:3px}.spinner.spinner-lg{border-width:5px;height:30px;width:30px}.spinner.spinner-sm{border-width:3px;height:18px;width:18px}.spinner.spinner-xs{border-width:2px;height:12px;width:12px}.spinner.spinner-inverse{border-bottom-color:rgba(255,255,255,.25);border-left-color:rgba(255,255,255,.25);border-right-color:rgba(255,255,255,.25);border-top-color:rgba(255,255,255,.75)}.ie9 .spinner{background:url(../img/spinner.gif) no-repeat;border:0}.ie9 .spinner.spinner-inverse{background-image:url(../img/spinner-inverse.gif)}.ie9 .spinner.spinner-inverse-lg{background-image:url(../img/spinner-inverse-lg.gif)}.ie9 .spinner.spinner-inverse-sm{background-image:url(../img/spinner-inverse-sm.gif)}.ie9 .spinner.spinner-inverse-xs{background-image:url(../img/spinner-inverse-xs.gif)}.ie9 .spinner.spinner-lg{background-image:url(../img/spinner-lg.gif)}.ie9 .spinner.spinner-sm{background-image:url(../img/spinner-sm.gif)}.ie9 .spinner.spinner-xs{background-image:url(../img/spinner-xs.gif)}.prettyprint .atn,.prettyprint .com,.prettyprint .fun,.prettyprint .var{color:#3f9c35}.prettyprint .atv,.prettyprint .str{color:#a30000}.prettyprint .clo,.prettyprint .dec,.prettyprint .kwd,.prettyprint .opn,.prettyprint .pln,.prettyprint .pun{color:#363636}.prettyprint .lit,.prettyprint .tag,.prettyprint .typ{color:#00659c}.prettyprint ol.linenums{margin-bottom:0}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:2px 10px 3px}.table>tbody>tr>td>a:hover,.table>tbody>tr>th>a:hover,.table>tfoot>tr>td>a:hover,.table>tfoot>tr>th>a:hover,.table>thead>tr>td>a:hover,.table>thead>tr>th>a:hover{text-decoration:none}.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>th{font-family:'Open Sans';font-style:normal;font-weight:600}.table>thead{background-clip:padding-box;background-color:#f5f5f5;background-image:-webkit-linear-gradient(top,#fafafa 
0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.table-bordered{border:1px solid #d1d1d1}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #d1d1d1}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:1px}.table-striped>tbody>tr:nth-of-type(even){background-color:#f5f5f5}.table-striped>tbody>tr:nth-of-type(odd){background-color:transparent}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#def3ff;border-bottom-color:#7dc3e8}.table-treegrid span.indent{margin-left:10px;margin-right:10px}.table-treegrid span.icon{display:inline-block;font-size:13px;margin-right:5px;min-width:10px;text-align:center}.table-treegrid span.collapse-icon,.table-treegrid span.expand-icon{cursor:pointer}.table-treegrid>tbody>tr.odd{background-color:#f5f5f5}.nav-tabs{font-size:14px}.nav-tabs>li>a{color:#4d5258;margin-right:-1px;padding-bottom:5px;padding-top:5px}.nav-tabs>li>a:active,.nav-tabs>li>a:focus,.nav-tabs>li>a:hover{background:0 0;border-color:#ededed;color:#252525}.nav-tabs>li>.dropdown-menu{border-top:0;border-color:#ededed}.nav-tabs>li>.dropdown-menu.pull-right{right:-1px}.nav-tabs+.nav-tabs-pf{font-size:12px}.nav-tabs+.nav-tabs-pf>li:first-child>a{padding-left:15px}.nav-tabs+.nav-tabs-pf>li:first-child>a:before{left:15px!important}.nav-tabs .open>a,.nav-tabs .open>a:focus,.nav-tabs .open>a:hover{background-color:transparent;border-color:#ededed}@media (min-width:768px){.nav-tabs-pf.nav-justified{border-bottom:1px solid 
#ededed}}.nav-tabs-pf.nav-justified>li:first-child>a{padding-left:15px}.nav-tabs-pf.nav-justified>li>a{border-bottom:0}.nav-tabs-pf.nav-justified>li>a:before{left:0!important;right:0!important}.nav-tabs-pf>li{margin-bottom:0}.nav-tabs-pf>li.active>a:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li.active>a,.nav-tabs-pf>li.active>a:active,.nav-tabs-pf>li.active>a:focus,.nav-tabs-pf>li.active>a:hover{background-color:transparent;border:0!important;color:#0088ce}.nav-tabs-pf>li.active>a:active:before,.nav-tabs-pf>li.active>a:before,.nav-tabs-pf>li.active>a:focus:before,.nav-tabs-pf>li.active>a:hover:before{background:#0088ce}.nav-tabs-pf>li:first-child>a{padding-left:0}.nav-tabs-pf>li:first-child>a:before{left:0!important}.nav-tabs-pf>li>a{border:0;line-height:1;margin-right:0;padding-bottom:10px;padding-top:10px}.nav-tabs-pf>li>a:active:before,.nav-tabs-pf>li>a:focus:before,.nav-tabs-pf>li>a:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li>.dropdown-menu{left:15px;margin-top:1px}.nav-tabs-pf>li>.dropdown-menu.pull-right{left:auto;right:15px}.nav-tabs-pf .open>a,.nav-tabs-pf .open>a:focus,.nav-tabs-pf .open>a:hover{background-color:transparent}.tooltip{font-size:12px;line-height:1.4}.tooltip-inner{padding:7px 12px;text-align:left}.h1,.h2,h1,h2{font-weight:300}.page-header .actions{margin-top:8px}.page-header .actions a>.pficon{margin-right:4px}@media (min-width:767px){.page-header-bleed-left{margin-left:-20px}.page-header-bleed-right{margin-right:-20px}.page-header-bleed-right .actions{margin-right:20px}}
+\ No newline at end of file
+-- 
+2.26.2
+
+
+From bcc1a38148401ba766d98647a5aba69a0905214e Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sun, 7 Oct 2018 12:25:40 +0300
+Subject: [PATCH 2/3] install/ui/less/brand.less: Change branding to IPA and
+ Identity Management
+
+---
+ install/ui/less/brand.less | 103 ++++++++++++++++++-------------------
+ 1 file changed, 50 insertions(+), 53 deletions(-)
+
+diff --git a/install/ui/less/brand.less b/install/ui/less/brand.less
+index c9030bb..7488eaf 100644
+--- a/install/ui/less/brand.less
++++ b/install/ui/less/brand.less
+@@ -20,58 +20,55 @@
+ 
+ // this file should be overridden with brand/platform specific content
+ 
+-@login-details-border: #777777;
++@img-badge-ie8-height:                                              44px;
++@img-badge-ie8-width:                                               137px;
++// @img-bg-login:                                                      "bg-login.png";
++// @img-bg-login-2:                                                    "bg-login-2.png";
++@login-bg-color:                                                    #1a1a1a;
++@login-container-bg-color:                                          transparent;
++@login-container-bg-color-rgba:                                     transparent;
++@navbar-pf-bg-color:                                                #393F45;
++@navbar-pf-border-color:                                            #cc0000;
++@navbar-pf-active-color:                                            #fff;
++@navbar-pf-color:                                                   #dbdada;
++@navbar-pf-icon-bar-bg-color:                                       #fff;
++@navbar-pf-navbar-header-border-color:                              #53565b;
++@navbar-pf-navbar-nav-active-bg-color:                              #454C53;
++@navbar-pf-navbar-nav-active-active-bg-color:                       #3c434a;
++@navbar-pf-navbar-nav-active-active-open-bg-color:                  #424950;
++@navbar-pf-navbar-navbar-brand-min-width:                           300px;
++@navbar-pf-navbar-navbar-brand-padding:                             7px 0 8px;
++@navbar-pf-navbar-navbar-persistent-bg-color:                       #f6f6f6;
++@navbar-pf-navbar-navbar-persistent-border-color:                   #cecdcd;
++@navbar-pf-navbar-primary-active-bg-color-start:                    #72757a;
++@navbar-pf-navbar-primary-active-bg-color-stop:                     #64686c;
++@navbar-pf-navbar-primary-active-border-color:                      #949699;
++@navbar-pf-navbar-primary-bg-color-start:                           #474c50;
++@navbar-pf-navbar-primary-bg-color-stop:                            #383f43;
++@navbar-pf-navbar-primary-hover-bg-color-start:                     #5c6165;
++@navbar-pf-navbar-primary-hover-bg-color-stop:                      #4b5053;
++@navbar-pf-navbar-primary-hover-border-color:                       #949699;
++@navbar-pf-navbar-primary-context-active-bg-color-start:            #6b7175;
++@navbar-pf-navbar-primary-context-active-bg-color-stop:             #65696d;
++@navbar-pf-navbar-primary-context-active-border-color:              #6e7276;
++@navbar-pf-navbar-primary-context-active-border-right-color:        #777a7e;
++@navbar-pf-navbar-primary-context-active-border-top-color:          #767a7e;
++@navbar-pf-navbar-primary-context-bg-color-start:                   #585d61;
++@navbar-pf-navbar-primary-context-bg-color-stop:                    #505458;
++@navbar-pf-navbar-primary-context-border-color:                     #65696d;
++@navbar-pf-navbar-primary-context-border-top-color:                 #64696d;
++@navbar-pf-navbar-primary-context-hover-bg-color-start:             #62676b;
++@navbar-pf-navbar-primary-context-hover-bg-color-stop:              #5a5e62;
++@navbar-pf-navbar-primary-context-hover-border-color:               #6e7276;
++@navbar-pf-navbar-primary-context-hover-border-top-color:           #6c7276;
++@navbar-pf-navbar-utility-border-color:                             #53565b;
++@navbar-pf-navbar-utility-color:                                    #fff;
++@navbar-pf-navbar-utility-hover-bg-color:                           #4a5053;
++@navbar-pf-navbar-utility-hover-border-color:                       #636466;
++@navbar-pf-navbar-utility-open-bg-color:                            #5b6165;
++@navbar-pf-navbar-utility-open-border-color:                        #6c6e70;
+ 
+-.login-pf {
+-
+-    .login-pf-body {
+-        padding-top: 50px;
+-    }
+-
+-    #badge img {
+-        display: none;
+-    }
+-
+-    #brand {
+-        position: absolute;
+-        top: -135px;
+-        img {
+-            height: auto;
+-        }
+-    }
+-
+-    .container {
+-        padding-top: 40px;
+-
+-        .details p:first-child {
+-            border-top: 1px solid @login-details-border;
+-        }
+-    }
+-}
+-
+-// 768px == @screen-sm-min
+-@media (min-width: 768px) {
+-    .navbar-pf .navbar-brand {
+-        padding: 2px 0 3px;
+-    }
+-
+-    .login-pf .container .details {
+-        p:first-child {
+-            border-top: 0;
+-        }
+-        border-left: 1px solid @login-details-border;
+-    }
+-}
+-
+-@media (max-height: 520px) {
+-    .reset-login-pf-height;
+-    .login-pf {
+-        .login-pf-body {
+-            padding-top: 0;
+-        }
+-        #badge {
+-            margin-top: 0;
+-            height: 70px;
+-        }
+-    }
++.info-page .navbar-header {
++    line-height: inherit;
++    margin-left: 20px;
+ }
+\ No newline at end of file
+-- 
+2.26.2
+
+
+From b9506f826164e757c9b4a694c9ca1bfda921f931 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sun, 7 Oct 2018 12:25:40 +0300
+Subject: [PATCH 3/3] install/ui/less/patternfly.less: Change branding to IPA
+ and Identity Management
+
+---
+ install/ui/less/patternfly.less | 48 +++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/install/ui/less/patternfly.less b/install/ui/less/patternfly.less
+index a2e30c8..97a8d5c 100644
+--- a/install/ui/less/patternfly.less
++++ b/install/ui/less/patternfly.less
+@@ -129,3 +129,51 @@
+ 
+ // our overrides
+ @fa-font-path:        "../fonts/fontawesome";
++
++@img-badge-ie8-height:                                              44px;
++@img-badge-ie8-width:                                               137px;
++// @img-bg-login:                                                      "bg-login.png";
++// @img-bg-login-2:                                                    "bg-login-2.png";
++@login-bg-color:                                                    #1a1a1a;
++@login-container-bg-color:                                          transparent;
++@login-container-bg-color-rgba:                                     transparent;
++@navbar-pf-bg-color:                                                #393F45;
++@navbar-pf-border-color:                                            #cc0000;
++@navbar-pf-active-color:                                            #fff;
++@navbar-pf-color:                                                   #dbdada;
++@navbar-pf-icon-bar-bg-color:                                       #fff;
++@navbar-pf-navbar-header-border-color:                              #53565b;
++@navbar-pf-navbar-nav-active-bg-color:                              #454C53;
++@navbar-pf-navbar-nav-active-active-bg-color:                       #3c434a;
++@navbar-pf-navbar-nav-active-active-open-bg-color:                  #424950;
++@navbar-pf-navbar-navbar-brand-min-width:                           300px;
++@navbar-pf-navbar-navbar-brand-padding:                             7px 0 8px;
++@navbar-pf-navbar-navbar-persistent-bg-color:                       #f6f6f6;
++@navbar-pf-navbar-navbar-persistent-border-color:                   #cecdcd;
++@navbar-pf-navbar-primary-active-bg-color-start:                    #72757a;
++@navbar-pf-navbar-primary-active-bg-color-stop:                     #64686c;
++@navbar-pf-navbar-primary-active-border-color:                      #949699;
++@navbar-pf-navbar-primary-bg-color-start:                           #474c50;
++@navbar-pf-navbar-primary-bg-color-stop:                            #383f43;
++@navbar-pf-navbar-primary-hover-bg-color-start:                     #5c6165;
++@navbar-pf-navbar-primary-hover-bg-color-stop:                      #4b5053;
++@navbar-pf-navbar-primary-hover-border-color:                       #949699;
++@navbar-pf-navbar-primary-context-active-bg-color-start:            #6b7175;
++@navbar-pf-navbar-primary-context-active-bg-color-stop:             #65696d;
++@navbar-pf-navbar-primary-context-active-border-color:              #6e7276;
++@navbar-pf-navbar-primary-context-active-border-right-color:        #777a7e;
++@navbar-pf-navbar-primary-context-active-border-top-color:          #767a7e;
++@navbar-pf-navbar-primary-context-bg-color-start:                   #585d61;
++@navbar-pf-navbar-primary-context-bg-color-stop:                    #505458;
++@navbar-pf-navbar-primary-context-border-color:                     #65696d;
++@navbar-pf-navbar-primary-context-border-top-color:                 #64696d;
++@navbar-pf-navbar-primary-context-hover-bg-color-start:             #62676b;
++@navbar-pf-navbar-primary-context-hover-bg-color-stop:              #5a5e62;
++@navbar-pf-navbar-primary-context-hover-border-color:               #6e7276;
++@navbar-pf-navbar-primary-context-hover-border-top-color:           #6c7276;
++@navbar-pf-navbar-utility-border-color:                             #53565b;
++@navbar-pf-navbar-utility-color:                                    #fff;
++@navbar-pf-navbar-utility-hover-bg-color:                           #4a5053;
++@navbar-pf-navbar-utility-hover-border-color:                       #636466;
++@navbar-pf-navbar-utility-open-bg-color:                            #5b6165;
++@navbar-pf-navbar-utility-open-border-color:                        #6c6e70;
+-- 
+2.26.2
+
diff --git a/SOURCES/freeipa-4.9.8.tar.gz.asc b/SOURCES/freeipa-4.9.8.tar.gz.asc
new file mode 100644
index 0000000..c14420c
--- /dev/null
+++ b/SOURCES/freeipa-4.9.8.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=t9up
+-----END PGP SIGNATURE-----
diff --git a/SPECS/freeipa.spec b/SPECS/freeipa.spec
new file mode 100644
index 0000000..12c75a3
--- /dev/null
+++ b/SPECS/freeipa.spec
@@ -0,0 +1,3173 @@
+%define ipa_requires_gt()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
+
+# ipatests enabled by default, can be disabled with --without ipatests
+%bcond_without ipatests
+# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
+# On RHEL 8 we should use --with ipa_join_xml
+%bcond_with ipa_join_xml
+
+# Linting is disabled by default, needed for upstream testing
+%bcond_with lint
+
+# Build documentation with sphinx
+%bcond_with doc
+
+# Build Python wheels
+%bcond_with wheels
+
+# 389-ds-base 1.4 no longer supports i686 platform, build only client
+# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
+%ifarch %{ix86}
+    %{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
+%endif
+
+# Define ONLY_CLIENT to only make the ipa-client and ipa-python
+# subpackages
+%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
+%if %{ONLY_CLIENT}
+    %global enable_server_option --disable-server
+%else
+    %global enable_server_option --enable-server
+%endif
+
+%if %{ONLY_CLIENT}
+    %global with_ipatests 0
+%endif
+
