diff --git a/SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch b/SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch
new file mode 100644
index 0000000..45c936e
--- /dev/null
+++ b/SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch
@@ -0,0 +1,70 @@
+From 81d5888a2dc512cd0295b860cf8f408dea2e46a0 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 11 May 2016 16:13:51 +1000
+Subject: [PATCH] Prevent replica install from overwriting cert profiles
+
+An earlier change that unconditionally triggers import of file-based
+profiles to LDAP during server or replica install results in
+replicas overwriting FreeIPA-managed profiles with profiles of the
+same name shipped with Dogtag. ('caIPAserviceCert' is the affected
+profile).
+
+Avoid this situation by never overwriting existing profiles during
+the LDAP import.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/5881
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/cainstance.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index b06760308865aa42afac79d6750f4a422a5c8f95..50ca5d3aeb9be24d8e1e80ad408191fca76a459c 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1763,7 +1763,9 @@ def import_included_profiles():
+             conn.add_entry(entry)
+             profile_data = ipautil.template_file(
+                 '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+-            _create_dogtag_profile(profile_id, profile_data)
++
++            # Create the profile, replacing any existing profile of same name
++            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
+             root_logger.info("Imported profile '%s'", profile_id)
+ 
+     api.Backend.ra_certprofile.override_port = None
+@@ -1815,12 +1817,17 @@ def migrate_profiles_to_ldap(dogtag_constants):
+                 profile_data += '\n'
+             profile_data += 'profileId={}\n'.format(profile_id)
+             profile_data += 'classId={}\n'.format(class_id)
+-            _create_dogtag_profile(profile_id, profile_data)
++
++            # Import the profile, but do not replace it if it already exists.
++            # This prevents replicas from replacing IPA-managed profiles with
++            # Dogtag default profiles of same name.
++            #
++            _create_dogtag_profile(profile_id, profile_data, overwrite=False)
+ 
+     api.Backend.ra_certprofile.override_port = None
+ 
+ 
+-def _create_dogtag_profile(profile_id, profile_data):
++def _create_dogtag_profile(profile_id, profile_data, overwrite):
+     with api.Backend.ra_certprofile as profile_api:
+         # import the profile
+         try:
+@@ -1831,9 +1838,8 @@ def _create_dogtag_profile(profile_id, profile_data):
+             root_logger.debug("Error migrating '{}': {}".format(
+                 profile_id, e))
+ 
+-            # conflicting profile; replace it if we are
+-            # installing IPA, but keep it for upgrades
+-            if api.env.context == 'installer':
++            # profile already exists
++            if overwrite:
+                 try:
+                     profile_api.disable_profile(profile_id)
+                 except errors.RemoteRetrieveError:
+-- 
+2.5.5
+
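Review bot: In `_create_dogtag_profile`, when `overwrite` is false and the profile already exists, the only trace is the pre-existing debug message `Error migrating '...'`, which reads as a failure although keeping the existing profile is now the intended outcome on replicas. The profile determines what goes into issued certificates, so the decision deserves an explicit record, for example an `else:` branch on `if overwrite:` with `root_logger.info("Profile '%s' already exists; keeping the existing version", profile_id)`. The function also has no docstring; one line stating that `overwrite=True` disables and replaces a same-named profile while `overwrite=False` leaves it untouched would make both call sites self-explanatory. The `try`/`except` and the body of `if overwrite:` continue outside the visible hunks, so the placement of the `else:` needs checking against the full function.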
diff --git a/SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch b/SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
new file mode 100644
index 0000000..c83ebe6
--- /dev/null
+++ b/SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
@@ -0,0 +1,118 @@
+From 1eb9cc7556357b1b8d6d826321cb38b1f96c1b7e Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 18 May 2016 14:10:39 +1000
+Subject: [PATCH] Detect and repair incorrect caIPAserviceCert config
+
+A regression caused replica installation to replace the FreeIPA
+version of caIPAserviceCert with the version shipped by Dogtag.
+
+During upgrade, detect and repair occurrences of this problem.
+
+Part of: https://fedorahosted.org/freeipa/ticket/5881
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/cainstance.py     | 49 ++++++++++++++++++++++++++++++++++---
+ ipaserver/install/server/upgrade.py |  3 +++
+ 2 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 50ca5d3aeb9be24d8e1e80ad408191fca76a459c..a8a57c4ffdbec453c76a01b88a7d4a188c03be33 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1717,14 +1717,18 @@ def configure_profiles_acl():
+     conn.disconnect()
+     return updated
+ 
+-def import_included_profiles():
++
++def __get_profile_config(profile_id):
+     sub_dict = dict(
+         DOMAIN=ipautil.format_netloc(api.env.domain),
+         IPA_CA_RECORD=IPA_CA_RECORD,
+         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
+         SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
+     )
++    return ipautil.template_file(
++        '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+ 
++def import_included_profiles():
+     server_id = installutils.realm_to_serverid(api.env.realm)
+     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+@@ -1761,10 +1765,9 @@ def import_included_profiles():
+                 ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
+             )
+             conn.add_entry(entry)
+-            profile_data = ipautil.template_file(
+-                '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+ 
+             # Create the profile, replacing any existing profile of same name
++            profile_data = __get_profile_config(profile_id)
+             _create_dogtag_profile(profile_id, profile_data, overwrite=True)
+             root_logger.info("Imported profile '%s'", profile_id)
+ 
+@@ -1772,6 +1775,46 @@ def import_included_profiles():
+     conn.disconnect()
+ 
+ 
++def repair_profile_caIPAserviceCert():
++    """
++    A regression caused replica installation to replace the FreeIPA
++    version of caIPAserviceCert with the version shipped by Dogtag.
++
++    This function detects and repairs occurrences of this problem.
++
++    """
++    api.Backend.ra_certprofile._read_password()
++    api.Backend.ra_certprofile.override_port = 8443
++
++    profile_id = 'caIPAserviceCert'
++
++    with api.Backend.ra_certprofile as profile_api:
++        try:
++            cur_config = profile_api.read_profile(profile_id).splitlines()
++        except errors.RemoteRetrieveError as e:
++            # no profile there to check/repair
++            api.Backend.ra_certprofile.override_port = None
++            return
++
++    indicators = [
++        "policyset.serverCertSet.1.default.params.name="
++            "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA ",
++        "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0="
++            "https://ipa.example.com/ipa/crl/MasterCRL.bin",
++        ]
++    need_repair = all(l in cur_config for l in indicators)
++
++    if need_repair:
++        root_logger.debug(
++            "Detected that profile '{}' has been replaced with "
++            "incorrect version; begin repair.".format(profile_id))
++        _create_dogtag_profile(
++            profile_id, __get_profile_config(profile_id), overwrite=True)
++        root_logger.debug("Repair of profile '{}' complete.".format(profile_id))
++
++    api.Backend.ra_certprofile.override_port = None
++
++
+ def migrate_profiles_to_ldap(dogtag_constants):
+     """Migrate profiles from filesystem to LDAP.
+ 
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index c53b19a937d559b25da256670a5205ab40e0cadb..b0cd789d58408f720774adb276843a1b6ab6007d 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1554,6 +1554,9 @@ def upgrade_configuration():
+     ca_import_included_profiles(ca)
+     add_default_caacl(ca)
+ 
++    if ca.is_configured():
++        cainstance.repair_profile_caIPAserviceCert()
++
+     set_sssd_domain_option('ipa_server_mode', 'True')
+ 
+     if ds_running and not ds.is_running():
+-- 
+2.5.5
+
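Review bot: `repair_profile_caIPAserviceCert` sets `api.Backend.ra_certprofile.override_port = 8443` and restores it by hand on two paths, so an exception other than `errors.RemoteRetrieveError` from `read_profile`, or one escaping `_create_dogtag_profile`, would leave the backend on port 8443 for the rest of the upgrade. Wrapping everything after the assignment in `try:` ... `finally: api.Backend.ra_certprofile.override_port = None` replaces both manual resets and covers the error paths; the unused `as e` can go at the same time. The repair is logged only at debug level, and replacing a certificate profile is a change worth `root_logger.info`. The docstring could add that only the profile is repaired: certificates issued while the Dogtag version was active presumably still carry the placeholder `ipa.example.com` CRL URI and would need to be reissued.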
diff --git a/SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch b/SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch
new file mode 100644
index 0000000..8b03c3a
--- /dev/null
+++ b/SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch
@@ -0,0 +1,89 @@
+From d279db85dbf455a6cbdacc48cbbc2081a9be5252 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Mon, 23 May 2016 16:18:02 +0200
+Subject: [PATCH] replica install: do not set CA renewal master flag
+
+The CA renewal master flag was uncoditionally set on every replica during
+replica install. This causes the Dogtag certificates initially shared
+among all replicas to differ after renewal.
+
+Do not set the CA renewal master flag in replica install anymore. On
+upgrade, remove the flag from all but one IPA masters.
+
+https://fedorahosted.org/freeipa/ticket/5902
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ ipaserver/install/ca.py                        |  6 +++++-
+ ipaserver/install/plugins/ca_renewal_master.py | 24 ++++++++++++++++++++++--
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index b4db8dcbfad9d482e7106cd06b3d497ccf8954f0..aa3fe991bd958c59dc369f41d4bd6fdfceee9370 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -191,7 +191,11 @@ def install_step_1(standalone, replica_config, options):
+         ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
+ 
+     # We need to ldap_enable the CA now that DS is up and running
+-    ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
++    if replica_config is None:
++        config = ['caRenewalMaster']
++    else:
++        config = []
++    ca.ldap_enable('CA', host_name, dm_password, basedn, config)
+ 
+     # This is done within stopped_service context, which restarts CA
+     ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
+diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
+index dae976f02dc7f963736ca57344345135dbc1fe3b..c0c655c912a6b02da11d0feb333716f7653768ed 100644
+--- a/ipaserver/install/plugins/ca_renewal_master.py
++++ b/ipaserver/install/plugins/ca_renewal_master.py
+@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
+         ldap = self.api.Backend.ldap2
+         base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+                      self.api.env.basedn)
++        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
+         filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
+         try:
+             entries = ldap.get_entries(base_dn=base_dn, filter=filter,
+@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
+             pass
+         else:
+             self.debug("found CA renewal master %s", entries[0].dn[1].value)
+-            return False, []
++
++            master = False
++            updates = []
++
++            for entry in entries:
++                if entry.dn == dn:
++                    master = True
++                    continue
++
++                updates.append({
++                    'dn': entry.dn,
++                    'updates': [
++                        dict(action='remove', attr='ipaConfigString',
++                             value='caRenewalMaster')
++                    ],
++                })
++
++            if master:
++                return False, updates
++            else:
++                return False, []
+ 
+         criteria = {
+             'cert-database': paths.HTTPD_ALIAS_DIR,
+@@ -96,7 +117,6 @@ class update_ca_renewal_master(Updater):
+                     "assuming local CA is renewal slave", config)
+                 return (False, False, [])
+ 
+-        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
+         update = {
+                 'dn': dn,
+                 'updates': [
+-- 
+2.5.5
+
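Review bot: The new loop in `update_ca_renewal_master` queues removal of `caRenewalMaster` from other masters without logging which ones, and the debug line above it still names only `entries[0]` even when several entries match. A line such as `self.debug("removing CA renewal master flag from %s", entry.dn[1].value)` before `updates.append(...)` would record which masters were changed. The trailing branch can be shortened to `return False, updates if master else []`. One thing to confirm outside the hunk: if two flagged masters run this update before replication converges, each would appear to remove the other's flag, so it is worth checking that the fall-through path below re-establishes a renewal master when none is left. The method starts and ends outside the visible hunks.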
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 8ff79b0..9f26059 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -35,7 +35,7 @@
 
 Name:           ipa
 Version:        4.2.0
-Release:        15%{?dist}.15
+Release:        15%{?dist}.17
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -43,10 +43,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -252,6 +252,9 @@ Patch0198:      0198-Fix-connections-to-DS-during-installation.patch
 Patch0199:      0199-Fix-broken-trust-warnings.patch
 Patch0200:      0200-replica-install-improvements-in-the-handling-of-CA-r.patch
 Patch0201:      0201-certdb-never-use-the-r-option-of-certutil.patch
+Patch0202:      0202-Prevent-replica-install-from-overwriting-cert-profil.patch
+Patch0203:      0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
+Patch0204:      0204-replica-install-do-not-set-CA-renewal-master-flag.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -263,7 +266,6 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
 Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
-Patch1011:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -398,7 +400,7 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 # RHEL spec file only: START
-# Requires: redhat-access-plugin-ipa
+Requires: redhat-access-plugin-ipa
 # RHEL spec file only: END
 
 Conflicts: %{alt_name}-server
@@ -607,10 +609,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 %build
@@ -1207,8 +1209,15 @@ fi
 # RHEL spec file only: DELETED: Do not build tests
 
 %changelog
-* Thu May 12 2016 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos.15
-- Roll in CentOS Branding
+* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.17
+- Resolves: #1339304 CA installed on replica is always marked as renewal master
+  - replica install: do not set CA renewal master flag
+
+* Fri May 20 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.16
+- Resolves: #1337820 URI details missing and OCSP-URI details are incorrectly
+  displayed when certificate generated using IPA on RHEL 7.2up2.
+  - Prevent replica install from overwriting cert profiles
+  - Detect and repair incorrect caIPAserviceCert config
 
 * Mon Apr 18 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.15
 - Related: #1327197 Crash during IPA upgrade due to slapd