+# Whether to build ipatests
+%if %{with ipatests}
+    %global with_ipatests_option --with-ipatests
+%else
+    %global with_ipatests_option --without-ipatests
+%endif
+
+# Whether to use XML-RPC with ipa-join
+%if %{with ipa_join_xml}
+    %global with_ipa_join_xml_option --with-ipa-join-xml
+%else
+    %global with_ipa_join_xml_option --without-ipa-join-xml
+%endif
+
+# lint is not executed during rpmbuild
+# %%global with_lint 1
+%if %{with lint}
+    %global linter_options --enable-pylint --without-jslint --enable-rpmlint
+%else
+    %global linter_options --disable-pylint --without-jslint --disable-rpmlint
+%endif
+
+# Include SELinux subpackage
+%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
+    %global with_selinux 1
+    %global selinuxtype targeted
+    %global modulename ipa
+%endif
+
+%if 0%{?rhel}
+%global package_name ipa
+%global alt_name freeipa
+%global krb5_version 1.19.1-15
+%global krb5_kdb_version 8.0
+# 0.7.16: https://github.com/drkjam/netaddr/issues/71
+%global python_netaddr_version 0.7.19
+# Require 4.7.0 which brings Python 3 bindings
+%global samba_version 4.15.2-2
+%global selinux_policy_version 3.14.3-52
+%global slapi_nis_version 0.56.4
+%global python_ldap_version 3.1.0-1
+%if 0%{?rhel} < 9
+# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
+%global ds_version 1.4.3.16-12
+%else
+# DNA interval enabled
+%global ds_version 2.0.5-1
+%endif
+
+# Fix for TLS 1.3 PHA, RHBZ#1775158
+%global httpd_version 2.4.37-21
+%global bind_version 9.11.20-6
+
+%else
+# Fedora
+%global package_name freeipa
+%global alt_name ipa
+# Fix for CVE-2020-28196
+%global krb5_version 1.18.2-29
+# 0.7.16: https://github.com/drkjam/netaddr/issues/71
+%global python_netaddr_version 0.7.16
+# Require 4.7.0 which brings Python 3 bindings
+# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
+%global samba_version 2:4.12.10
+
+# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
+%global selinux_policy_version 3.14.5-45
+%global slapi_nis_version 0.56.5
+
+%global krb5_kdb_version 8.0
+
+# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
+%global python_ldap_version 3.1.0-1
+
+# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
+# and has DNA interval enabled
+%if 0%{?fedora} < 34
+%global ds_version 1.4.4.16-1
+%else
+%global ds_version 2.0.7-1
+%endif
+
+# Fix for TLS 1.3 PHA, RHBZ#1775146
+%global httpd_version 2.4.41-9
+
+%global bind_version 9.11.24-1
+# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
+# Some packages don't provide new dist aliases.
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
+%{?python_disable_dependency_generator}
+# Fedora
+%endif
+
+# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
+# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
+%if 0%{?fedora} || 0%{?rhel} >= 9
+    %global openssl_pkcs11_version 0.4.10-6
+    %global softhsm_version 2.5.0-4
+%else
+    %global with_bind_pkcs11 1
+%endif
+
+%if 0%{?rhel} == 8
+# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
+%global pki_version 10.10.5
+%else
+# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
+%global pki_version 10.10.5
+%endif
+
+# RHEL 8.3+, F32+ has 0.79.13
+%global certmonger_version 0.79.7-3
+
+# RHEL 8.2+, F32+ has 3.58
+%global nss_version 3.44.0-4
+
+# RHEL 8.3+, F32+
+%global sssd_version 2.4.0
+
+%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
+%global kdcproxy_version 0.4-3
+
+%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
+# systemd with resolved enabled
+# see https://pagure.io/freeipa/issue/8275
+%global systemd_version 246.6-3
+%else
+%global systemd_version 239
+%endif
+
+# augeas support for new chrony options
+# see https://pagure.io/freeipa/issue/8676
+# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
+%if 0%{?fedora} >= 33
+%global augeas_version 1.12.0-6
+%else
+%if 0%{?rhel} >= 9
+%global augeas_version 1.12.1-0
+%else
+%global augeas_version 1.12.0-3
+%endif
+%endif
+
+%global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
+%global gettext_domain ipa
+
+%define _hardened_build 1
+
+# Work-around fact that RPM SPEC parser does not accept
+# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
+%define IPA_VERSION 4.9.8
+# Release candidate version -- uncomment with one percent for RC versions
+#%%global rc_version %%nil
+%define AT_SIGN @
+# redefine IPA_VERSION only if its value matches the Autoconf placeholder
+%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
+    %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
+%endif
+
+%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil")
+
+Name:           %{package_name}
+Version:        %{IPA_VERSION}
+Release:        7%{?rc_version:.%rc_version}%{?dist}
+Summary:        The Identity, Policy and Audit system
+
+License:        GPLv3+
+URL:            http://www.freeipa.org/
+Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz
+# Only use detached signature for the distribution builds. If it is a developer build, skip it
+%if %{NON_DEVELOPER_BUILD}
+Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
+%endif
+
+# RHEL spec file only: START: Change branding to IPA and Identity Management
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+# RHEL spec file only: END: Change branding to IPA and Identity Management
+
+# RHEL spec file only: START
+%if %{NON_DEVELOPER_BUILD}
+%if 0%{?rhel} >= 8
+Patch0001:      0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
+Patch0002:      0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
+Patch0003:      0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch
+Patch0004:      0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch
+Patch0005:      0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch
+Patch0006:      0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch
+Patch0007:      0007-Test-cases-for-ipa-replica-conncheck-command.patch
+Patch0008:      0008-PEP8-Fixes.patch
+Patch0009:      0009-ipatests-webui-Tests-for-subordinate-ids.patch
+Patch0010:      0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch
+Patch0011:      0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch
+Patch0012:      0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch
+Patch0013:      0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch
+Patch0014:      0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch
+Patch0015:      0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch
+Patch0016:      0016-ipatests-add-case-for-hardened-only-ticket-policy.patch
+Patch0017:      0017-Don-t-always-override-the-port-in-import_included_pr.patch
+Patch0018:      0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
+Patch0019:      0019-Enable-the-ccache-sweep-timer-during-installation.patch
+Patch0020:      0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
+Patch0021:      0021-ipa_cldap-fix-memory-leak.patch
+Patch0022:      0022-ipatests-remove-additional-check-for-failed-units_rhbz#2053025.patch
+Patch0023:      0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
+Patch0024:      0024-ipatests-Tests-for-Autoprivate-group.patch
+Patch0025:      0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
+Patch0026:      0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
+Patch0027:      0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
+Patch0028:      0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
+Patch0029:      0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
+Patch0030:      0030-freeipa.spec-bump-crypto-policies-dependency-for-Cen.patch
+Patch0031:      0031-Kerberos-instance-default-to-AES256-SHA2-for-master-.patch
+Patch0032:      0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch
+Patch0033:      0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch
+Patch0034:      0034-Support-AES-for-KRA-archival-wrapping.patch
+Patch0035:      0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
+Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
+%endif
+%endif
+# RHEL spec file only: END
+
+# For the timestamp trick in patch application
+BuildRequires:  diffstat
+
+BuildRequires:  openldap-devel
+# For KDB DAL version, make explicit dependency so that increase of version
+# will cause the build to fail due to unsatisfied dependencies.
+# DAL version change may cause code crash or memory leaks, it is better to fail early.
+BuildRequires:  krb5-kdb-version = %{krb5_kdb_version}
+BuildRequires:  krb5-kdb-devel-version = %{krb5_kdb_version}
+BuildRequires:  krb5-devel >= %{krb5_version}
+BuildRequires:  pkgconfig(krb5)
+%if %{with ipa_join_xml}
+# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
+BuildRequires:  xmlrpc-c-devel >= 1.27.4
+%else
+BuildRequires:  libcurl-devel
+BuildRequires:  jansson-devel
+%endif
+BuildRequires:  popt-devel
+BuildRequires:  gcc
+BuildRequires:  make
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconf
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  make
+BuildRequires:  libtool
+BuildRequires:  gettext
+BuildRequires:  gettext-devel
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  systemd >= %{systemd_version}
+# systemd-tmpfiles which is executed from make install requires apache user
+BuildRequires:  httpd
+BuildRequires:  nspr-devel
+BuildRequires:  openssl-devel
+BuildRequires:  libini_config-devel
+BuildRequires:  cyrus-sasl-devel
+%if ! %{ONLY_CLIENT}
+BuildRequires:  389-ds-base-devel >= %{ds_version}
+BuildRequires:  samba-devel >= %{samba_version}
+BuildRequires:  libtalloc-devel
+BuildRequires:  libtevent-devel
+BuildRequires:  libuuid-devel
+BuildRequires:  libpwquality-devel
+BuildRequires:  libsss_idmap-devel
+BuildRequires:  libsss_certmap-devel
+BuildRequires:  libsss_nss_idmap-devel >= %{sssd_version}
+BuildRequires:  nodejs(abi)
+# use old dependency on RHEL 8 for now
+%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9
+BuildRequires:  python3-rjsmin
+%else
+BuildRequires:  uglify-js
+%endif
+BuildRequires:  libverto-devel
+BuildRequires:  libunistring-devel
+# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
+# 0.13.0-2: fix for missing dependency on python-six
+BuildRequires:  python3-lesscpy >= 0.13.0-2
+BuildRequires:  cracklib-dicts
+# ONLY_CLIENT
+%endif
+
+#
+# Build dependencies for makeapi/makeaci
+#
+BuildRequires:  python3-cffi
+BuildRequires:  python3-dns
+BuildRequires:  python3-ldap >= %{python_ldap_version}
+BuildRequires:  python3-libsss_nss_idmap
+BuildRequires:  python3-netaddr >= %{python_netaddr_version}
+BuildRequires:  python3-pyasn1
+BuildRequires:  python3-pyasn1-modules
+BuildRequires:  python3-six
+BuildRequires:  python3-psutil
+
+#
+# Build dependencies for wheel packaging and PyPI upload
+#
+%if %{with wheels}
+BuildRequires:  dbus-glib-devel
+BuildRequires:  libffi-devel
+BuildRequires:  python3-tox
+%if 0%{?fedora} <= 28
+BuildRequires:  python3-twine
+%else
+BuildRequires:  twine
+%endif
+BuildRequires:  python3-wheel
+# with_wheels
+%endif
+
+%if %{with doc}
+BuildRequires: python3-sphinx
+BuildRequires: python3-m2r
+%endif
+
+#
+# Build dependencies for lint and fastcheck
+#
+%if %{with lint}
+
+# python3-pexpect might not be available in RHEL9
+%if 0%{?fedora} || 0%{?rhel} < 9
+BuildRequires:  python3-pexpect
+%endif
+
+# jsl is orphaned in Fedora 34+
+%if 0%{?fedora} < 34
+BuildRequires:  jsl
+%endif
+
+BuildRequires:  git
+BuildRequires:  nss-tools
+BuildRequires:  rpmlint
+BuildRequires:  softhsm
+
+BuildRequires:  keyutils
+BuildRequires:  python3-augeas
+BuildRequires:  python3-cffi
+BuildRequires:  python3-cryptography >= 1.6
+BuildRequires:  python3-dateutil
+BuildRequires:  python3-dbus
+BuildRequires:  python3-dns >= 1.15
+BuildRequires:  python3-docker
+BuildRequires:  python3-gssapi >= 1.2.0
+BuildRequires:  python3-jinja2
+BuildRequires:  python3-jwcrypto >= 0.4.2
+BuildRequires:  python3-ldap >= %{python_ldap_version}
+BuildRequires:  python3-ldap >= %{python_ldap_version}
+BuildRequires:  python3-lib389 >= %{ds_version}
+BuildRequires:  python3-libipa_hbac
+BuildRequires:  python3-libsss_nss_idmap
+BuildRequires:  python3-lxml
+BuildRequires:  python3-netaddr >= %{python_netaddr_version}
+BuildRequires:  python3-netifaces
+BuildRequires:  python3-paste
+BuildRequires:  python3-pki >= %{pki_version}
+BuildRequires:  python3-polib
+BuildRequires:  python3-pyasn1
+BuildRequires:  python3-pyasn1-modules
+BuildRequires:  python3-pycodestyle
+# .wheelconstraints.in limits pylint version in Azure and tox tests
+BuildRequires:  python3-pylint
+BuildRequires:  python3-pytest-multihost
+BuildRequires:  python3-pytest-sourceorder
+BuildRequires:  python3-qrcode-core >= 5.0.0
+BuildRequires:  python3-samba
+BuildRequires:  python3-six
+BuildRequires:  python3-sss
+BuildRequires:  python3-sss-murmur
+BuildRequires:  python3-sssdconfig >= %{sssd_version}
+BuildRequires:  python3-systemd
+BuildRequires:  python3-yaml
+BuildRequires:  python3-yubico
+# with_lint
+%endif
+
+#
+# Build dependencies for unit tests
+#
+%if ! %{ONLY_CLIENT}
+BuildRequires:  libcmocka-devel
+# Required by ipa_kdb_tests
+BuildRequires:  krb5-server >= %{krb5_version}
+# ONLY_CLIENT
+%endif
+
+# Build dependencies for SELinux policy
+%if %{with selinux}
+BuildRequires:  selinux-policy-devel >= %{selinux_policy_version}
+%endif
+
+%description
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+
+
+%if ! %{ONLY_CLIENT}
+
+%package server
+Summary: The IPA authentication server
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-client = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipaserver = %{version}-%{release}
+Requires: python3-ldap >= %{python_ldap_version}
+Requires: 389-ds-base >= %{ds_version}
+Requires: openldap-clients > 2.4.35-4
+Requires: nss-tools >= %{nss_version}
+Requires(post): krb5-server >= %{krb5_version}
+Requires(post): krb5-server >= %{krb5_base_version}
+Requires: krb5-kdb-version = %{krb5_kdb_version}
+Requires: krb5-pkinit-openssl >= %{krb5_version}
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: chrony
+Requires: httpd >= %{httpd_version}
+Requires(preun): python3
+Requires(postun): python3
+Requires: python3-gssapi >= 1.2.0-5
+Requires: python3-systemd
+Requires: python3-mod_wsgi
+Requires: mod_auth_gssapi >= 1.5.0
+Requires: mod_ssl >= %{httpd_version}
+Requires: mod_session >= %{httpd_version}
+# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
+Requires: mod_lookup_identity >= 0.9.9
+Requires: acl
+Requires: systemd-units >= %{systemd_version}
+Requires(pre): systemd-units >= %{systemd_version}
+Requires(post): systemd-units >= %{systemd_version}
+Requires(preun): systemd-units >= %{systemd_version}
+Requires(postun): systemd-units >= %{systemd_version}
+Requires(pre): shadow-utils
+Requires: selinux-policy >= %{selinux_policy_version}
+Requires(post): selinux-policy-base >= %{selinux_policy_version}
+Requires: slapi-nis >= %{slapi_nis_version}
+Requires: pki-ca >= %{pki_version}
+Requires: pki-kra >= %{pki_version}
+# pki-acme package was split out in pki-10.10.0
+Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0)
+Requires: policycoreutils >= 2.1.12-5
+Requires: tar
+Requires(pre): certmonger >= %{certmonger_version}
+Requires(pre): 389-ds-base >= %{ds_version}
+Requires: fontawesome-fonts
+Requires: open-sans-fonts
+%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
+# https://pagure.io/freeipa/issue/8632
+Requires: openssl > 1.1.1i
+%else
+Requires: openssl
+%endif
+Requires: softhsm >= 2.0.0rc1-1
+Requires: p11-kit
+Requires: %{etc_systemd_dir}
+Requires: gzip
+Requires: oddjob
+# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
+Requires: gssproxy >= 0.7.0-2
+Requires: sssd-dbus >= %{sssd_version}
+Requires: libpwquality
+Requires: cracklib-dicts
+# NDR libraries are internal in Samba and change with version without changing SONAME
+%ipa_requires_gt samba-client-libs
+
+Provides: %{alt_name}-server = %{version}
+Conflicts: %{alt_name}-server
+Obsoletes: %{alt_name}-server < %{version}
+
+# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
+# entire SELinux policy is stored in the system policy
+Obsoletes: freeipa-server-selinux < 3.3.0
+
+# upgrade path from monolithic -server to -server + -server-dns
+Obsoletes: %{name}-server <= 4.2.0
+
+# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
+# member.
+Conflicts: nss-pam-ldapd < 0.8.4
+
+# RHEL spec file only: START: Do not build tests
+%if 0%{?rhel} == 8
+# ipa-tests subpackage was moved to separate srpm
+Conflicts: ipa-tests < 3.3.3-9
+%endif
+# RHEL spec file only: END: Do not build tests
+
+%description server
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+
+%package -n python3-ipaserver
+Summary: Python libraries used by IPA server
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaserver}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+# we need pre-requires since earlier versions may break upgrade
+Requires(pre): python3-ldap >= %{python_ldap_version}
+Requires: python3-augeas
+Requires: augeas-libs >= %{augeas_version}
+Requires: python3-dbus
+Requires: python3-dns >= 1.15
+Requires: python3-gssapi >= 1.2.0
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-kdcproxy >= %{kdcproxy_version}
+Requires: python3-lxml
+Requires: python3-pki >= %{pki_version}
+Requires: python3-pyasn1 >= 0.3.2-2
+Requires: python3-sssdconfig >= %{sssd_version}
+Requires: python3-psutil
+Requires: rpm-libs
+# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
+%if 0%{?rhel}
+Requires: python3-urllib3 >= 1.24.2-3
+%else
+Requires: python3-urllib3 >= 1.25.7
+%endif
+
+%description -n python3-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+
+%package server-common
+Summary: Common files used by IPA server
+BuildArch: noarch
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: httpd >= %{httpd_version}
+Requires: systemd-units >= %{systemd_version}
+%if 0%{?rhel} >= 8 && ! 0%{?eln}
+Requires: system-logos-ipa >= 80.4
+%endif
+
+Provides: %{alt_name}-server-common = %{version}
+Conflicts: %{alt_name}-server-common
+Obsoletes: %{alt_name}-server-common < %{version}
+
+%description server-common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+
+%package server-dns
+Summary: IPA integrated DNS server with support for automatic DNSSEC signing
+BuildArch: noarch
+Requires: %{name}-server = %{version}-%{release}
+Requires: bind-dyndb-ldap >= 11.2-2
+Requires: bind >= %{bind_version}
+Requires: bind-utils >= %{bind_version}
+# bind-dnssec-utils is required by the OpenDNSSec integration
+# https://pagure.io/freeipa/issue/9026
+Requires: bind-dnssec-utils >= %{bind_version}
+%if %{with bind_pkcs11}
+Requires: bind-pkcs11 >= %{bind_version}
+%else
+Requires: softhsm >= %{softhsm_version}
+Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+%endif
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
+# RHEL 8.3+ and Fedora 32+ have 2.1
+Requires: opendnssec >= 2.1.6-5
+%{?systemd_requires}
+
+Provides: %{alt_name}-server-dns = %{version}
+Conflicts: %{alt_name}-server-dns
+Obsoletes: %{alt_name}-server-dns < %{version}
+
+# upgrade path from monolithic -server to -server + -server-dns
+Obsoletes: %{name}-server <= 4.2.0
+
+%description server-dns
+IPA integrated DNS server with support for automatic DNSSEC signing.
+Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
+
+
+%package server-trust-ad
+Summary: Virtual package to install packages required for Active Directory trusts
+Requires: %{name}-server = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+
+Requires: samba >= %{samba_version}
+Requires: samba-winbind
+Requires: libsss_idmap
+Requires: sssd-winbind-idmap
+%if 0%{?rhel}
+Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
+%endif
+Requires(post): python3
+Requires: python3-samba
+Requires: python3-libsss_nss_idmap
+Requires: python3-sss
+
+# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
+# on the installes where server-trust-ad subpackage is installed because
+# IPA AD trusts cannot be used at the same time with the locator plugin
+# since Winbindd will be configured in a different mode
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
+
+Provides: %{alt_name}-server-trust-ad = %{version}
+Conflicts: %{alt_name}-server-trust-ad
+Obsoletes: %{alt_name}-server-trust-ad < %{version}
+
+%description server-trust-ad
+Cross-realm trusts with Active Directory in IPA require working Samba 4
+installation. This package is provided for convenience to install all required
+dependencies at once.
+
+# ONLY_CLIENT
+%endif
+
+
+%package client
+Summary: IPA authentication for use on clients
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-gssapi >= 1.2.0-5
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-ldap >= %{python_ldap_version}
+Requires: python3-sssdconfig >= %{sssd_version}
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: chrony
+Requires: krb5-workstation >= %{krb5_version}
+Requires: authselect >= 0.4-2
+Requires: curl
+# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
+# All Fedora 28+ and RHEL8+ contain the service in hostname package
+Requires: hostname
+Requires: libcurl >= 7.21.7-2
+%if %{with ipa_join_xml}
+Requires: xmlrpc-c >= 1.27.4
+%else
+Requires: jansson
+%endif
+Requires: sssd-ipa >= %{sssd_version}
+Requires: certmonger >= %{certmonger_version}
+Requires: nss-tools >= %{nss_version}
+Requires: bind-utils
+Requires: oddjob-mkhomedir
+Requires: libsss_autofs
+Requires: autofs
+Requires: libnfsidmap
+Requires: nfs-utils
+Requires: sssd-tools >= %{sssd_version}
+Requires(post): policycoreutils
+
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
+
+Provides: %{alt_name}-client = %{version}
+Conflicts: %{alt_name}-client
+Obsoletes: %{alt_name}-client < %{version}
+
+Provides: %{alt_name}-admintools = %{version}
+Conflicts: %{alt_name}-admintools
+Obsoletes: %{alt_name}-admintools < 4.4.1
+
+Obsoletes: %{name}-admintools < 4.4.1
+Provides: %{name}-admintools = %{version}-%{release}
+
+%if 0%{?rhel} == 8
+# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
+Conflicts: crypto-policies < 20200629-1
+%endif
+
+%if 0%{?rhel} == 9
+# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
+# AD-SUPPORT-LEGACY policy modules
+Conflicts: crypto-policies < 20220223-1
+%endif 
+
+%description client
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+This package provides command-line tools for IPA administrators.
+
+%package client-samba
+Summary: Tools to configure Samba on IPA client
+Group: System Environment/Base
+Requires: %{name}-client = %{version}-%{release}
+Requires: python3-samba
+Requires: samba-client
+Requires: samba-winbind
+Requires: samba-common-tools
+Requires: samba
+Requires: sssd-winbind-idmap
+Requires: tdb-tools
+Requires: cifs-utils
+
+%description client-samba
+This package provides command-line tools to deploy Samba domain member
+on the machine enrolled into a FreeIPA environment
+
+%package client-epn
+Summary: Tools to configure Expiring Password Notification in IPA
+Group: System Environment/Base
+Requires: %{name}-client = %{version}-%{release}
+Requires: systemd-units >= %{systemd_version}
+Requires(post): systemd-units >= %{systemd_version}
+Requires(preun): systemd-units >= %{systemd_version}
+Requires(postun): systemd-units >= %{systemd_version}
+
+%description client-epn
+This package provides a service to collect and send expiring password
+notifications via email (SMTP).
+
+%package -n python3-ipaclient
+Summary: Python libraries used by IPA client
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaclient}
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipalib = %{version}-%{release}
+Requires: python3-augeas
+Requires: augeas-libs >= %{augeas_version}
+Requires: python3-dns >= 1.15
+Requires: python3-jinja2
+
+%description -n python3-ipaclient
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+
+%package client-common
+Summary: Common files used by IPA client
+BuildArch: noarch
+
+Provides: %{alt_name}-client-common = %{version}
+Conflicts: %{alt_name}-client-common
+Obsoletes: %{alt_name}-client-common < %{version}
+# python2-ipa* packages are no longer available in 4.8.
+Obsoletes: python2-ipaclient < 4.8.0-1
+Obsoletes: python2-ipalib < 4.8.0-1
+Obsoletes: python2-ipaserver < 4.8.0-1
+Obsoletes: python2-ipatests < 4.8.0-1
+
+
+%description client-common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+
+
+%package python-compat
+Summary: Compatiblity package for Python libraries used by IPA
+BuildArch: noarch
+Obsoletes: %{name}-python < 4.2.91
+Provides: %{name}-python = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipalib = %{version}-%{release}
+
+Provides: %{alt_name}-python-compat = %{version}
+Conflicts: %{alt_name}-python-compat
+Obsoletes: %{alt_name}-python-compat < %{version}
+
+Obsoletes: %{alt_name}-python < 4.2.91
+Provides: %{alt_name}-python = %{version}
+
+%description python-compat
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+This is a compatibility package to accommodate %{name}-python split into
+python3-ipalib and %{name}-common. Packages still depending on
+%{name}-python should be fixed to depend on python2-ipaclient or
+%{name}-common instead.
+
+
+%package -n python3-ipalib
+Summary: Python3 libraries used by IPA
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipalib}
+Provides: python3-ipapython = %{version}-%{release}
+%{?python_provide:%python_provide python3-ipapython}
+Provides: python3-ipaplatform = %{version}-%{release}
+%{?python_provide:%python_provide python3-ipaplatform}
+Requires: %{name}-common = %{version}-%{release}
+# we need pre-requires since earlier versions may break upgrade
+Requires(pre): python3-ldap >= %{python_ldap_version}
+Requires: gnupg2
+Requires: keyutils
+Requires: python3-cffi
+Requires: python3-cryptography >= 1.6
+Requires: python3-dateutil
+Requires: python3-dbus
+Requires: python3-dns >= 1.15
+Requires: python3-gssapi >= 1.2.0
+Requires: python3-jwcrypto >= 0.4.2
+Requires: python3-libipa_hbac
+Requires: python3-netaddr >= %{python_netaddr_version}
+Requires: python3-netifaces >= 0.10.4
+Requires: python3-pyasn1 >= 0.3.2-2
+Requires: python3-pyasn1-modules >= 0.3.2-2
+Requires: python3-pyusb
+Requires: python3-qrcode-core >= 5.0.0
+Requires: python3-requests
+Requires: python3-six
+Requires: python3-sss-murmur
+Requires: python3-yubico >= 1.3.2-7
+%if 0%{?rhel} && 0%{?rhel} == 8
+Requires: platform-python-setuptools
+%else
+Requires: python3-setuptools
+%endif
+
+%description -n python3-ipalib
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are using IPA with Python 3, you need to install this package.
+
+
+%package common
+Summary: Common files used by IPA
+BuildArch: noarch
+Conflicts: %{name}-python < 4.2.91
+
+Provides: %{alt_name}-common = %{version}
+Conflicts: %{alt_name}-common
+Obsoletes: %{alt_name}-common < %{version}
+
+Conflicts: %{alt_name}-python < %{version}
+
+%if %{with selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not
+# pulled into containers and other systems that do not use SELinux. The
+# policy defines types and file contexts for client and server.
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
+%description common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are using IPA, you need to install this package.
+
+
+%if %{with ipatests}
+
+%package -n python3-ipatests
+Summary: IPA tests and test tools
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipatests}
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-ipaserver = %{version}-%{release}
+Requires: iptables
+Requires: python3-cryptography >= 1.6
+%if 0%{?fedora}
+# These packages do not exist on RHEL and for ipatests use
+# they are installed on the controller through other means
+Requires: ldns-utils
+Requires: python3-pexpect
+# update-crypto-policies
+Requires: crypto-policies-scripts
+Requires: python3-polib
+Requires: python3-pytest >= 3.9.1
+Requires: python3-pytest-multihost >= 0.5
+Requires: python3-pytest-sourceorder
+Requires: sshpass
+%endif
+Requires: python3-sssdconfig >= %{sssd_version}
+Requires: tar
+Requires: xz
+Requires: openssh-clients
+%if 0%{?rhel}
+AutoReqProv: no
+%endif
+
+%description -n python3-ipatests
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+This package contains tests that verify IPA functionality under Python 3.
+
+# with ipatests
+%endif
+
+
+%if %{with selinux}
+# SELinux subpackage
+%package selinux
+Summary:             FreeIPA SELinux policy
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module for FreeIPA
+# with selinux
+%endif
+
+
+%prep
+# Update timestamps on the files touched by a patch, to avoid non-equal
+# .pyc/.pyo files across the multilib peers within a build, where "Level"
+# is the patch prefix option (e.g. -p1)
+# Taken from specfile for sssd and python-simplejson
+UpdateTimestamps() {
+  Level=$1
+  PatchFile=$2
+
+  # Locate the affected files:
+  for f in $(diffstat $Level -l $PatchFile); do
+    # Set the files to have the same timestamp as that of the patch:
+    touch -c -r $PatchFile $f
+  done
+}
+
+%setup -n freeipa-%{version}%{?rc_version} -q
+
+# To allow proper application patches to the stripped po files, strip originals
+pushd po
+for i in *.po ; do
+    msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1
+    mv $i.tmp $i || exit 1
+done
+popd
+
+for p in %patches ; do
+    %__patch -p1 -i $p
+    UpdateTimestamps -p1 $p
+done
+
+%build
+# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
+export PATH=/usr/bin:/usr/sbin:$PATH
+
+export PYTHON=%{__python3}
+autoreconf -ivf
+%configure --with-vendor-suffix=-%{release} \
+           %{enable_server_option} \
+           %{with_ipatests_option} \
+           %{with_ipa_join_xml_option} \
+           %{linter_options}
+
+# run build in default dir
+# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
+%make_build -Onone
+
+
+%check
+make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
+
+
+%install
+# Please put as much logic as possible into make install. It allows:
+# - easier porting to other distributions
+# - rapid devel & install cycle using make install
+#   (instead of full RPM build and installation each time)
+#
+# All files and directories created by spec install should be marked as ghost.
+# (These are typically configuration files created by IPA installer.)
+# All other artifacts should be created by make install.
+
+%make_install
+
+# don't package ipasphinx for now
+rm -rf %{buildroot}%{python3_sitelib}/ipasphinx*
+
+%if %{with ipatests}
+mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
+mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
+mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
+ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
+ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
+ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
+ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
+ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
+ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
+# with_ipatests
+%endif
+
+# remove files which are useful only for make uninstall
+find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
+
+%if 0%{?rhel}
+# RHEL spec file only: START
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
+%endif
+# RHEL spec file only: END
+
+%find_lang %{gettext_domain}
+
+%if ! %{ONLY_CLIENT}
+# Remove .la files from libtool - we don't want to package
+# these files
+rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
+rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
+rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
+rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
+rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
+rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
+rm %{buildroot}/%{plugin_dir}/libipa_dns.la
+rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
+rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
+rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
+rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
+rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
+rm %{buildroot}/%{plugin_dir}/libtopology.la
+rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
+rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
+
+# So we can own our Apache configuration
+mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
+
+mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
+# ONLY_CLIENT
+%endif
+
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
+
+%if ! %{ONLY_CLIENT}
+mkdir -p %{buildroot}%{_sysconfdir}/cron.d
+# ONLY_CLIENT
+%endif
+
+%if ! %{ONLY_CLIENT}
+
+%post server
+# NOTE: systemd specific section
+    /bin/systemctl --system daemon-reload 2>&1 || :
+# END
+if [ $1 -gt 1 ] ; then
+    /bin/systemctl condrestart certmonger.service 2>&1 || :
+fi
+/bin/systemctl reload-or-try-restart dbus
+/bin/systemctl reload-or-try-restart oddjobd
+
+%tmpfiles_create ipa.conf
+
+%posttrans server
+# don't execute upgrade and restart of IPA when server is not installed
+%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
+
+if [  $? -eq 0 ]; then
+    # This is necessary for Fedora system upgrades which by default
+    # work with the network being offline
+    /bin/systemctl start network-online.target
+
+    # Restart IPA processes. This must be also run in postrans so that plugins
+    # and software is in consistent state. This will also perform the
+    # system upgrade.
+    # NOTE: systemd specific section
+
+    /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
+    if [  $? -eq 0 ]; then
+        /bin/systemctl restart ipa.service >/dev/null
+    fi
+
+    /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
+    if [  $? -eq 1 ]; then
+        /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
+    fi
+fi
+# END
+
+
+%preun server
+if [ $1 = 0 ]; then
+# NOTE: systemd specific section
+    /bin/systemctl --quiet stop ipa.service || :
+    /bin/systemctl --quiet disable ipa.service || :
+    /bin/systemctl reload-or-try-restart dbus
+    /bin/systemctl reload-or-try-restart oddjobd
+# END
+fi
+
+
+%pre server
+# Stop ipa_kpasswd if it exists before upgrading so we don't have a
+# zombie process when we're done.
+if [ -e /usr/sbin/ipa_kpasswd ]; then
+# NOTE: systemd specific section
+    /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
+# END
+fi
+
+
+%pre server-common
+# create users and groups
+# create kdcproxy group and user
+getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
+getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy
+# create ipaapi group and user
+getent group ipaapi >/dev/null || groupadd -f -r ipaapi
+getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi
+# add apache to ipaaapi group
+id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
+
+
+%post server-dns
+%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+%preun server-dns
+%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+%postun server-dns
+%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+
+%postun server-trust-ad
+if [ "$1" -ge "1" ]; then
+    if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
+        %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
+    fi
+fi
+
+
+%post server-trust-ad
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+        winbind_krb5_locator.so /dev/null 90
+/bin/systemctl reload-or-try-restart dbus
+/bin/systemctl reload-or-try-restart oddjobd
+
+
+%posttrans server-trust-ad
+%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
+if [  $? -eq 0 ]; then
+# NOTE: systemd specific section
+    /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
+# END
+fi
+
+
+%preun server-trust-ad
+if [ $1 -eq 0 ]; then
+    %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
+    /bin/systemctl reload-or-try-restart dbus
+    /bin/systemctl reload-or-try-restart oddjobd
+fi
+
+# ONLY_CLIENT
+%endif
+
+%preun client-epn
+%systemd_preun ipa-epn.service
+%systemd_preun ipa-epn.timer
+
+%postun client-epn
+%systemd_postun ipa-epn.service
+%systemd_postun ipa-epn.timer
+
+%post client-epn
+%systemd_post ipa-epn.service
+%systemd_post ipa-epn.timer
+
+%post client
+if [ $1 -gt 1 ] ; then
+    # Has the client been configured?
+    restore=0
+    test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+    if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
+        if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
+            echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
+            cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
+            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
+        fi
+    fi
+
+    if [ $restore -ge 2 ]; then
+        if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then
+            sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew
+            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
+            cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
+            cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
+        fi
+
+        %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
+        %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
+        SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
+        if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
+            sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
+        fi
+    fi
+fi
+
+
+%if %{with selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+semodule -d ipa_custodia &> /dev/null || true;
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+    semodule -e ipa_custodia &> /dev/null || true;
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+# with_selinux
+%endif
+
+
+%triggerin client -- openssh-server < 8.2
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+    if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+        sed -r '
+            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
+            sed -ri '
+                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        fi
+
+        mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+        chmod 600 /etc/ssh/sshd_config
+
+        /bin/systemctl condrestart sshd.service 2>&1 || :
+    fi
+fi
+
+
+%triggerin client -- openssh-server >= 8.2
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+    # If the snippet already exists, skip
+    if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
+        # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf
+        grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf
+        # Remove the values from sshd_conf
+        sed -ri '
+            /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d
+        ' /etc/ssh/sshd_config
+
+        /bin/systemctl condrestart sshd.service 2>&1 || :
+    fi
+    # If the snippet has been created, ensure that it is included
+    # either by /etc/ssh/sshd_config.d/*.conf or directly
+    if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
+        if ! grep -E -q  '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
+            if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
+                # Include the snippet
+                echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew
+                cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew
+                mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+            fi
+        fi
+    fi
+fi
+
+
+%if ! %{ONLY_CLIENT}
+
+%files server
+%doc README.md Contributors.txt
+%license COPYING
+%{_sbindir}/ipa-backup
+%{_sbindir}/ipa-restore
+%{_sbindir}/ipa-ca-install
+%{_sbindir}/ipa-kra-install
+%{_sbindir}/ipa-server-install
+%{_sbindir}/ipa-replica-conncheck
+%{_sbindir}/ipa-replica-install
+%{_sbindir}/ipa-replica-manage
+%{_sbindir}/ipa-csreplica-manage
+%{_sbindir}/ipa-server-certinstall
+%{_sbindir}/ipa-server-upgrade
+%{_sbindir}/ipa-ldap-updater
+%{_sbindir}/ipa-otptoken-import
+%{_sbindir}/ipa-compat-manage
+%{_sbindir}/ipa-nis-manage
+%{_sbindir}/ipa-managed-entries
+%{_sbindir}/ipactl
+%{_sbindir}/ipa-advise
+%{_sbindir}/ipa-cacert-manage
+%{_sbindir}/ipa-winsync-migrate
+%{_sbindir}/ipa-pkinit-manage
+%{_sbindir}/ipa-crlgen-manage
+%{_sbindir}/ipa-cert-fix
+%{_sbindir}/ipa-acme-manage
+%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
+%{_libexecdir}/certmonger/ipa-server-guard
+%dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-ccache-sweeper
+%{_libexecdir}/ipa/ipa-custodia
+%{_libexecdir}/ipa/ipa-custodia-check
+%{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%{_libexecdir}/ipa/ipa-httpd-pwdreader
+%{_libexecdir}/ipa/ipa-pki-retrieve-key
+%{_libexecdir}/ipa/ipa-pki-wait-running
+%{_libexecdir}/ipa/ipa-otpd
+%{_libexecdir}/ipa/ipa-print-pac
+%{_libexecdir}/ipa/ipa-subids
+%dir %{_libexecdir}/ipa/custodia
+%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
+%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
+%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
+%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
+%dir %{_libexecdir}/ipa/oddjob
+%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
+%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
+%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
+%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
+%dir %{_libexecdir}/ipa/certmonger
+%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
+# NOTE: systemd specific section
+%attr(644,root,root) %{_unitdir}/ipa.service
+%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
+%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
+%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service
+%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer
+# END
+%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
+%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
+%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
+%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
+%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
+%attr(755,root,root) %{plugin_dir}/libipa_dns.so
+%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
+%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
+%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
+%attr(755,root,root) %{plugin_dir}/libtopology.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
+%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
+%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
+%{_mandir}/man1/ipa-replica-conncheck.1*
+%{_mandir}/man1/ipa-replica-install.1*
+%{_mandir}/man1/ipa-replica-manage.1*
+%{_mandir}/man1/ipa-csreplica-manage.1*
+%{_mandir}/man1/ipa-server-certinstall.1*
+%{_mandir}/man1/ipa-server-install.1*
+%{_mandir}/man1/ipa-server-upgrade.1*
+%{_mandir}/man1/ipa-ca-install.1*
+%{_mandir}/man1/ipa-kra-install.1*
+%{_mandir}/man1/ipa-compat-manage.1*
+%{_mandir}/man1/ipa-nis-manage.1*
+%{_mandir}/man1/ipa-managed-entries.1*
+%{_mandir}/man1/ipa-ldap-updater.1*
+%{_mandir}/man8/ipactl.8*
+%{_mandir}/man1/ipa-backup.1*
+%{_mandir}/man1/ipa-restore.1*
+%{_mandir}/man1/ipa-advise.1*
+%{_mandir}/man1/ipa-otptoken-import.1*
+%{_mandir}/man1/ipa-cacert-manage.1*
+%{_mandir}/man1/ipa-winsync-migrate.1*
+%{_mandir}/man1/ipa-pkinit-manage.1*
+%{_mandir}/man1/ipa-crlgen-manage.1*
+%{_mandir}/man1/ipa-cert-fix.1*
+%{_mandir}/man1/ipa-acme-manage.1*
+
+
+%files -n python3-ipaserver
+%doc README.md Contributors.txt
+%license COPYING
+%{python3_sitelib}/ipaserver
+%{python3_sitelib}/ipaserver-*.egg-info
+
+
+%files server-common
+%doc README.md Contributors.txt
+%license COPYING
+%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
+%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
+# NOTE: systemd specific section
+%{_tmpfilesdir}/ipa.conf
+%attr(644,root,root) %{_unitdir}/ipa-custodia.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
+# END
+%{_usr}/share/ipa/wsgi.py*
+%{_usr}/share/ipa/kdcproxy.wsgi
+%{_usr}/share/ipa/ipaca*.ini
+%{_usr}/share/ipa/*.ldif
+%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif
+%{_usr}/share/ipa/*.uldif
+%{_usr}/share/ipa/*.template
+%dir %{_usr}/share/ipa/advise
+%dir %{_usr}/share/ipa/advise/legacy
+%{_usr}/share/ipa/advise/legacy/*.template
+%dir %{_usr}/share/ipa/profiles
+%{_usr}/share/ipa/profiles/README
+%{_usr}/share/ipa/profiles/*.cfg
+%dir %{_usr}/share/ipa/html
+%{_usr}/share/ipa/html/ssbrowser.html
+%{_usr}/share/ipa/html/unauthorized.html
+%dir %{_usr}/share/ipa/migration
+%{_usr}/share/ipa/migration/index.html
+%{_usr}/share/ipa/migration/migration.py*
+%dir %{_usr}/share/ipa/ui
+%{_usr}/share/ipa/ui/index.html
+%{_usr}/share/ipa/ui/reset_password.html
+%{_usr}/share/ipa/ui/sync_otp.html
+%{_usr}/share/ipa/ui/*.ico
+%{_usr}/share/ipa/ui/*.css
+%dir %{_usr}/share/ipa/ui/css
+%{_usr}/share/ipa/ui/css/*.css
+%dir %{_usr}/share/ipa/ui/js
+%dir %{_usr}/share/ipa/ui/js/dojo
+%{_usr}/share/ipa/ui/js/dojo/dojo.js
+%dir %{_usr}/share/ipa/ui/js/libs
+%{_usr}/share/ipa/ui/js/libs/*.js
+%dir %{_usr}/share/ipa/ui/js/freeipa
+%{_usr}/share/ipa/ui/js/freeipa/app.js
+%{_usr}/share/ipa/ui/js/freeipa/core.js
+%dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/images
+%if 0%{?rhel}
+%{_usr}/share/ipa/ui/images/facet-*.png
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+%else
+%{_usr}/share/ipa/ui/images/*.jpg
+%{_usr}/share/ipa/ui/images/*.png
+%endif
+%dir %{_usr}/share/ipa/wsgi
+%{_usr}/share/ipa/wsgi/plugins.py*
+%dir %{_sysconfdir}/ipa
+%dir %{_sysconfdir}/ipa/html
+%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
+%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
+%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
+%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
+%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
+%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
+%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
+%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
+%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf
+%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
+%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
+%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con
+%dir %{_usr}/share/ipa/updates/
+%{_usr}/share/ipa/updates/*
+%dir %{_localstatedir}/lib/ipa
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
+%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
+%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
+%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
+%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa
+%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
+%dir %{_usr}/share/ipa/schema.d
+%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
+%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login
+%{_usr}/share/ipa/ipakrb5.aug
+
+%files server-dns
+%doc README.md Contributors.txt
+%license COPYING
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
+%{_libexecdir}/ipa/ipa-dnskeysyncd
+%{_libexecdir}/ipa/ipa-dnskeysync-replica
+%{_libexecdir}/ipa/ipa-ods-exporter
+%{_sbindir}/ipa-dns-install
+%{_mandir}/man1/ipa-dns-install.1*
+%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
+%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
+%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+
+%files server-trust-ad
+%doc README.md Contributors.txt
+%license COPYING
+%{_sbindir}/ipa-adtrust-install
+%{_usr}/share/ipa/smb.conf.empty
+%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
+%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
+%{_datadir}/ipa/ipa-cldap-conf.ldif
+%{_mandir}/man1/ipa-adtrust-install.1*
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
+%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
+%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
+
+# ONLY_CLIENT
+%endif
+
+
+%files client
+%doc README.md Contributors.txt
+%license COPYING
+%{_sbindir}/ipa-client-install
+%{_sbindir}/ipa-client-automount
+%{_sbindir}/ipa-certupdate
+%{_sbindir}/ipa-getkeytab
+%{_sbindir}/ipa-rmkeytab
+%{_sbindir}/ipa-join
+%{_bindir}/ipa
+%config %{_sysconfdir}/bash_completion.d
+%config %{_sysconfdir}/sysconfig/certmonger
+%{_mandir}/man1/ipa.1*
+%{_mandir}/man1/ipa-getkeytab.1*
+%{_mandir}/man1/ipa-rmkeytab.1*
+%{_mandir}/man1/ipa-client-install.1*
+%{_mandir}/man1/ipa-client-automount.1*
+%{_mandir}/man1/ipa-certupdate.1*
+%{_mandir}/man1/ipa-join.1*
+%dir %{_libexecdir}/ipa/acme
+%{_libexecdir}/ipa/acme/certbot-dns-ipa
+
+%files client-samba
+%doc README.md Contributors.txt
+%license COPYING
+%{_sbindir}/ipa-client-samba
+%{_mandir}/man1/ipa-client-samba.1*
+
+
+%files client-epn
+%doc README.md Contributors.txt
+%dir %{_sysconfdir}/ipa/epn
+%license COPYING
+%{_sbindir}/ipa-epn
+%{_mandir}/man1/ipa-epn.1*
+%{_mandir}/man5/epn.conf.5*
+%attr(644,root,root) %{_unitdir}/ipa-epn.service
+%attr(644,root,root) %{_unitdir}/ipa-epn.timer
+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
+
+%files -n python3-ipaclient
+%doc README.md Contributors.txt
+%license COPYING
+%dir %{python3_sitelib}/ipaclient
+%{python3_sitelib}/ipaclient/*.py
+%{python3_sitelib}/ipaclient/__pycache__/*.py*
+%dir %{python3_sitelib}/ipaclient/install
+%{python3_sitelib}/ipaclient/install/*.py
+%{python3_sitelib}/ipaclient/install/__pycache__/*.py*
+%dir %{python3_sitelib}/ipaclient/plugins
+%{python3_sitelib}/ipaclient/plugins/*.py
+%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
+%dir %{python3_sitelib}/ipaclient/remote_plugins
+%{python3_sitelib}/ipaclient/remote_plugins/*.py
+%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
+%dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
+%{python3_sitelib}/ipaclient-*.egg-info
+
+
+%files client-common
+%doc README.md Contributors.txt
+%license COPYING
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
+%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf
+%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
+# old dbm format
+%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
+%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
+%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
+# new sql format
+%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
+%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
+%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
+%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
+%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
+%dir %{_localstatedir}/lib/ipa-client
+%dir %{_localstatedir}/lib/ipa-client/pki
+%dir %{_localstatedir}/lib/ipa-client/sysrestore
+%{_mandir}/man5/default.conf.5*
+%dir %{_usr}/share/ipa/client
+%{_usr}/share/ipa/client/*.template
+
+
+%files python-compat
+%doc README.md Contributors.txt
+%license COPYING
+
+
+%files common -f %{gettext_domain}.lang
+%doc README.md Contributors.txt
+%license COPYING
+%dir %{_usr}/share/ipa
+%dir %{_libexecdir}/ipa
+
+%files -n python3-ipalib
+%doc README.md Contributors.txt
+%license COPYING
+
+%{python3_sitelib}/ipapython/
+%{python3_sitelib}/ipalib/
+%{python3_sitelib}/ipaplatform/
+%{python3_sitelib}/ipapython-*.egg-info
+%{python3_sitelib}/ipalib-*.egg-info
+%{python3_sitelib}/ipaplatform-*.egg-info
+
+
+%if %{with ipatests}
+
+
+%files -n python3-ipatests
+%doc README.md Contributors.txt
+%license COPYING
+%{python3_sitelib}/ipatests
+%{python3_sitelib}/ipatests-*.egg-info
+%{_bindir}/ipa-run-tests-3
+%{_bindir}/ipa-test-config-3
+%{_bindir}/ipa-test-task-3
+%{_bindir}/ipa-run-tests-%{python3_version}
+%{_bindir}/ipa-test-config-%{python3_version}
+%{_bindir}/ipa-test-task-%{python3_version}
+%{_bindir}/ipa-run-tests
+%{_bindir}/ipa-test-config
+%{_bindir}/ipa-test-task
+%{_mandir}/man1/ipa-run-tests.1*
+%{_mandir}/man1/ipa-test-config.1*
+%{_mandir}/man1/ipa-test-task.1*
+
+# with ipatests
+%endif
+
+
+%if %{with selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+# with selinux
+%endif
+
+%changelog
+* Mon Mar 21 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-7
+- Resolves: rhbz#2057471 Consequences of FIPS crypto policy tightening in RHEL 9
+  - KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
+  - tests: ensure AD-SUPPORT subpolicy is active
+  - ipatests: extend AES keyset to SHA2-based ones
+  - freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
+  - Kerberos instance: default to AES256-SHA2 for master key encryption
+  - test_otp: do not use paramiko unless it is really needed
+  - test_krbtpolicy: skip SPAKE-related tests in FIPS mode
+  - Support AES for KRA archival wrapping
+  - Set AES as default for KRA archival wrapping
+
+* Thu Feb 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-6
+- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests
+  - ipatests: Tests for Autoprivate group.
+  - mark xfail for test_idoverride_with_auto_private_group[hybrid]
+  - Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid]
+
+* Mon Feb 14 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-5
+- Resolves: rhbz#2053025
+  - add IPA test suite fixes
+
+* Mon Feb 14 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-4
+- Resolves: rhbz#2053586 IPA LDAP plugin ipa-cldap memory leak
+  - fix memory leak in CLDAP responder
+
+* Fri Feb 11 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-3
+- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
+  - Don't always override the port in import_included_profiles
+- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation
+  - Test ipa-ccache-sweep.timer enabled by default during installation
+  - Enable the ccache sweep timer during installation
+- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output
+  - Remove ipa-join errors from behind the debug option
+
+* Thu Feb 03 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-2
+- Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed'
+  - Config plugin: return EmptyModlist when no change is applied
+  - config plugin: add a test ensuring EmptyModlist is returned
+- Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests
+  - ipatests: webui: Tests for subordinate ids.
+  - ipatests: webui: Use safe-loader for loading YAML configuration file
+  - ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
+  - Test cases for ipa-replica-conncheck command
+  - PEP8 Fixes
+  - ipatests: Test empty cert request doesn't force certmonger to segfault
+  - ipatests: Test default value of nsslapd-sizelimit.
+  - Extend test to see if replica is not shown when running `ipa-replica-manage list -v <FQDN>`
+  - Added test automation for SHA384withRSA CSR support
+- Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened
+  - ipa-kdb: do not remove keys for hardened auth-enabled users
+  - ipatests: add case for hardened-only ticket policy
+- Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy
+  - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
+
+* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-1
+- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
+- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
+- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade
+- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump
+- Resolves: rhbz#1986054 - fix automountlocation-tofiles output
+- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec
+- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
+  - ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
+  - ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
+
+* Tue Oct 5 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-9
+- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance'
+  - Parse getStatus as JSON not XML
+  - Parse cert chain as JSON not XML
+  - Specify PKI installation log paths
+  - Make Dogtag return XML for ipa cert-find
+
+* Fri Sep 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-8
+- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding
+ - Don't store entries with a usercertificate in the LDAP cache
+ - ipatests: Test that a user can be issued multiple certificates
+
+* Fri Sep 10 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-7
+- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
+  - selinux policy: allow custodia to access /proc/cpuinfo
+- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
+  - extdom: return LDAP_NO_SUCH_OBJECT if domains differ
+- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID.
+  - subid: subid-match: display the owner's ID not DN
+- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled
+  - migrate-ds: workaround to detect compat tree
+
+* Thu Aug 26 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-6
+- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests
+  - ipatests: Test unsecure nsupdate.
+  - ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser
+  - ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files
+  - ipatests: test to renew certs on replica using ipa-cert-fix
+  - ipatests: wait while http/ldap/pkinit cert get renew on replica
+  - ipatests: refactor test_ipa_cert_fix with tasks
+  - ipatests: use whole date for journalctl --since
+* Tue Aug 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-5
+- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided 
+  - ipa-getkeytab: add option to discover servers using DNS SRV
+  - ipa-getkeytab: fix compiler warnings
+  - ipatests: test ipa-getkeytab server option
+- Resolves: rhbz#1986329 ipa-server install failure without DNS
+  - Fix ldapupdate.get_sub_dict() for missing named user
+- Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg
+  - freeipa.spec.in: remove python3-pexpect from Requires
+- Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests
+  - ipatests: use whole date when calling journalctl --since
+  - ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
+  - ipatests: test_ipahealthcheck: print a message if a system is healthy
+  - ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency
+  - webui tests: close notification when revoking cert
+  - ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg
+  - webui tests: fix algo for finding available idrange
+  - ipatests: smbclient "-k" => "--use-kerberos=desired"
+  - test_acme: refactor with tasks
+  - test_acme: make password renewal more robust
+  - tasks.py: fix flake8-reported issues
+  - ipatests: Test for OTP when the LDAP connection timed out.
+  - ipatests: verify that getcert output includes the issued date
+  - ipatests: Look for warning into stderr instead of stdout
+  - ipatests: use krb5_trace in TestIpaAdTrustInstall
+  - ipatests: Test ldapsearch with base scope works with compat tree.
+  - ipatests: skip test_basesearch_compat_tree on fedora.
+  - ipatests: Refactor test_check_otpd_after_idle_timeout
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.6-4.1
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Jul 23 2021 Rob Crittenden <rcritten@redhat.com> - 4.9.6-4
+- Use new method in check to prevent removal of last KRA (#1985072)
+- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952)
+- Fix index definition for memberOf (#1952028)
+
+* Thu Jul 15 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-3
+- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
+- Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota"
+- Resolves: rhbz#1952028 [RFE] Add support for managing subuids and subgids in FreeIPA
+- Resolves: rhbz#1981789 [man page] contradiction in ipa-server-upgrade command's man page and usage
+
+* Fri Jul 9 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-2
+- Resolves: rhbz#1955440 ipa installation fails to configure chrony
+- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage
+- Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add
+- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
+
+* Wed Jun 30 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-1
+- Resolves: rhbz#1969351 Rebase IPA to latest 4.9.x version
+- Resolves: rhbz#1976288 ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache
+- Resolves: rhbz#1975139 Upgrade error: Add failure missing required attribute "objectclass"
+- Resolves: rhbz#1973024 CA_less ipa-server-install fails if CA cert subject contains non ascii chars
+- Resolves: rhbz#1966101 [RFE] - IDM - Allow specifying permanent logging settings for BIND
+- Resolves: rhbz#1962570 IPA in c9s should not require redhat-logos-ipa as a runtime package 
+- Resolves: rhbz#1957736 [RFE] IPA to allow configuring auto-private-groups at idrange level 
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.3-2.1
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Tue Apr 20 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.3-2
+- RHEL 9 Beta mass rebuild. Resolves: rhbz#1951304
+
+* Wed Mar 31 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.3-1
+- Upstream release FreeIPA 4.9.3
+
+* Fri Feb 26 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-4
+- Rebuild against 389-ds and PKI to fix https://github.com/389ds/389-ds-base/issues/4609
+
+* Tue Feb 23 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-3
+- Only use python-platform on RHEL 8
+
+* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-2
+- Fix ipatests dependency to python3-pexpect
+
+* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
+- Upstream release FreeIPA 4.9.2
+
+* Wed Jan 27 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.1-1
+- Upstream release FreeIPA 4.9.1
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.0-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 20 2021 Rob Crittenden <rcritten@redhat.com> - 4.9.0-2
+- Set client keytab location for 389ds (RHBZ#1918075)
+
+* Wed Dec 23 17:05:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-1
+- FreeIPA 4.9.0 final release
+
+* Wed Dec 16 07:52:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.6.rc3
+- Refactor DNSSEC paths creation code (upstream PR#5340)
+
+* Thu Dec 10 20:06:03 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.5.rc3
+- FreeIPA 4.9.0 release candidate 3
+- Enforce C.UTF-8 locale in systemd service units
+- Fold up fixes from Rawhide and RHEL 8.4 testing
+
+* Wed Dec  9 20:06:03 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.4.rc2
+- Fix upgrade script for CA rule rewrites
+- Fix permissions for /run/ipa/ccaches
+
+* Fri Dec  4 22:17:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.3.rc2
+- Correct SELinux policy requirements
+
+* Fri Dec  4 13:41:28 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.2.rc2
+- FreeIPA 4.9.0 release candidate 2
+
+* Thu Nov 19 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.1.rc1
+- Use correct bind PKCS11 engine dependencies
+- Fix SELinux build requirement
+- Fix linting requirements
+
+* Wed Nov 18 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.rc1
+- FreeIPA 4.9.0 release candidate 1
+- Synchronize spec file with upstream and RHEL
+
+* Wed Oct 28 2020 Adam Williamson <awilliam@redhat.com> - 4.8.10-7
+- Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+
+
+* Tue Oct 13 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-6
+- Handle sshd_config upgrade properly
+  Fixes: rhbz#1887928
+
+* Tue Sep 29 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-5
+- Properly handle upgrade case when systemd-resolved is enabled
+
+* Mon Sep 28 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-4
+- Fix permissions for /etc/systemd/resolved.conf.d/zzz-ipa.conf
+- Add NetworkManager and systemd-resolved configuration files to backup
+
+* Sun Sep 27 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-3
+- Fix dependency between freeipa-selinux and freeipa-common
+- Resolves: rhbz#1883005
+
+* Sat Sep 26 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-2
+- Support upgrade F32 -> F33 with systemd-resolved
+
+* Sat Sep 26 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-1
+- Upstream release FreeIPA 4.8.10
+
+* Fri Aug 21 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.9-2
+- Backport fix for detecting older installations on upgrade
+
+* Thu Aug 20 2020 François Cami <fcami@redhat.com> - 4.8.9-1
+- Upstream release FreeIPA 4.8.9
+
+* Mon Aug 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-5
+- Make use of unshare+chroot in ipa-extdom-extop unittests to work against glibc 2.32
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.7-4
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jul 30 2020 Merlin Mathesius <mmathesi@redhat.com> - 4.8.7-3
+- Conditional fixes for ELN to set krb5-kdb version appropriately
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jun 10 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-1
+- Upstream release FreeIPA 4.8.7
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 4.8.6-2
+- Rebuilt for Python 3.9
+
+* Fri Mar 27 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.6-1
+- Upstream release FreeIPA 4.8.6
+
+* Sat Mar 21 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.5-2
+- Roll up post-release fixes from upstream
+- Move freeipa-selinux to be a dependency of freeipa-common
+
+* Wed Mar 18 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.5-1
+- Upstream release FreeIPA 4.8.5
+- Depend on selinux-policy-devel 3.14.6-9 for build due to a makefile issue in
+  SELinux external policy support
+
+* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-8
+- Support opendnssec 2.1
+- Resolves: #1809492
+
+* Mon Feb 17 2020 François Cami <fcami@redhat.com> - 4.8.4-7
+- Fix audit_as_req() callback usage
+- Resolves: #1803786
+
+* Sat Feb 01 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-6
+- Fix constraint delegation for krb5 1.18 update
+- Resolves: #1797096
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 28 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-4
+- Rebuild against krb5 1.18 beta
+
+* Sun Jan 26 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-3
+- Rebuild against Samba 4.12RC1
+
+* Mon Dec 16 2019 Adam Williamson <awilliam@redhat.com> - 4.8.4-2
+- Backport PR #4045 to fix overlapping DNS zone check bugs
+
+* Sat Dec 14 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-1
+- New upstream release 4.8.4
+
+* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1
+- New upstream release 4.8.3
+- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
+- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
+
+* Tue Nov 12 2019 Rob Crittenden <rcritten@redhat.com> - 4.8.2-1
+- New upstream release 4.8.2
+- Replace %%{_libdir} macro in BuildRequires (#1746882)
+- Restore user-nsswitch.conf before calling authselect (#1746557)
+- ipa service-find does not list cifs service created by
+  ipa-client-samba (#1731433)
+- Occasional 'whoami.data is undefined' error in FreeIPA web UI
+  (#1699109)
+- ipa-kra-install fails due to fs.protected_regular=1 (#1698384)
+
+* Sun Oct 20 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-5
+- Don't create log files from helper scripts
+- Fixes: rhbz#1754189
+
+* Tue Oct 08 2019 Christian Heimes <cheimes@redhat.com> - 4.8.1-4
+- Fix compatibility issue with preexec_fn in Python 3.8
+- Fixes: rhbz#1759290
+
+* Tue Oct  1 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-3
+- Fix ipasam for compatibility with Samba 4.11
+- Fixes: rhbz#1757089
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 4.8.1-2
+- Rebuilt for Python 3.8
+
+* Wed Aug 14 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-1
+- New upstream release 4.8.1
+- Fixes: rhbz#1732528
+- Fixes: rhbz#1732524
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Jul 03 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-1
+- New upstream release 4.8.0
+- New subpackage: freeipa-client-samba
+
+* Sat May 11 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-6
+- Upgrade: handle situation when trusts were configured but not established yet
+  Fixed: rhbz#1708808
+
+* Fri May  3 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-5
+- Add krb5-kdb-server dependency provided by krb5-server >= 1.17-17
+
+* Fri May  3 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-4
+- Rebuild to drop upper limit for Kerberos package
+  After krb5-server will provide krb5-kdb-version, we'll switch to it
+
+* Wed May  1 2019 Adam Williamson <awilliam@redhat.com> - 4.7.90.pre1-3
+- Backport PR #3104 to fix a font path error
+
+* Wed May  1 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-2
+- Revert MINSSF defaults because realmd cannot join FreeIPA right now
+  as it uses anonymous LDAP connection for the discovery and validation
+
+* Mon Apr 29 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-1
+- First release candidate for FreeIPA 4.8.0
+
+* Sat Apr 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-8
+- Fixed: rhbz#1696963 (Failed to install replica)
+  
+* Sat Apr 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-7
+- Support Samba 4.10
+- Support 389-ds 1.4.1.2-2.fc30 or later
+
+* Thu Feb 28 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-6
+- Support new nfs-utils behavior (#1668836)
+- ipa-client-automount now works without /etc/sysconfig/nfs
+
+* Tue Feb 19 2019 François Cami <fcami@redhat.com> - 4.7.2-5
+- Fix FTBS due to Samba having removed talloc_strackframe.h
+  and memory.h (#1678670)
+- Fix CA setup when fs.protected_regular=1 (#1677027)
+
+* Mon Feb 11 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-4
+- Disable python dependency generator in Rawhide as not all required packages support it yet
+- Require python-kdcproxy 0.4.1 or later on Rawhide
+
+* Fri Feb 8 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-3
+- Fix compile issues after a mass rebuild using upstream patches
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Dec 03 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-1
+- Upstream release FreeIPA 4.7.2
+
+* Wed Nov 28 2018 Adam Williamson <awilliam@redhat.com> - 4.7.1-4
+- Update PR #2610 patch to tiran's modified version
+
+* Tue Nov 27 2018 Adam Williamson <awilliam@redhat.com> - 4.7.1-3
+- Backport PR #2610 to fix for authselect 1.0.2+ (see #1645708)
+
+* Sun Nov 11 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.1-2
+- Rebuild for krb5-1.17 (#1648673)
+- Bump required SSSD version to 2.0.0-4 to get back pysss.getgrouplist() API
+
+* Fri Oct  5 2018 Rob Crittenden <rcritten@redhat.com> - 4.7.1-1
+- Update to upstream 4.7.1
+
+* Tue Sep 25 2018 Christian Heimes <cheimes@redhat.com> - 4.7.0-5
+- Remove Python 2 support from Fedora 30
+- https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
+
+* Tue Sep  4 2018 Thomas Woerner <twoerner@redhat.com> - 4.7.0-4
+- Enable python2 client packages for f30 for now again
+
+* Tue Sep  4 2018 Thomas Woerner <twoerner@redhat.com> - 4.7.0-3
+- Force generation of aclocal.m4 and configuration scripts
+- Fix only client build for Fedora>=28 and RHEL>7
+- Bring back special patch handling for Fedora
+
+* Mon Sep  3 2018 Thomas Woerner <twoerner@redhat.com> - 4.7.0-2
+- Restore SELinux context of session_dir /etc/httpd/alias (pagure#7662)
+- Restore SELinux context of template_dir /var/log/dirsrv/slapd-X (pagure#7662)
+- Add "389-ds-base-legacy-tools" to requires
+- Refactor os-release and platform information (#1609475)
+- Don't check for systemd service (#1609475)
+- Switched to upstream spec file with small adaptions
+
+* Thu Jul 26 2018 Thomas Woerner <twoerner@redhat.com> - 4.7.0-1
+- Update to upstream 4.7.0
+- New BuildRequires for nodejs and uglify-js
+- New Requires for 389-ds-base-legacy-tools in server (RHBZ#1606541)
+- Do not build python2-ipaserver and python2-ipatests for Fedora 29 and up
+- Do not build any python2 packages for Fedora 30
+- Added ipatest man pages to python3-ipatests packages also
+- Added ipatest bindir links to python3-ipatests for Fedora up to 28
+- Dropped explicit copy of freeipa.template, install is doing this now
+- Added upstream fix: (f3faecb) Fix $-style format string in ipa_ldap_init
+- Added upstream fix: (4b592fe,1a7baa2) Added reason to raise of errors.NotFound
+
+* Mon Jul 16 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre2-11
+- Use version-aware macros for Python
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.90.pre2-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 4.6.90.pre2-9
+- Rebuilt for Python 3.7
+
+* Wed Jun 27 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-8
+- Build UI using py3-lesscpy
+
+* Tue Jun 19 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-7
+- *-domainname.service moved to the hostname package in F29 (#1592355)
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 4.6.90.pre2-6
+- Rebuilt for Python 3.7
+
+* Fri Jun 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-5
+- Change BuildRequires from python-lesscpy to python3-lesscpy
+
+* Fri Jun 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-4.1
+- Rename service fedora-domainname.service to nis-domainname.service
+  (#1588192)
+- Fix bad date in changelog
+
+* Wed May 16 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre2-3
+- Fine tune packaging of server templates so that it doesn't include
+  freeipa.template which always go to freeipa-client-common
+
+* Tue May 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-2
+- Exclude /usr/share from client-only builds
+
+* Tue May 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-1
+- Update to upstream 4.6.90.pre2
+
+* Wed May 02 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-7
+- Fix upgrade when named.conf does not exist
+- Resolves rhbz#1573671
+- Requires newer slapi-nis to avoid hitting rhbz#1573636
+
+* Wed Mar 21 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-6.1
+- Change upgrade code to use DIR-based ccache and no kinit (#1558818)
+- Require pki-symkey until pki-core has proper dependencies
+
+* Wed Mar 21 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-6
+- Change upgrade code to use DIR-based ccache and no kinit (#1558818)
+
+* Tue Mar 20 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-5
+- Apply upstream fix for #1558354
+- Run upgrade under file-based ccache (#1558818)
+- Fix OTP token issuance due to regression in https://pagure.io/389-ds-base/issue/49617
+
+* Tue Mar 20 2018 Adam Williamson <awilliam@redhat.com> - 4.6.90.pre1-4
+- Fix upgrades harder (extension of -3 patch) (#1558354)
+
+* Tue Mar 20 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-3
+- Fix upgrade from F27 to F28 (#1558354)
+
+* Mon Mar 19 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre1-2
+- Patch to fix GUI login for non-admin users (#1557609)
+
+* Fri Mar 16 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre1-1
+- Update to upstream 4.6.90.pre1
+
+* Tue Feb 20 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-5
+- Disable i686 server builds because 389-ds no longer provides
+  builds on that arch. (#1544386)
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.6.3-4
+- Escape macros in %%changelog
+
+* Thu Feb  8 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-3
+- Don't fail on upgrades if KRA is not installed
+- Remove Conflicts between mod_wsgi and python3-mod_wsgi
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jan 31 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-1
+- Update to upstream 4.6.3
+
+* Wed Jan 03 2018 Lumír Balhar <lbalhar@redhat.com> - 4.6.1-5
+- Fix directory ownership in python3 subpackage
+
+* Tue Oct 17 2017 Rob Crittenden <rcritten@redhat.com> - 4.6.1-4
+- Update workaround patch to prevent SELinux execmem AVC (#1491508)
+
+* Mon Oct 16 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.1-3
+- Another attempt at fix for bug #1491053
+
+* Fri Oct 06 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.1-2
+- Rebuild against krb5-1.16
+
+* Fri Sep 22 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.1-1
+- Fixes #1491053  Firefox reports insecure TLS configuration when visiting
+  FreeIPA web UI after standard server deployment
+
+* Wed Sep 13 2017 Adam Williamson <awilliam@redhat.com> - 4.6.0-3
+- Fixes #1490762 Ipa-server-install update dse.ldif with wrong SELinux context
+- Fixes #1491056 FreeIPA enrolment via kickstart fails
+
+* Wed Sep 06 2017 Adam Williamson <awilliam@redhat.com> - 4.6.0-2
+- Fixes #1488640 "unknown command 'undefined'" error when changing password in web UI
+- BuildRequires diffstat (for the use in patch application)
+
+* Mon Sep 04 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.0-1
+- Rebase to upstream 4.6.0
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul 21 2017 Tomas Krizek <tkrizek@redhat.com> - 4.5.3-1
+- Update to upstream 4.5.3 - see https://www.freeipa.org/page/Releases/4.5.3
+
+* Thu Jul 13 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.5.2-4
+- Make sure tmpfiles.d snippet for replica is in place after install
+
+* Mon Jul 10 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.5.2-3
+- Fix build with Samba 4.7.0-RC1
+- Increase java stack for rhino calls to get around crashes on ppc64-le
+
+* Tue Jun 20 2017 Tomas Krizek <tkrizek@redhat.com> - 4.5.2-2
+- Patch: Fix IP address checks
+- Patch: python-netifaces fix
+
+* Sun Jun 18 2017 Tomas Krizek <tkrizek@redhat.com> - 4.5.2-1
+- Update to upstream 4.5.2 - see https://www.freeipa.org/page/Releases/4.5.2
+
+* Thu May 25 2017 Tomas Krizek <tkrizek@redhat.com> - 4.5.1-1
+- Update to upstream 4.5.1 - see https://www.freeipa.org/page/Releases/4.5.1
+- Fixes #1168266 UI drops "Enknown Error" when the ipa record in /etc/hosts changes
+
+* Tue May 23 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.4-2
+- Fixes #1448049 Subpackage freeipa-server-common has unmet dependencies on Rawhide
+- Fixes #1430247 FreeIPA server deployment runs ipa-custodia on Python 3, should use Python 2
+- Fixes #1446744 python2-ipaclient subpackage does not own %%{python_sitelib}/ipaclient/plugins
+- Fixes #1440525 surplus 'the' in output of `ipa-adtrust-install`
+- Fixes #1411810 ipa-replica-install fails with 406 Client Error
+- Fixes #1405814 ipa plugins: ERROR an internal error occured
+
+* Fri Mar 24 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.4-1
+- Update to upstream 4.4.4 - see https://www.freeipa.org/page/Releases/4.4.4
+- Add upstream signature file for tarball
+
+* Wed Mar  1 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.3-8
+- Use different method to keep /usr/bin/ipa on Python 2
+- Fixes #1426847
+
+* Mon Feb 27 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.3-7
+- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for
+  ca-del, ca-disable and ca-enable commands
+
+* Mon Feb 27 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.3-6
+- Rebuild to pick up system-python dependency change
+- Fixes #1426847 - Cannot upgrade freeipa-client on rawhide
+
+* Wed Feb 15 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.3-5
+- Fixes #1403352 - bind-dyndb-ldap: support new named.conf API in BIND 9.11
+- Fixes #1412739 - ipa-kdb: support DAL version 6.1
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Sat Jan 21 2017 Igor Gnatenko <ignatenko@redhat.com> - 4.4.3-3
+- Rebuild for xmlrpc-c
+
+* Thu Dec 22 2016 Miro Hrončok <mhroncok@redhat.com> - 4.4.3-2
+- Rebuild for Python 3.6
+
+* Fri Dec 16 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.3-1
+- Update to upstream 4.4.3 - see http://www.freeipa.org/page/Releases/4.4.3
+
+* Wed Dec 14 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.2-4
+- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
+- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
+  by abusing password policy
+
+* Tue Nov 29 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-3
+- Fixes 1389866  krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV
+
+* Fri Oct 21 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-2
+- Rebuild against krb5-1.15
+
+* Thu Oct 13 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-1
+- Update to upstream 4.4.2 - see http://www.freeipa.org/page/Releases/4.4.2
+
+* Thu Sep 01 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.1-1
+- Update to upstream 4.4.1 - see http://www.freeipa.org/page/Releases/4.4.1
+
+* Fri Aug 19 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.2-2
+- Fixes 1365669 - The ipa-server-upgrade command failed when named-pkcs11 does
+  not happen to run during dnf upgrade
+- Fixes 1367883 - CVE-2016-5404 freeipa: ipa: Insufficient privileges check
+  in certificate revocation
+- Fixes 1364338 - Freeipa cannot be build on fedora 25
+
+* Fri Jul 22 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.2-1
+- Update to upstream 4.3.2 - see http://www.freeipa.org/page/Releases/4.3.2
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.3.1-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Mar 24 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.1-1
+- Update to upstream 4.3.1 - see http://www.freeipa.org/page/Releases/4.3.1
+
+* Thu Feb 04 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.0-3
+- Fix build with Samba 4.4
+- Update SELinux requires to fix connection check during installation
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 4.3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Dec 18 2015 Petr Vobornik <pvoborni@redhat.com> - 4.3.0-1
+- Update to upstream 4.3.0 - see http://www.freeipa.org/page/Releases/4.3.0
+
+* Mon Dec 07 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-2
+- Workarounds for SELinux execmem violations in cryptography
+
+* Mon Nov 02 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-1
+- Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3
+- fix #1274905
+
+* Wed Oct 21 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.2-2
+- Depend on samba-common-tools for the trust-ad subpackage after
+  samba package split
+- Rebuild against krb5 1.14 to fix bug #1273957
+
+* Thu Oct 8 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.2-1
+- Update to upstream 4.2.2 - see http://www.freeipa.org/page/Releases/4.2.2
+
+* Mon Sep 7 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.1-1
+- Update to upstream 4.2.1 - see http://www.freeipa.org/page/Releases/4.2.1
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.1.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 12 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.4-4
+- Fix typo in the patch to fix bug #1219834
+
+* Mon May 11 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.4-3
+- Fix FreeIPA trusts to AD feature with Samba 4.2 (#1219834)
+
+* Mon Mar 30 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.4-2
+- Replace mod_auth_kerb usage with mod_auth_gssapi
+
+* Thu Mar 26 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.4-1
+- Update to upstream 4.1.4 - see http://www.freeipa.org/page/Releases/4.1.4
+- fix CVE-2015-1827 (#1206047)
+- Require slapi-nis 0.54.2 and newer for CVE-2015-0283 fixes
+
+* Tue Mar 17 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-3
+- Timeout ipa-client install if ntp server is unreachable #4842
+- Skip time sync during client install when using --no-ntp #4842
+
+* Wed Mar 04 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-2
+- Add missing sssd python dependencies
+- https://bugzilla.redhat.com/show_bug.cgi?id=1197218
+
+* Wed Feb 18 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-1
+- Update to upstream 4.1.3 - see http://www.freeipa.org/page/Releases/4.1.3
+
+* Mon Jan 19 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.2-2
+- Fix broken build after Samba ABI change and rename of libpdb to libsamba-passdb
+- Use python-dateutil15 until we validate python-dateutil 2.x
+
+* Tue Nov 25 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.2-1
+- Update to upstream 4.1.2 - see http://www.freeipa.org/page/Releases/4.1.2
+- fix CVE-2014-7850
+
+* Thu Nov 20 2014 Simo Sorce <simo@redhat.com> - 4.1.1-2
+- Patch blokers and feature freze exceptions
+- Resolves: bz1165674
+- Resolves: bz1165856 (CVE-2014-7850)
+- Fixes DNS install issue that prevents the server from working
+
+* Thu Nov 06 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.1-1
+- Update to upstream 4.1.1 - see http://www.freeipa.org/page/Releases/4.1.1
+- fix CVE-2014-7828
+
+* Wed Oct 22 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.0-2
+- fix armv7hl stack oversize build failure
+- fix https://fedorahosted.org/freeipa/ticket/4660
+
+* Tue Oct 21 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.0-1
+- Update to upstream 4.1.0 - see http://www.freeipa.org/page/Releases/4.1.0
+
+* Fri Sep 12 2014 Petr Viktorin <pviktori@redhat.com> - 4.0.3-1
+- Update to upstream 4.0.3 - see http://www.freeipa.org/page/Releases/4.0.3
+
+* Fri Sep 05 2014 Petr Viktorin <pviktori@redhat.com> - 4.0.2-1
+- Update to upstream 4.0.1 - see http://www.freeipa.org/page/Releases/4.0.2
+
+* Tue Sep 02 2014 Pádraig Brady <pbrady@redhat.com> - 4.0.1-3
+- rebuild for libunistring soname bump
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 25 2014 Martin Kosek <mkosek@redhat.com> 4.0.1-1
+- Update to upstream 4.0.1
+
+* Mon Jul 07 2014 Petr Viktorin <pviktori@redhat.com> 4.0.0-1
+- Update to upstream 4.0.0
+- Remove the server-strict package
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.3.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 21 2014 Petr Vobornik <pvoborni@redhat.com> 3.3.5-3
+- Increase Java stack size for Web UI build on aarch64
+
+* Wed Apr 16 2014 Peter Robinson <pbrobinson@fedoraproject.org> 3.3.5-2
+- Add rhino as dependency to fix FTBFS
+
+* Fri Mar 28 2014 Martin Kosek <mkosek@redhat.com> - 3.3.5-1
+- Update to upstream 3.3.5
+
+* Tue Feb 11 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-3
+- Move ipa-otpd socket directory to /var/run/krb5kdc
+- Require krb5-server 1.11.5-3 supporting the new directory
+- ipa_lockout plugin did not work with users's without krbPwdPolicyReference
+
+* Wed Jan 29 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-2
+- Fix hardened build
+
+* Tue Jan 28 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-1
+- Update to upstream 3.3.4
+- Install CA anchor into standard location (#928478)
+- ipa-client-install part of ipa-server-install fails on reinstall (#1044994)
+- Remove mod_ssl workaround (RHEL bug #1029046)
+- Enable syncrepl plugin to support bind-dyndb-ldap 4.0
+
+* Fri Jan 3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
+- Build crashed with rhino exception on s390 architectures (#1040576)
+
+* Thu Dec 12 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-4
+- Build crashed with rhino exception on PPC architectures (#1040576)
+
+* Tue Dec 3 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-3
+- Fix -Werror=format-security errors (#1037070)
+
+* Mon Nov 4 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-2
+- ipa-server-install crashed when freeipa-server-trust-ad subpackage was not
+  installed
+
+* Fri Nov 1 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-1
+- Update to upstream 3.3.3
+
+* Fri Oct 4 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
+- Update to upstream 3.3.2
+
+* Thu Aug 29 2013 Petr Viktorin <pviktori@redhat.com> - 3.3.1-1
+- Bring back Fedora-only changes
+
+* Thu Aug 29 2013 Petr Viktorin <pviktori@redhat.com> - 3.3.1-0
+- Update to upstream 3.3.1
+
+* Wed Aug 14 2013 Alexander Bokovoy <abokovoy@redhat.com> - 3.3.0-2
+- Remove freeipa-systemd-upgrade as non-systemd installs are not supported
+  anymore by Fedora project
+
+* Wed Aug 7 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-1
+- Update to upstream 3.3.0
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 17 2013 Martin Kosek <mkosek@redhat.com> - 3.2.2-1
+- Update to upstream 3.2.2
+- Drop freeipa-server-selinux subpackage
+- Drop redundant directory /var/cache/ipa/sessions
+- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
+- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
+  issues when there are still old parts of software (like entitlements plugin)
+
+* Fri Jun  7 2013 Martin Kosek <mkosek@redhat.com> - 3.2.1-1
+- Update to upstream 3.2.1
+
+* Tue May 14 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-2
+- Add OTP patches
+- Add patch to set KRB5CCNAME for 389-ds-base
+
+* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
+- Update to upstream 3.2.0 GA
+- ipa-client-install fails if /etc/ipa does not exist (#961483)
+- Certificate status is not visible in Service and Host page (#956718)
+- ipa-client-install removes needed options from ldap.conf (#953991)
+- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
+- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
+- Require nss 3.14.3-12.0 to address certutil certificate import
+  errors (#953485)
+- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
+  environments. (#953464)
+- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
+- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
+- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
+  socket based connections (#960222)
+- Require libsss_nss_idmap-python
+- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
+  member is now done automatically and having it in the config file raises
+  an error.
+- Add backup and restore tools, directory.
+- require at least systemd 38 which provides the journal (we no longer
+  need to require syslog.target)
+- Update Requires on policycoreutils to 2.1.14-37
+- Update Requires on selinux-policy to 3.12.1-42
+- Update Requires on 389-ds-base to 1.3.1.0
+- Remove a Requires for java-atk-wrapper
+
+* Tue Apr 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.4.beta1
+- Remove release from krb5-server in strict sub-package to allow for rebuilds.
+
+* Mon Apr 22 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.3.beta1
+- Add a Requires for java-atk-wrapper until we can determine which package
+  should be pulling it in, dogtag or tomcat.
+
+* Tue Apr 16 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.2.beta1
+- Update to upstream 3.2.0 Beta 1
+
+* Tue Apr  2 2013 Martin Kosek <mkosek@redhat.com> - 3.2.0-0.1.pre1
+- Update to upstream 3.2.0 Prerelease 1
+- Use upstream reference spec file as a base for Fedora spec file
+
+* Sat Mar 30 2013 Kevin Fenzi <kevin@scrye.com> 3.1.2-4
+- Rebuild for broken deps
+- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1
+
+* Sat Feb 23 2013 Kevin Fenzi <kevin@scrye.com> - 3.1.2-3
+- Rebuild for broken deps in rawhide
+- Fix 389-ds-base strict dep to be 1.3.0.3
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.2-1
+- Update to upstream 3.1.2
+- CVE-2012-4546: Incorrect CRLs publishing
+- CVE-2012-5484: MITM Attack during Join process
+- CVE-2013-0199: Cross-Realm Trust key leak
+- Updated strict dependencies to 389-ds-base = 1.3.0.2 and
+  pki-ca = 10.0.1
+
+* Thu Dec 20 2012 Martin Kosek <mkosek@redhat.com> - 3.1.0-2
+- Remove redundat Requires versions that are already in Fedora 17
+- Replace python-crypto Requires with m2crypto
+- Add missing Requires(post) for client and server-trust-ad subpackages
+- Restart httpd service when server-trust-ad subpackage is installed
+- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes
+
+* Mon Dec 10 2012 Rob Crittenden <rcritten@redhat.com> - 3.1.0-1
+- Updated to upstream 3.1.0 GA
+- Set minimum for sssd to 1.9.2
+- Set minimum for pki-ca to 10.0.0-1
+- Set minimum for 389-ds-base to 1.3.0
+- Set minimum for selinux-policy to 3.11.1-60
+- Remove unneeded dogtag package requires
+
+* Tue Oct 23 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-3
+- Update Requires on krb5-server to 1.11
+
+* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-2
+- Configure CA replication to use TLS instead of SSL
+
+* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-1
+- Updated to upstream 3.0.0 GA
+- Set minimum for samba to 4.0.0-153.
+- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
+  plugin to /dev/null since they cannot be used when trusts are configured
+- Restrict krb5-server to 1.10.
+- Update BR for 389-ds-base to 1.3.0
+- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
+- Add Requires on zip for generating FF browser extension
+
+* Fri Oct  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.10
+- Updated to upstream 3.0.0 rc 2
+- Include new FF configuration extension
+- Set minimum Requires of selinux-policy to 3.11.1-33
+- Set minimum Requires dogtag to 10.0.0-0.43.b1
+- Add new optional strict sub-package to allow users to limit other
+  package upgrades.
+
+* Tue Oct  2 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.9
+- Require samba packages instead of obsoleted samba4 packages
+
+* Fri Sep 21 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.8
+- Updated to upstream 3.0.0 rc 1
+- Update BR for 389-ds-base to 1.2.11.14
+- Update BR for krb5 to 1.10
+- Update BR for samba4-devel to 4.0.0-139 (rc1)
+- Add BR for python-polib
+- Update BR and Requires on sssd to 1.9.0
+- Update Requires on policycoreutils to 2.1.12-5
+- Update Requires on 389-ds-base to 1.2.11.14
+- Update Requires on selinux-policy to 3.11.1-21
+- Update Requires on dogtag to 10.0.0-0.33.a1
+- Update Requires on certmonger to 0.60
+- Update Requires on tomcat to 7.0.29
+- Update minimum version of bind to 9.9.1-10.P3
+- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1
+- Remove Requires on authconfig from python sub-package
+
+* Wed Sep  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.7
+- Rebuild against samba4 beta8
+
+* Fri Aug 31 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.6
+- Rebuild against samba4 beta7
+
+* Wed Aug 22 2012 Alexander Bokovoy <abokovoy@redhat.com> - 3.0.0-0.5
+- Adopt to samba4 beta6 (libsecurity -> libsamba-security)
+- Add dependency to samba4-winbind
+
+* Fri Aug 17 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.4
+- Updated to upstream 3.0.0 beta 2
+
+* Mon Aug  6 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.3
+- Updated to current upstream state of 3.0.0 beta 2 development
+
+* Mon Jul 23 2012 Alexander Bokovoy <abokovy@redhat.com> - 3.0.0-0.2
+- Rebuild against samba4 beta4
+
+* Mon Jul  2 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.1
+- Updated to upstream 3.0.0 beta 1
+
+* Thu May  3 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-1
+- Updated to upstream 2.2.0 GA
+- Update minimum n-v-r of certmonger to 0.53
+- Update minimum n-v-r of slapi-nis to 0.40
+- Add Requires in client to oddjob-mkhomedir and python-krbV
+- Update minimum selinux-policy to 3.10.0-110
+
+* Mon Mar 19 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.2
+- Update to upstream 2.2.0 beta 1 (2.1.90.rc1)
+- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18.
+- Add Conflicts on mod_ssl
+- Update minimum n-v-r of 389-ds-base to 1.2.10.4
+- Update minimum n-v-r of sssd to 1.8.0
+- Update minimum n-v-r of slapi-nis to 0.38
+- Update minimum n-v-r of pki-* to 9.0.18
+- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1
+- Update conflicts on bind to < 9.9.0-1
+- Drop requires on krb5-server-ldap
+- Add patch to remove escaping arguments to pkisilent
+
+* Mon Feb 06 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.1
+- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)
+
+* Wed Feb 01 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-5
+- Force to use 389-ds 1.2.10-0.8.a7 or above
+- Improve upgrade script to handle systemd 389-ds change
+- Fix freeipa to work with python-ldap 2.4.6
+
+* Wed Jan 11 2012 Martin Kosek <mkosek@redhat.com> - 2.1.4-4
+- Fix ipa-replica-install crashes
+- Fix ipa-server-install and ipa-dns-install logging
+- Set minimum version of pki-ca to 9.0.17 to fix sslget problem
+  caused by FEDORA-2011-17400 update (#771357)
+
+* Wed Dec 21 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-3
+- Allow Web-based migration to work with tightened SE Linux policy (#769440)
+- Rebuild slapi plugins against re-enterant version of libldap
+
+* Sun Dec 11 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-2
+- Allow longer dirsrv startup with systemd:
+  - IPAdmin class will wait until dirsrv instance is available up to 10 seconds
+  - Helps with restarts during upgrade for ipa-ldap-updater
+- Fix pylint warnings from F16 and Rawhide
+
+* Tue Dec  6 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.4-1
+- Update to upstream 2.1.4 (CVE-2011-3636)
+
+* Mon Dec  5 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-8
+- Update SELinux policy to allow ipa_kpasswd to connect ldap and
+  read /dev/urandom. (#759679)
+
+* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-7
+- Fix wrong path in packaging freeipa-systemd-upgrade
+
+* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-6
+- Introduce upgrade script to recover existing configuration after systemd migration
+  as user has no means to recover FreeIPA from systemd migration
+- Upgrade script:
+  - recovers symlinks in Dogtag instance install
+  - recovers systemd configuration for FreeIPA's directory server instances
+  - recovers freeipa.service
+  - migrates directory server and KDC configs to use proper keytabs for systemd services
+
+* Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-5
+- Rebuilt for glibc bug#747377
+
+* Wed Oct 19 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-4
+- clean up spec
+- Depend on sssd >= 1.6.2 for better user experience
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-3
+- Fix Fedora package changelog after merging systemd changes
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-2
+- Fix postin scriplet for F-15/F-16
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-1
+- 2.1.3
+
+* Mon Oct 17 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.2-1
+- Default to systemd for Fedora 16 and onwards
+
+* Tue Aug 16 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.0-1
+- Update to upstream 2.1.0
+
+* Fri May  6 2011 Simo Sorce <ssorce@redhat.com> - 2.0.1-2
+- Fix bug #702633
+
+* Mon May  2 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.1-1
+- Update minimum selinux-policy to 3.9.16-18
+- Update minimum pki-ca and pki-selinux to 9.0.7
+- Update minimum 389-ds-base to 1.2.8.0-1
+- Update to upstream 2.0.1
+
+* Thu Mar 24 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-1
+- Update to upstream GA release
+- Automatically apply updates when the package is upgraded
+
+* Fri Feb 25 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.4.rc2
+- Update to upstream freeipa-2.0.0.rc2
+- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in
+- Set minimum version of sssd to 1.5.1
+- Patch to include SuiteSpotGroup when setting up 389-ds instances
+- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled
+
+* Tue Feb 15 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.3.rc1
+- Set the N-V-R so rc1 is an update to beta2.
+
+* Mon Feb 14 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.rc1
+- Set minimum version of sssd to 1.5.1
+- Update to upstream freeipa-2.0.0.rc1
+- Move server-only binaries from admintools subpackage to server
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.0-0.2.beta2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Feb  3 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta2
+- Set min version of 389-ds-base to 1.2.8
+- Set min version of mod_nss 1.0.8-10
+- Set min version of selinux-policy to 3.9.7-27
+- Add dogtag themes to Requires
+- Update to upstream freeipa-2.0.0.pre2
+
+* Thu Jan 27 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.2.beta.git80e87e7
+- Remove unnecessary moving of v1 CA serial number file in post script
+- Add Obsoletes for server-selinxu subpackage
+- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da
+
+* Wed Jan 26 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta.git80e87e7
+- Prepare spec file for release
+- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503
+
+* Tue Jan 25 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-41
+- Re-arrange doc and defattr to clean up rpmlint warnings
+- Remove conditionals on older releases
+- Move some man pages into admintools subpackage
+- Remove some explicit Requires in client that aren't needed
+- Consistent use of buildroot vs RPM_BUILD_ROOT
+
+* Wed Jan 19 2011 Adam Young <ayoung@redhat.com> - 1.99-40
+- Moved directory install/static to install/ui
+
+* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-39
+- Remove dependency on nss_ldap/nss-pam-ldapd
+- The official client is sssd and that's what we use by default.
+
+* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-38
+- Remove radius subpackages
+
+* Thu Jan 13 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-37
+- Set minimum pki-ca and pki-silent versions to 9.0.0
+
+* Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-36
+- Drop BuildRequires on mozldap-devel
+
+* Mon Dec 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-35
+- Add Requires on krb5-pkinit-openssl
+
+* Fri Dec 10 2010 Jr Aquino <jr.aquino@citrix.com> - 1.99-34
+- Add ipa-host-net-manage script
+
+* Tue Dec  7 2010 Simo Sorce <ssorce@redhat.com> - 1.99-33
+- Add ipa init script
+
+* Fri Nov 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-32
+- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin
+
+* Wed Nov  3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-31
+- remove ipa-fix-CVE-2008-3274
+
+* Wed Oct  6 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-30
+- Remove duplicate %%files entries on share/ipa/static
+- Add python default encoding shared library
+
+* Mon Sep 20 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-29
+- Drop requires on python-configobj (not used any more)
+- Drop ipa-ldap-updater message, upgrades are done differently now
+
+* Wed Sep  8 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-28
+- Drop conflicts on mod_nss
+- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847)
+- Drop a slew of conditionals on older Fedora releases (< 12)
+- Add a few conditionals against RHEL 6
+- Add Requires of nss-tools on ipa-client
+
+* Fri Aug 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-27
+- Set minimum version of certmonger to 0.26 (to pck up #621670)
+- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
+- Set minimum version of pki-ca to 1.3.6
+- Set minimum version of sssd to 1.2.1
+
+* Tue Aug 10 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-26
+- Add BuildRequires for authconfig
+
+* Mon Jul 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-25
+- Bump up minimum version of python-nss to pick up nss_is_initialize() API
+
+* Thu Jun 24 2010 Adam Young <ayoung@redhat.com> - 1.99-24
+- Removed python-asset based webui
+
+* Thu Jun 24 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-23
+- Change Requires from fedora-ds-base to 389-ds-base
+- Set minimum level of 389-ds-base to 1.2.6 for the replication
+  version plugin.
+
+* Tue Jun  1 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-22
+- Drop Requires of python-krbV on ipa-client
+
+* Mon May 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-21
+- Load ipa_dogtag.pp in post install
+
+* Mon Apr 26 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-20
+- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.
+
+* Thu Mar  4 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-19
+- No need to create /var/log/ipa_error.log since we aren't using
+  TurboGears any more.
+
+* Mon Mar 1 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-18
+- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included
+
+* Wed Feb 24 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-17
+- Added Require mod_wsgi, added share/ipa/wsgi.py
+
+* Thu Feb 11 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-16
+- Require python-wehjit >= 0.2.2
+
+* Wed Feb  3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-15
+- Add sssd and certmonger as a Requires on ipa-client
+
+* Wed Jan 27 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-14
+- Require python-wehjit >= 0.2.0
+
+* Fri Dec  4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-13
+- Add ipa-rmkeytab tool
+
+* Tue Dec  1 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-12
+- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1
+  Any type
+
+* Wed Nov 25 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-11
+- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf
+
+* Fri Nov 13 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-10
+- Add bash completion script and own /etc/bash_completion.d in case it
+  doesn't already exist
+
+* Tue Nov  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9
+- Remove ipa_webgui, its functions rolled into ipa_httpd
+
+* Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
+- Removed python-cherrypy from BuildRequires and Requires
+- Added Requires python-assets, python-wehjit
+
+* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
+- Added httpd SELinux policy so CRLs can be read
+
+* Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
+- Move ipalib to ipa-python subpackage
+- Bump minimum version of slapi-nis to 0.15
+
+* Wed May  6 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-5
+- Set 0.14 as minimum version for slapi-nis
+
+* Wed Apr 22 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-4
+- Add Requires: python-nss to ipa-python sub-package
+
+* Thu Mar  5 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-3
+- Remove the IPA DNA plugin, use the DS one
+
+* Wed Mar  4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-2
+- Build radius separately
+- Fix a few minor issues
+
+* Tue Feb  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-1
+- Replace TurboGears requirement with python-cherrypy
+
+* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.1-3
+- rebuild with new openssl
+
+* Fri Dec 19 2008 Dan Walsh <dwalsh@redhat.com> - 1.2.1-2
+- Fix SELinux code
+
+* Mon Dec 15 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-1
+- Fix breakage caused by python-kerberos update to 1.1
+
+* Fri Dec 5 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-0
+- New upstream release 1.2.1
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 1.2.0-4
+- Rebuild for Python 2.6
+
+* Fri Nov 14 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-3
+- Respin after the tarball has been re-released upstream
+  New hash is 506c9c92dcaf9f227cba5030e999f177
+
+* Thu Nov 13 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-2
+- Conditionally restart also dirsrv and httpd when upgrading
+
+* Wed Oct 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.2.0-1
+- Update to upstream version 1.2.0
+- Set fedora-ds-base minimum version to 1.1.3 for winsync header
+- Set the minimum version for SELinux policy
+- Remove references to Fedora 7
+
+* Wed Jul 23 2008 Simo Sorce <ssorce@redhat.com> - 1.1.0-3
+- Fix for CVE-2008-3274
+- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface
+- Add fix for bug #453185
+- Rebuild against openldap libraries, mozldap ones do not work properly
+- TurboGears is currently broken in rawhide. Added patch to not build
+  the UI locales and removed them from the ipa-server files section.
+
+* Wed Jun 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-2
+- Add call to /usr/sbin/upgradeconfig to post install
+
+* Wed Jun 11 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-1
+- Update to upstream version 1.1.0
+- Patch for indexing memberof attribute
+- Patch for indexing uidnumber and gidnumber
+- Patch to change DNA default values for replicas
+- Patch to fix uninitialized variable in ipa-getkeytab
+
+* Fri May 16 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-5
+- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum
+  version to 1.0.7-4 so we pick up the NSS fixes.
+- Add selinux-policy-base(post) to Requires (446496)
+
+* Tue Apr 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-4
+- Add missing entry for /var/cache/ipa/kpasswd (444624)
+- Added patch to fix permissions problems with the Apache NSS database.
+- Added patch to fix problem with DNS querying where the query could be
+  returned as the answer.
+- Fix spec error where patch1 was in the wrong section
+
+* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-3
+- Added patch to fix problem reported by ldapmodify
+
+* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-2
+- Fix Requires for krb5-server that was missing for Fedora versions > 9
+- Remove quotes around test for fedora version to package egg-info
+
+* Fri Apr 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
+- Update to upstream version 1.0.0
+
+* Tue Mar 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-12
+- Pull upstream changelog 722
+- Add Conflicts mod_ssl (435360)
+
+* Fri Feb 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-11
+- Pull upstream changelog 698
+- Fix ownership of /var/log/ipa_error.log during install (435119)
+- Add pwpolicy command and man page
+
+* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-10
+- Pull upstream changelog 678
+- Add new subpackage, ipa-server-selinux
+- Add Requires: authconfig to ipa-python (bz #433747)
+- Package i18n files
+
+* Mon Feb 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-9
+- Pull upstream changelog 641
+- Require minimum version of krb5-server on F-7 and F-8
+- Package some new files
+
+* Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> 0.99-8
+- Marked with wrong license. IPA is GPLv2.
+
+* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-7
+- Ensure that /etc/ipa exists before moving user-modifiable html files there
+- Put html files into /etc/ipa/html instead of /etc/ipa
+
+* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-6
+- Pull upstream changelog 608 which renamed several files
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-5
+- package the sessions dir /var/cache/ipa/sessions
+- Pull upstream changelog 597
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-4
+- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the
+  UI to not start.
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-3
+- Included LICENSE and README in all packages for documentation
+- Move user-modifiable content to /etc/ipa and linked back to
+  /usr/share/ipa/html
+- Changed some references to /usr to the {_usr} macro and /etc
+  to {_sysconfdir}
+- Added popt-devel to BuildRequires for Fedora 8 and higher and
+  popt for Fedora 7
+- Package the egg-info for Fedora 9 and higher for ipa-python
+
+* Tue Jan 22 2008 Rob Crittenden <rcritten@redhat.com> 0.99-2
+- Added auto* BuildRequires
+
+* Mon Jan 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-1
+- Unified spec file
+
+* Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
+- Fixed License in specfile
+- Include files from /usr/lib/python*/site-packages/ipaserver
+
+* Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
+- Version bump for release
+
+* Wed Nov 21 2007 Karl MacMillan <kmacmill@mentalrootkit.com> - 0.5.0-1
+- Preverse mode on ipa-keytab-util
+- Version bump for relase and rpm name change
+
+* Thu Nov 15 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.1-2
+- Broke invididual Requires and BuildRequires onto separate lines and
+  reordered them
+- Added python-tgexpandingformwidget as a dependency
+- Require at least fedora-ds-base 1.1
+
+* Thu Nov  1 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
+- Version bump for release
+
+* Wed Oct 31 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-6
+- Add dep for freeipa-admintools and acl
+
+* Wed Oct 24 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-5
+- Add dependency for python-krbV
+
+* Fri Oct 19 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-4
+- Require mod_nss-1.0.7-2 for mod_proxy fixes
+
+* Thu Oct 18 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-3
+- Convert to autotools-based build
+
+* Tue Sep 25 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-2
+
+* Fri Sep 7 2007 Karl MacMillan <kmacmill@redhat.com> - 0.3.0-1
+- Added support for libipa-dna-plugin
+
+* Fri Aug 10 2007 Karl MacMillan <kmacmill@redhat.com> - 0.2.0-1
+- Added support for ipa_kpasswd and ipa_pwd_extop
+
+* Sun Aug  5 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-3
+- Abstracted client class to work directly or over RPC
+
+* Wed Aug  1 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-2
+- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
+- Remove references to admin server in ipa-server-setupssl
+- Generate a client certificate for the XML-RPC server to connect to LDAP with
+- Create a keytab for Apache
+- Create an ldif with a test user
+- Provide a certmap.conf for doing SSL client authentication
+
+* Fri Jul 27 2007 Karl MacMillan <kmacmill@redhat.com> - 0.1.0-1
+- Initial rpm version