diff --git a/.gitignore b/.gitignore
index 2d87067..5a98fc1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.7.90.pre1.tar.gz
+SOURCES/freeipa-4.8.4.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index ff45819..8d08b2e 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-a61a3e7f174a021934368252c4773da6238de820 SOURCES/freeipa-4.7.90.pre1.tar.gz
+72c91f01b2039795223417dc6761edf8ee0f36ee SOURCES/freeipa-4.8.4.tar.gz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch b/SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
deleted file mode 100644
index 5d479d6..0000000
--- a/SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Wed, 1 May 2019 16:19:53 -0700
-Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
-
-On Fedora/RHEL, it does not have a dash in it. The changes in
-da2cf1c5 inadvertently added a dash to the path in the 'base'
-paths definition (used on Fedora/RHEL), so the font wasn't found.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- ipaplatform/base/paths.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 1cd2591bc..e1d396690 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -249,7 +249,7 @@ class BasePathNamespace:
- USERADD = "/usr/sbin/useradd"
- FONTS_DIR = "/usr/share/fonts"
- FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
-- FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
-+ FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
- USR_SHARE_IPA_DIR = "/usr/share/ipa/"
- USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
- CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
---
-2.21.0
-
diff --git a/SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch b/SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
new file mode 100644
index 0000000..9fba237
--- /dev/null
+++ b/SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
@@ -0,0 +1,47 @@
+From 2c2cef7063315766d893b275185b422be3f3c019 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Dec 16 2019 20:37:17 +0000
+Subject: DNS install check: Fix overlapping DNS zone from the master itself
+
+
+The change to allow overlapping zone to be from the master itself has
+introduced two issues: The check for the master itself should only executed
+if options.force and options.allow_zone_overlap are both false and the
+reverse zone check later on was still handling ValueError instead of
+dnsutil.DNSZoneAlreadyExists.
+
+Both issues have been fixed and the deployment with existing name servers
+is properly working again.
+
+Fixes: https://pagure.io/freeipa/issue/8150
+Signed-off-by: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+
+---
+
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index 36ba6f8..9f08e86 100644
+--- a/ipaserver/install/dns.py
++++ b/ipaserver/install/dns.py
+@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname):
+ logger.warning("%s Please make sure that the domain is "
+ "properly delegated to this IPA server.",
+ e)
+-
+- hst = dnsutil.DNSName(hostname).make_absolute().to_text()
+- if hst not in e.kwargs['ns']:
+- raise ValueError(str(e))
++ else:
++ hst = dnsutil.DNSName(hostname).make_absolute().to_text()
++ if hst not in e.kwargs['ns']:
++ raise ValueError(str(e))
+
+ for reverse_zone in options.reverse_zones:
+ try:
+ dnsutil.check_zone_overlap(reverse_zone)
+- except ValueError as e:
++ except dnsutil.DNSZoneAlreadyExists as e:
+ if options.force or options.allow_zone_overlap:
+ logger.warning('%s', str(e))
+ else:
+
diff --git a/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch b/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch
deleted file mode 100644
index bcc4ceb..0000000
--- a/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch
+++ /dev/null
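Review bot: In the `install_check` hunk of ipaserver/install/dns.py carried by this new patch, the added `else:` branch lets the install continue with no log output when `hst` is found in `e.kwargs['ns']`, so an overlap that was tolerated leaves no trace. The NS list presumably comes from the DNS lookup done inside `check_zone_overlap`, i.e. from data the installer does not control, so the decision is worth recording: give the inner `if` an `else:` with `logger.info("Zone overlap accepted: %s is listed as a name server for the zone.", hst)`. The membership test is an exact string comparison; whether the names in `e.kwargs['ns']` are absolute and case-normalised the same way as `hst` cannot be seen from here and should be confirmed. The body of `install_check` starts and ends outside the hunk.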
@@ -1,32 +0,0 @@
-From b3378c32603e83ea3d4651cee3af99e644a30457 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 20 Jul 2018 11:06:55 -0400
-Subject: [PATCH] No need to call rhel-specific domainname service
-
-It was moved upstream into hostname package which named it
-nis-domainname. When it was in the initscripts package there were
-separate fedora-domainname and rhel-domainname services.
-
-From F29+ it will be nis-domainname. We can use that as well in
-RHEL 8.
----
- ipaplatform/rhel/services.py | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py
-index 1403d08..06fa633 100644
---- a/ipaplatform/rhel/services.py
-+++ b/ipaplatform/rhel/services.py
-@@ -30,9 +30,6 @@ from ipaplatform.redhat import services as redhat_services
- # to their actual systemd service names
- rhel_system_units = redhat_services.redhat_system_units
-
--# Service that sets domainname on RHEL is called rhel-domainname.service
--rhel_system_units['domainname'] = 'rhel-domainname.service'
--
-
- # Service classes that implement RHEL-specific behaviour
-
---
-2.13.6
-
diff --git a/SOURCES/0001-revert-minssf-defaults.patch b/SOURCES/0001-revert-minssf-defaults.patch
deleted file mode 100644
index 777c13e..0000000
--- a/SOURCES/0001-revert-minssf-defaults.patch
+++ /dev/null
@@ -1,136 +0,0 @@ -From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Wed, 1 May 2019 21:25:31 +0300 -Subject: [PATCH] Revert "Require a minimum SASL security factor of 56" - -This reverts commit 350954589774499d99bf87cb5631c664bb0707c4. ---- - install/share/Makefile.am | 1 - - install/share/min-ssf.ldif | 14 -------------- - ipalib/constants.py | 3 --- - ipapython/ipaldap.py | 17 ++--------------- - ipaserver/install/dsinstance.py | 5 ----- - 5 files changed, 2 insertions(+), 38 deletions(-) - delete mode 100644 install/share/min-ssf.ldif - -diff --git a/install/share/Makefile.am b/install/share/Makefile.am -index be83bdf75..8d039d95c 100644 ---- a/install/share/Makefile.am -+++ b/install/share/Makefile.am -@@ -94,7 +94,6 @@ dist_app_DATA = \ - ipa-kdc-proxy.conf.template \ - ipa-pki-proxy.conf.template \ - ipa-rewrite.conf.template \ -- min-ssf.ldif \ - ipaca_default.ini \ - ipaca_customize.ini \ - ipaca_softhsm2.ini \ -diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif -deleted file mode 100644 -index 1c2566f84..000000000 ---- a/install/share/min-ssf.ldif -+++ /dev/null -@@ -1,14 +0,0 @@ --# config --# pretend SSF for LDAPI connections --# nsslapd-localssf must be equal to or greater than nsslapd-minssf --dn: cn=config --changetype: modify --replace: nsslapd-localssf --nsslapd-localssf: 256 -- --# minimum security strength factor for SASL and TLS --# 56 is considered weak, but some old clients announce wrong SSF. --dn: cn=config --changetype: modify --replace: nsslapd-minssf --nsslapd-minssf: 56 -diff --git a/ipalib/constants.py b/ipalib/constants.py -index bcf6f3373..c22dd26ae 100644 ---- a/ipalib/constants.py -+++ b/ipalib/constants.py -@@ -311,9 +311,6 @@ TLS_VERSIONS = [ - ] - TLS_VERSION_MINIMAL = "tls1.0" - --# minimum SASL secure strength factor for LDAP connections --# 56 provides backwards compatibility with old libraries. 
--LDAP_SSF_MIN_THRESHOLD = 56 - - # Use cache path - USER_CACHE_PATH = ( -diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py -index d9d67be1d..9ff443fe4 100644 ---- a/ipapython/ipaldap.py -+++ b/ipapython/ipaldap.py -@@ -43,9 +43,7 @@ import six - - # pylint: disable=ipa-forbidden-import - from ipalib import errors, x509, _ --from ipalib.constants import ( -- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD --) -+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT - # pylint: enable=ipa-forbidden-import - from ipaplatform.paths import paths - from ipapython.ipautil import format_netloc, CIDict -@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name): - return 'ldapi://' + ldapurl.ldapUrlEscape(socketname) - - --def ldap_initialize(uri, cacertfile=None, -- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD): -+def ldap_initialize(uri, cacertfile=None): - """Wrapper around ldap.initialize() - - The function undoes global and local ldap.conf settings that may cause -@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None, - locations, also known as system-wide trust store. - * Cert validation is enforced. - * SSLv2 and SSLv3 are disabled. -- * Require a minimum SASL security factor of 56. That level ensures -- data integrity and confidentiality. Although at least AES128 is -- enforced pretty much everywhere, 56 is required for backwards -- compatibility with systems that announce wrong SSF. - """ - conn = ldap.initialize(uri) - -@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None, - conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON) - - if not uri.startswith('ldapi://'): -- # require a minimum SSF for TCP connections, but don't lower SSF_MIN -- # if the current value is already larger. 
-- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN) -- if cur_min_ssf < ssf_min_threshold: -- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold) -- - if cacertfile: - if not os.path.isfile(cacertfile): - raise IOError(errno.ENOENT, cacertfile) -diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py -index 8240e3043..9f05db1db 100644 ---- a/ipaserver/install/dsinstance.py -+++ b/ipaserver/install/dsinstance.py -@@ -324,8 +324,6 @@ class DsInstance(service.Service): - else: - self.step("importing CA certificates from LDAP", - self.__import_ca_certs) -- # set min SSF after DS is configured for TLS -- self.step("require minimal SSF", self.__min_ssf) - self.step("restarting directory server", self.__restart_instance) - - self.start_creation() -@@ -1243,9 +1241,6 @@ class DsInstance(service.Service): - dm_password=self.dm_password - ) - -- def __min_ssf(self): -- self._ldap_mod("min-ssf.ldif") -- - def __add_sudo_binduser(self): - self._ldap_mod("sudobind.ldif", self.sub_dict) - --- -2.21.0 - diff --git a/SOURCES/0002-upgrade-adtrust-when-no-trusts.patch b/SOURCES/0002-upgrade-adtrust-when-no-trusts.patch deleted file mode 100644 index b98c49f..0000000 --- a/SOURCES/0002-upgrade-adtrust-when-no-trusts.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Sat, 11 May 2019 11:54:40 +0300 -Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of - trusts - -Upgrade failure when ipa-server-upgrade is being run on a system with no -trust established but trust configured - -Fixes: https://pagure.io/freeipa/issue/7939 ---- - ipaserver/install/plugins/adtrust.py | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py -index 6b4e2caa2..cdc3a8b04 100644 ---- a/ipaserver/install/plugins/adtrust.py -+++ b/ipaserver/install/plugins/adtrust.py -@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater): - - trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn - -- trusts = ldap.get_entries( -- base_dn=trusts_dn, -- scope=ldap.SCOPE_ONELEVEL, -- filter=self.trust_filter, -- attrs_list=self.trust_attrs) -+ # We might be in a situation when no trusts exist yet -+ # In such case there is nothing to upgrade but we have to catch -+ # an exception or it will abort the whole upgrade process -+ try: -+ trusts = ldap.get_entries( -+ base_dn=trusts_dn, -+ scope=ldap.SCOPE_ONELEVEL, -+ filter=self.trust_filter, -+ attrs_list=self.trust_attrs) -+ except errors.EmptyResult: -+ trusts = [] - - # For every trust, retrieve its principals and convert - for t_entry in trusts: --- -2.21.0 - diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index dd6dc07..be93e35 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,15 +1,15 @@ -From 63b3030e2e2f6411ad29448746b96bb9658467f8 Mon Sep 17 00:00:00 2001 +From a98b0595fce7dea121c743455ac5d44a2e282e80 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 02/72] client/man/default.conf.5: Change branding to IPA - and Identity Management +Subject: [PATCH 01/71] client/man/default.conf.5: Change branding to IPA and + Identity Management --- client/man/default.conf.5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/default.conf.5 b/client/man/default.conf.5 -index f21d9d5b7..d6c1e42d1 100644 +index 728fc08..6ec8616 100644 --- a/client/man/default.conf.5 +++ b/client/man/default.conf.5 @@ -16,7 +16,7 @@ @@ -22,21 +22,21 @@ index f21d9d5b7..d6c1e42d1 100644 default.conf \- IPA configuration file .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 3fe816976ea30d363ae5c6086b8daaaadaa5d7f7 Mon Sep 17 00:00:00 2001 +From 67d0b5bf5b4ce068d3d5a89a36fca44589ba7040 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 03/72] client/man/ipa-certupdate.1: Change branding to IPA - and Identity Management +Subject: [PATCH 02/71] client/man/ipa-certupdate.1: Change branding to IPA and + Identity Management --- client/man/ipa-certupdate.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-certupdate.1 b/client/man/ipa-certupdate.1 -index d95790a36..431b395a9 100644 +index d95790a..431b395 100644 --- a/client/man/ipa-certupdate.1 +++ b/client/man/ipa-certupdate.1 @@ -16,7 +16,7 @@ @@ -49,21 +49,21 @@ index d95790a36..431b395a9 100644 ipa\-certupdate \- Update local IPA certificate databases with certificates from the server .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From eca4cf0eabb4dee96ca01c02910153147e58ec4d Mon Sep 17 00:00:00 2001 +From 84addd7681276f065e6c974997127d394133d51c Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 04/72] client/man/ipa-client-automount.1: Change branding - to IPA and Identity Management +Subject: [PATCH 03/71] client/man/ipa-client-automount.1: Change branding to + IPA and Identity Management --- client/man/ipa-client-automount.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1 -index 343f64160..3f7c7d506 100644 +index 4c3caee..3f6edab 100644 --- a/client/man/ipa-client-automount.1 +++ b/client/man/ipa-client-automount.1 @@ -16,7 +16,7 @@ @@ -76,21 +76,21 @@ index 343f64160..3f7c7d506 100644 ipa\-client\-automount \- Configure automount and NFS for IPA .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From e4097608a167f41998e863dfed0e3d135c54b6a0 Mon Sep 17 00:00:00 2001 +From d63e2ce893f3fb8a3fcf0ec91893847f942380f6 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 05/72] client/man/ipa-client-install.1: Change branding to - IPA and Identity Management +Subject: [PATCH 04/71] client/man/ipa-client-install.1: Change branding to IPA + and Identity Management --- client/man/ipa-client-install.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 -index a20bec9a1..d7347ed37 100644 +index 94b4b04..743fa6a 100644 --- a/client/man/ipa-client-install.1 +++ b/client/man/ipa-client-install.1 @@ -1,7 +1,7 @@ @@ -103,21 +103,21 @@ index a20bec9a1..d7347ed37 100644 ipa\-client\-install \- Configure an IPA client .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 3bfd21f6778e288b5094262aa481a835b49cc0f4 Mon Sep 17 00:00:00 2001 +From 959face241f87ba6c703b7ae4aa71ff9da60d175 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 06/72] client/man/ipa-getkeytab.1: Change branding to IPA - and Identity Management +Subject: [PATCH 05/71] client/man/ipa-getkeytab.1: Change branding to IPA and + Identity Management --- client/man/ipa-getkeytab.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 -index 20ceee2e6..061798693 100644 +index f06fcd9..01a2618 100644 --- a/client/man/ipa-getkeytab.1 +++ b/client/man/ipa-getkeytab.1 @@ -17,7 +17,7 @@ @@ -129,7 +129,7 @@ index 20ceee2e6..061798693 100644 .SH "NAME" ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" -@@ -117,7 +117,7 @@ GSSAPI or EXTERNAL. +@@ -118,7 +118,7 @@ GSSAPI or EXTERNAL. \fB\-r\fR Retrieve mode. Retrieve an existing key from the server instead of generating a new one. This is incompatible with the \-\-password option, and will work only @@ -139,13 +139,13 @@ index 20ceee2e6..061798693 100644 .SH "EXAMPLES" Add and retrieve a keytab for the NFS service principal on -- -2.17.1 +2.21.0 -From 812ccffd549367cac3e4d2896b231b7b278e0b92 Mon Sep 17 00:00:00 2001 +From f6a2e0baebd1969de46a0ea92b68bb0742459235 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 07/72] client/man/ipa-join.1: Change branding to IPA and +Subject: [PATCH 06/71] client/man/ipa-join.1: Change branding to IPA and Identity Management --- @@ -153,7 +153,7 @@ Subject: [PATCH 07/72] client/man/ipa-join.1: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-join.1 b/client/man/ipa-join.1 -index d88160784..30b667558 100644 +index d881607..30b6675 100644 --- a/client/man/ipa-join.1 +++ b/client/man/ipa-join.1 @@ -16,7 +16,7 @@ 
@@ -166,21 +166,21 @@ index d88160784..30b667558 100644 ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 3cac7f131059c01306b1db34fc30345add3fcf11 Mon Sep 17 00:00:00 2001 +From fcf92b11295321a8df6eb27babcc959926a59fe3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 08/72] client/man/ipa-rmkeytab.1: Change branding to IPA - and Identity Management +Subject: [PATCH 07/71] client/man/ipa-rmkeytab.1: Change branding to IPA and + Identity Management --- client/man/ipa-rmkeytab.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-rmkeytab.1 b/client/man/ipa-rmkeytab.1 -index 53f775439..2c8218c94 100644 +index 53f7754..2c8218c 100644 --- a/client/man/ipa-rmkeytab.1 +++ b/client/man/ipa-rmkeytab.1 @@ -17,7 +17,7 @@ @@ -193,21 +193,21 @@ index 53f775439..2c8218c94 100644 ipa\-rmkeytab \- Remove a kerberos principal from a keytab .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 0373bb1499f50bf4c04becabf2e773dd5977060e Mon Sep 17 00:00:00 2001 +From 8978dadb62b23014d5d82547e16c07c575c7cf56 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 09/72] client/man/ipa.1: Change branding to IPA and - Identity Management +Subject: [PATCH 08/71] client/man/ipa.1: Change branding to IPA and Identity + Management --- client/man/ipa.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa.1 b/client/man/ipa.1 -index f9fae7c0d..2fb21b52d 100644 +index f9fae7c..2fb21b5 100644 --- a/client/man/ipa.1 +++ b/client/man/ipa.1 @@ -16,7 +16,7 @@ @@ -220,21 +220,21 @@ index f9fae7c0d..2fb21b52d 100644 ipa \- IPA command\-line interface .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 36b7dce706ec2b0b650c51cea24be0655fd0c096 Mon Sep 17 00:00:00 2001 +From d2a614533c0d7c1203d9251dc557871bc8962efd Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 10/72] install/html/ssbrowser.html: Change branding to IPA - and Identity Management +Subject: [PATCH 09/71] install/html/ssbrowser.html: Change branding to IPA and + Identity Management --- install/html/ssbrowser.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html -index faa7e657b..89ada7cb1 100644 +index faa7e65..89ada7c 100644 --- a/install/html/ssbrowser.html +++ b/install/html/ssbrowser.html @@ -2,7 +2,7 @@ @@ -256,21 +256,21 @@ index faa7e657b..89ada7cb1 100644 </nav> -- -2.17.1 +2.21.0 -From 9273d2fdee9baef212eeaac941b7c8b497d50728 Mon Sep 17 00:00:00 2001 +From 199f34178cd8dfff0fd5edd37472787bbd3b4320 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 11/72] install/html/unauthorized.html: Change branding to - IPA and Identity Management +Subject: [PATCH 10/71] install/html/unauthorized.html: Change branding to IPA + and Identity Management --- install/html/unauthorized.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/html/unauthorized.html b/install/html/unauthorized.html -index 630982da8..b8c64d69d 100644 +index 630982d..b8c64d6 100644 --- a/install/html/unauthorized.html +++ b/install/html/unauthorized.html @@ -2,7 +2,7 @@ @@ -292,13 +292,13 @@ index 630982da8..b8c64d69d 100644 </nav> -- -2.17.1 +2.21.0 -From b9d7e2a0d08d8d03f1fbaaae6268292934f894f0 Mon Sep 17 00:00:00 2001 +From 116e40f79a289aa4817cee7d8fbb4935b6346997 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 12/72] install/migration/index.html: Change branding to IPA +Subject: [PATCH 11/71] install/migration/index.html: Change branding to IPA and Identity Management --- 
@@ -306,7 +306,7 @@ Subject: [PATCH 12/72] install/migration/index.html: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/migration/index.html b/install/migration/index.html -index fca517cdc..b5ac1f6df 100644 +index fca517c..b5ac1f6 100644 --- a/install/migration/index.html +++ b/install/migration/index.html @@ -2,7 +2,7 @@ @@ -319,21 +319,21 @@ index fca517cdc..b5ac1f6df 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.17.1 +2.21.0 -From 9a2d23539ec1d3e72f2bcfda319c78994d8c8b73 Mon Sep 17 00:00:00 2001 +From 15bcd44695d9f0920c0df57f1a32f3cfaf5a4247 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 13/72] install/share/schema.d/README: Change branding to - IPA and Identity Management +Subject: [PATCH 12/71] install/share/schema.d/README: Change branding to IPA + and Identity Management --- install/share/schema.d/README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/schema.d/README b/install/share/schema.d/README -index 19e3e6832..2a92ec6ae 100644 +index 19e3e68..2a92ec6 100644 --- a/install/share/schema.d/README +++ b/install/share/schema.d/README @@ -7,8 +7,8 @@ schema files during the run of ipa-server-upgrade utility. Therefore, they are @@ -348,21 +348,21 @@ index 19e3e6832..2a92ec6ae 100644 You may place your schema files in a subdirectory too, the code that loads schema files processes recursively all subdirectories of schema.d. -- -2.17.1 +2.21.0 -From 8cdc33d0bfc113d4391c75470b262c82ddf39a51 Mon Sep 17 00:00:00 2001 +From 96ab352b2c46c6387d4deed7a06649def48e2351 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 14/72] install/tools/ipa-adtrust-install.in: Change - branding to IPA and Identity Management +Subject: [PATCH 13/71] install/tools/ipa-adtrust-install.in: Change branding + to IPA and Identity Management --- install/tools/ipa-adtrust-install.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in -index cb0b1a17a..3cc680f3a 100644 +index 1abfea9..04510a5 100644 --- a/install/tools/ipa-adtrust-install.in +++ b/install/tools/ipa-adtrust-install.in @@ -141,11 +141,11 @@ def main(): @@ -380,21 +380,21 @@ index cb0b1a17a..3cc680f3a 100644 # print " * Add a SID to all users and Posix groups" print("") -- -2.17.1 +2.21.0 -From 8eabc86504ea14b8b0c9f7dfd03e9964782a6707 Mon Sep 17 00:00:00 2001 +From d1479121c7bbb1ab74e62ffb2b5b6ccac0d82ff9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 15/72] install/tools/ipa-replica-conncheck.in: Change - branding to IPA and Identity Management +Subject: [PATCH 14/71] install/tools/ipa-replica-conncheck.in: Change branding + to IPA and Identity Management --- install/tools/ipa-replica-conncheck.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-replica-conncheck.in b/install/tools/ipa-replica-conncheck.in -index 82fa170c6..413d2cb66 100644 +index b22db11..b86ce45 100644 --- a/install/tools/ipa-replica-conncheck.in +++ b/install/tools/ipa-replica-conncheck.in @@ -290,7 +290,7 @@ class PortResponder(threading.Thread): @@ -407,13 +407,13 @@ index 82fa170c6..413d2cb66 100644 self.ports_open_cond = threading.Condition() -- -2.17.1 +2.21.0 -From 54fe67b68c08a617748d5ab46201141cf0d3f39a Mon Sep 17 00:00:00 2001 +From 3ea319693045808c59bb43055e0b9d511cbc1ef8 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 16/72] install/tools/man/ipa-adtrust-install.1: Change +Subject: [PATCH 15/71] install/tools/man/ipa-adtrust-install.1: Change branding to IPA and Identity Management --- @@ -421,7 +421,7 @@ Subject: [PATCH 16/72] install/tools/man/ipa-adtrust-install.1: Change 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 -index b11065806..f70f316f6 100644 +index b110658..f70f316 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -16,7 +16,7 @@ @@ -443,21 +443,21 @@ index b11065806..f70f316f6 100644 to the list automatically as restart of the LDAP service on each of them is required. The host where ipa\-adtrust\-install is being run is added -- -2.17.1 +2.21.0 -From bcedaa67083688b766a713b392cb5a3df350fe41 Mon Sep 17 00:00:00 2001 +From c12d0550c227a625a1a04ed11781a3c0ffae05f9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 17/72] install/tools/man/ipa-advise.1: Change branding to - IPA and Identity Management +Subject: [PATCH 16/71] install/tools/man/ipa-advise.1: Change branding to IPA + and Identity Management --- install/tools/man/ipa-advise.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-advise.1 b/install/tools/man/ipa-advise.1 -index 4c494aab9..515bbddbe 100644 +index 4c494aa..515bbdd 100644 --- a/install/tools/man/ipa-advise.1 +++ b/install/tools/man/ipa-advise.1 @@ -16,7 +16,7 @@ @@ -477,21 +477,21 @@ index 4c494aab9..515bbddbe 100644 \ No newline at end of file +1 if an error occurred -- -2.17.1 +2.21.0 -From 610ffd04d15ab82fb34abd068785cdbfa7bd094c Mon Sep 17 00:00:00 2001 +From 24b7c7cd888abd3d044b7a7c7fba8fe6f6fe2d44 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 18/72] install/tools/man/ipa-backup.1: Change branding to - IPA and Identity Management +Subject: [PATCH 17/71] install/tools/man/ipa-backup.1: Change branding to IPA + and Identity Management --- install/tools/man/ipa-backup.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1 -index 77081b61d..8f3f71282 100644 +index 77081b6..8f3f712 100644 --- a/install/tools/man/ipa-backup.1 +++ b/install/tools/man/ipa-backup.1 @@ -16,7 +16,7 @@ @@ -504,21 +504,21 @@ index 77081b61d..8f3f71282 100644 ipa\-backup \- Back up an IPA master .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 1b71763bbf751b932118aa79b79c8dbd21e00ed6 Mon Sep 17 00:00:00 2001 +From 6f811a93085b8422bd75d540dd9b9a58d7b75f86 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 19/72] install/tools/man/ipa-ca-install.1: Change branding - to IPA and Identity Management +Subject: [PATCH 18/71] install/tools/man/ipa-ca-install.1: Change branding to + IPA and Identity Management --- install/tools/man/ipa-ca-install.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 -index 5ac7e2b75..edb25be70 100644 +index 3ebe32c..8e57c00 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -16,7 +16,7 @@ @@ -531,21 +531,21 @@ index 5ac7e2b75..edb25be70 100644 ipa\-ca\-install \- Install a CA on a server .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 352f373c2daefa96fd46906d9fbeac0a6817c4c7 Mon Sep 17 00:00:00 2001 +From bb7f2fab05d96e97a845f074e9aeb2c2dab52f20 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 20/72] install/tools/man/ipa-cacert-manage.1: Change - branding to IPA and Identity Management +Subject: [PATCH 19/71] install/tools/man/ipa-cacert-manage.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-cacert-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 -index bacd56b5a..ed69e8435 100644 +index 0cd34ee..84fbc1a 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -16,7 +16,7 @@ @@ -558,21 +558,21 @@ index bacd56b5a..ed69e8435 100644 ipa\-cacert\-manage \- Manage CA certificates in IPA .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 0f35caa7b5ffce35f85c99e0fac3fe16a92050a1 Mon Sep 17 00:00:00 2001 +From 5203f09b581b3cd385d2f022b100e854b65c71db Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 21/72] install/tools/man/ipa-compat-manage.1: Change - branding to IPA and Identity Management +Subject: [PATCH 20/71] install/tools/man/ipa-compat-manage.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-compat-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-compat-manage.1 b/install/tools/man/ipa-compat-manage.1 -index f22b1743e..26470331a 100644 +index f22b174..2647033 100644 --- a/install/tools/man/ipa-compat-manage.1 +++ b/install/tools/man/ipa-compat-manage.1 @@ -16,7 +16,7 @@ @@ -585,13 +585,13 @@ index f22b1743e..26470331a 100644 ipa\-compat\-manage \- Enables or disables the schema compatibility plugin .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 915fad2b79ca214fe311d6d44945847c751265f5 Mon Sep 17 00:00:00 2001 +From 118a4b5d5a7782fa2f98194ca940ddd68f17116c Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 22/72] install/tools/man/ipa-csreplica-manage.1: Change +Subject: [PATCH 21/71] install/tools/man/ipa-csreplica-manage.1: Change branding to IPA and Identity Management --- @@ -599,7 +599,7 @@ Subject: [PATCH 22/72] install/tools/man/ipa-csreplica-manage.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1 -index ab5bfddd8..6d039751e 100644 +index ab5bfdd..6d03975 100644 --- a/install/tools/man/ipa-csreplica-manage.1 +++ b/install/tools/man/ipa-csreplica-manage.1 @@ -16,7 +16,7 @@ @@ -612,21 +612,21 @@ index ab5bfddd8..6d039751e 100644 ipa\-csreplica\-manage \- Manage an IPA CS replica .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 82567551b768c027993dba4a3a31fa0c144dcbd1 Mon Sep 17 00:00:00 2001 +From 07aee8049471294f114d3953c0af762fd0ce7dfc Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 23/72] install/tools/man/ipa-dns-install.1: Change branding - to IPA and Identity Management +Subject: [PATCH 22/71] install/tools/man/ipa-dns-install.1: Change branding to + IPA and Identity Management --- install/tools/man/ipa-dns-install.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 -index 14e4cd51f..029001eca 100644 +index 14e4cd5..029001e 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/install/tools/man/ipa-dns-install.1 @@ -1,7 +1,7 @@ @@ -648,21 +648,21 @@ index 14e4cd51f..029001eca 100644 This command requires that an IPA server is already installed and configured. -- -2.17.1 +2.21.0 -From 3296a366d3b1fd542af4141830796a1535df03ea Mon Sep 17 00:00:00 2001 +From fd0616fde2690c1d1e69556d0d15c711585b24e7 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 24/72] install/tools/man/ipa-kra-install.1: Change branding - to IPA and Identity Management +Subject: [PATCH 23/71] install/tools/man/ipa-kra-install.1: Change branding to + IPA and Identity Management --- install/tools/man/ipa-kra-install.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1 -index b7661f7cc..8e71e4669 100644 +index 6c8523a..5476a4e 100644 --- a/install/tools/man/ipa-kra-install.1 +++ b/install/tools/man/ipa-kra-install.1 @@ -16,7 +16,7 @@ @@ -675,21 +675,21 @@ index b7661f7cc..8e71e4669 100644 ipa\-kra\-install \- Install a KRA on a server .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 73785bf8c3c95d3118ea0d2cad2d9ea035cd0bd7 Mon Sep 17 00:00:00 2001 +From d8236fb3826f400d828cfe56c83cb8af65645071 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 25/72] install/tools/man/ipa-ldap-updater.1: Change - branding to IPA and Identity Management +Subject: [PATCH 24/71] install/tools/man/ipa-ldap-updater.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-ldap-updater.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1 -index 4893802c2..7ead55bd9 100644 +index 4893802..7ead55b 100644 --- a/install/tools/man/ipa-ldap-updater.1 +++ b/install/tools/man/ipa-ldap-updater.1 @@ -16,7 +16,7 @@ @@ -702,13 +702,13 @@ index 4893802c2..7ead55bd9 100644 ipa\-ldap\-updater \- Update the IPA LDAP configuration .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 15e96eb03dad223c7dde208ec5e324c1867de484 Mon Sep 17 00:00:00 2001 +From 7164d61f04d6eb4369c3d1743e46f38d17dedc46 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 26/72] install/tools/man/ipa-managed-entries.1: Change +Subject: [PATCH 25/71] install/tools/man/ipa-managed-entries.1: Change branding to IPA and Identity Management --- @@ -716,7 +716,7 @@ Subject: [PATCH 26/72] install/tools/man/ipa-managed-entries.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-managed-entries.1 b/install/tools/man/ipa-managed-entries.1 -index 3d5ca22b8..edaa0a90d 100644 +index 3d5ca22..edaa0a9 100644 --- a/install/tools/man/ipa-managed-entries.1 +++ b/install/tools/man/ipa-managed-entries.1 @@ -16,7 +16,7 @@ @@ -729,21 +729,21 @@ index 3d5ca22b8..edaa0a90d 100644 ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From a69685a751bf537e3a696d1da592290deb95a014 Mon Sep 17 00:00:00 2001 +From bde20076f4f7b5c519313e0890fcfaf0cfea04f8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 27/72] install/tools/man/ipa-nis-manage.1: Change branding - to IPA and Identity Management +Subject: [PATCH 26/71] install/tools/man/ipa-nis-manage.1: Change branding to + IPA and Identity Management --- install/tools/man/ipa-nis-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1 -index 93278487c..1107b7790 100644 +index 9327848..1107b77 100644 --- a/install/tools/man/ipa-nis-manage.1 +++ b/install/tools/man/ipa-nis-manage.1 @@ -16,7 +16,7 @@ @@ -756,13 +756,13 @@ index 93278487c..1107b7790 100644 ipa\-nis\-manage \- Enables or disables the NIS listener plugin .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From d39335717d55d7da36eb24399c1684fdc980f747 Mon Sep 17 00:00:00 2001 +From d58f69b6c65de144e4d4413a2572f92fb32d269a Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 28/72] install/tools/man/ipa-otptoken-import.1: Change +Subject: [PATCH 27/71] install/tools/man/ipa-otptoken-import.1: Change branding to IPA and Identity Management --- @@ -770,7 +770,7 @@ Subject: [PATCH 28/72] install/tools/man/ipa-otptoken-import.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-otptoken-import.1 b/install/tools/man/ipa-otptoken-import.1 -index 920a08ca2..fe91040fa 100644 +index 920a08c..fe91040 100644 --- a/install/tools/man/ipa-otptoken-import.1 +++ b/install/tools/man/ipa-otptoken-import.1 @@ -16,7 +16,7 @@ @@ -783,21 +783,21 @@ index 920a08ca2..fe91040fa 100644 ipa\-otptoken\-import \- Imports OTP tokens from RFC 6030 XML file .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From f5614518de761b7897c156876f76e685be401127 Mon Sep 17 00:00:00 2001 +From 317f15595001171dc6c0dc9eba0b54294a1b78ce Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 29/72] install/tools/man/ipa-pkinit-manage.1: Change - branding to IPA and Identity Management +Subject: [PATCH 28/71] install/tools/man/ipa-pkinit-manage.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-pkinit-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-pkinit-manage.1 b/install/tools/man/ipa-pkinit-manage.1 -index 5018ce8aa..50d63e921 100644 +index 5018ce8..50d63e9 100644 --- a/install/tools/man/ipa-pkinit-manage.1 +++ b/install/tools/man/ipa-pkinit-manage.1 @@ -1,7 +1,7 @@ @@ -810,13 +810,13 @@ index 5018ce8aa..50d63e921 100644 ipa\-pkinit\-manage \- Enables or disables PKINIT .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 4188427191d4b736b6492a942e713d9703bc0901 Mon Sep 17 00:00:00 2001 +From fda0cc19e2575fbeec92e3f9baa53cec8a3a5837 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 30/72] install/tools/man/ipa-replica-conncheck.1: Change +Subject: [PATCH 29/71] install/tools/man/ipa-replica-conncheck.1: Change branding to IPA and Identity Management --- @@ -824,7 +824,7 @@ Subject: [PATCH 30/72] install/tools/man/ipa-replica-conncheck.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1 -index 6451f3545..ed441e3be 100644 +index 6451f35..ed441e3 100644 --- a/install/tools/man/ipa-replica-conncheck.1 +++ b/install/tools/man/ipa-replica-conncheck.1 @@ -16,7 +16,7 @@ @@ -837,13 +837,13 @@ index 6451f3545..ed441e3be 100644 ipa\-replica\-conncheck \- Check a replica\-master network connection before installation .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 067c2df8cc7535a1863f30f3581c3018f98f5e3f Mon Sep 17 00:00:00 2001 +From 96be660cba85a4358bd90549a8c26cd10310cdf7 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 31/72] install/tools/man/ipa-replica-install.1: Change +Subject: [PATCH 30/71] install/tools/man/ipa-replica-install.1: Change branding to IPA and Identity Management --- @@ -851,7 +851,7 @@ Subject: [PATCH 31/72] install/tools/man/ipa-replica-install.1: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 -index 7f6ca57e5..dd4cfea24 100644 +index 19d1d91..44fce10 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -1,7 +1,7 @@ 
@@ -870,9 +870,9 @@ index 7f6ca57e5..dd4cfea24 100644 -To create a replica, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion. +To create a replica, the machine only needs to be enrolled in the IPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion. - If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. + If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. The NTP configuration cannot be updated during client promotion. -@@ -226,7 +226,7 @@ ldapmodify command info the directory server. +@@ -229,7 +229,7 @@ ldapmodify command info the directory server. .TP \fB\-\-add\-agents\fR Add IPA masters to the list that allows to serve information about @@ -882,21 +882,21 @@ index 7f6ca57e5..dd4cfea24 100644 to the list automatically as restart of the LDAP service on each of them is required. The host where ipa\-adtrust\-install is being run is added -- -2.17.1 +2.21.0 -From ea5e08cd996e75472a58dfd45fff06b747324817 Mon Sep 17 00:00:00 2001 +From d83e2fc2480d12404056de5a7cd4ea7ff1eb936c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 32/72] install/tools/man/ipa-replica-manage.1: Change - branding to IPA and Identity Management +Subject: [PATCH 31/71] install/tools/man/ipa-replica-manage.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-replica-manage.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 -index 239f1591c..2c94278ca 100644 +index 239f159..2c94278 100644 --- a/install/tools/man/ipa-replica-manage.1 +++ b/install/tools/man/ipa-replica-manage.1 @@ -16,7 +16,7 @@ 
@@ -909,21 +909,21 @@ index 239f1591c..2c94278ca 100644 ipa\-replica\-manage \- Manage an IPA replica .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 9202123a94ca41cb41d2cf255bffa96c776145ef Mon Sep 17 00:00:00 2001 +From 61cd4587092d982c7e9bd56ae82f59a3859e5739 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 33/72] install/tools/man/ipa-restore.1: Change branding to - IPA and Identity Management +Subject: [PATCH 32/71] install/tools/man/ipa-restore.1: Change branding to IPA + and Identity Management --- install/tools/man/ipa-restore.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-restore.1 b/install/tools/man/ipa-restore.1 -index 5843d5546..bc0755baa 100644 +index 5843d55..bc0755b 100644 --- a/install/tools/man/ipa-restore.1 +++ b/install/tools/man/ipa-restore.1 @@ -16,7 +16,7 @@ @@ -936,13 +936,13 @@ index 5843d5546..bc0755baa 100644 ipa\-restore \- Restore an IPA master .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 953314e5afa0502a11200d54d1296425c4e51d82 Mon Sep 17 00:00:00 2001 +From 00ba3a4744ec9df96213461af3a0e72129765540 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 34/72] install/tools/man/ipa-server-certinstall.1: Change +Subject: [PATCH 33/71] install/tools/man/ipa-server-certinstall.1: Change branding to IPA and Identity Management --- @@ -950,7 +950,7 @@ Subject: [PATCH 34/72] install/tools/man/ipa-server-certinstall.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1 -index 00fd03b6b..aa9bb7b85 100644 +index 79bd7c8..3f12a5a 100644 --- a/install/tools/man/ipa-server-certinstall.1 +++ b/install/tools/man/ipa-server-certinstall.1 @@ -16,7 +16,7 @@ 
@@ -963,21 +963,21 @@ index 00fd03b6b..aa9bb7b85 100644 ipa\-server\-certinstall \- Install new SSL server certificates .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 17368ed31bfee73d7cb0b93909b9cd8aca425716 Mon Sep 17 00:00:00 2001 +From 9efb599bef9a8129876d946e2d1f4e901663acd7 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 35/72] install/tools/man/ipa-server-install.1: Change - branding to IPA and Identity Management +Subject: [PATCH 34/71] install/tools/man/ipa-server-install.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-server-install.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 -index 019c157fa..a8aeeb26d 100644 +index 1a4d2f6..fdb0f4c 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -1,7 +1,7 @@ @@ -989,7 +989,7 @@ index 019c157fa..a8aeeb26d 100644 .SH "NAME" ipa\-server\-install \- Configure an IPA server .SH "SYNOPSIS" -@@ -169,7 +169,7 @@ Install and configure a KRA on this server. +@@ -172,7 +172,7 @@ Install and configure a KRA on this server. .SS "DNS OPTIONS" IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology. @@ -999,21 +999,21 @@ index 019c157fa..a8aeeb26d 100644 .TP \fB\-\-setup\-dns\fR -- -2.17.1 +2.21.0 -From 630167ac51b80853225d4057db46a74ac416bc29 Mon Sep 17 00:00:00 2001 +From e42dae0ed616406b8c99efba2d4fb76e5f643040 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 36/72] install/tools/man/ipa-server-upgrade.1: Change - branding to IPA and Identity Management +Subject: [PATCH 35/71] install/tools/man/ipa-server-upgrade.1: Change branding + to IPA and Identity Management --- install/tools/man/ipa-server-upgrade.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1 -index cbbdc5901..3db19b0f1 100644 +index cbbdc59..3db19b0 100644 --- a/install/tools/man/ipa-server-upgrade.1 +++ b/install/tools/man/ipa-server-upgrade.1 @@ -2,7 +2,7 @@ @@ -1026,13 +1026,13 @@ index cbbdc5901..3db19b0f1 100644 ipa\-server\-upgrade \- upgrade IPA server .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 9119708871268a9401bd491b819e17292be8be15 Mon Sep 17 00:00:00 2001 +From 43b77f8ad6fc8cc931d85eeeab05c8b7ba8fa086 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 37/72] install/tools/man/ipa-winsync-migrate.1: Change +Subject: [PATCH 36/71] install/tools/man/ipa-winsync-migrate.1: Change branding to IPA and Identity Management --- @@ -1040,7 +1040,7 @@ Subject: [PATCH 37/72] install/tools/man/ipa-winsync-migrate.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-winsync-migrate.1 b/install/tools/man/ipa-winsync-migrate.1 -index 88702bad6..1812f6348 100644 +index 88702ba..1812f63 100644 --- a/install/tools/man/ipa-winsync-migrate.1 +++ b/install/tools/man/ipa-winsync-migrate.1 @@ -16,7 +16,7 @@ @@ -1053,21 +1053,21 @@ index 88702bad6..1812f6348 100644 ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users. .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From 6149bf9ee37f3a341db2b14e8186b0e1294ad1e7 Mon Sep 17 00:00:00 2001 +From 74a61bfd749da6c4ab1b35c5d61906433b591414 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 38/72] install/tools/man/ipactl.8: Change branding to IPA - and Identity Management +Subject: [PATCH 37/71] install/tools/man/ipactl.8: Change branding to IPA and + Identity Management --- install/tools/man/ipactl.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipactl.8 b/install/tools/man/ipactl.8 -index fb533aae2..d7aaaf8ed 100644 +index fb533aa..d7aaaf8 100644 --- a/install/tools/man/ipactl.8 +++ b/install/tools/man/ipactl.8 @@ -16,7 +16,7 @@ @@ -1080,21 +1080,21 @@ index fb533aae2..d7aaaf8ed 100644 ipactl \- IPA Server Control Interface .SH "SYNOPSIS" -- -2.17.1 +2.21.0 -From f978206e28449fa5946a76cbd79f422df0d72725 Mon Sep 17 00:00:00 2001 +From eaf3a578fc370e95dbc55365e12db238fd7feff2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 39/72] install/ui/css/patternfly.css: Change branding to - IPA and Identity Management +Subject: [PATCH 38/71] install/ui/css/patternfly.css: Change branding to IPA + and Identity Management --- install/ui/css/patternfly.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/css/patternfly.css b/install/ui/css/patternfly.css -index ee920530b..de574a84c 100644 +index ee92053..de574a8 100644 --- a/install/ui/css/patternfly.css +++ b/install/ui/css/patternfly.css @@ -4,4 +4,4 @@ 
@@ -1106,13 +1106,13 @@ index ee920530b..de574a84c 100644 + */.bootstrap-select.btn-group,.bootstrap-select.btn-group[class*=span]{float:none;display:inline-block;margin-bottom:10px;margin-left:0}.form-horizontal .bootstrap-select.btn-group,.form-inline .bootstrap-select.btn-group,.form-search .bootstrap-select.btn-group{margin-bottom:0}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none}.bootstrap-select.btn-group.pull-right,.bootstrap-select.btn-group[class*=span].pull-right,.row-fluid .bootstrap-select.btn-group[class*=span].pull-right{float:right}.input-append .bootstrap-select.btn-group{margin-left:-1px}.input-prepend .bootstrap-select.btn-group{margin-right:-1px}.bootstrap-select:not([class*=span]):not([class*=col-]):not([class*=form-control]){width:220px}.bootstrap-select{width:220px\9}.bootstrap-select.form-control:not([class*=span]){width:100%}.bootstrap-select>.btn{width:100%}.error .bootstrap-select .btn{border:1px solid #b94a48}.dropdown-menu{z-index:2000}.bootstrap-select.show-menu-arrow.open>.btn{z-index:2051}.bootstrap-select .btn:focus{outline:thin dotted #333!important;outline:5px auto -webkit-focus-ring-color!important;outline-offset:-2px}.bootstrap-select.btn-group .btn .filter-option{overflow:hidden;position:absolute;left:12px;right:25px;text-align:left}.bootstrap-select.btn-group .btn .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.bootstrap-select.btn-group .dropdown-menu li.disabled>a,.bootstrap-select.btn-group>.disabled{cursor:not-allowed}.bootstrap-select.btn-group>.disabled:focus{outline:0!important}.bootstrap-select.btn-group[class*=span] .btn{width:100%}.bootstrap-select.btn-group .dropdown-menu{min-width:100%;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}.bootstrap-select.btn-group 
.dropdown-menu.inner{position:static;border:0;padding:0;margin:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.bootstrap-select.btn-group .dropdown-menu dt{display:block;padding:3px 20px;cursor:default}.bootstrap-select.btn-group .div-contain{overflow:hidden}.bootstrap-select.btn-group .dropdown-menu li{position:relative}.bootstrap-select.btn-group .dropdown-menu li>a.opt{position:relative;padding-left:35px}.bootstrap-select.btn-group .dropdown-menu li>a{cursor:pointer}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a i.check-mark{display:inline-block;position:absolute;right:15px;margin-top:2.5px}.bootstrap-select.btn-group .dropdown-menu li a i.check-mark{display:none}.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select.btn-group .dropdown-menu li small{padding-left:.5em}.bootstrap-select.btn-group .dropdown-menu li.active:not(.disabled)>a small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:hover small{color:#64b1d8;color:rgba(255,255,255,.4)}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.show-menu-arrow .dropdown-toggle:before{content:'';display:inline-block;border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid #CCC;border-bottom-color:rgba(0,0,0,.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle:after{content:'';display:inline-block;border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid #fff;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before{bottom:auto;top:-3px;border-top:7px solid 
#ccc;border-bottom:0;border-top-color:rgba(0,0,0,.2)}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after{bottom:auto;top:-3px;border-top:6px solid #fff;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:after,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:before{display:block}.bootstrap-select.btn-group .no-results{padding:3px;background:#f5f5f5;margin:0 5px}.mobile-device{position:absolute;top:0;left:0;display:block!important;width:100%;height:100%!important;opacity:0}.bootstrap-select.fit-width{width:auto!important}.bootstrap-select.btn-group.fit-width .btn .filter-option{position:static}.bootstrap-select.btn-group.fit-width .btn .caret{position:static;top:auto;margin-top:-1px}.control-group.error .bootstrap-select .dropdown-toggle{border-color:#b94a48}.bootstrap-select-searchbox{padding:4px 8px}.bootstrap-select-searchbox input{margin-bottom:0}.alert{border-width:1px;padding-left:47px;padding-right:14px;position:relative}.alert .alert-link{color:#0088ce}.alert .alert-link:hover{color:#00659c}.alert>.btn.pull-right{margin-top:-3px}.alert>.pficon{font-size:22px;position:absolute;left:13px;top:10px}.alert .close{opacity:.85;filter:alpha(opacity=85)}.alert .close:focus,.alert .close:hover{opacity:1;filter:alpha(opacity=100)}.alert .pficon-info{color:#4d5258}.alert-dismissable{padding-right:28px}.alert-dismissable .close{right:-13px;top:1px}.badge{margin-left:6px}.nav-pills>li>a>.badge{margin-left:6px}.bootstrap-select.btn-group.form-control{margin-bottom:0}.bootstrap-select.btn-group .btn{-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-select.btn-group 
.btn:hover{border-color:#7dc3e8}.bootstrap-select.btn-group .btn .caret{margin-top:-4px}.bootstrap-select.btn-group .btn:focus{border-color:#0088ce;outline:0!important;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6);box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6)}.has-error .bootstrap-select.btn-group .btn{border-color:#c00}.has-error .bootstrap-select.btn-group .btn:focus{border-color:#900;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33}.has-success .bootstrap-select.btn-group .btn{border-color:#3c763d}.has-success .bootstrap-select.btn-group .btn:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168}.has-warning .bootstrap-select.btn-group .btn{border-color:#ec7a08}.has-warning .bootstrap-select.btn-group .btn:focus{border-color:#bb6106;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60}.bootstrap-select.btn-group .dropdown-menu>.active>a,.bootstrap-select.btn-group .dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.bootstrap-select.btn-group .dropdown-menu>.active>a small,.bootstrap-select.btn-group .dropdown-menu>.active>a:active small{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.disabled>a{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu .divider{background:#ededed!important;margin:4px 1px!important}.bootstrap-select.btn-group .dropdown-menu dt{color:#8b8d8f;font-weight:400;padding:1px 
10px}.bootstrap-select.btn-group .dropdown-menu li>a.opt{padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu li a:focus small,.bootstrap-select.btn-group .dropdown-menu li a:hover small{color:#9c9c9c}.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:hover small{color:#9c9c9c}.combobox-container.combobox-selected .glyphicon-remove{display:inline-block}.combobox-container .caret{margin-left:0}.combobox-container .combobox::-ms-clear{display:none}.combobox-container .dropdown-menu{margin-top:-1px;width:100%}.combobox-container .glyphicon-remove{display:none;top:auto;width:12px}.combobox-container .glyphicon-remove:before{content:"\e60b";font-family:PatternFlyIcons-webfont}.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;position:relative}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.combobox-container .input-group-addon:focus,.combobox-container .input-group-addon:hover,.open .dropdown-toggle.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.open .dropdown-toggle.combobox-container .input-group-addon{background-image:none}.combobox-container .input-group-addon.active.focus,.combobox-container .input-group-addon.active:focus,.combobox-container 
.input-group-addon.active:hover,.combobox-container .input-group-addon:active.focus,.combobox-container .input-group-addon:active:focus,.combobox-container .input-group-addon:active:hover,.open .dropdown-toggle.combobox-container .input-group-addon.focus,.open .dropdown-toggle.combobox-container .input-group-addon:focus,.open .dropdown-toggle.combobox-container .input-group-addon:hover{background-color:#e5e5e5;border-color:#a9a9a9}.combobox-container .input-group-addon.disabled,.combobox-container .input-group-addon.disabled.active,.combobox-container .input-group-addon.disabled:active,.combobox-container .input-group-addon.disabled:focus,.combobox-container .input-group-addon.disabled:hover,.combobox-container .input-group-addon[disabled],.combobox-container .input-group-addon[disabled].active,.combobox-container .input-group-addon[disabled]:active,.combobox-container .input-group-addon[disabled]:focus,.combobox-container .input-group-addon[disabled]:hover,fieldset[disabled] .combobox-container .input-group-addon,fieldset[disabled] .combobox-container .input-group-addon.active,fieldset[disabled] .combobox-container .input-group-addon:active,fieldset[disabled] .combobox-container .input-group-addon:focus,fieldset[disabled] .combobox-container .input-group-addon:hover{background-color:#f1f1f1;border-color:#bbb}.combobox-container .input-group-addon:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.treeview .list-group{border-top:0}.treeview .list-group-item{background:0 0;border-bottom:1px solid transparent!important;border-top:1px solid transparent!important;margin-bottom:0;padding:0 10px}.treeview .list-group-item:hover{background:#def3ff!important;border-color:#bee1f4!important}.treeview .list-group-item.node-selected{background:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.treeview span.icon{display:inline-block;font-size:13px;min-width:10px;text-align:center}.treeview 
span.icon>[class*=fa-angle]{font-size:15px}.treeview span.indent{margin-right:5px}.breadcrumb{padding-left:0}.breadcrumb>.active strong{font-weight:600}.breadcrumb>li{display:inline}.breadcrumb>li+li:before{color:#9c9c9c;content:"\f101";font-family:FontAwesome;font-size:11px;padding:0 9px 0 7px}.btn{-webkit-box-shadow:0 2px 3px rgba(3,3,3,.1);box-shadow:0 2px 3px rgba(3,3,3,.1)}.btn:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{background-color:#fafafa!important;background-image:none!important;border-color:#d1d1d1!important;color:#8b8d8f!important;opacity:1}.btn.disabled:active,.btn[disabled]:active,fieldset[disabled] .btn:active{-webkit-box-shadow:none;box-shadow:none}.btn.disabled.btn-link,.btn[disabled].btn-link,fieldset[disabled] .btn.btn-link{background-color:transparent!important;border:0}.btn-danger{background-color:#a30000;background-image:-webkit-linear-gradient(top,#c00 0,#a30000 100%);background-image:-o-linear-gradient(top,#c00 0,#a30000 100%);background-image:linear-gradient(to bottom,#c00 0,#a30000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffcc0000', endColorstr='#ffa30000', GradientType=0);border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.btn-danger:focus,.btn-danger:hover,.open .dropdown-toggle.btn-danger{background-color:#a30000;background-image:none;border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open .dropdown-toggle.btn-danger.focus,.open .dropdown-toggle.btn-danger:focus,.open 
.dropdown-toggle.btn-danger:hover{background-color:#8a0000;border-color:#670000}.btn-danger.disabled,.btn-danger.disabled.active,.btn-danger.disabled:active,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled],.btn-danger[disabled].active,.btn-danger[disabled]:active,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger.active,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#a30000;border-color:#8b0000}.btn-default{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.btn-default:focus,.btn-default:hover,.open .dropdown-toggle.btn-default{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open .dropdown-toggle.btn-default.focus,.open .dropdown-toggle.btn-default:focus,.open .dropdown-toggle.btn-default:hover{background-color:#e5e5e5;border-color:#a9a9a9}.btn-default.disabled,.btn-default.disabled.active,.btn-default.disabled:active,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled],.btn-default[disabled].active,.btn-default[disabled]:active,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default.active,fieldset[disabled] 
.btn-default:active,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#f1f1f1;border-color:#bbb}.btn-link,.btn-link:active{-webkit-box-shadow:none;box-shadow:none}.btn-primary{background-color:#0088ce;background-image:-webkit-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:-o-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:linear-gradient(to bottom,#39a5dc 0,#0088ce 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff39a5dc', endColorstr='#ff0088ce', GradientType=0);border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open .dropdown-toggle.btn-primary{background-color:#0088ce;background-image:none;border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open .dropdown-toggle.btn-primary.focus,.open .dropdown-toggle.btn-primary:focus,.open .dropdown-toggle.btn-primary:hover{background-color:#0077b5;border-color:#004e78}.btn-primary.disabled,.btn-primary.disabled.active,.btn-primary.disabled:active,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled],.btn-primary[disabled].active,.btn-primary[disabled]:active,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary.active,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#0088ce;border-color:#00659c}.btn-group-xs 
.btn,.btn-group-xs>.btn,.btn-xs{font-weight:400}.close{text-shadow:none;opacity:.6;filter:alpha(opacity=60)}.close:focus,.close:hover{opacity:.9;filter:alpha(opacity=90)}.ColVis_Button:active:focus{outline:0}.ColVis_catcher{position:absolute;z-index:999}.ColVis_collection{background-color:#fff;border:1px solid #bbb;border-radius:1px;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);background-clip:padding-box;list-style:none;margin:-1px 0 0 0;padding:5px 10px;width:150px;z-index:1000}.ColVis_collection label{font-weight:400;margin-bottom:5px;margin-top:5px;padding-left:20px}.ColVis_collectionBackground{background-color:#fff;height:100%;left:0;position:fixed;top:0;width:100%;z-index:998}.dataTables_header{background-color:#f5f5f5;border:1px solid #d1d1d1;border-bottom:none;padding:5px;position:relative;text-align:center}.dataTables_header .btn{-webkit-box-shadow:none;box-shadow:none}.dataTables_header .ColVis{position:absolute;right:5px;text-align:left;top:5px}.dataTables_header .ColVis+.dataTables_info{padding-right:30px}.dataTables_header .dataTables_filter{position:absolute}.dataTables_header .dataTables_filter input{border:1px solid #bbb;height:24px}@media (max-width:767px){.dataTables_header .dataTables_filter input{width:100px}}.dataTables_header .dataTables_info{padding:2px 0}@media (max-width:480px){.dataTables_header .dataTables_info{text-align:right}}.dataTables_header .dataTables_info b{font-weight:700}.dataTables_footer{background-color:#fff;border:1px solid #d1d1d1;border-top:none;overflow:hidden}.dataTables_paginate{background:#fafafa;float:right;margin:0}.dataTables_paginate .pagination{float:left;margin:0}.dataTables_paginate .pagination>li>span{border-color:#fff #d1d1d1 #f5f5f5;border-width:0 1px;font-size:16px;font-weight:400;padding:0;text-align:center;width:31px}.dataTables_paginate .pagination>li>span:focus,.dataTables_paginate 
.pagination>li>span:hover{filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination>li.last>span{border-right:none}.dataTables_paginate .pagination>li.disabled>span{background:#f5f5f5;border-left-color:#ededed;border-right-color:#ededed;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination-input{float:left;font-size:12px;line-height:1em;padding:4px 15px 0;text-align:right}.dataTables_paginate .pagination-input .paginate_input{border:1px solid #d1d1d1;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075);box-shadow:inset 0 1px 1px rgba(3,3,3,.075);font-size:12px;font-weight:600;height:19px;margin-right:8px;padding-right:3px;text-align:right;width:30px}.dataTables_paginate .pagination-input .paginate_of{position:relative}.dataTables_paginate .pagination-input .paginate_of b{margin-left:3px}.dataTables_wrapper{margin:20px 0}@media (max-width:767px){.dataTables_wrapper .table-responsive{margin-bottom:0}}.DTCR_clonedTable{background-color:rgba(255,255,255,.7);z-index:202}.DTCR_pointer{background-color:#0088ce;width:1px;z-index:201}table.datatable{margin-bottom:0;max-width:none!important}table.datatable thead .sorting,table.datatable thead .sorting_asc,table.datatable thead .sorting_asc_disabled,table.datatable thead .sorting_desc,table.datatable thead .sorting_desc_disabled{cursor:pointer}table.datatable thead .sorting_asc,table.datatable thead .sorting_desc{color:#0088ce!important;position:relative}table.datatable thead .sorting_asc:after,table.datatable thead .sorting_desc:after{content:"\f107";font-family:FontAwesome;font-size:10px;font-weight:400;height:9px;left:7px;line-height:12px;position:relative;top:2px;vertical-align:baseline;width:12px}table.datatable thead .sorting_asc:before,table.datatable thead .sorting_desc:before{background:#0088ce;content:'';height:2px;position:absolute;left:0;top:0;width:100%}table.datatable thead 
.sorting_asc:after{content:"\f106";top:-3px}table.datatable th:active{outline:0}.caret{font-family:FontAwesome;font-weight:400;height:9px;position:relative;vertical-align:baseline;width:12px}.caret:before{bottom:0;content:"\f107";left:0;line-height:12px;position:absolute;text-align:center;top:-1px;right:0}.dropup .caret:before{content:"\f106"}.dropdown-menu .divider{background-color:#ededed;height:1px;margin:4px 1px;overflow:hidden}.dropdown-menu>li>a{border-color:transparent;border-style:solid;border-width:1px 0;padding:1px 10px}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{border-color:#bee1f4;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>li>a:active{background-color:#0088ce;border-color:#0088ce;color:#fff!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{background-color:#0088ce!important;border-color:#0088ce!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-header{padding-left:10px;padding-right:10px;text-transform:uppercase}.btn-group>.dropdown-menu,.dropdown>.dropdown-menu,.input-group-btn>.dropdown-menu{margin-top:-1px}.dropup 
.dropdown-menu{margin-bottom:-1px}.dropdown-submenu{position:relative}.dropdown-submenu:hover>a{background-color:#def3ff;border-color:#bee1f4}.dropdown-submenu:hover>.dropdown-menu{display:block}.dropdown-submenu.pull-left{float:none!important}.dropdown-submenu.pull-left>.dropdown-menu{left:auto;margin-left:10px;right:100%}.dropdown-submenu>a{padding-right:20px!important}.dropdown-submenu>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:2px}.dropdown-submenu>.dropdown-menu{left:100%;margin-top:0;top:-6px}.dropup .dropdown-submenu>.dropdown-menu{bottom:-5px;top:auto}.open .dropdown-submenu.active>.dropdown-menu{display:block}.dropdown-kebab-pf .btn-link{color:#252525;font-size:16px;line-height:1;padding:4px 0}.dropdown-kebab-pf .btn-link:active,.dropdown-kebab-pf .btn-link:focus,.dropdown-kebab-pf .btn-link:hover{color:#0088ce}.dropdown-kebab-pf .dropdown-menu{left:-15px;margin-top:11px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right{left:auto;right:-15px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:after,.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:before{left:auto;right:6px}.dropdown-kebab-pf .dropdown-menu:after,.dropdown-kebab-pf .dropdown-menu:before{border-bottom-color:#bbb;border-bottom-style:solid;border-bottom-width:10px;border-left:10px solid transparent;border-right:10px solid transparent;content:"";display:inline-block;left:6px;position:absolute;top:-11px}.dropdown-kebab-pf .dropdown-menu:after{border-bottom-color:#fff;top:-10px}.dropdown-kebab-pf.dropup .dropdown-menu{margin-bottom:11px;margin-top:0}.dropdown-kebab-pf.dropup .dropdown-menu:after,.dropdown-kebab-pf.dropup .dropdown-menu:before{border-bottom:none;border-top-color:#bbb;border-top-style:solid;border-top-width:10px;bottom:-11px;top:auto}.dropdown-kebab-pf.dropup .dropdown-menu:after{border-top-color:#fff;bottom:-10px}@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;src:local('Open 
Sans'),local('OpenSans'),url(../fonts/open-sans/OpenSans-Regular.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:300;src:local('OpenSans-Light'),local('Open Sans Light'),url(../fonts/open-sans/OpenSans-Light.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:600;src:local('Open Sans Semibold'),local('OpenSans-Semibold'),url(../fonts/open-sans/OpenSans-Semibold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:700;src:local('Open Sans Bold'),local('OpenSans-Bold'),url(../fonts/open-sans/OpenSans-Bold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:800;src:local('Open Sans Extrabold'),local('OpenSans-Extrabold'),url(../fonts/open-sans/OpenSans-ExtraBold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:300;src:local('Open Sans Light Italic'),local('OpenSansLight-Italic'),url(../fonts/open-sans/OpenSans-LightItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:400;src:local('Open Sans Italic'),local('OpenSans-Italic'),url(../fonts/open-sans/OpenSans-Italic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:600;src:local('Open Sans Semibold Italic'),local('OpenSans-SemiboldItalic'),url(../fonts/open-sans/OpenSans-SemiboldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:700;src:local('Open Sans Bold Italic'),local('OpenSans-BoldItalic'),url(../fonts/open-sans/OpenSans-BoldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:800;src:local('Open Sans Extrabold Italic'),local('OpenSans-ExtraboldItalic'),url(../fonts/open-sans/OpenSans-ExtraBoldItalic.ttf) format('truetype')}.chars-remaining-pf 
span{font-weight:600;padding-right:5px}.chars-warn-remaining-pf{color:#c00}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f}.form-control[disabled]:hover,.form-control[readonly]:hover,fieldset[disabled] .form-control:hover{border-color:#bbb}.form-control:hover{border-color:#7dc3e8}.has-error .form-control:hover{border-color:#900}.has-success .form-control:hover{border-color:#2b542c}.has-warning .form-control:hover{border-color:#bb6106}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label,.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label,.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#363636}.help-block{margin-bottom:0}.input-group .input-group-btn .btn{-webkit-box-shadow:none;box-shadow:none}label{font-weight:600}.navbar-nav>li>.dropdown-menu.infotip{border-top-width:1px!important;margin-top:10px}@media (max-width:767px){.navbar-pf .navbar-nav .open .dropdown-menu.infotip{background-color:#fff!important;margin-top:0}}.infotip{min-width:235px;padding:0}.infotip .list-group{border-top:0;margin:0;padding:8px 0}.infotip .list-group .list-group-item{border:none;margin:0 15px 0 34px;padding:5px 0}.infotip .list-group .list-group-item>.i{color:#4d5258;font-size:13px;left:-20px;position:absolute;top:8px}.infotip .list-group .list-group-item>a{color:#4d5258;line-height:13px}.infotip .list-group 
.list-group-item>.close{float:right}.infotip .footer{background-color:#f5f5f5;padding:6px 15px}.infotip .footer a:hover{color:#0088ce}.infotip .arrow,.infotip .arrow:after{border-color:transparent;border-style:solid;display:block;height:0;position:absolute;width:0}.infotip .arrow{border-width:11px}.infotip .arrow:after{border-width:10px;content:""}.infotip.bottom .arrow,.infotip.bottom-left .arrow,.infotip.bottom-right .arrow{border-bottom-color:#999;border-bottom-color:#bbb;border-top-width:0;left:50%;margin-left:-11px;top:-11px}.infotip.bottom .arrow:after,.infotip.bottom-left .arrow:after,.infotip.bottom-right .arrow:after{border-top-width:0;border-bottom-color:#fff;content:" ";margin-left:-10px;top:1px}.infotip.bottom-left .arrow{left:20%}.infotip.bottom-right .arrow{left:80%}.infotip.top .arrow{border-bottom-width:0;border-top-color:#999;border-top-color:#bbb;bottom:-11px;left:50%;margin-left:-11px}.infotip.top .arrow:after{border-bottom-width:0;border-top-color:#f5f5f5;bottom:1px;content:" ";margin-left:-10px}.infotip.right .arrow{border-left-width:0;border-right-color:#999;border-right-color:#bbb;left:-11px;margin-top:-11px;top:50%}.infotip.right .arrow:after{bottom:-10px;border-left-width:0;border-right-color:#fff;content:" ";left:1px}.infotip.left .arrow{border-left-color:#999;border-left-color:#bbb;border-right-width:0;margin-top:-11px;right:-11px;top:50%}.infotip.left .arrow:after{border-left-color:#fff;border-right-width:0;bottom:-10px;content:" ";right:1px}.label{border-radius:0;font-size:100%;font-weight:600}h1 .label,h2 .label,h3 .label,h4 .label,h5 .label,h6 .label{font-size:75%}.list-group{border-top:1px solid #ededed}.list-group .list-group-item:first-child{border-top:0}.list-group-item{border-top:0;border-left:0;border-right:0;margin-bottom:0}.list-group-item-heading{font-weight:600}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{border-top:solid 1px 
#39a5dc;margin-top:-1px;z-index:auto}.list-group-item.active:first-child{border-top:1px solid #39a5dc!important;margin-top:-1px}.login-pf{height:100%}.login-pf #brand{position:relative;top:-70px}.login-pf #brand img{display:block;height:18px;margin:0 auto;max-width:100%}@media (min-width:768px){.login-pf #brand img{margin:0;text-align:left}}.login-pf #badge{display:block;margin:20px auto 70px;position:relative;text-align:center}@media (min-width:768px){.login-pf #badge{float:right;margin-right:64px;margin-top:50px}}.login-pf body{background:#1a1a1a url(../img/bg-login.jpg) repeat-x 50% 0;background-size:auto}@media (min-width:768px){.login-pf body{background-size:100% auto}}.login-pf .container{background-color:transparent;clear:right;color:#fff;padding-bottom:40px;padding-top:20px;width:auto}@media (min-width:768px){.login-pf .container{bottom:13%;padding-left:80px;position:absolute;width:100%}}.login-pf .container [class^=alert]{background:0 0;color:#fff}.login-pf .container .details p:first-child{border-top:1px solid rgba(255,255,255,.3);padding-top:25px;margin-top:25px}@media (min-width:768px){.login-pf .container .details{border-left:1px solid rgba(255,255,255,.3);padding-left:40px}.login-pf .container .details p:first-child{border-top:0;padding-top:0;margin-top:0}}.login-pf .container .details p{margin-bottom:2px}.login-pf .container .form-horizontal .control-label{font-size:13px;font-weight:400;text-align:left}.login-pf .container .form-horizontal .form-group:last-child,.login-pf .container .form-horizontal .form-group:last-child .help-block:last-child{margin-bottom:0}.login-pf .container .help-block{color:#fff}@media (min-width:768px){.login-pf .container .login{padding-right:40px}}.login-pf .container .submit{text-align:right}.modal-header{background-color:#f5f5f5;border-bottom:none;padding:10px 18px}.modal-header .close{margin-top:2px}.modal-title{font-size:13px;font-weight:700}.modal-footer{border-top:none;margin-top:15px;padding:14px 15px 
15px}.modal-footer>.btn{padding-left:10px;padding-right:10px}.modal-footer>.btn>.fa-angle-left{margin-right:5px}.modal-footer>.btn>.fa-angle-right{margin-left:5px}.navbar-pf{background:#393F45;border:0;border-radius:0;border-top:3px solid #c00;margin-bottom:0;min-height:0}.navbar-pf .navbar-brand{color:#fff;height:auto;padding:12px 0;margin:0 0 0 20px}.navbar-pf .navbar-brand img{display:block}.navbar-pf .navbar-collapse{border-top:0;-webkit-box-shadow:none;box-shadow:none;padding:0}.navbar-pf .navbar-header{border-bottom:1px solid #53565b;float:none}.navbar-pf .navbar-nav{margin:0}.navbar-pf .navbar-nav>.active>a,.navbar-pf .navbar-nav>.active>a:focus,.navbar-pf .navbar-nav>.active>a:hover{background-color:#454C53;color:#fff}.navbar-pf .navbar-nav>li>a{color:#dbdada;line-height:1;padding:10px 20px;text-shadow:none}.navbar-pf .navbar-nav>li>a:focus,.navbar-pf .navbar-nav>li>a:hover{color:#fff}.navbar-pf .navbar-nav>.open>a,.navbar-pf .navbar-nav>.open>a:focus,.navbar-pf .navbar-nav>.open>a:hover{background-color:#454C53;color:#fff}@media (max-width:767px){.navbar-pf .navbar-nav .active .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent,.navbar-pf .navbar-nav .open .dropdown-menu{background-color:#3c434a!important;margin-left:0;padding-bottom:0;padding-top:0}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active 
.navbar-persistent>.active>a,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:hover{background-color:#424950!important;color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent>li>a,.navbar-pf .navbar-nav .open .dropdown-menu>li>a{background-color:transparent;border:0;color:#dbdada;outline:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu>li>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>li>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>li>a:hover{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .divider,.navbar-pf .navbar-nav .active .navbar-persistent .divider,.navbar-pf .navbar-nav .open .dropdown-menu .divider{background-color:#53565b;margin:0 1px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-header{padding-bottom:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open .dropdown-toggle{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.pull-left{float:none!important}.navbar-pf .navbar-nav .active 
.dropdown-menu .dropdown-submenu>a:after,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu>a:after{display:none}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-header{padding-left:45px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu{border:0;bottom:auto;-webkit-box-shadow:none;box-shadow:none;display:block;float:none;margin:0;min-width:0;padding:0;position:relative;left:auto;right:auto;top:auto}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu>li>a{padding:5px 15px 5px 45px;line-height:20px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a{padding-left:60px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-menu{display:block}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after{display:inline-block!important;position:relative;right:auto;top:1px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu{display:none}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-submenu>a:after{display:none!important}.navbar-pf .navbar-nav .context-bootstrap-select 
.open>.dropdown-menu{background-color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active small{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.disabled>a{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li>a.opt{border-bottom:1px solid transparent;border-top:1px solid transparent;color:#363636;padding-left:10px;padding-right:10px}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:focus small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:hover small{color:#9c9c9c}.navbar-pf .navbar-nav .context-bootstrap-select>.open>.dropdown-menu{padding-bottom:5px;padding-top:5px}}.navbar-pf .navbar-persistent{display:none}.navbar-pf .active>.navbar-persistent{display:block}.navbar-pf .navbar-primary{float:none}.navbar-pf .navbar-primary .context{border-bottom:1px solid #53565b}.navbar-pf .navbar-primary .context.context-bootstrap-select 
.bootstrap-select.btn-group,.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group[class*=span]{margin:8px 20px 9px;width:auto}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a{position:relative}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{content:"\f107";display:inline-block;font-family:FontAwesome;font-weight:400}@media (max-width:767px){.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{height:10px;margin-left:4px;vertical-align:baseline}}.navbar-pf .navbar-toggle{border:0;margin:0;padding:10px 20px}.navbar-pf .navbar-toggle:focus,.navbar-pf .navbar-toggle:hover{background-color:transparent;outline:0}.navbar-pf .navbar-toggle:focus .icon-bar,.navbar-pf .navbar-toggle:hover .icon-bar{-webkit-box-shadow:0 0 3px #fff;box-shadow:0 0 3px #fff}.navbar-pf .navbar-toggle .icon-bar{background-color:#fff}.navbar-pf .navbar-utility{border-bottom:1px solid #53565b}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:36px;position:relative}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:20px;position:absolute;top:10px}@media (max-width:767px){.navbar-pf .navbar-utility>li+li{border-top:1px solid #53565b}}@media (min-width:768px){.navbar-pf .navbar-brand{padding:7px 0 8px}.navbar-pf .navbar-nav>li>a{padding-bottom:14px;padding-top:14px}.navbar-pf .navbar-persistent{font-size:14px}.navbar-pf .navbar-primary{font-size:14px;background-image:-webkit-linear-gradient(top,#474c50 0,#383f43 100%);background-image:-o-linear-gradient(top,#474c50 0,#383f43 100%);background-image:linear-gradient(to bottom,#474c50 0,#383f43 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff474c50', endColorstr='#ff383f43', GradientType=0)}.navbar-pf .navbar-primary.persistent-secondary .context .dropdown-menu{top:auto}.navbar-pf .navbar-primary.persistent-secondary .dropup 
.dropdown-menu{bottom:-5px;top:auto}.navbar-pf .navbar-primary.persistent-secondary>li{position:static}.navbar-pf .navbar-primary.persistent-secondary>li.active{margin-bottom:32px}.navbar-pf .navbar-primary.persistent-secondary>li.active>.navbar-persistent{display:block;left:0;position:absolute}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent{background:#f6f6f6;border-bottom:1px solid #cecdcd;padding:0;width:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent a{text-decoration:none!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a:hover{color:#0088ce!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active .active>a{color:#fff}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu:hover>.dropdown-menu{display:none}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-menu{display:block;left:20px;margin-top:1px;top:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle{padding-right:35px!important}.navbar-pf 
.navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle:after{position:absolute;right:20px;top:10px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a:after,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a{background-color:transparent;display:block;line-height:1;padding:9px 20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle{padding-right:35px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle:after{font-size:15px;position:absolute;right:20px;top:9px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a:hover{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li a{color:#4d5258}.navbar-pf .navbar-primary>li>a{border-bottom:1px solid transparent;border-top:1px solid transparent;position:relative;margin:-1px 0 0}.navbar-pf .navbar-primary>li>a:hover{background-color:#4b5053;border-top-color:#949699;color:#dbdada;background-image:-webkit-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:-o-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:linear-gradient(to bottom,#5c6165 0,#4b5053 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5c6165', endColorstr='#ff4b5053', GradientType=0)}.navbar-pf 
.navbar-primary>.active>a,.navbar-pf .navbar-primary>.active>a:focus,.navbar-pf .navbar-primary>.active>a:hover,.navbar-pf .navbar-primary>.open>a,.navbar-pf .navbar-primary>.open>a:focus,.navbar-pf .navbar-primary>.open>a:hover{background-color:#64686c;border-bottom-color:#64686c;border-top-color:#949699;-webkit-box-shadow:none;box-shadow:none;color:#fff;background-image:-webkit-linear-gradient(top,#72757a 0,#64686c 100%);background-image:-o-linear-gradient(top,#72757a 0,#64686c 100%);background-image:linear-gradient(to bottom,#72757a 0,#64686c 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff72757a', endColorstr='#ff64686c', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select .filter-option{max-width:160px;text-overflow:ellipsis}.navbar-pf .navbar-primary li.context.dropdown{border-bottom:0}.navbar-pf .navbar-primary li.context.context-bootstrap-select,.navbar-pf .navbar-primary li.context>a{background-color:#505458;border-bottom-color:#65696d;border-right:1px solid #65696d;border-top-color:#64696d;font-weight:600;background-image:-webkit-linear-gradient(top,#585d61 0,#505458 100%);background-image:-o-linear-gradient(top,#585d61 0,#505458 100%);background-image:linear-gradient(to bottom,#585d61 0,#505458 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff585d61', endColorstr='#ff505458', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select:hover,.navbar-pf .navbar-primary li.context>a:hover{background-color:#5a5e62;border-bottom-color:#6e7276;border-right-color:#6e7276;border-top-color:#6c7276;background-image:-webkit-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:-o-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:linear-gradient(to bottom,#62676b 0,#5a5e62 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff62676b', 
endColorstr='#ff5a5e62', GradientType=0)}.navbar-pf .navbar-primary li.context.open>a{background-color:#65696d;border-bottom-color:#6e7276;border-right-color:#777a7e;border-top-color:#767a7e;background-image:-webkit-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:-o-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:linear-gradient(to bottom,#6b7175 0,#65696d 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6b7175', endColorstr='#ff65696d', GradientType=0)}.navbar-pf .navbar-utility{border-bottom:0;font-size:11px;position:absolute;right:0;top:0}.navbar-pf .navbar-utility>.active>a,.navbar-pf .navbar-utility>.active>a:focus,.navbar-pf .navbar-utility>.active>a:hover,.navbar-pf .navbar-utility>.open>a,.navbar-pf .navbar-utility>.open>a:focus,.navbar-pf .navbar-utility>.open>a:hover{background:#5b6165;color:#fff}.navbar-pf .navbar-utility>li>a{border-left:1px solid #53565b;color:#fff!important;padding:7px 10px}.navbar-pf .navbar-utility>li>a:hover{background:#4a5053;border-left-color:#636466}.navbar-pf .navbar-utility>li.open>a{border-left-color:#6c6e70;color:#fff!important}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:26px}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:10px;top:7px}.navbar-pf .navbar-utility .open .dropdown-menu{left:auto;right:0}.navbar-pf .navbar-utility .open .dropdown-menu .dropdown-menu{left:auto;right:100%}.navbar-pf .navbar-utility .open .dropdown-menu{border-top-width:0}.navbar-pf .open .dropdown-submenu>.dropdown-menu,.navbar-pf .open.bootstrap-select .dropdown-menu{border-top-width:1px!important}}@media (max-width:360px){.navbar-pf .navbar-brand{margin-left:10px;width:75%}.navbar-pf .navbar-brand img{height:auto;max-width:100%}.navbar-pf .navbar-toggle{padding-left:0}}.drawer-pf{background-color:#fafafa;border:1px solid #d1d1d1;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px 
rgba(3,3,3,.175);overflow-y:auto;position:absolute;right:0;width:320px;z-index:2}.drawer-pf .panel{border-bottom:none;border-left:none;border-right:none}.drawer-pf .panel-group .panel-heading+.panel-collapse .panel-body{border-top:none;border-bottom:1px solid #d1d1d1;padding:0}.drawer-pf .panel-counter{display:block;font-style:italic;line-height:1.2;padding-left:18px;padding-top:5px}.drawer-pf .panel-heading{border-bottom:1px solid #d1d1d1}.drawer-pf .panel-group{bottom:0;margin-bottom:0;position:absolute;top:25px;width:100%}.drawer-pf .panel-title a{cursor:pointer;display:block}.drawer-pf.drawer-pf-expanded{left:270px;width:inherit}.drawer-pf.drawer-pf-expanded .drawer-pf-toggle-expand:before{content:"\f101"}.drawer-pf-toggle-expand{color:inherit;cursor:pointer;left:0;padding:2px 5px;position:absolute}.drawer-pf-toggle-expand:before{content:"\f100";font-family:FontAwesome}.drawer-pf-toggle-expand:focus,.drawer-pf-toggle-expand:hover{color:inherit;text-decoration:none}.drawer-pf-action .btn-link{color:#0088ce;padding:10px 0}.drawer-pf-action .btn-link:hover{color:#00659c}.drawer-pf-loading{color:#4d5258;font-size:14px;padding:20px 15px}.drawer-pf-notification{border-bottom:1px solid #d1d1d1;padding:15px}.drawer-pf-notification .date{border-right:1px solid #aaa;display:inline-block;line-height:1;margin-right:5px;padding-right:9px}.drawer-pf-notification .pficon{font-size:14px;margin-top:3px}.drawer-pf-notification:last-of-type{border-bottom:none}.drawer-pf-notification:hover{background-color:#def3ff}.drawer-pf-notification.unread .drawer-pf-notification-message{font-weight:700}.drawer-pf-notification.expanded-notification .date{border-right:none;padding-right:0}.drawer-pf-notification-info,.drawer-pf-notification-message{display:block;padding-left:27px;padding-right:19px}.expanded-notification .drawer-pf-notification-info,.expanded-notification .drawer-pf-notification-message{display:inline-block}.drawer-pf-notifications-non-clickable 
.drawer-pf-notification:hover{background-color:#fff}.drawer-pf-title{background-color:#fafafa;border-bottom:1px solid #d1d1d1;position:absolute;width:318px}.drawer-pf-title h3{font-size:12px;margin:0;padding:6px 15px}.navbar-pf-vertical .drawer-pf{height:calc(100vh - 80px);top:58px}.navbar-pf-vertical .nav .drawer-pf-trigger .drawer-pf-trigger-icon{border-left:1px solid #53565b;border-right:1px solid #53565b;padding-left:15px;padding-right:15px}.navbar-pf-vertical .nav .drawer-pf-trigger.open .drawer-pf-trigger-icon{background-color:#4a5053}.navbar-pf .drawer-pf{height:calc(100vh - 46px);top:26px}.navbar-pf .drawer-pf-trigger-icon{cursor:pointer}.pager li>a,.pager li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;font-weight:600;line-height:22px;padding:2px 14px}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>a:focus,.pager li>a:hover,.pager li>span.active,.pager li>span:active,.pager li>span:focus,.pager li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>span.active,.pager li>span:active{background-image:none}.open .dropdown-toggle.pager li>a.focus,.open .dropdown-toggle.pager li>a:focus,.open .dropdown-toggle.pager li>a:hover,.open .dropdown-toggle.pager li>span.focus,.open .dropdown-toggle.pager li>span:focus,.open .dropdown-toggle.pager li>span:hover,.pager li>a.active.focus,.pager li>a.active:focus,.pager li>a.active:hover,.pager li>a:active.focus,.pager li>a:active:focus,.pager 
li>a:active:hover,.pager li>span.active.focus,.pager li>span.active:focus,.pager li>span.active:hover,.pager li>span:active.focus,.pager li>span:active:focus,.pager li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pager li>a.disabled,.pager li>a.disabled.active,.pager li>a.disabled:active,.pager li>a.disabled:focus,.pager li>a.disabled:hover,.pager li>a[disabled],.pager li>a[disabled].active,.pager li>a[disabled]:active,.pager li>a[disabled]:focus,.pager li>a[disabled]:hover,.pager li>span.disabled,.pager li>span.disabled.active,.pager li>span.disabled:active,.pager li>span.disabled:focus,.pager li>span.disabled:hover,.pager li>span[disabled],.pager li>span[disabled].active,.pager li>span[disabled]:active,.pager li>span[disabled]:focus,.pager li>span[disabled]:hover,fieldset[disabled] .pager li>a,fieldset[disabled] .pager li>a.active,fieldset[disabled] .pager li>a:active,fieldset[disabled] .pager li>a:focus,fieldset[disabled] .pager li>a:hover,fieldset[disabled] .pager li>span,fieldset[disabled] .pager li>span.active,fieldset[disabled] .pager li>span:active,fieldset[disabled] .pager li>span:focus,fieldset[disabled] .pager li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pager li>a>.i,.pager li>span>.i{font-size:18px;vertical-align:top;margin:2px 0}.pager li>a:hover>a:focus{color:#4d5258}.pager li a:active{background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(3,3,3,.125);box-shadow:inset 0 3px 5px rgba(3,3,3,.125);outline:0}.pager .disabled>a,.pager .disabled>a:active,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{background:#f5f5f5;-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f;cursor:default}.pager .next>a>.i,.pager .next>span>.i{margin-left:5px}.pager .previous>a>.i,.pager .previous>span>.i{margin-right:5px}.pager-sm li>a,.pager-sm li>span{font-weight:400;line-height:16px;padding:1px 10px}.pager-sm li>a>.i,.pager-sm 
li>span>.i{font-size:12px}.pagination>li>a,.pagination>li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;cursor:default;font-weight:600;padding:2px 10px}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span.active,.pagination>li>span:active,.pagination>li>span:focus,.pagination>li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>span.active,.pagination>li>span:active{background-image:none}.open .dropdown-toggle.pagination>li>a.focus,.open .dropdown-toggle.pagination>li>a:focus,.open .dropdown-toggle.pagination>li>a:hover,.open .dropdown-toggle.pagination>li>span.focus,.open .dropdown-toggle.pagination>li>span:focus,.open 
.dropdown-toggle.pagination>li>span:hover,.pagination>li>a.active.focus,.pagination>li>a.active:focus,.pagination>li>a.active:hover,.pagination>li>a:active.focus,.pagination>li>a:active:focus,.pagination>li>a:active:hover,.pagination>li>span.active.focus,.pagination>li>span.active:focus,.pagination>li>span.active:hover,.pagination>li>span:active.focus,.pagination>li>span:active:focus,.pagination>li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pagination>li>a.disabled,.pagination>li>a.disabled.active,.pagination>li>a.disabled:active,.pagination>li>a.disabled:focus,.pagination>li>a.disabled:hover,.pagination>li>a[disabled],.pagination>li>a[disabled].active,.pagination>li>a[disabled]:active,.pagination>li>a[disabled]:focus,.pagination>li>a[disabled]:hover,.pagination>li>span.disabled,.pagination>li>span.disabled.active,.pagination>li>span.disabled:active,.pagination>li>span.disabled:focus,.pagination>li>span.disabled:hover,.pagination>li>span[disabled],.pagination>li>span[disabled].active,.pagination>li>span[disabled]:active,.pagination>li>span[disabled]:focus,.pagination>li>span[disabled]:hover,fieldset[disabled] .pagination>li>a,fieldset[disabled] .pagination>li>a.active,fieldset[disabled] .pagination>li>a:active,fieldset[disabled] .pagination>li>a:focus,fieldset[disabled] .pagination>li>a:hover,fieldset[disabled] .pagination>li>span,fieldset[disabled] .pagination>li>span.active,fieldset[disabled] .pagination>li>span:active,fieldset[disabled] .pagination>li>span:focus,fieldset[disabled] .pagination>li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pagination>li>a>.i,.pagination>li>span>.i{font-size:15px;vertical-align:top;margin:2px 0}.pagination>li>a:active,.pagination>li>span:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px 
rgba(3,3,3,.2)}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{background-color:#f1f1f1;border-color:#bbb;-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2);color:#4d5258;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{-webkit-box-shadow:none;box-shadow:none;cursor:default;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination-sm>li>a,.pagination-sm>li>span{padding:2px 6px;font-size:11px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:1px;border-top-left-radius:1px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:1px;border-top-right-radius:1px}.pagination-sm>li>a,.pagination-sm>li>span{font-weight:400}.pagination-sm>li>a>.i,.pagination-sm>li>span>.i{font-size:12px;margin-top:2px}.panel-title{font-weight:700}.panel-group .panel{color:#4d5258}.panel-group .panel+.panel{margin-top:-1px}.panel-group .panel-default{border-color:#bbb;border-top-color:#bbb}.panel-group .panel-heading{background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 
100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #d1d1d1}.panel-group .panel-title{font-weight:500;line-height:1}.panel-group .panel-title>a{color:#4d5258;font-weight:600}.panel-group .panel-title>a:before{content:"\f107";display:inline-block;font-family:FontAwesome;font-size:13px;margin-right:5px;text-align:center;vertical-align:0;width:8px}.panel-group .panel-title>a:focus{outline:0;text-decoration:none}.panel-group .panel-title>a:hover{text-decoration:none}.panel-group .panel-title>a.collapsed:before{content:"\f105"}.popover{-webkit-box-shadow:0 2px 2px rgba(3,3,3,.08);box-shadow:0 2px 2px rgba(3,3,3,.08);padding:0}.popover-content{color:#4d5258;line-height:18px;padding:10px 14px}.popover-title{border-bottom:none;border-radius:0;color:#4d5258;font-size:13px;font-weight:700;min-height:34px}.popover-title .close{height:22px;position:absolute;right:8px;top:6px}.popover-title.closable{padding-right:30px}@-webkit-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}.progress{-webkit-box-shadow:inset 0 0 1px rgba(3,3,3,.25);box-shadow:inset 0 0 1px rgba(3,3,3,.25)}.progress.progress-label-left,.progress.progress-label-top-right{overflow:visible;position:relative}.progress.progress-label-left{margin-left:40px}.progress.progress-sm{height:14px;margin-bottom:14px}.progress.progress-xs{height:6px;margin-bottom:6px}td>.progress:first-child:last-child{margin-bottom:0;margin-top:3px}.progress-bar{box-shadow:none}.progress-label-left .progress-bar span,.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar 
span{color:#363636;position:absolute;text-align:right}.progress-label-left .progress-bar span{font-size:14px;left:-40px;top:0;width:35px}.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{font-size:11px;overflow:hidden;right:0;text-overflow:ellipsis;white-space:nowrap}.progress-label-right .progress-bar span strong,.progress-label-top-right .progress-bar span strong{font-weight:600}.progress-label-right .progress-bar span{max-width:85px;top:0}.progress-label-top-right .progress-bar span{max-width:47%;top:-30px}.progress-label-left.progress-sm .progress-bar span,.progress-label-top-right.progress-sm .progress-bar span{font-size:12px}.progress-sm .progress-bar{line-height:14px}.progress-xs .progress-bar{line-height:6px}.progress-bar-remaining{background:0 0}.progress-container{position:relative}.progress-container.progress-description-left{padding-left:90px}.progress-container.progress-label-right{padding-right:90px}.progress-description{margin-bottom:10px;max-width:52%;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.progress-description .count{font-size:20px;font-weight:300;line-height:1;margin-right:5px}.progress-description .fa,.progress-description .pficon{font-size:14px;margin-right:3px}.progress-description-left .progress-description{left:0;margin-bottom:0;max-width:85px;position:absolute;top:0}.progress-description .tooltip{white-space:normal}.search-pf.has-button{border-collapse:separate;display:table}.search-pf.has-button .form-group{display:table-cell;width:100%}.search-pf.has-button .form-group .btn{-webkit-box-shadow:none;box-shadow:none;float:left;margin-left:-1px}.search-pf.has-button .form-group .btn.btn-lg{font-size:14.5px}.search-pf.has-button .form-group .btn.btn-sm{font-size:10.7px}.search-pf.has-button .form-group .form-control{float:left}.search-pf .has-clear .clear{background:0 
0;background:rgba(255,255,255,0);border:0;height:25px;line-height:1;padding:0;position:absolute;right:1px;top:1px;width:28px}.search-pf .has-clear .clear:focus{outline:0}.search-pf .has-clear .form-control{padding-right:30px}.search-pf .has-clear .form-control::-ms-clear{display:none}.search-pf .has-clear .input-lg+.clear{height:31px;width:28px}.search-pf .has-clear .input-sm+.clear{height:20px;width:28px}.search-pf .has-clear .input-sm+.clear span{font-size:10px}.search-pf .has-clear .search-pf-input-group{position:relative}.sidebar-header{border-bottom:1px solid #ececec;padding-bottom:11px;margin:50px 0 20px}.sidebar-header .actions{margin-top:-2px}.sidebar-pf .sidebar-header+.list-group{border-top:0;margin-top:-10px}.sidebar-pf .sidebar-header+.list-group .list-group-item{background:0 0;border-color:#ececec;padding-left:0}.sidebar-pf .sidebar-header+.list-group .list-group-item-heading{font-size:12px}.sidebar-pf .nav-category h2{color:#9c9c9c;font-size:12px;font-weight:400;line-height:21px;margin:0;padding:8px 0}.sidebar-pf .nav-category+.nav-category{margin-top:10px}.sidebar-pf .nav-pills>li.active>a{background:#0088ce!important;border-color:#0088ce!important;color:#fff}@media (min-width:768px){.sidebar-pf .nav-pills>li.active>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}.sidebar-pf .nav-pills>li.active>a .fa{color:#fff}.sidebar-pf .nav-pills>li>a{border-bottom:1px solid transparent;border-radius:0;border-top:1px solid transparent;color:#363636;font-size:13px;line-height:21px;padding:1px 20px}.sidebar-pf .nav-pills>li>a:hover{background:#def3ff;border-color:#bee1f4}.sidebar-pf .nav-pills>li>a .fa{color:#6a7079;font-size:15px;margin-right:10px;text-align:center;vertical-align:middle;width:15px}.sidebar-pf .nav-stacked{margin-left:-20px;margin-right:-20px}.sidebar-pf .nav-stacked li+li{margin-top:0}.sidebar-pf .panel{background:0 0}.sidebar-pf .panel-body{padding:6px 20px}.sidebar-pf .panel-body 
.nav-pills>li>a{padding-left:37px}.sidebar-pf .panel-heading{padding:9px 20px}.sidebar-pf .panel-title{font-size:12px}.sidebar-pf .panel-title>a:before{display:inline-block;margin-left:1px;margin-right:4px;width:9px}.sidebar-pf .panel-title>a.collapsed:before{margin-left:3px;margin-right:2px}@media (min-width:767px){.sidebar-header-bleed-left{margin-left:-20px}.sidebar-header-bleed-left>h2{margin-left:20px}.sidebar-header-bleed-right{margin-right:-20px}.sidebar-header-bleed-right .actions{margin-right:20px}.sidebar-header-bleed-right>h2{margin-right:20px}.sidebar-header-bleed-right+.list-group{margin-right:-20px}.sidebar-pf .panel-group .panel-default,.sidebar-pf .treeview{border-left:0;border-right:0;margin-left:-20px;margin-right:-20px}.sidebar-pf .treeview{margin-top:5px}.sidebar-pf .treeview .list-group-item{padding-left:20px;padding-right:20px}.sidebar-pf .treeview .list-group-item.node-selected:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}@media (min-width:768px){.sidebar-pf{background:#fafafa}.sidebar-pf.sidebar-pf-left{border-right:1px solid #d1d1d1}.sidebar-pf.sidebar-pf-right{border-left:1px solid #d1d1d1}.sidebar-pf>.nav-category,.sidebar-pf>.nav-stacked{margin-top:5px}}@-webkit-keyframes rotation{from{-webkit-transform:rotate(0)}to{-webkit-transform:rotate(359deg)}}@keyframes rotation{from{transform:rotate(0)}to{transform:rotate(359deg)}}.spinner{-webkit-animation:rotation .6s infinite linear;animation:rotation .6s infinite linear;border-bottom:4px solid rgba(3,3,3,.25);border-left:4px solid rgba(3,3,3,.25);border-right:4px solid rgba(3,3,3,.25);border-radius:100%;border-top:4px solid rgba(3,3,3,.75);height:24px;margin:0 
auto;position:relative;width:24px}.spinner.spinner-inline{display:inline-block;margin-right:3px}.spinner.spinner-lg{border-width:5px;height:30px;width:30px}.spinner.spinner-sm{border-width:3px;height:18px;width:18px}.spinner.spinner-xs{border-width:2px;height:12px;width:12px}.spinner.spinner-inverse{border-bottom-color:rgba(255,255,255,.25);border-left-color:rgba(255,255,255,.25);border-right-color:rgba(255,255,255,.25);border-top-color:rgba(255,255,255,.75)}.ie9 .spinner{background:url(../img/spinner.gif) no-repeat;border:0}.ie9 .spinner.spinner-inverse{background-image:url(../img/spinner-inverse.gif)}.ie9 .spinner.spinner-inverse-lg{background-image:url(../img/spinner-inverse-lg.gif)}.ie9 .spinner.spinner-inverse-sm{background-image:url(../img/spinner-inverse-sm.gif)}.ie9 .spinner.spinner-inverse-xs{background-image:url(../img/spinner-inverse-xs.gif)}.ie9 .spinner.spinner-lg{background-image:url(../img/spinner-lg.gif)}.ie9 .spinner.spinner-sm{background-image:url(../img/spinner-sm.gif)}.ie9 .spinner.spinner-xs{background-image:url(../img/spinner-xs.gif)}.prettyprint .atn,.prettyprint .com,.prettyprint .fun,.prettyprint .var{color:#3f9c35}.prettyprint .atv,.prettyprint .str{color:#a30000}.prettyprint .clo,.prettyprint .dec,.prettyprint .kwd,.prettyprint .opn,.prettyprint .pln,.prettyprint .pun{color:#363636}.prettyprint .lit,.prettyprint .tag,.prettyprint .typ{color:#00659c}.prettyprint ol.linenums{margin-bottom:0}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:2px 10px 3px}.table>tbody>tr>td>a:hover,.table>tbody>tr>th>a:hover,.table>tfoot>tr>td>a:hover,.table>tfoot>tr>th>a:hover,.table>thead>tr>td>a:hover,.table>thead>tr>th>a:hover{text-decoration:none}.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>th{font-family:'Open Sans';font-style:normal;font-weight:600}.table>thead{background-clip:padding-box;background-color:#f5f5f5;background-image:-webkit-linear-gradient(top,#fafafa 
0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.table-bordered{border:1px solid #d1d1d1}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #d1d1d1}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:1px}.table-striped>tbody>tr:nth-of-type(even){background-color:#f5f5f5}.table-striped>tbody>tr:nth-of-type(odd){background-color:transparent}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#def3ff;border-bottom-color:#7dc3e8}.table-treegrid span.indent{margin-left:10px;margin-right:10px}.table-treegrid span.icon{display:inline-block;font-size:13px;margin-right:5px;min-width:10px;text-align:center}.table-treegrid span.collapse-icon,.table-treegrid span.expand-icon{cursor:pointer}.table-treegrid>tbody>tr.odd{background-color:#f5f5f5}.nav-tabs{font-size:14px}.nav-tabs>li>a{color:#4d5258;margin-right:-1px;padding-bottom:5px;padding-top:5px}.nav-tabs>li>a:active,.nav-tabs>li>a:focus,.nav-tabs>li>a:hover{background:0 0;border-color:#ededed;color:#252525}.nav-tabs>li>.dropdown-menu{border-top:0;border-color:#ededed}.nav-tabs>li>.dropdown-menu.pull-right{right:-1px}.nav-tabs+.nav-tabs-pf{font-size:12px}.nav-tabs+.nav-tabs-pf>li:first-child>a{padding-left:15px}.nav-tabs+.nav-tabs-pf>li:first-child>a:before{left:15px!important}.nav-tabs .open>a,.nav-tabs .open>a:focus,.nav-tabs .open>a:hover{background-color:transparent;border-color:#ededed}@media (min-width:768px){.nav-tabs-pf.nav-justified{border-bottom:1px solid 
#ededed}}.nav-tabs-pf.nav-justified>li:first-child>a{padding-left:15px}.nav-tabs-pf.nav-justified>li>a{border-bottom:0}.nav-tabs-pf.nav-justified>li>a:before{left:0!important;right:0!important}.nav-tabs-pf>li{margin-bottom:0}.nav-tabs-pf>li.active>a:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li.active>a,.nav-tabs-pf>li.active>a:active,.nav-tabs-pf>li.active>a:focus,.nav-tabs-pf>li.active>a:hover{background-color:transparent;border:0!important;color:#0088ce}.nav-tabs-pf>li.active>a:active:before,.nav-tabs-pf>li.active>a:before,.nav-tabs-pf>li.active>a:focus:before,.nav-tabs-pf>li.active>a:hover:before{background:#0088ce}.nav-tabs-pf>li:first-child>a{padding-left:0}.nav-tabs-pf>li:first-child>a:before{left:0!important}.nav-tabs-pf>li>a{border:0;line-height:1;margin-right:0;padding-bottom:10px;padding-top:10px}.nav-tabs-pf>li>a:active:before,.nav-tabs-pf>li>a:focus:before,.nav-tabs-pf>li>a:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li>.dropdown-menu{left:15px;margin-top:1px}.nav-tabs-pf>li>.dropdown-menu.pull-right{left:auto;right:15px}.nav-tabs-pf .open>a,.nav-tabs-pf .open>a:focus,.nav-tabs-pf .open>a:hover{background-color:transparent}.tooltip{font-size:12px;line-height:1.4}.tooltip-inner{padding:7px 12px;text-align:left}.h1,.h2,h1,h2{font-weight:300}.page-header .actions{margin-top:8px}.page-header .actions a>.pficon{margin-right:4px}@media (min-width:767px){.page-header-bleed-left{margin-left:-20px}.page-header-bleed-right{margin-right:-20px}.page-header-bleed-right .actions{margin-right:20px}} \ No newline at end of file -- -2.17.1 +2.21.0 -From 9a69911b0024aebad69a1317532e77afe6427576 Mon Sep 17 00:00:00 2001 +From 6b3de20bbf50a2ca035793bf0625103a58b2d705 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 40/72] install/ui/index.html: Change branding to IPA and +Subject: [PATCH 39/71] install/ui/index.html: Change branding to IPA and Identity Management --- @@ -1120,7 +1120,7 @@ Subject: [PATCH 40/72] install/ui/index.html: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/index.html b/install/ui/index.html -index bc0f0cd1e..d1eacaf53 100644 +index bc0f0cd..d1eacaf 100644 --- a/install/ui/index.html +++ b/install/ui/index.html @@ -2,7 +2,7 @@ @@ -1133,21 +1133,21 @@ index bc0f0cd1e..d1eacaf53 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.17.1 +2.21.0 -From 206d1889cd8a9225f1d637e228aba54836cc3adf Mon Sep 17 00:00:00 2001 +From 9d19e7d9bb2ebd3d130ed0e3718c1be32a3a119b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 41/72] install/ui/less/brand.less: Change branding to IPA - and Identity Management +Subject: [PATCH 40/71] install/ui/less/brand.less: Change branding to IPA and + Identity Management --- install/ui/less/brand.less | 103 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 53 deletions(-) diff --git a/install/ui/less/brand.less b/install/ui/less/brand.less -index c9030bb0b..7488eaf91 100644 +index c9030bb..7488eaf 100644 --- a/install/ui/less/brand.less +++ b/install/ui/less/brand.less @@ -20,58 +20,55 @@ @@ -1261,21 +1261,21 @@ index c9030bb0b..7488eaf91 100644 } \ No newline at end of file -- -2.17.1 +2.21.0 -From d9b08ebc53dca899cffb75e413b5472f35c107b8 Mon Sep 17 00:00:00 2001 +From 78cc2843205bcadcfd27a0e9d8d4a03a2e14d29d Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 42/72] install/ui/less/patternfly.less: Change branding to - IPA and Identity Management +Subject: [PATCH 41/71] install/ui/less/patternfly.less: Change branding to IPA + and Identity Management --- install/ui/less/patternfly.less | 48 +++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/install/ui/less/patternfly.less b/install/ui/less/patternfly.less -index a2e30c85b..97a8d5c26 100644 +index a2e30c8..97a8d5c 100644 --- a/install/ui/less/patternfly.less +++ b/install/ui/less/patternfly.less @@ -129,3 +129,51 @@ @@ -1331,21 +1331,21 @@ index a2e30c85b..97a8d5c26 100644 +@navbar-pf-navbar-utility-open-bg-color: #5b6165; +@navbar-pf-navbar-utility-open-border-color: #6c6e70; -- -2.17.1 +2.21.0 -From 1b1455e451ed00fd1f3ecfd3d807ca5935e6c272 Mon Sep 17 00:00:00 2001 +From 996fe9454f57fb4adc4ab72345511f2d207f7d46 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 43/72] install/ui/reset_password.html: Change branding to - IPA and Identity Management +Subject: [PATCH 42/71] install/ui/reset_password.html: Change branding to IPA + and Identity Management --- install/ui/reset_password.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/reset_password.html b/install/ui/reset_password.html -index e5700c964..a4ea1ce0e 100644 +index e5700c9..a4ea1ce 100644 --- a/install/ui/reset_password.html +++ b/install/ui/reset_password.html @@ -2,7 +2,7 @@ @@ -1358,21 +1358,21 @@ index e5700c964..a4ea1ce0e 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.17.1 +2.21.0 -From 217b850ac3437e4d285adafbc5d4afb5fffbf6bf Mon Sep 17 00:00:00 2001 +From 2bdd0bcb746361b391aa6e53aaa1e1d6e57dbfe6 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 44/72] install/ui/src/freeipa/widgets/App.js: Change - branding to IPA and Identity Management +Subject: [PATCH 43/71] install/ui/src/freeipa/widgets/App.js: Change branding + to IPA and Identity Management --- install/ui/src/freeipa/widgets/App.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/widgets/App.js b/install/ui/src/freeipa/widgets/App.js -index 3a139555a..b0f75885d 100644 +index 3a13955..b0f7588 100644 --- a/install/ui/src/freeipa/widgets/App.js +++ b/install/ui/src/freeipa/widgets/App.js @@ -187,7 +187,7 @@ define(['dojo/_base/declare', @@ -1385,13 +1385,13 @@ index 3a139555a..b0f75885d 100644 return this.brand_node; -- -2.17.1 +2.21.0 -From adacee4e1fe7239049adc2eeeee088311d6f2bb2 Mon Sep 17 00:00:00 2001 +From 01f8e875fd670d71d3ff8e6c0929a304c451bfaa Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 45/72] install/ui/sync_otp.html: Change branding to IPA and +Subject: [PATCH 44/71] install/ui/sync_otp.html: Change branding to IPA and Identity Management --- @@ -1399,7 +1399,7 @@ Subject: [PATCH 45/72] install/ui/sync_otp.html: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/sync_otp.html b/install/ui/sync_otp.html -index 5814b6c57..36a51ca62 100644 +index 5814b6c..36a51ca 100644 --- a/install/ui/sync_otp.html +++ b/install/ui/sync_otp.html @@ -2,7 +2,7 @@ @@ -1412,13 +1412,13 @@ index 5814b6c57..36a51ca62 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.17.1 +2.21.0 -From 188e41152183e7e0e1c6936df600330981553bdc Mon Sep 17 00:00:00 2001 +From ab6ee26de48cffbf3916dd8a2e15f18527b5f8f6 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 46/72] install/ui/test/data/ipa_init_commands.json: Change +Subject: [PATCH 45/71] install/ui/test/data/ipa_init_commands.json: Change branding to IPA and Identity Management --- @@ -1426,7 +1426,7 @@ Subject: [PATCH 46/72] install/ui/test/data/ipa_init_commands.json: Change 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json -index c35946b34..6d3667473 100644 +index c35946b..6d36674 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -8689,7 +8689,7 @@ @@ -1448,13 +1448,13 @@ index c35946b34..6d3667473 100644 "no_update" ], -- -2.17.1 +2.21.0 -From 3d6a1fa157e3da072ef1cf557788ad536e6c88d6 Mon Sep 17 00:00:00 2001 +From 8a439a32134ed2b8a4ab11c6637e7379be4bb4cc Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 47/72] install/ui/test/data/ipa_init_objects.json: Change +Subject: [PATCH 46/71] install/ui/test/data/ipa_init_objects.json: Change branding to IPA and Identity Management --- @@ -1462,7 +1462,7 @@ Subject: [PATCH 47/72] install/ui/test/data/ipa_init_objects.json: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json -index 6f9b13e92..08aaafd61 100644 +index 6f9b13e..08aaafd 100644 --- a/install/ui/test/data/ipa_init_objects.json +++ b/install/ui/test/data/ipa_init_objects.json @@ -21190,7 +21190,7 @@ @@ -1475,24 +1475,24 @@ index 6f9b13e92..08aaafd61 100644 "cli_metavar" : "INT", "default" : 0, -- -2.17.1 +2.21.0 -From 9a629a06c87b1b3436d92937035de6ce66ca6d69 Mon Sep 17 00:00:00 2001 +From 84fac58baf86da0536afb6e01f33cff5007bb4e7 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 48/72] ipaclient/install/client.py: Change branding to IPA - and Identity Management +Subject: [PATCH 47/71] ipaclient/install/client.py: Change branding to IPA and + Identity Management --- ipaclient/install/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 5787d03cf..cc3916648 100644 +index cc830f1..070b14d 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py -@@ -2022,7 +2022,7 @@ def install_check(options): +@@ -2034,7 +2034,7 @@ def install_check(options): global client_domain global cli_basedn @@ -1502,13 +1502,13 @@ index 5787d03cf..cc3916648 100644 print("") -- -2.17.1 +2.21.0 -From 86ae50ed5e3466bae9481a516c5c2486161ac10d Mon Sep 17 00:00:00 2001 +From f72a60a224057254d9b213b9b6b451d8e4a408a5 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 49/72] ipaclient/remote_plugins/2_114/otptoken.py: Change +Subject: [PATCH 48/71] ipaclient/remote_plugins/2_114/otptoken.py: Change branding to IPA and Identity Management --- @@ -1516,7 +1516,7 @@ Subject: [PATCH 49/72] ipaclient/remote_plugins/2_114/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_114/otptoken.py b/ipaclient/remote_plugins/2_114/otptoken.py -index 632c97ea2..d3edb589d 100644 +index 632c97e..d3edb58 100644 --- a/ipaclient/remote_plugins/2_114/otptoken.py +++ b/ipaclient/remote_plugins/2_114/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1547,13 +1547,13 @@ index 632c97ea2..d3edb589d 100644 ), parameters.Int( -- -2.17.1 +2.21.0 -From 1aee68b9138cbf57571494ac84a078ebff942be2 Mon Sep 17 00:00:00 2001 +From ef8b9e9e9028202d0018ac6d36e5110cfc64763f Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 50/72] ipaclient/remote_plugins/2_156/otptoken.py: Change +Subject: [PATCH 49/71] ipaclient/remote_plugins/2_156/otptoken.py: Change branding to IPA and Identity Management --- @@ -1561,7 +1561,7 @@ Subject: [PATCH 50/72] ipaclient/remote_plugins/2_156/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_156/otptoken.py b/ipaclient/remote_plugins/2_156/otptoken.py -index 0b2b54c6e..e674d465d 100644 +index 0b2b54c..e674d46 100644 --- a/ipaclient/remote_plugins/2_156/otptoken.py +++ b/ipaclient/remote_plugins/2_156/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1592,13 +1592,13 @@ index 0b2b54c6e..e674d465d 100644 ), parameters.Int( -- -2.17.1 +2.21.0 -From 14aa8dc4b66e09e4bf344ec79732eff96c952df0 Mon Sep 17 00:00:00 2001 +From bc987f5b22040e2941e4a6f146929f53d20c54d2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 51/72] ipaclient/remote_plugins/2_164/otptoken.py: Change +Subject: [PATCH 50/71] ipaclient/remote_plugins/2_164/otptoken.py: Change branding to IPA and Identity Management --- @@ -1606,7 +1606,7 @@ Subject: [PATCH 51/72] ipaclient/remote_plugins/2_164/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_164/otptoken.py b/ipaclient/remote_plugins/2_164/otptoken.py -index 0b2b54c6e..e674d465d 100644 +index 0b2b54c..e674d46 100644 --- a/ipaclient/remote_plugins/2_164/otptoken.py +++ b/ipaclient/remote_plugins/2_164/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1637,21 +1637,21 @@ index 0b2b54c6e..e674d465d 100644 ), parameters.Int( -- -2.17.1 +2.21.0 -From 5be234c16ddcf8684c3d41c985f98ff6485c89db Mon Sep 17 00:00:00 2001 +From 5b4bebe15eb2604e63a02c90258423560e47791e Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 52/72] ipalib/pkcs10.py: Change branding to IPA and - Identity Management +Subject: [PATCH 51/71] ipalib/pkcs10.py: Change branding to IPA and Identity + Management --- ipalib/pkcs10.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py -index 2756c8568..590ce0757 100644 +index 2756c85..590ce07 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -2,7 +2,7 @@ from __future__ import print_function @@ -1664,13 +1664,13 @@ index 2756c8568..590ce0757 100644 file=sys.stderr ) -- -2.17.1 +2.21.0 -From cd983cb830b66bfd35c353cda8eb8c83053847eb Mon Sep 17 00:00:00 2001 +From 4157915ff75752341ddca82bef5f2eefbf4b1d24 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 53/72] ipalib/rpc.py: Change branding to IPA and Identity +Subject: [PATCH 52/71] ipalib/rpc.py: Change branding to IPA and Identity Management --- @@ -1678,7 +1678,7 @@ Subject: [PATCH 53/72] ipalib/rpc.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py -index b27f3cef9..f2a697199 100644 +index 1ef0f5e..f1be905 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -284,7 +284,7 @@ class _JSONPrimer(dict): @@ -1691,13 +1691,13 @@ index b27f3cef9..f2a697199 100644 The primer uses a couple of tricks to archive maximum performance: -- -2.17.1 +2.21.0 -From 8b5459b80408929c1593895e00f37a011aa09723 Mon Sep 17 00:00:00 2001 +From 6f853361b23d986c0048d9e7e60460732484dbd0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 54/72] ipalib/util.py: Change branding to IPA and Identity +Subject: [PATCH 53/71] ipalib/util.py: Change branding to IPA and Identity Management --- 
@@ -1705,10 +1705,10 @@ Subject: [PATCH 54/72] ipalib/util.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/util.py b/ipalib/util.py -index 3e8fab49d..0aac1c799 100644 +index fd08d89..62577d7 100644 --- a/ipalib/util.py +++ b/ipalib/util.py -@@ -234,7 +234,7 @@ def normalize_zone(zone): +@@ -236,7 +236,7 @@ def normalize_zone(zone): def get_proper_tls_version_span(tls_version_min, tls_version_max): """ This function checks whether the given TLS versions are known in @@ -1718,13 +1718,13 @@ index 3e8fab49d..0aac1c799 100644 `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`). -- -2.17.1 +2.21.0 -From 0fd0f26cbb7ff344f24acfedda97d11f46717b78 Mon Sep 17 00:00:00 2001 +From 61578b07480f2ba73e5c5e73b270ba69115319e9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 55/72] ipalib/x509.py: Change branding to IPA and Identity +Subject: [PATCH 54/71] ipalib/x509.py: Change branding to IPA and Identity Management --- @@ -1732,11 +1732,11 @@ Subject: [PATCH 55/72] ipalib/x509.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/x509.py b/ipalib/x509.py -index bc78a8058..57a7e18df 100644 +index 1f612a3..dfe66e1 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py -@@ -86,7 +86,7 @@ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2' - class IPACertificate(object): +@@ -88,7 +88,7 @@ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2' + class IPACertificate: """ A proxy class wrapping a python-cryptography certificate representation for - FreeIPA purposes @@ -1745,13 +1745,13 @@ index bc78a8058..57a7e18df 100644 def __init__(self, cert, backend=None): """ -- -2.17.1 +2.21.0 -From 08aaff17e615d159da73a4a254ca8d43cc05b82d Mon Sep 17 00:00:00 2001 +From cf108de27c35652d0678c6f3fbc8967be6a083d8 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 56/72] ipaserver/advise/plugins/legacy_clients.py: Change +Subject: [PATCH 55/71] ipaserver/advise/plugins/legacy_clients.py: Change branding to IPA and Identity Management --- @@ -1759,10 +1759,10 @@ Subject: [PATCH 56/72] ipaserver/advise/plugins/legacy_clients.py: Change 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py -index 7916965dd..c0d6c73f4 100644 +index 2a56922..0e322fe 100644 --- a/ipaserver/advise/plugins/legacy_clients.py +++ b/ipaserver/advise/plugins/legacy_clients.py -@@ -92,7 +92,7 @@ class config_redhat_sssd_before_1_9(config_base_legacy_client): +@@ -94,7 +94,7 @@ class config_redhat_sssd_before_1_9(config_base_legacy_client): Legacy client configuration for Red Hat based systems, using SSSD. """ description = ('Instructions for configuring a system with an old version ' @@ -1771,7 +1771,7 @@ index 7916965dd..c0d6c73f4 100644 'instructions is targeted for platforms that include ' 'the authconfig utility, which are all Red Hat based ' 'platforms.') -@@ -127,7 +127,7 @@ class config_generic_linux_sssd_before_1_9(config_base_legacy_client): +@@ -129,7 +129,7 @@ class config_generic_linux_sssd_before_1_9(config_base_legacy_client): using SSSD. """ description = ('Instructions for configuring a system with an old version ' @@ -1780,7 +1780,7 @@ index 7916965dd..c0d6c73f4 100644 'instructions is targeted for linux systems that do not ' 'include the authconfig utility.') -@@ -182,7 +182,7 @@ class config_redhat_nss_pam_ldapd(config_base_legacy_client): +@@ -184,7 +184,7 @@ class config_redhat_nss_pam_ldapd(config_base_legacy_client): using nss-pam-ldapd. """ description = ('Instructions for configuring a system with nss-pam-ldapd ' 
@@ -1789,7 +1789,7 @@ index 7916965dd..c0d6c73f4 100644 'for platforms that include the authconfig utility, which ' 'are all Red Hat based platforms.') -@@ -350,7 +350,7 @@ class config_redhat_nss_ldap(config_base_legacy_client): +@@ -352,7 +352,7 @@ class config_redhat_nss_ldap(config_base_legacy_client): using nss-ldap. """ description = ('Instructions for configuring a system with nss-ldap ' @@ -1799,13 +1799,13 @@ index 7916965dd..c0d6c73f4 100644 'are all Red Hat based platforms.') -- -2.17.1 +2.21.0 -From c4c9d5687b29ee387356899151c7a64d9100f0e2 Mon Sep 17 00:00:00 2001 +From a8736b1b82bba093c72eb4a142c860c547a0e4b0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 57/72] ipaserver/advise/plugins/smart_card_auth.py: Change +Subject: [PATCH 56/71] ipaserver/advise/plugins/smart_card_auth.py: Change branding to IPA and Identity Management --- @@ -1813,10 +1813,10 @@ Subject: [PATCH 57/72] ipaserver/advise/plugins/smart_card_auth.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py -index 2f2e7aec9..5795f0f75 100644 +index c43c74e..ce50cec 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py -@@ -95,7 +95,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): +@@ -97,7 +97,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): """ description = ("Instructions for enabling Smart Card authentication on " 
@@ -1825,7 +1825,7 @@ index 2f2e7aec9..5795f0f75 100644 "enabling PKINIT on KDC and configuring WebUI to accept " "Smart Card auth requests. To enable the feature in the " "whole topology you have to run the script on each master") -@@ -222,11 +222,11 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): +@@ -244,11 +244,11 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): @register() class config_client_for_smart_card_auth(common_smart_card_auth_config): """ @@ -1840,13 +1840,13 @@ index 2f2e7aec9..5795f0f75 100644 "allow smart card logins to desktop") -- -2.17.1 +2.21.0 -From 382d2f94b43410a6caefa7e8bec4f41455d7cc2b Mon Sep 17 00:00:00 2001 +From 2f35de8549d671caa36cccdf037bcc1c6382c812 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 58/72] ipaserver/install/dns.py: Change branding to IPA and +Subject: [PATCH 57/71] ipaserver/install/dns.py: Change branding to IPA and Identity Management --- @@ -1854,7 +1854,7 @@ Subject: [PATCH 58/72] ipaserver/install/dns.py: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py -index 80e81bbe0..c0ce42ab0 100644 +index 40688dc..2a130ab 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -149,7 +149,7 @@ def install_check(standalone, api, replica, options, hostname): @@ -1867,24 +1867,24 @@ index 80e81bbe0..c0ce42ab0 100644 print("This includes:") print(" * Configure DNS (bind)") -- -2.17.1 +2.21.0 -From 2091272e23144e854045eec4c090311231ae6de7 Mon Sep 17 00:00:00 2001 +From a45b1e44bb8307dba6bbf32e677f7b7424205830 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 59/72] ipaserver/install/ipa_kra_install.py: Change - branding to IPA and Identity Management +Subject: [PATCH 58/71] ipaserver/install/ipa_kra_install.py: Change branding + to IPA and Identity Management --- ipaserver/install/ipa_kra_install.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py -index 45a3b09f0..9f28bb0d1 100644 +index 2d6e4bf..076c206 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py -@@ -87,7 +87,7 @@ class KRAInstall(admintool.AdminTool): +@@ -93,7 +93,7 @@ class KRAInstall(admintool.AdminTool): if options.uninstall: sys.exit( 'ERROR: Standalone KRA uninstallation was removed in ' @@ -1893,7 +1893,7 @@ index 45a3b09f0..9f28bb0d1 100644 'issues.') else: return KRAInstaller -@@ -98,7 +98,7 @@ class KRAInstaller(KRAInstall): +@@ -104,7 +104,7 @@ class KRAInstaller(KRAInstall): INSTALLER_START_MESSAGE = ''' =================================================================== @@ -1903,13 +1903,13 @@ index 45a3b09f0..9f28bb0d1 100644 ''' -- -2.17.1 +2.21.0 -From 574f21b25242c0dd32683443eaea24a3a88529ce Mon Sep 17 00:00:00 2001 +From 29661374a56cc16c3d707aca0c3fbe01d7ad7dee Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 60/72] ipaserver/install/plugins/dns.py: Change branding to +Subject: [PATCH 59/71] ipaserver/install/plugins/dns.py: Change branding to IPA and Identity Management --- @@ -1917,7 +1917,7 @@ Subject: [PATCH 60/72] ipaserver/install/plugins/dns.py: Change branding to 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py -index baa19c38e..a7a1748d9 100644 +index baa19c3..a7a1748 100644 --- a/ipaserver/install/plugins/dns.py 
+++ b/ipaserver/install/plugins/dns.py @@ -161,11 +161,11 @@ class update_ipaconfigstring_dnsversion_to_ipadnsversion(Updater): @@ -1962,13 +1962,13 @@ index baa19c38e..a7a1748d9 100644 """ backup_filename = u'dns-forwarding-empty-zones-%Y-%m-%d-%H-%M-%S.ldif' -- -2.17.1 +2.21.0 -From 7d7cbc6f104a837678ee56bd6a66c12c80a4100e Mon Sep 17 00:00:00 2001 +From ed41c0d8c9d782e4610837f9dbacb9d64fbecc65 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 61/72] ipaserver/install/replication.py: Change branding to +Subject: [PATCH 60/71] ipaserver/install/replication.py: Change branding to IPA and Identity Management --- @@ -1976,10 +1976,10 @@ Subject: [PATCH 61/72] ipaserver/install/replication.py: Change branding to 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py -index 92a99cd94..d77193092 100644 +index 1fefe3e..87794b7 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py -@@ -1693,7 +1693,7 @@ class ReplicationManager(object): +@@ -1760,7 +1760,7 @@ class ReplicationManager: Ensure that the 'cn=replication managers,cn=sysaccounts' group exists and contains the principals for master and remote replica @@ -1989,24 +1989,24 @@ index 92a99cd94..d77193092 100644 """ my_dn = DN( -- -2.17.1 +2.21.0 -From 3c2401a5414090a8deb7e6e2d439a4094dc66eb4 Mon Sep 17 00:00:00 2001 +From 9289815fa14bfa2ff3ff0a57031b4c7588c6a2f2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 62/72] ipaserver/install/server/install.py: Change branding - to IPA and Identity Management +Subject: [PATCH 61/71] ipaserver/install/server/install.py: Change branding to + IPA and Identity Management --- ipaserver/install/server/install.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index efccca77b..0a2774a6a 100644 +index 7cdf2a5..f7e9f88 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py -@@ -381,7 +381,7 @@ def install_check(installer): +@@ -393,7 +393,7 @@ def install_check(installer): print("=======================================" "=======================================") @@ -2016,13 +2016,13 @@ index efccca77b..0a2774a6a 100644 print("") print("This includes:") -- -2.17.1 +2.21.0 -From 6bf9c6a5db6526e2126c352c6bb8e9d117a14c1a Mon Sep 17 00:00:00 2001 +From 8c6d244de87c7c3bcfc4660921738efcdeaf17de Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 63/72] ipaserver/install/server/replicainstall.py: Change +Subject: [PATCH 62/71] ipaserver/install/server/replicainstall.py: Change branding to IPA and Identity Management --- @@ -2030,10 +2030,10 @@ Subject: [PATCH 63/72] ipaserver/install/server/replicainstall.py: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index aaa1943f9..878c01e99 100644 +index 536f0db..3fb8b3f 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -612,7 +612,7 @@ def check_domain_level_is_supported(current): +@@ -619,7 +619,7 @@ def check_domain_level_is_supported(current): above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: @@ -2043,13 +2043,13 @@ index aaa1943f9..878c01e99 100644 "this domain. The Domain Level needs to be " "raised before installing a replica with " -- -2.17.1 +2.21.0 -From 5502cd648cb527fba8c32e9cb92b6d821fcb5cb0 Mon Sep 17 00:00:00 2001 +From a328d3c6e5ed88d6a5461448952672c4fb0d6956 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 64/72] ipaserver/plugins/certmap.py: Change branding to IPA +Subject: [PATCH 63/71] ipaserver/plugins/certmap.py: Change branding to IPA and Identity Management --- @@ -2057,10 +2057,10 @@ Subject: [PATCH 64/72] ipaserver/plugins/certmap.py: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py -index 8705e4290..558c3987e 100644 +index ee8f0c1..cdbc38f 100644 --- a/ipaserver/plugins/certmap.py +++ b/ipaserver/plugins/certmap.py -@@ -541,7 +541,7 @@ class certmap_match(Search): +@@ -614,7 +614,7 @@ class certmap_match(Search): The search is performed using SSSD's DBus interface Users.ListByCertificate. SSSD does the lookup based on certificate mapping rules, using @@ -2070,21 +2070,21 @@ index 8705e4290..558c3987e 100644 """ sssd = _sssd() -- -2.17.1 +2.21.0 -From f0176f97e82a727ee0a057838478ee8789c116c4 Mon Sep 17 00:00:00 2001 +From 278276fed26cf350ffa81aea4abb46dc6c26b781 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 65/72] ipaserver/plugins/otptoken.py: Change branding to - IPA and Identity Management +Subject: [PATCH 64/71] ipaserver/plugins/otptoken.py: Change branding to IPA + and Identity Management --- ipaserver/plugins/otptoken.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py -index 17b32094d..cf5de1cca 100644 +index 72ed539..46e4d5e 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -245,7 +245,7 @@ class otptoken(LDAPObject): @@ -2097,21 +2097,21 @@ index 17b32094d..cf5de1cca 100644 autofill=True, flags=('no_update'), -- -2.17.1 +2.21.0 -From 3f01ae64c482a63d06bb8114943f41585a605ec5 Mon Sep 17 00:00:00 2001 +From a172851e990fee8b6749c7edbf8bc56be425b492 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 66/72] ipaserver/plugins/sudorule.py: Change branding to - IPA and Identity Management +Subject: [PATCH 65/71] ipaserver/plugins/sudorule.py: Change branding to IPA + and Identity Management --- ipaserver/plugins/sudorule.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py -index 643215985..68baa0174 100644 +index 6432159..68baa01 100644 --- a/ipaserver/plugins/sudorule.py +++ b/ipaserver/plugins/sudorule.py @@ -47,7 +47,7 @@ give certain users (or groups of users) the ability to run some (or all) @@ -2133,13 +2133,13 @@ index 643215985..68baa0174 100644 """) + _(""" To enable the binddn run the following command to set the password: -- -2.17.1 +2.21.0 -From bb3d8b2541764a92a580f7333c5fe2e966b5b07d Mon Sep 17 00:00:00 2001 +From b6c8cfacbb786cd91dd025545cb142fb409e8d34 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 67/72] po/de.po: Change branding to IPA and Identity +Subject: [PATCH 66/71] po/de.po: Change branding to IPA and Identity Management --- @@ -2147,10 +2147,10 @@ Subject: [PATCH 67/72] po/de.po: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/po/de.po b/po/de.po -index bc1c822c6..7a928f3ba 100644 +index 78b7cb6..5146ca4 100644 --- a/po/de.po +++ b/po/de.po -@@ -3677,7 +3677,7 @@ msgstr "TOTP Sychnronisierungsfenster" +@@ -3672,7 +3672,7 @@ msgstr "TOTP Sychnronisierungsfenster" msgid "TOTP authentication Window" msgstr "TOTP Authentifizierungsfenster" @@ -2160,24 +2160,24 @@ index bc1c822c6..7a928f3ba 100644 msgid "Target" -- -2.17.1 +2.21.0 -From 5f8baa253864020ca013288470e19ac0f720eda4 Mon Sep 17 00:00:00 2001 +From aa73ce7826017703a4b1737bd0b445d011827a8e Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 68/72] po/es.po: Change branding to IPA and Identity +Subject: [PATCH 67/71] po/es.po: Change branding to IPA and Identity Management --- - po/es.po | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) + po/es.po | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/po/es.po b/po/es.po -index 46404dac9..a4aa0fed3 100644 +index bd7aa1f..31437e7 100644 --- a/po/es.po +++ b/po/es.po -@@ -1152,7 +1152,7 @@ msgid "" +@@ -3363,7 +3363,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2186,7 +2186,7 @@ index 46404dac9..a4aa0fed3 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -1210,7 +1210,7 @@ msgstr "" +@@ -3421,7 +3421,7 @@ msgstr "" "propiedad\n" "usado por Dogtag Certificate System. No está soportado el formato XML.\n" "\n" @@ -2195,7 +2195,7 @@ index 46404dac9..a4aa0fed3 100644 "restricciones:\n" "\n" "- Cuando se importa un perfil el campo \"profileId\", si está presente, debe " -@@ -1964,7 +1964,7 @@ msgid "" +@@ -4988,7 +4988,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2204,7 +2204,7 @@ index 46404dac9..a4aa0fed3 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -1979,7 +1979,7 @@ msgid "" +@@ -5003,7 +5003,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" 
@@ -2213,7 +2213,7 @@ index 46404dac9..a4aa0fed3 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -1987,7 +1987,7 @@ msgid "" +@@ -5011,7 +5011,7 @@ msgid "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2222,7 +2222,7 @@ index 46404dac9..a4aa0fed3 100644 msgstr "" "\n" "Reglas Sudo\n" -@@ -2000,7 +2000,7 @@ msgstr "" +@@ -5024,7 +5024,7 @@ msgstr "" "auditoria de\n" " los comandos y sus argumentos.\n" "\n" @@ -2231,7 +2231,7 @@ index 46404dac9..a4aa0fed3 100644 " Users: Los usuario(s)/grupos(s) que tienen permitido llamar a Sudo.\n" " Hosts: Loshost(s)/grupo(s) de host a los que el usuario permite llamar a " "Sudo.\n" -@@ -2018,7 +2018,7 @@ msgstr "" +@@ -5042,7 +5042,7 @@ msgstr "" "será evaluada\n" "(si el cliente lo soporta). Este orden es un entero y debe ser único.\n" "\n" @@ -2240,7 +2240,7 @@ index 46404dac9..a4aa0fed3 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "Para habilitar el binddn ejecute el siguiente comando para fijar la " -@@ -2027,7 +2027,7 @@ msgstr "" +@@ -5051,7 +5051,7 @@ msgstr "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" 
@@ -2249,14 +2249,25 @@ index 46404dac9..a4aa0fed3 100644 msgid "" "\n" +@@ -12345,8 +12345,8 @@ msgstr "Variación del tiempo de autenticación TOTP (segundos)" + msgid "TOTP synchronization time variance (seconds)" + msgstr "Variación del tiempo de sincronización TOTP (segundos)" + +-msgid "TOTP token / FreeIPA server time difference" +-msgstr "Ficha TOTP / Diferencia de hora del servidor FreeIPA" ++msgid "TOTP token / IPA server time difference" ++msgstr "Ficha TOTP / Diferencia de hora del servidor IPA" + + msgid "Take a revoked certificate off hold." + msgstr "Tomar un certificado revocado de espera." -- -2.17.1 +2.21.0 -From df92542ae86b04a6f9d03eb93e41105a4cf7ea34 Mon Sep 17 00:00:00 2001 +From b61cae363c082c6ef850c00753cc2475b71093c0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 69/72] po/fr.po: Change branding to IPA and Identity +Subject: [PATCH 68/71] po/fr.po: Change branding to IPA and Identity Management --- @@ -2264,7 +2275,7 @@ Subject: [PATCH 69/72] po/fr.po: Change branding to IPA and Identity 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/po/fr.po b/po/fr.po -index 42cd3d25f..cd2ea9f9b 100644 +index 1a4389b..e124a64 100644 --- a/po/fr.po +++ b/po/fr.po @@ -2575,17 +2575,17 @@ msgstr "" @@ -2315,7 +2326,7 @@ index 42cd3d25f..cd2ea9f9b 100644 "\n" "- Lors de l'import d'un profil, le champ « profileId » s'il est présent " "doit\n" -@@ -15762,8 +15762,8 @@ msgstr "Durée de la fenêtre d'authentification TOTP (secondes)" +@@ -15663,8 +15663,8 @@ msgstr "Durée de la fenêtre d'authentification TOTP (secondes)" msgid "TOTP synchronization time variance (seconds)" msgstr "Variance temporelle de synchronisation TOTP (secondes)" 
@@ -2327,13 +2338,13 @@ index 42cd3d25f..cd2ea9f9b 100644 msgid "TSIG record" msgstr "Enregistrement TSIG" -- -2.17.1 +2.21.0 -From 60393752d8623d9b059c4133eb22499743826654 Mon Sep 17 00:00:00 2001 +From 1954de803b6616d885ef0f37530b78b8e6e5b490 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 70/72] po/ru.po: Change branding to IPA and Identity +Subject: [PATCH 69/71] po/ru.po: Change branding to IPA and Identity Management --- @@ -2341,10 +2352,10 @@ Subject: [PATCH 70/72] po/ru.po: Change branding to IPA and Identity 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/po/ru.po b/po/ru.po -index e97f2fb8a..8026b0c73 100644 +index 4bb68b8..560ead0 100644 --- a/po/ru.po +++ b/po/ru.po -@@ -5283,17 +5283,17 @@ msgstr "" +@@ -5310,17 +5310,17 @@ msgstr "" msgid "" "\n" @@ -2365,7 +2376,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -5305,7 +5305,7 @@ msgid "" +@@ -5332,7 +5332,7 @@ msgid "" " Options: The various Sudoers Options that can modify Sudo's behavior.\n" msgstr "" "\n" @@ -2374,7 +2385,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -8936,7 +8936,7 @@ msgid "" +@@ -8770,7 +8770,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" 
@@ -2383,7 +2394,7 @@ index e97f2fb8a..8026b0c73 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -8990,7 +8990,7 @@ msgstr "" +@@ -8824,7 +8824,7 @@ msgstr "" "свойств, который используется системой сертификации Dogtag Certificate " "System. Поддержка формата XML не предусмотрена.\n" "\n" @@ -2392,7 +2403,7 @@ index e97f2fb8a..8026b0c73 100644 "\n" "- При импорте профиля значение поля \"profileId\", если это поле имеется, " "должно совпадать с идентификатором, указанным в командной строке.\n" -@@ -9046,7 +9046,7 @@ msgid "" +@@ -8880,7 +8880,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2401,7 +2412,7 @@ index e97f2fb8a..8026b0c73 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -9102,7 +9102,7 @@ msgstr "" +@@ -8936,7 +8936,7 @@ msgstr "" "свойств, который используется системой сертификации Dogtag Certificate " "System. Поддержка формата XML не предусмотрена.\n" "\n" @@ -2410,7 +2421,7 @@ index e97f2fb8a..8026b0c73 100644 "\n" "- При импорте профиля значение поля \"profileId\", если это поле имеется, " "должно совпадать с идентификатором, указанным в командной строке.\n" -@@ -14373,7 +14373,7 @@ msgid "" +@@ -14207,7 +14207,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2419,7 +2430,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14388,7 +14388,7 @@ msgid "" +@@ -14222,7 +14222,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" 
@@ -2428,7 +2439,7 @@ index e97f2fb8a..8026b0c73 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14426,7 +14426,7 @@ msgstr "" +@@ -14260,7 +14260,7 @@ msgstr "" "пользователя \"root\" или другого пользователя, вместе с тем предоставляя " "журнал аудита команд и их аргументов.\n" "\n" @@ -2437,7 +2448,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -14447,7 +14447,7 @@ msgstr "" +@@ -14281,7 +14281,7 @@ msgstr "" "Порядок определяется числовым индексом (целое число), который не должен " "повторяться.\n" "\n" @@ -2446,7 +2457,7 @@ index e97f2fb8a..8026b0c73 100644 "Sudo:\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14488,7 +14488,7 @@ msgid "" +@@ -14322,7 +14322,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2455,7 +2466,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14503,7 +14503,7 @@ msgid "" +@@ -14337,7 +14337,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" @@ -2464,7 +2475,7 @@ index e97f2fb8a..8026b0c73 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14511,7 +14511,7 @@ msgid "" +@@ -14345,7 +14345,7 @@ msgid "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" 
@@ -2473,7 +2484,7 @@ index e97f2fb8a..8026b0c73 100644 msgstr "" "\n" "Правила Sudo\n" -@@ -14522,7 +14522,7 @@ msgstr "" +@@ -14356,7 +14356,7 @@ msgstr "" "пользователя \"root\" или другого пользователя, вместе с тем предоставляя " "журнал аудита команд и их аргументов.\n" "\n" @@ -2482,7 +2493,7 @@ index e97f2fb8a..8026b0c73 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -14543,7 +14543,7 @@ msgstr "" +@@ -14377,7 +14377,7 @@ msgstr "" "Порядок определяется числовым индексом (целое число), который не должен " "повторяться.\n" "\n" @@ -2491,7 +2502,7 @@ index e97f2fb8a..8026b0c73 100644 "Sudo:\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14552,7 +14552,7 @@ msgstr "" +@@ -14386,7 +14386,7 @@ msgstr "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2500,7 +2511,7 @@ index e97f2fb8a..8026b0c73 100644 msgid "" "\n" -@@ -27537,8 +27537,8 @@ msgstr "Отклонение по времени TOTP-аутентификаци +@@ -27661,8 +27661,8 @@ msgstr "Отклонение по времени TOTP-аутентификаци msgid "TOTP synchronization time variance (seconds)" msgstr "Отклонение по времени TOTP-синхронизации (в секундах)" @@ -2512,13 +2523,13 @@ index e97f2fb8a..8026b0c73 100644 msgid "TSIG record" msgstr "Запись TSIG" -- -2.17.1 +2.21.0 -From 3525520540f22c3a20077bdc65355dbd381fe69c Mon Sep 17 00:00:00 2001 +From ef68c0facb2efbef9a40d02ebb4d9bdc141d16db Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 71/72] po/uk.po: Change branding to IPA and Identity +Subject: [PATCH 70/71] po/uk.po: Change branding to IPA and Identity Management --- @@ -2526,10 +2537,10 @@ Subject: [PATCH 71/72] po/uk.po: Change branding to IPA and Identity 1 file changed, 20 insertions(+), 20 deletions(-) 
diff --git a/po/uk.po b/po/uk.po -index b24c0a7de..2cf7c0dc2 100644 +index 9845500..a1e7ce4 100644 --- a/po/uk.po +++ b/po/uk.po -@@ -5377,17 +5377,17 @@ msgstr "" +@@ -5403,17 +5403,17 @@ msgstr "" msgid "" "\n" @@ -2550,7 +2561,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -5399,7 +5399,7 @@ msgid "" +@@ -5425,7 +5425,7 @@ msgid "" " Options: The various Sudoers Options that can modify Sudo's behavior.\n" msgstr "" "\n" @@ -2559,7 +2570,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -9084,7 +9084,7 @@ msgid "" +@@ -8915,7 +8915,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2568,7 +2579,7 @@ index b24c0a7de..2cf7c0dc2 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -9138,7 +9138,7 @@ msgstr "" +@@ -8969,7 +8969,7 @@ msgstr "" "властивостей, що використовується системою сертифікації Dogtag.\n" "Підтримки формату XML не передбачено.\n" "\n" @@ -2577,7 +2588,7 @@ index b24c0a7de..2cf7c0dc2 100644 "\n" "- Під час імпортування профілю поле «profileId», якщо таке є, має\n" " містити значення, що збігається з ідентифікатором, вказаним у рядку " -@@ -9195,7 +9195,7 @@ msgid "" +@@ -9026,7 +9026,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" 
@@ -2586,7 +2597,7 @@ index b24c0a7de..2cf7c0dc2 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -9250,7 +9250,7 @@ msgstr "" +@@ -9081,7 +9081,7 @@ msgstr "" "властивостей, що використовується системою сертифікації Dogtag.\n" "Підтримки формату XML не передбачено.\n" "\n" @@ -2595,7 +2606,7 @@ index b24c0a7de..2cf7c0dc2 100644 "\n" "- Під час імпортування профілю поле «profileId», якщо таке є, має\n" " містити значення, що збігається з ідентифікатором, вказаним у рядку " -@@ -14520,7 +14520,7 @@ msgid "" +@@ -14469,7 +14469,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2604,7 +2615,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14535,7 +14535,7 @@ msgid "" +@@ -14484,7 +14484,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" @@ -2613,7 +2624,7 @@ index b24c0a7de..2cf7c0dc2 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14573,7 +14573,7 @@ msgstr "" +@@ -14522,7 +14522,7 @@ msgstr "" "користувача, зберігаючи водночас журнал виконання команд та\n" "аргументів.\n" "\n" @@ -2622,7 +2633,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -14591,7 +14591,7 @@ msgstr "" +@@ -14540,7 +14540,7 @@ msgstr "" "обробки записів (якщо такий порядок передбачено на клієнтському боці).\n" "Порядок визначається числовим індексом, який не повинен повторюватися.\n" "\n" 
@@ -2631,7 +2642,7 @@ index b24c0a7de..2cf7c0dc2 100644 "розташовано у\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14631,7 +14631,7 @@ msgid "" +@@ -14580,7 +14580,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2640,7 +2651,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14646,7 +14646,7 @@ msgid "" +@@ -14595,7 +14595,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" @@ -2649,7 +2660,7 @@ index b24c0a7de..2cf7c0dc2 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14654,7 +14654,7 @@ msgid "" +@@ -14603,7 +14603,7 @@ msgid "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2658,7 +2669,7 @@ index b24c0a7de..2cf7c0dc2 100644 msgstr "" "\n" "Правила sudo\n" -@@ -14665,7 +14665,7 @@ msgstr "" +@@ -14614,7 +14614,7 @@ msgstr "" "користувача, зберігаючи водночас журнал виконання команд та\n" "аргументів.\n" "\n" @@ -2667,7 +2678,7 @@ index b24c0a7de..2cf7c0dc2 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -14683,7 +14683,7 @@ msgstr "" +@@ -14632,7 +14632,7 @@ msgstr "" "обробки записів (якщо такий порядок передбачено на клієнтському боці).\n" "Порядок визначається числовим індексом, який не повинен повторюватися.\n" "\n" 
@@ -2676,7 +2687,7 @@ index b24c0a7de..2cf7c0dc2 100644 "розташовано у\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14692,7 +14692,7 @@ msgstr "" +@@ -14641,7 +14641,7 @@ msgstr "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2685,7 +2696,7 @@ index b24c0a7de..2cf7c0dc2 100644 msgid "" "\n" -@@ -27454,8 +27454,8 @@ msgstr "Відхилення часу розпізнавання TOTP (у сек +@@ -27982,8 +27982,8 @@ msgstr "Відхилення часу розпізнавання TOTP (у сек msgid "TOTP synchronization time variance (seconds)" msgstr "Відхилення часу синхронізації TOTP (у секундах)" @@ -2697,13 +2708,13 @@ index b24c0a7de..2cf7c0dc2 100644 msgid "TSIG record" msgstr "Запис TSIG" -- -2.17.1 +2.21.0 -From 4531df1333dc43484f2fab5ef0d601b2fe656cbb Mon Sep 17 00:00:00 2001 +From a1cb6d13c461f4d67c1efe7f1927e47de5619097 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 72/72] po/zh_CN.po: Change branding to IPA and Identity +Subject: [PATCH 71/71] po/zh_CN.po: Change branding to IPA and Identity Management --- @@ -2711,7 +2722,7 @@ Subject: [PATCH 72/72] po/zh_CN.po: Change branding to IPA and Identity 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/po/zh_CN.po b/po/zh_CN.po -index 594e52a77..18dcbb390 100644 +index 30e707d..e9eabce 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -298,7 +298,7 @@ msgstr "" @@ -2732,7 +2743,7 @@ index 594e52a77..18dcbb390 100644 " 用户:用户/用户组允许调用Sudo。\n" " 主机:主机/主机组上的用户允许调用Sudo。\n" " 允许的命令:指定命令允许通过Sudo来运行。\n" -@@ -10019,8 +10019,8 @@ msgstr "TOTP认证时间差异(秒)" +@@ -9928,8 +9928,8 @@ msgstr "TOTP认证时间差异(秒)" msgid "TOTP synchronization time variance (seconds)" msgstr "TOTP同步时间差异(秒)" @@ -2744,5 +2755,5 @@ index 594e52a77..18dcbb390 100644 msgid "TSIG record" msgstr "TSIG记录" -- -2.17.1 +2.21.0 
diff --git a/SOURCES/1002-4.7.90pre1-Remove-csrgen.patch b/SOURCES/1002-4.7.90pre1-Remove-csrgen.patch
deleted file mode 100644
index 16a966c..0000000
--- a/SOURCES/1002-4.7.90pre1-Remove-csrgen.patch
+++ /dev/null
@@ -1,1986 +0,0 @@ -This is a collection of an existing patch to remove csrgen for 4.7.1 and -additional patches that have been added for 4.7.90 pre1. - -Additional reverted csrgen patches: - -852618fd6529fbdd7b03077fae37c6fbbe45b51b -0ac1d3ea62efd9751fcc59cea46bcdafe1f11c37 -7633d62d858c14523a99143aa0ff36f76bb4ff68 -53f87ee5cd9d19f6fb91a9a1eafc8ea798095954 -395a68d20887d0ac010e480e68b225d6dfeff726 -03786ad9f3bd5edc351040847b8a49c9cd9288b2 -c9d710a446d10aad72795e15bf041b87102628c1 -2b90c8a20e45ade9bfd27731cccc94a34cf3f61e -61dde27f70b9f8dd1b57ad1fbc3744f3c380613a -806784dbd9e69a89c7a705c89bf42ba1fd4265c9 -79378c90512a1cdd5f3d5ec6482e434caea06e01 -bd5a5012d24820b54cdca2955f5405b84de1178c -26ab51ddf47f421f3404709052db89f08c05adaa -a53e17830c3d4fd59a62248d4447491675c6a80e -e7588ab2dc73e7f66ebc6cdcfb99470540e37731 -136c6c3e2a4f77a27f435efd4a1cd95c9e089314 -5420e9cfbe7803808b6e26d2dae64f2a6a50149a - -Original patch from 4.7.1: - -From 468bcf90cb985e2b1eb394bd752dc39aa4b75582 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden <rcritten@redhat.com> -Date: Thu, 19 Jul 2018 18:37:18 -0400 -Subject: [PATCH] Remove csrgen - -This reverts commits: -* 72de679eb445c975ec70cd265d37d4927823ce5b -* 177f07e163d6d591a1e609d35e0a6f6f5347551e -* 80be18162921268be9c8981495c9e8a4de0c85cd -* 83e2c2b65eeb5a3aa4a59c0535e9177aac5e4637 -* ada91c20588046bb147fc701718d3da4d2c080ca -* 4350dcdea22fd2284836315d0ae7d38733a7620e -* 39a5d9c5aae77687f67d9be02457733bdfb99ead -* a26cf0d7910dd4c0a4da08682b4be8d3d94ba520 -* afd7c05d11432304bfdf183832a21d419f363689 -* f1a1c6eca1b294f24174d7b0e1f78de46d9d5b05 -* fc58eff6a3d7fe805e612b8b002304d8b9cd4ba9 -* 10ef5947860f5098182b1f95c08c1158e2da15f9 - -https://bugzilla.redhat.com/show_bug.cgi?id=1432630 ---- - freeipa.spec.in | 14 - - ipaclient/csrgen.py | 488 --------------------- - ipaclient/csrgen/profiles/caIPAserviceCert.json | 15 - - ipaclient/csrgen/profiles/userCert.json | 15 - - ipaclient/csrgen/rules/dataDNS.json | 8 - - 
ipaclient/csrgen/rules/dataEmail.json | 8 - - ipaclient/csrgen/rules/dataHostCN.json | 8 - - ipaclient/csrgen/rules/dataSubjectBase.json | 8 - - ipaclient/csrgen/rules/dataUsernameCN.json | 8 - - ipaclient/csrgen/rules/syntaxSAN.json | 8 - - ipaclient/csrgen/rules/syntaxSubject.json | 9 - - ipaclient/csrgen/templates/openssl_base.tmpl | 17 - - ipaclient/csrgen/templates/openssl_macros.tmpl | 29 -- - ipaclient/csrgen_ffi.py | 331 -------------- - ipaclient/plugins/cert.py | 80 ---- - ipaclient/plugins/csrgen.py | 128 ------ - ipaclient/setup.py | 8 - - .../data/test_csrgen/configs/caIPAserviceCert.conf | 16 - - .../data/test_csrgen/configs/userCert.conf | 16 - - .../data/test_csrgen/profiles/profile.json | 8 - - .../data/test_csrgen/rules/basic.json | 5 - - .../data/test_csrgen/rules/options.json | 8 - - .../data/test_csrgen/templates/identity_base.tmpl | 1 - - ipatests/test_ipaclient/test_csrgen.py | 304 ------------- - 24 files changed, 1540 deletions(-) - delete mode 100644 ipaclient/csrgen.py - delete mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json - delete mode 100644 ipaclient/csrgen/profiles/userCert.json - delete mode 100644 ipaclient/csrgen/rules/dataDNS.json - delete mode 100644 ipaclient/csrgen/rules/dataEmail.json - delete mode 100644 ipaclient/csrgen/rules/dataHostCN.json - delete mode 100644 ipaclient/csrgen/rules/dataSubjectBase.json - delete mode 100644 ipaclient/csrgen/rules/dataUsernameCN.json - delete mode 100644 ipaclient/csrgen/rules/syntaxSAN.json - delete mode 100644 ipaclient/csrgen/rules/syntaxSubject.json - delete mode 100644 ipaclient/csrgen/templates/openssl_base.tmpl - delete mode 100644 ipaclient/csrgen/templates/openssl_macros.tmpl - delete mode 100644 ipaclient/csrgen_ffi.py - delete mode 100644 ipaclient/plugins/csrgen.py - delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf - delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf - delete mode 100644 
ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json - delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/basic.json - delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/options.json - delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl - delete mode 100644 ipatests/test_ipaclient/test_csrgen.py - -diff -urN freeipa-4.7.90.pre1.orig/freeipa.spec.in freeipa-4.7.90.pre1/freeipa.spec.in ---- freeipa-4.7.90.pre1.orig/freeipa.spec.in 2019-04-29 08:28:24.722860593 +0200 -+++ freeipa-4.7.90.pre1/freeipa.spec.in 2019-05-06 18:31:26.443792711 +0200 -@@ -1225,13 +1225,6 @@ - %dir %{python3_sitelib}/ipaclient/remote_plugins/2_* - %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py - %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* --%dir %{python3_sitelib}/ipaclient/csrgen --%dir %{python3_sitelib}/ipaclient/csrgen/profiles --%{python3_sitelib}/ipaclient/csrgen/profiles/*.json --%dir %{python3_sitelib}/ipaclient/csrgen/rules --%{python3_sitelib}/ipaclient/csrgen/rules/*.json --%dir %{python3_sitelib}/ipaclient/csrgen/templates --%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl - %{python3_sitelib}/ipaclient-*.egg-info - - -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/caIPAserviceCert.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/caIPAserviceCert.json 2019-04-29 17:06:41.408224320 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/caIPAserviceCert.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,15 +0,0 @@ --[ -- { -- "syntax": "syntaxSubject", -- "data": [ -- "dataHostCN", -- "dataSubjectBase" -- ] -- }, -- { -- "syntax": "syntaxSAN", -- "data": [ -- "dataDNS" -- ] -- } --] -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/userCert.json freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/userCert.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/userCert.json 
2019-04-29 17:06:41.417224194 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/userCert.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,15 +0,0 @@ --[ -- { -- "syntax": "syntaxSubject", -- "data": [ -- "dataUsernameCN", -- "dataSubjectBase" -- ] -- }, -- { -- "syntax": "syntaxSAN", -- "data": [ -- "dataEmail" -- ] -- } --] -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataDNS.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataDNS.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataDNS.json 2019-04-29 17:06:41.422224125 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataDNS.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,8 +0,0 @@ --{ -- "rule": { -- "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}" -- }, -- "options": { -- "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]" -- } --} -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataEmail.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataEmail.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataEmail.json 2019-04-29 17:06:41.426224069 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataEmail.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,8 +0,0 @@ --{ -- "rule": { -- "template": "email = {{subject.mail.0}}" -- }, -- "options": { -- "data_source": "subject.mail.0" -- } --} -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataHostCN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataHostCN.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataHostCN.json 2019-04-29 17:06:41.430224013 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataHostCN.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,8 +0,0 @@ --{ -- "rule": { -- "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}" -- }, -- "options": { -- "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]" -- } --} -diff -urN 
freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataSubjectBase.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataSubjectBase.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataSubjectBase.json 2019-04-29 17:06:41.437223916 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataSubjectBase.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,8 +0,0 @@ --{ -- "rule": { -- "template": "{{config.ipacertificatesubjectbase.0}}" -- }, -- "options": { -- "data_source": "config.ipacertificatesubjectbase.0" -- } --} -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataUsernameCN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataUsernameCN.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataUsernameCN.json 2019-04-29 17:06:41.449223748 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataUsernameCN.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,8 +0,0 @@ --{ -- "rule": { -- "template": "CN={{subject.uid.0}}" -- }, -- "options": { -- "data_source": "subject.uid.0" -- } --} -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSAN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSAN.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSAN.json 2019-04-29 17:06:41.456223650 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSAN.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,8 +0,0 @@ --{ -- "rule": { -- "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}" -- }, -- "options": { -- "extension": true -- } --} -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSubject.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSubject.json ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSubject.json 2019-04-29 17:06:41.461223581 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSubject.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,9 +0,0 @@ --{ -- "rule": { -- "template": "distinguished_name = {% call openssl.section() %}{{ 
datarules|reverse|join('\n') }}{% endcall %}" -- }, -- "options": { -- "required": true, -- "data_source_combinator": "and" -- } --} -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_base.tmpl freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_base.tmpl ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_base.tmpl 2019-04-29 17:06:41.469223469 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_base.tmpl 1970-01-01 01:00:00.000000000 +0100 -@@ -1,17 +0,0 @@ --{% raw -%} --{% import "openssl_macros.tmpl" as openssl -%} --{% endraw -%} --[ req ] --prompt = no --encrypt_key = no -- --{{ parameters|join('\n') }} --{% raw %}{% set rendered_extensions -%}{% endraw %} --{{ extensions|join('\n') }} --{% raw -%} --{%- endset -%} --{% if rendered_extensions -%} --req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %} --{% endif %} --{{ openssl.openssl_sections|join('\n\n') }} --{%- endraw %} -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_macros.tmpl freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_macros.tmpl ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_macros.tmpl 2019-04-29 17:06:41.475223385 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_macros.tmpl 1970-01-01 01:00:00.000000000 +0100 -@@ -1,29 +0,0 @@ --{# List containing rendered sections to be included at end #} --{% set openssl_sections = [] %} -- --{# --List containing one entry for each section name allocated. Because of --scoping rules, we need to use a list so that it can be a "per-render global" --that gets updated in place. Real globals are shared by all templates with the --same environment, and variables defined in the macro don't persist after the --macro invocation ends. 
--#} --{% set openssl_section_num = [] %} -- --{% macro section() -%} --{% set name -%} --sec{{ openssl_section_num|length -}} --{% endset -%} --{% do openssl_section_num.append('') -%} --{% set contents %}{{ caller() }}{% endset -%} --{% if contents -%} --{% set sectiondata = formatsection(name, contents) -%} --{% do openssl_sections.append(sectiondata) -%} --{% endif -%} --{{ name -}} --{% endmacro %} -- --{% macro formatsection(name, contents) -%} --[ {{ name }} ] --{{ contents -}} --{% endmacro %} -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/ipaclient/csrgen_ffi.py ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py 2019-04-29 17:06:41.367224892 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen_ffi.py 1970-01-01 01:00:00.000000000 +0100 -@@ -1,331 +0,0 @@ --from cffi import FFI --import ctypes.util -- --from ipalib import errors -- --_ffi = FFI() -- --_ffi.cdef(''' --typedef ... CONF; --typedef ... CONF_METHOD; --typedef ... BIO; --typedef ... ipa_STACK_OF_CONF_VALUE; -- --/* openssl/conf.h */ --typedef struct { -- char *section; -- char *name; -- char *value; --} CONF_VALUE; -- --CONF *NCONF_new(CONF_METHOD *meth); --void NCONF_free(CONF *conf); --int NCONF_load_bio(CONF *conf, BIO *bp, long *eline); --ipa_STACK_OF_CONF_VALUE *NCONF_get_section(const CONF *conf, -- const char *section); --char *NCONF_get_string(const CONF *conf, const char *group, const char *name); -- --/* openssl/safestack.h */ --// int sk_CONF_VALUE_num(ipa_STACK_OF_CONF_VALUE *); --// CONF_VALUE *sk_CONF_VALUE_value(ipa_STACK_OF_CONF_VALUE *, int); -- --/* openssl/stack.h */ --typedef ... 
_STACK; -- --int OPENSSL_sk_num(const _STACK *); --void *OPENSSL_sk_value(const _STACK *, int); -- --int sk_num(const _STACK *); --void *sk_value(const _STACK *, int); -- --/* openssl/bio.h */ --BIO *BIO_new_mem_buf(const void *buf, int len); --int BIO_free(BIO *a); -- --/* openssl/asn1.h */ --typedef struct ASN1_ENCODING_st { -- unsigned char *enc; /* DER encoding */ -- long len; /* Length of encoding */ -- int modified; /* set to 1 if 'enc' is invalid */ --} ASN1_ENCODING; -- --/* openssl/evp.h */ --typedef ... EVP_PKEY; -- --void EVP_PKEY_free(EVP_PKEY *pkey); -- --/* openssl/x509.h */ --typedef ... ASN1_INTEGER; --typedef ... ASN1_BIT_STRING; --typedef ... ASN1_OBJECT; --typedef ... X509; --typedef ... X509_ALGOR; --typedef ... X509_CRL; --typedef ... X509_NAME; --typedef ... X509_PUBKEY; --typedef ... ipa_STACK_OF_X509_ATTRIBUTE; -- --typedef struct X509_req_info_st { -- ASN1_ENCODING enc; -- ASN1_INTEGER *version; -- X509_NAME *subject; -- X509_PUBKEY *pubkey; -- /* d=2 hl=2 l= 0 cons: cont: 00 */ -- ipa_STACK_OF_X509_ATTRIBUTE *attributes; /* [ 0 ] */ --} X509_REQ_INFO; -- --typedef struct X509_req_st { -- X509_REQ_INFO *req_info; -- X509_ALGOR *sig_alg; -- ASN1_BIT_STRING *signature; -- int references; --} X509_REQ; -- --X509_REQ *X509_REQ_new(void); --void X509_REQ_free(X509_REQ *); --EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); --int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey); --int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, -- const unsigned char *bytes, int len, int loc, -- int set); --int X509_NAME_entry_count(X509_NAME *name); --int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **out); -- --/* openssl/objects.h */ --ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name); -- --/* openssl/x509v3.h */ --typedef ... 
X509V3_CONF_METHOD; -- --typedef struct v3_ext_ctx { -- int flags; -- X509 *issuer_cert; -- X509 *subject_cert; -- X509_REQ *subject_req; -- X509_CRL *crl; -- X509V3_CONF_METHOD *db_meth; -- void *db; --} X509V3_CTX; -- --void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, -- X509_REQ *req, X509_CRL *crl, int flags); --void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf); --int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, -- X509_REQ *req); -- --/* openssl/x509v3.h */ --unsigned long ERR_get_error(void); --char *ERR_error_string(unsigned long e, char *buf); --''') # noqa: E501 -- --_libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto')) -- --NULL = _ffi.NULL -- --# openssl/conf.h --NCONF_new = _libcrypto.NCONF_new --NCONF_free = _libcrypto.NCONF_free --NCONF_load_bio = _libcrypto.NCONF_load_bio --NCONF_get_section = _libcrypto.NCONF_get_section --NCONF_get_string = _libcrypto.NCONF_get_string -- --# openssl/stack.h --try: -- sk_num = _libcrypto.OPENSSL_sk_num -- sk_value = _libcrypto.OPENSSL_sk_value --except AttributeError: -- sk_num = _libcrypto.sk_num -- sk_value = _libcrypto.sk_value -- -- --def sk_CONF_VALUE_num(sk): -- return sk_num(_ffi.cast("_STACK *", sk)) -- -- --def sk_CONF_VALUE_value(sk, i): -- return _ffi.cast("CONF_VALUE *", sk_value(_ffi.cast("_STACK *", sk), i)) -- -- --# openssl/bio.h --BIO_new_mem_buf = _libcrypto.BIO_new_mem_buf --BIO_free = _libcrypto.BIO_free -- --# openssl/x509.h --X509_REQ_new = _libcrypto.X509_REQ_new --X509_REQ_free = _libcrypto.X509_REQ_free --X509_REQ_set_pubkey = _libcrypto.X509_REQ_set_pubkey --d2i_PUBKEY_bio = _libcrypto.d2i_PUBKEY_bio --i2d_X509_REQ_INFO = _libcrypto.i2d_X509_REQ_INFO --X509_NAME_add_entry_by_OBJ = _libcrypto.X509_NAME_add_entry_by_OBJ --X509_NAME_entry_count = _libcrypto.X509_NAME_entry_count -- -- --def X509_REQ_get_subject_name(req): -- return req.req_info.subject -- -- --# openssl/objects.h --OBJ_txt2obj = _libcrypto.OBJ_txt2obj -- --# openssl/evp.h 
--EVP_PKEY_free = _libcrypto.EVP_PKEY_free -- --# openssl/asn1.h --MBSTRING_UTF8 = 0x1000 -- --# openssl/x509v3.h --X509V3_set_ctx = _libcrypto.X509V3_set_ctx --X509V3_set_nconf = _libcrypto.X509V3_set_nconf --X509V3_EXT_REQ_add_nconf = _libcrypto.X509V3_EXT_REQ_add_nconf -- --# openssl/err.h --ERR_get_error = _libcrypto.ERR_get_error --ERR_error_string = _libcrypto.ERR_error_string -- -- --def _raise_openssl_errors(): -- msgs = [] -- -- code = ERR_get_error() -- while code != 0: -- msg = _ffi.string(ERR_error_string(code, NULL)) -- try: -- strmsg = msg.decode('utf-8') -- except UnicodeDecodeError: -- strmsg = repr(msg) -- msgs.append(strmsg) -- code = ERR_get_error() -- -- raise errors.CSRTemplateError(reason='\n'.join(msgs)) -- -- --def _parse_dn_section(subj, dn_sk): -- for i in range(sk_CONF_VALUE_num(dn_sk)): -- v = sk_CONF_VALUE_value(dn_sk, i) -- rdn_type = _ffi.string(v.name) -- -- # Skip past any leading X. X: X, etc to allow for multiple instances -- for idx, c in enumerate(rdn_type): -- if c in b':,.': -- if idx+1 < len(rdn_type): -- rdn_type = rdn_type[idx+1:] -- break -- if rdn_type.startswith(b'+'): -- rdn_type = rdn_type[1:] -- mval = -1 -- else: -- mval = 0 -- -- # convert rdn_type to an OID -- # -- # OpenSSL is fussy about the case of the string. For example, -- # lower-case 'o' (for "organization name") is not recognised. -- # Therefore, try to convert the given string into an OID. If -- # that fails, convert it upper case and try again. 
-- # -- oid = OBJ_txt2obj(rdn_type, 0) -- if oid == NULL: -- oid = OBJ_txt2obj(rdn_type.upper(), 0) -- if oid == NULL: -- raise errors.CSRTemplateError( -- reason='unrecognised attribute type: {}' -- .format(rdn_type.decode('utf-8'))) -- -- if not X509_NAME_add_entry_by_OBJ( -- subj, oid, MBSTRING_UTF8, -- _ffi.cast("unsigned char *", v.value), -1, -1, mval): -- _raise_openssl_errors() -- -- if not X509_NAME_entry_count(subj): -- raise errors.CSRTemplateError( -- reason='error, subject in config file is empty') -- -- --def build_requestinfo(config, public_key_info): -- ''' -- Return a cffi buffer containing a DER-encoded CertificationRequestInfo. -- -- The returned object implements the buffer protocol. -- -- ''' -- reqdata = NULL -- req = NULL -- nconf_bio = NULL -- pubkey_bio = NULL -- pubkey = NULL -- -- try: -- reqdata = NCONF_new(NULL) -- if reqdata == NULL: -- _raise_openssl_errors() -- -- nconf_bio = BIO_new_mem_buf(config, len(config)) -- errorline = _ffi.new('long[1]', [-1]) -- i = NCONF_load_bio(reqdata, nconf_bio, errorline) -- if i < 0: -- if errorline[0] < 0: -- raise errors.CSRTemplateError(reason="Can't load config file") -- else: -- raise errors.CSRTemplateError( -- reason='Error on line %d of config file' % errorline[0]) -- -- dn_sect = NCONF_get_string(reqdata, b'req', b'distinguished_name') -- if dn_sect == NULL: -- raise errors.CSRTemplateError( -- reason='Unable to find "distinguished_name" key in config') -- -- dn_sk = NCONF_get_section(reqdata, dn_sect) -- if dn_sk == NULL: -- raise errors.CSRTemplateError( -- reason='Unable to find "%s" section in config' % -- _ffi.string(dn_sect)) -- -- pubkey_bio = BIO_new_mem_buf(public_key_info, len(public_key_info)) -- pubkey = d2i_PUBKEY_bio(pubkey_bio, NULL) -- if pubkey == NULL: -- _raise_openssl_errors() -- -- req = X509_REQ_new() -- if req == NULL: -- _raise_openssl_errors() -- -- subject = X509_REQ_get_subject_name(req) -- -- _parse_dn_section(subject, dn_sk) -- -- if not X509_REQ_set_pubkey(req, 
pubkey): -- _raise_openssl_errors() -- -- ext_ctx = _ffi.new("X509V3_CTX[1]") -- X509V3_set_ctx(ext_ctx, NULL, NULL, req, NULL, 0) -- X509V3_set_nconf(ext_ctx, reqdata) -- -- extn_section = NCONF_get_string(reqdata, b"req", b"req_extensions") -- if extn_section != NULL: -- if not X509V3_EXT_REQ_add_nconf( -- reqdata, ext_ctx, extn_section, req): -- _raise_openssl_errors() -- -- der_len = i2d_X509_REQ_INFO(req.req_info, NULL) -- if der_len < 0: -- _raise_openssl_errors() -- -- der_buf = _ffi.new("unsigned char[%d]" % der_len) -- der_out = _ffi.new("unsigned char **", der_buf) -- der_len = i2d_X509_REQ_INFO(req.req_info, der_out) -- if der_len < 0: -- _raise_openssl_errors() -- -- return _ffi.buffer(der_buf, der_len) -- -- finally: -- if reqdata != NULL: -- NCONF_free(reqdata) -- if req != NULL: -- X509_REQ_free(req) -- if nconf_bio != NULL: -- BIO_free(nconf_bio) -- if pubkey_bio != NULL: -- BIO_free(pubkey_bio) -- if pubkey != NULL: -- EVP_PKEY_free(pubkey) -diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen.py freeipa-4.7.90.pre1/ipaclient/csrgen.py ---- freeipa-4.7.90.pre1.orig/ipaclient/csrgen.py 2019-04-29 17:06:41.360224990 +0200 -+++ freeipa-4.7.90.pre1/ipaclient/csrgen.py 1970-01-01 01:00:00.000000000 +0100 -@@ -1,488 +0,0 @@ --# --# Copyright (C) 2016 FreeIPA Contributors see COPYING for license --# -- --import base64 --import collections --import errno --import json --import logging --import os --import os.path --import pipes --import subprocess --import traceback --import codecs -- --import pkg_resources -- --from cryptography.hazmat.backends import default_backend --from cryptography.hazmat.primitives.asymmetric import padding --from cryptography.hazmat.primitives import hashes --from cryptography.hazmat.primitives.serialization import ( -- load_pem_private_key, Encoding, PublicFormat) --from cryptography.x509 import load_pem_x509_certificate --import jinja2 --import jinja2.ext --import jinja2.sandbox --from pyasn1.codec.der import decoder, encoder 
--from pyasn1.type import univ
--from pyasn1_modules import rfc2314
--import six
--
--from ipalib import api
--from ipalib import errors
--from ipalib.text import _
--
--if six.PY3:
-- unicode = str
--
--__doc__ = _("""
--Routines for constructing certificate signing requests using IPA data and
--stored templates.
--""")
--
--logger = logging.getLogger(__name__)
--
--
--class IndexableUndefined(jinja2.Undefined):
-- def __getitem__(self, key):
-- return jinja2.Undefined(
-- hint=self._undefined_hint, obj=self._undefined_obj,
-- name=self._undefined_name, exc=self._undefined_exception)
--
--
--class IPAExtension(jinja2.ext.Extension):
-- """Jinja2 extension providing useful features for CSR generation rules."""
--
-- def __init__(self, environment):
-- super(IPAExtension, self).__init__(environment)
--
-- environment.filters.update(
-- quote=self.quote,
-- required=self.required,
-- )
--
-- def quote(self, data):
-- return pipes.quote(data)
--
-- def required(self, data, name):
-- if not data:
-- raise errors.CSRTemplateError(
-- reason=_(
-- 'Required CSR generation rule %(name)s is missing data') %
-- {'name': name})
-- return data
--
--
--class Formatter:
-- """
-- Class for processing a set of CSR generation rules into a template.
--
-- The template can be rendered with user and database data to produce a
-- config, which specifies how to build a CSR.
--
-- Subclasses of Formatter should set the value of base_template_name to the
-- filename of a base template with spaces for the processed rules.
-- Additionally, they should override the _get_template_params method to
-- produce the correct output for the base template.
-- """
-- base_template_name = None
--
-- def __init__(self, csr_data_dir=None):
-- # chain loaders:
-- # 1) csr_data_dir/templates
-- # 2) /etc/ipa/csrgen/templates
-- # 3) ipaclient/csrgen/templates
-- loaders = []
-- if csr_data_dir is not None:
-- loaders.append(jinja2.FileSystemLoader(
-- os.path.join(csr_data_dir, 'templates'))
-- )
-- loaders.append(jinja2.FileSystemLoader(
-- os.path.join(api.env.confdir, 'csrgen/templates'))
-- )
-- loaders.append(jinja2.PackageLoader('ipaclient', 'csrgen/templates'))
--
-- self.jinja2 = jinja2.sandbox.SandboxedEnvironment(
-- loader=jinja2.ChoiceLoader(loaders),
-- extensions=[jinja2.ext.ExprStmtExtension, IPAExtension],
-- keep_trailing_newline=True, undefined=IndexableUndefined)
--
-- self.passthrough_globals = {}
--
-- def _define_passthrough(self, call):
-- """Some macros are meant to be interpreted during the final render, not
-- when data rules are interpolated into syntax rules. This method allows
-- those macros to be registered so that calls to them are passed through
-- to the prepared rule rather than interpreted.
-- """
--
-- def passthrough(caller):
-- return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller())
--
-- parts = call.split('.')
-- current_level = self.passthrough_globals
-- for part in parts[:-1]:
-- if part not in current_level:
-- current_level[part] = {}
-- current_level = current_level[part]
-- current_level[parts[-1]] = passthrough
--
-- def build_template(self, rules):
-- """
-- Construct a template that can produce CSR generator strings.
--
-- :param rules: list of FieldMapping to use to populate the template.
--
-- :returns: jinja2.Template that can be rendered to produce the CSR data.
-- """
-- syntax_rules = []
-- for field_mapping in rules:
-- data_rules_prepared = [
-- self._prepare_data_rule(rule)
-- for rule in field_mapping.data_rules]
--
-- data_sources = []
-- for xrule in field_mapping.data_rules:
-- data_source = xrule.options.get('data_source')
-- if data_source:
-- data_sources.append(data_source)
--
-- syntax_rules.append(self._prepare_syntax_rule(
-- field_mapping.syntax_rule, data_rules_prepared,
-- field_mapping.description, data_sources))
--
-- template_params = self._get_template_params(syntax_rules)
-- base_template = self.jinja2.get_template(
-- self.base_template_name, globals=self.passthrough_globals)
--
-- try:
-- combined_template_source = base_template.render(**template_params)
-- except jinja2.UndefinedError:
-- logger.debug(traceback.format_exc())
-- raise errors.CSRTemplateError(reason=_(
-- 'Template error when formatting certificate data'))
--
-- logger.debug(
-- 'Formatting with template: %s', combined_template_source)
-- combined_template = self.jinja2.from_string(combined_template_source)
--
-- return combined_template
--
-- def _wrap_conditional(self, rule, condition):
-- rule = '{%% if %s %%}%s{%% endif %%}' % (condition, rule)
-- return rule
--
-- def _wrap_required(self, rule, description):
-- template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % (
-- description, rule)
--
-- return template
--
-- def _prepare_data_rule(self, data_rule):
-- template = data_rule.template
--
-- data_source = data_rule.options.get('data_source')
-- if data_source:
-- template = self._wrap_conditional(template, data_source)
--
-- return template
--
-- def _prepare_syntax_rule(
-- self, syntax_rule, data_rules, description, data_sources):
-- logger.debug('Syntax rule template: %s', syntax_rule.template)
-- template = self.jinja2.from_string(
-- syntax_rule.template, globals=self.passthrough_globals)
-- is_required = syntax_rule.options.get('required', False)
-- try:
-- prepared_template =
template.render(datarules=data_rules)
-- except jinja2.UndefinedError:
-- logger.debug(traceback.format_exc())
-- raise errors.CSRTemplateError(reason=_(
-- 'Template error when formatting certificate data'))
--
-- if data_sources:
-- combinator = ' %s ' % syntax_rule.options.get(
-- 'data_source_combinator', 'or')
-- condition = combinator.join(data_sources)
-- prepared_template = self._wrap_conditional(
-- prepared_template, condition)
--
-- if is_required:
-- prepared_template = self._wrap_required(
-- prepared_template, description)
--
-- return prepared_template
--
-- def _get_template_params(self, syntax_rules):
-- """
-- Package the syntax rules into fields expected by the base template.
--
-- :param syntax_rules: list of prepared syntax rules to be included in
-- the template.
--
-- :returns: dict of values needed to render the base template.
-- """
-- raise NotImplementedError('Formatter class must be subclassed')
--
--
--class OpenSSLFormatter(Formatter):
-- """Formatter class generating the openssl config-file format."""
--
-- base_template_name = 'openssl_base.tmpl'
--
-- # Syntax rules are wrapped in this data structure, to keep track of whether
-- # each goes in the extension or the root section
-- SyntaxRule = collections.namedtuple(
-- 'SyntaxRule', ['template', 'is_extension'])
--
-- def __init__(self, *args, **kwargs):
-- super(OpenSSLFormatter, self).__init__(*args, **kwargs)
-- self._define_passthrough('openssl.section')
--
-- def _get_template_params(self, syntax_rules):
-- parameters = [rule.template for rule in syntax_rules
-- if not rule.is_extension]
-- extensions = [rule.template for rule in syntax_rules
-- if rule.is_extension]
--
-- return {'parameters': parameters, 'extensions': extensions}
--
-- def _prepare_syntax_rule(
-- self, syntax_rule, data_rules, description, data_sources):
-- """Overrides method to pull out whether rule is an extension or not."""
-- prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule(
--
syntax_rule, data_rules, description, data_sources)
-- is_extension = syntax_rule.options.get('extension', False)
-- return self.SyntaxRule(prepared_template, is_extension)
--
--
--class FieldMapping:
-- """Representation of the rules needed to construct a complete cert field.
--
-- Attributes:
-- description: str, a name or description of this field, to be used in
-- messages
-- syntax_rule: Rule, the rule defining the syntax of this field
-- data_rules: list of Rule, the rules that produce data to be stored in
-- this field
-- """
-- __slots__ = ['description', 'syntax_rule', 'data_rules']
--
-- def __init__(self, description, syntax_rule, data_rules):
-- self.description = description
-- self.syntax_rule = syntax_rule
-- self.data_rules = data_rules
--
--
--class Rule:
-- __slots__ = ['name', 'template', 'options']
--
-- def __init__(self, name, template, options):
-- self.name = name
-- self.template = template
-- self.options = options
--
--
--class RuleProvider:
-- def rules_for_profile(self, profile_id):
-- """
-- Return the rules needed to build a CSR using the given profile.
--
-- :param profile_id: str, name of the CSR generation profile to use
--
-- :returns: list of FieldMapping, filled out with the appropriate rules
-- """
-- raise NotImplementedError('RuleProvider class must be subclassed')
--
--
--class FileRuleProvider(RuleProvider):
-- def __init__(self, csr_data_dir=None):
-- self.rules = {}
-- self._csrgen_data_dirs = []
-- if csr_data_dir is not None:
-- self._csrgen_data_dirs.append(csr_data_dir)
-- self._csrgen_data_dirs.append(
-- os.path.join(api.env.confdir, 'csrgen')
-- )
-- self._csrgen_data_dirs.append(
-- pkg_resources.resource_filename('ipaclient', 'csrgen')
-- )
--
-- def _open(self, subdir, filename):
-- for data_dir in self._csrgen_data_dirs:
-- path = os.path.join(data_dir, subdir, filename)
-- try:
-- return open(path)
-- except IOError as e:
-- if e.errno != errno.ENOENT:
-- raise
-- raise IOError(
-- errno.ENOENT,
-- "'{}' not found in {}".format(
-- os.path.join(subdir, filename),
-- ", ".join(self._csrgen_data_dirs)
-- )
-- )
--
-- def _rule(self, rule_name):
-- if rule_name not in self.rules:
-- try:
-- with self._open('rules', '%s.json' % rule_name) as f:
-- ruleconf = json.load(f)
-- except IOError:
-- raise errors.NotFound(
-- reason=_('No generation rule %(rulename)s found.') %
-- {'rulename': rule_name})
--
-- try:
-- rule = ruleconf['rule']
-- except KeyError:
-- raise errors.EmptyResult(
-- reason=_('Generation rule "%(rulename)s" is missing the'
-- ' "rule" key') % {'rulename': rule_name})
--
-- options = ruleconf.get('options', {})
--
-- self.rules[rule_name] = Rule(
-- rule_name, rule['template'], options)
--
-- return self.rules[rule_name]
--
-- def rules_for_profile(self, profile_id):
-- try:
-- with self._open('profiles', '%s.json' % profile_id) as f:
-- profile = json.load(f)
-- except IOError:
-- raise errors.NotFound(
-- reason=_('No CSR generation rules are defined for profile'
-- ' %(profile_id)s') % {'profile_id': profile_id})
--
-- field_mappings = []
-- for field in profile:
--
syntax_rule = self._rule(field['syntax'])
-- data_rules = [self._rule(name) for name in field['data']]
-- field_mappings.append(FieldMapping(
-- syntax_rule.name, syntax_rule, data_rules))
-- return field_mappings
--
--
--class CSRGenerator:
-- def __init__(self, rule_provider, formatter_class=OpenSSLFormatter):
-- self.rule_provider = rule_provider
-- self.formatter = formatter_class()
--
-- def csr_config(self, principal, config, profile_id):
-- render_data = {'subject': principal, 'config': config}
--
-- rules = self.rule_provider.rules_for_profile(profile_id)
-- template = self.formatter.build_template(rules)
--
-- try:
-- config = template.render(render_data)
-- except jinja2.UndefinedError:
-- logger.debug(traceback.format_exc())
-- raise errors.CSRTemplateError(reason=_(
-- 'Template error when formatting certificate data'))
--
-- return config
--
--
--class CSRLibraryAdaptor:
-- def get_subject_public_key_info(self):
-- raise NotImplementedError('Use a subclass of CSRLibraryAdaptor')
--
-- def sign_csr(self, certification_request_info):
-- """Sign a CertificationRequestInfo.
--
-- :returns: bytes, a DER-encoded signed CSR.
-- """
-- raise NotImplementedError('Use a subclass of CSRLibraryAdaptor')
--
--
--class OpenSSLAdaptor:
-- def __init__(self, key=None, key_filename=None, password_filename=None):
-- """
-- Must provide either ``key_filename`` or ``key``.
--
-- """
-- if key_filename is not None:
-- with open(key_filename, 'rb') as key_file:
-- key_bytes = key_file.read()
--
-- password = None
-- if password_filename is not None:
-- with open(password_filename, 'rb') as password_file:
-- password = password_file.read().strip()
--
-- self._key = load_pem_private_key(
-- key_bytes, password, default_backend())
--
-- elif key is not None:
-- self._key = key
--
-- else:
-- raise ValueError("Must provide 'key' or 'key_filename'")
--
-- def key(self):
-- return self._key
--
-- def get_subject_public_key_info(self):
-- pubkey_info = self.key().public_key().public_bytes(
-- Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
-- return pubkey_info
--
-- def sign_csr(self, certification_request_info):
-- reqinfo = decoder.decode(
-- certification_request_info, rfc2314.CertificationRequestInfo())[0]
-- csr = rfc2314.CertificationRequest()
-- csr.setComponentByName('certificationRequestInfo', reqinfo)
--
-- algorithm = rfc2314.SignatureAlgorithmIdentifier()
-- algorithm.setComponentByName(
-- 'algorithm', univ.ObjectIdentifier(
-- '1.2.840.113549.1.1.11')) # sha256WithRSAEncryption
-- csr.setComponentByName('signatureAlgorithm', algorithm)
--
-- signature = self.key().sign(
-- certification_request_info,
-- padding.PKCS1v15(),
-- hashes.SHA256()
-- )
-- asn1sig = univ.BitString("'{sig}'H".format(
-- sig=codecs.encode(signature, 'hex')
-- .decode('ascii'))
-- )
-- csr.setComponentByName('signature', asn1sig)
-- return encoder.encode(csr)
--
--
--class NSSAdaptor:
-- def __init__(self, database, password_filename):
-- self.database = database
-- self.password_filename = password_filename
-- self.nickname = base64.b32encode(os.urandom(40))
--
-- def get_subject_public_key_info(self):
-- temp_cn = base64.b32encode(os.urandom(40)).decode('ascii')
--
-- password_args = []
-- if self.password_filename is not None:
-- password_args = ['-f', self.password_filename]
--
-- subprocess.check_call(
-- ['certutil', '-S', '-n', self.nickname,
'-s', 'CN=%s' % temp_cn,
-- '-x', '-t', ',,', '-d', self.database] + password_args)
-- cert_pem = subprocess.check_output(
-- ['certutil', '-L', '-n', self.nickname, '-a',
-- '-d', self.database] + password_args)
--
-- cert = load_pem_x509_certificate(cert_pem, default_backend())
-- pubkey_info = cert.public_key().public_bytes(
-- Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
--
-- return pubkey_info
--
-- def sign_csr(self, certification_request_info):
-- raise NotImplementedError('NSS is not yet supported')
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py freeipa-4.7.90.pre1/ipaclient/plugins/cert.py
---- freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py 2019-04-29 17:06:41.645221012 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/plugins/cert.py 2019-05-06 18:31:28.384751096 +0200
-@@ -21,8 +21,6 @@
- 
- import base64
- 
--import six
--
- from ipaclient.frontend import MethodOverride
- from ipalib import errors
- from ipalib import x509
-@@ -31,9 +29,6 @@
- from ipalib.plugable import Registry
- from ipalib.text import _
- 
--if six.PY3:
-- unicode = str
--
- register = Registry()
- 
- 
-@@ -73,87 +68,12 @@
- 
- @register(override=True, no_fail=True)
- class cert_request(CertRetrieveOverride):
-- takes_options = CertRetrieveOverride.takes_options + (
-- Str(
-- 'database?',
-- label=_('Path to NSS database'),
-- doc=_('Path to NSS database to use for private key'),
-- ),
-- Str(
-- 'private_key?',
-- label=_('Path to private key file'),
-- doc=_('Path to PEM file containing a private key'),
-- ),
-- Str(
-- 'password_file?',
-- label=_(
-- 'File containing a password for the private key or database'),
-- ),
-- Str(
-- 'csr_profile_id?',
-- label=_('Name of CSR generation profile (if not the same as'
-- ' profile_id)'),
-- ),
-- )
--
- def get_args(self):
- for arg in super(cert_request, self).get_args():
- if arg.name == 'csr':
- arg = arg.clone_retype(arg.name, File, required=False)
- yield arg
- 
-- def forward(self, csr=None, **options):
-- database =
options.pop('database', None)
-- private_key = options.pop('private_key', None)
-- csr_profile_id = options.pop('csr_profile_id', None)
-- password_file = options.pop('password_file', None)
--
-- if csr is None:
-- # Deferred import, ipaclient.csrgen is expensive to load.
-- # see https://pagure.io/freeipa/issue/7484
-- from ipaclient import csrgen
--
-- if database:
-- adaptor = csrgen.NSSAdaptor(database, password_file)
-- elif private_key:
-- adaptor = csrgen.OpenSSLAdaptor(
-- key_filename=private_key, password_filename=password_file)
-- else:
-- raise errors.InvocationError(
-- message=u"One of 'database' or 'private_key' is required")
--
-- pubkey_info = adaptor.get_subject_public_key_info()
-- pubkey_info_b64 = base64.b64encode(pubkey_info)
--
-- # If csr_profile_id is passed, that takes precedence.
-- # Otherwise, use profile_id. If neither are passed, the default
-- # in cert_get_requestdata will be used.
-- profile_id = csr_profile_id
-- if profile_id is None:
-- profile_id = options.get('profile_id')
--
-- response = self.api.Command.cert_get_requestdata(
-- profile_id=profile_id,
-- principal=options.get('principal'),
-- public_key_info=pubkey_info_b64)
--
-- req_info_b64 = response['result']['request_info']
-- req_info = base64.b64decode(req_info_b64)
--
-- csr = adaptor.sign_csr(req_info)
--
-- if not csr:
-- raise errors.CertificateOperationError(
-- error=(_('Generated CSR was empty')))
--
-- else:
-- if database is not None or private_key is not None:
-- raise errors.MutuallyExclusiveError(reason=_(
-- "Options 'database' and 'private_key' are not compatible"
-- " with 'csr'"))
--
-- return super(cert_request, self).forward(csr, **options)
--
- 
- @register(override=True, no_fail=True)
- class cert_show(CertRetrieveOverride):
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py.orig freeipa-4.7.90.pre1/ipaclient/plugins/cert.py.orig
---- freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py.orig 1970-01-01 01:00:00.000000000 +0100
-+++
freeipa-4.7.90.pre1/ipaclient/plugins/cert.py.orig 2019-04-29 17:06:41.645221012 +0200
-@@ -0,0 +1,215 @@
-+# Authors:
-+# Andrew Wnuk <awnuk@redhat.com>
-+# Jason Gerard DeRose <jderose@redhat.com>
-+# John Dennis <jdennis@redhat.com>
-+#
-+# Copyright (C) 2009 Red Hat
-+# see file 'COPYING' for use and warranty information
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program. If not, see <http://www.gnu.org/licenses/>.
-+
-+import base64
-+
-+import six
-+
-+from ipaclient.frontend import MethodOverride
-+from ipalib import errors
-+from ipalib import x509
-+from ipalib import util
-+from ipalib.parameters import BinaryFile, File, Flag, Str
-+from ipalib.plugable import Registry
-+from ipalib.text import _
-+
-+if six.PY3:
-+ unicode = str
-+
-+register = Registry()
-+
-+
-+class CertRetrieveOverride(MethodOverride):
-+ takes_options = (
-+ Str(
-+ 'certificate_out?',
-+ doc=_('Write certificate (chain if --chain used) to file'),
-+ include='cli',
-+ cli_metavar='FILE',
-+ ),
-+ )
-+
-+ def forward(self, *args, **options):
-+ if 'certificate_out' in options:
-+ certificate_out = options.pop('certificate_out')
-+ try:
-+ util.check_writable_file(certificate_out)
-+ except errors.FileError as e:
-+ raise errors.ValidationError(name='certificate-out',
-+ error=str(e))
-+ else:
-+ certificate_out = None
-+
-+ result = super(CertRetrieveOverride, self).forward(*args, **options)
-+
-+ if certificate_out is not None:
-+ if options.get('chain', False):
-+ certs = result['result']['certificate_chain']
-+ else:
-+ certs = [base64.b64decode(result['result']['certificate'])]
-+ certs = (x509.load_der_x509_certificate(cert) for cert in certs)
-+ x509.write_certificate_list(certs, certificate_out)
-+
-+ return result
-+
-+
-+@register(override=True, no_fail=True)
-+class cert_request(CertRetrieveOverride):
-+ takes_options = CertRetrieveOverride.takes_options + (
-+ Str(
-+ 'database?',
-+ label=_('Path to NSS database'),
-+ doc=_('Path to NSS database to use for private key'),
-+ ),
-+ Str(
-+ 'private_key?',
-+ label=_('Path to private key file'),
-+ doc=_('Path to PEM file containing a private key'),
-+ ),
-+ Str(
-+ 'password_file?',
-+ label=_(
-+ 'File containing a password for the private key or database'),
-+ ),
-+ Str(
-+ 'csr_profile_id?',
-+ label=_('Name of CSR generation profile (if not the same as'
-+ ' profile_id)'),
-+ ),
-+ )
-+
-+ def get_args(self):
-+ for arg in super(cert_request, self).get_args():
-+ if arg.name == 'csr':
-+ arg = arg.clone_retype(arg.name, File, required=False)
-+ yield arg
-+
-+ def forward(self, csr=None, **options):
-+ database = options.pop('database', None)
-+ private_key = options.pop('private_key', None)
-+ csr_profile_id = options.pop('csr_profile_id', None)
-+ password_file = options.pop('password_file', None)
-+
-+ if csr is None:
-+ # Deferred import, ipaclient.csrgen is expensive to load.
-+ # see https://pagure.io/freeipa/issue/7484
-+ from ipaclient import csrgen
-+
-+ if database:
-+ adaptor = csrgen.NSSAdaptor(database, password_file)
-+ elif private_key:
-+ adaptor = csrgen.OpenSSLAdaptor(
-+ key_filename=private_key, password_filename=password_file)
-+ else:
-+ raise errors.InvocationError(
-+ message=u"One of 'database' or 'private_key' is required")
-+
-+ pubkey_info = adaptor.get_subject_public_key_info()
-+ pubkey_info_b64 = base64.b64encode(pubkey_info)
-+
-+ # If csr_profile_id is passed, that takes precedence.
-+ # Otherwise, use profile_id. If neither are passed, the default
-+ # in cert_get_requestdata will be used.
-+ profile_id = csr_profile_id
-+ if profile_id is None:
-+ profile_id = options.get('profile_id')
-+
-+ response = self.api.Command.cert_get_requestdata(
-+ profile_id=profile_id,
-+ principal=options.get('principal'),
-+ public_key_info=pubkey_info_b64)
-+
-+ req_info_b64 = response['result']['request_info']
-+ req_info = base64.b64decode(req_info_b64)
-+
-+ csr = adaptor.sign_csr(req_info)
-+
-+ if not csr:
-+ raise errors.CertificateOperationError(
-+ error=(_('Generated CSR was empty')))
-+
-+ else:
-+ if database is not None or private_key is not None:
-+ raise errors.MutuallyExclusiveError(reason=_(
-+ "Options 'database' and 'private_key' are not compatible"
-+ " with 'csr'"))
-+
-+ return super(cert_request, self).forward(csr, **options)
-+
-+
-+@register(override=True, no_fail=True)
-+class cert_show(CertRetrieveOverride):
-+ def get_options(self):
-+ for option in super(cert_show, self).get_options():
-+ if option.name == 'out':
-+ # skip server-defined --out
-+ continue
-+ if option.name == 'certificate_out':
-+ # add --out as a deprecated alias of --certificate-out
-+ option = option.clone_rename(
-+ 'out',
-+ cli_name='certificate_out',
-+ deprecated_cli_aliases={'out'},
-+ )
-+ yield option
-+
-+ def forward(self, *args, **options):
-+ try:
-+ options['certificate_out'] = options.pop('out')
-+ except KeyError:
-+ pass
-+
-+ return super(cert_show, self).forward(*args, **options)
-+
-+
-+@register(override=True, no_fail=True)
-+class cert_remove_hold(MethodOverride):
-+ has_output_params = (
-+ Flag('unrevoked',
-+ label=_('Unrevoked'),
-+ ),
-+ Str('error_string',
-+ label=_('Error'),
-+ ),
-+ )
-+
-+
-+@register(override=True, no_fail=True)
-+class cert_find(MethodOverride):
-+ takes_options = (
-+ BinaryFile(
-+ 'file?',
-+ label=_("Input filename"),
-+ doc=_('File to load the certificate from.'),
-+ include='cli',
-+ ),
-+ )
-+
-+ def
forward(self, *args, **options):
-+ if self.api.env.context == 'cli':
-+ if 'certificate' in options and 'file' in options:
-+ raise errors.MutuallyExclusiveError(
-+ reason=_("cannot specify both raw certificate and file"))
-+ if 'certificate' not in options and 'file' in options:
-+ options['certificate'] = x509.load_unknown_x509_certificate(
-+ options.pop('file'))
-+
-+ return super(cert_find, self).forward(*args, **options)
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/csrgen.py freeipa-4.7.90.pre1/ipaclient/plugins/csrgen.py
---- freeipa-4.7.90.pre1.orig/ipaclient/plugins/csrgen.py 2019-04-29 17:06:41.669220677 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/plugins/csrgen.py 1970-01-01 01:00:00.000000000 +0100
-@@ -1,128 +0,0 @@
--#
--# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
--#
--
--import base64
--
--import six
--
--from ipalib import api
--from ipalib import errors
--from ipalib import output
--from ipalib import util
--from ipalib.frontend import Local, Str
--from ipalib.parameters import Bytes, Principal
--from ipalib.plugable import Registry
--from ipalib.text import _
--from ipapython import dogtag
--
--
--if six.PY3:
-- unicode = str
--
--register = Registry()
--
--__doc__ = _("""
--Commands to build certificate requests automatically
--""")
--
--
--@register()
--class cert_get_requestdata(Local):
-- __doc__ = _('Gather data for a certificate signing request.')
--
-- NO_CLI = True
--
-- takes_options = (
-- Principal(
-- 'principal',
-- label=_('Principal'),
-- doc=_('Principal for this certificate (e.g.'
-- ' HTTP/test.example.com)'),
-- ),
-- Str(
-- 'profile_id?',
-- label=_('Profile ID'),
-- doc=_('CSR Generation Profile to use'),
-- ),
-- Bytes(
-- 'public_key_info',
-- label=_('Subject Public Key Info'),
-- doc=_('DER-encoded SubjectPublicKeyInfo structure'),
-- ),
-- Str(
-- 'out?',
-- doc=_('Write CertificationRequestInfo to file'),
-- ),
-- )
--
-- has_output = (
-- output.Output(
-- 'result',
-- type=dict,
-- doc=_('Dictionary mapping variable name to value'),
-- ),
-- )
--
-- has_output_params = (
-- Str(
-- 'request_info',
-- label=_('CertificationRequestInfo structure'),
-- )
-- )
--
-- def execute(self, *args, **options):
-- # Deferred import, ipaclient.csrgen is expensive to load.
-- # see https://pagure.io/freeipa/issue/7484
-- from ipaclient import csrgen
-- from ipaclient import csrgen_ffi
--
-- if 'out' in options:
-- util.check_writable_file(options['out'])
--
-- principal = options.get('principal')
-- profile_id = options.get('profile_id')
-- if profile_id is None:
-- profile_id = dogtag.DEFAULT_PROFILE
-- public_key_info = options.get('public_key_info')
-- public_key_info = base64.b64decode(public_key_info)
--
-- if self.api.env.in_server:
-- backend = self.api.Backend.ldap2
-- else:
-- backend = self.api.Backend.rpcclient
-- if not backend.isconnected():
-- backend.connect()
--
-- try:
-- if principal.is_host:
-- principal_obj = api.Command.host_show(
-- principal.hostname, all=True)
-- elif principal.is_service:
-- principal_obj = api.Command.service_show(
-- unicode(principal), all=True)
-- elif principal.is_user:
-- principal_obj = api.Command.user_show(
-- principal.username, all=True)
-- except errors.NotFound:
-- raise errors.NotFound(
-- reason=_("The principal for this request doesn't exist."))
-- principal_obj = principal_obj['result']
-- config = api.Command.config_show()['result']
--
-- generator = csrgen.CSRGenerator(csrgen.FileRuleProvider())
--
-- csr_config = generator.csr_config(principal_obj, config, profile_id)
--
request_info = base64.b64encode(csrgen_ffi.build_requestinfo(
-- csr_config.encode('utf8'), public_key_info))
--
-- result = {}
-- if 'out' in options:
-- with open(options['out'], 'wb') as f:
-- f.write(request_info)
-- else:
-- result = dict(request_info=request_info)
--
-- return dict(
-- result=result
-- )
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/setup.py freeipa-4.7.90.pre1/ipaclient/setup.py
---- freeipa-4.7.90.pre1.orig/ipaclient/setup.py 2019-04-29 17:06:41.393224529 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/setup.py 2019-05-06 18:33:16.002443738 +0200
-@@ -41,13 +41,6 @@
- "ipaclient.remote_plugins.2_156",
- "ipaclient.remote_plugins.2_164",
- ],
-- package_data={
-- 'ipaclient': [
-- 'csrgen/profiles/*.json',
-- 'csrgen/rules/*.json',
-- 'csrgen/templates/*.tmpl',
-- ],
-- },
- install_requires=[
- "cryptography",
- "ipalib",
-@@ -63,7 +56,6 @@
- extras_require={
- "install": ["ipaplatform"],
- "otptoken_yubikey": ["python-yubico", "pyusb"],
-- "csrgen": ["cffi", "jinja2"],
- "ldap": ["python-ldap"], # ipapython.ipaldap
- },
- zip_safe=False,
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
---- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf 2019-04-29 17:06:49.265114643 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf 1970-01-01 01:00:00.000000000 +0100
-@@ -1,16 +0,0 @@
--[ req ]
--prompt = no
--encrypt_key = no
--
--distinguished_name = sec0
--req_extensions = sec2
--
--[ sec0 ]
--O=DOMAIN.EXAMPLE.COM
--CN=machine.example.com
--
--[ sec1 ]
--DNS = machine.example.com
--
--[ sec2 ]
--subjectAltName = @sec1
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
----
freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf 2019-04-29 17:06:49.277114475 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf 1970-01-01 01:00:00.000000000 +0100
-@@ -1,16 +0,0 @@
--[ req ]
--prompt = no
--encrypt_key = no
--
--distinguished_name = sec0
--req_extensions = sec2
--
--[ sec0 ]
--O=DOMAIN.EXAMPLE.COM
--CN=testuser
--
--[ sec1 ]
--email = testuser@example.com
--
--[ sec2 ]
--subjectAltName = @sec1
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
---- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json 2019-04-29 17:06:49.283114391 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json 1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--[
-- {
-- "syntax": "basic",
-- "data": [
-- "options"
-- ]
-- }
--]
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
---- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json 2019-04-29 17:06:49.294114238 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json 1970-01-01 01:00:00.000000000 +0100
-@@ -1,5 +0,0 @@
--{
-- "rule": {
-- "template": "openssl_rule"
-- }
--}
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/options.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
---- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/options.json 2019-04-29 17:06:49.300114154 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/options.json 1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--{
-- "rule": {
-- "template": "openssl_rule"
--
},
-- "options": {
-- "rule_option": true
-- }
--}
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
---- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl 2019-04-29 17:06:49.313113973 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl 1970-01-01 01:00:00.000000000 +0100
-@@ -1 +0,0 @@
--{{ options|join(";") }}
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/test_csrgen.py freeipa-4.7.90.pre1/ipatests/test_ipaclient/test_csrgen.py
---- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/test_csrgen.py 2019-04-29 17:06:49.251114838 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/test_csrgen.py 1970-01-01 01:00:00.000000000 +0100
-@@ -1,304 +0,0 @@
--#
--# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
--#
--
--import os
--import pytest
--
--from cryptography.hazmat.backends import default_backend
--from cryptography.hazmat.primitives.asymmetric import rsa
--from cryptography import x509
--
--from ipaclient import csrgen, csrgen_ffi
--from ipalib import errors
--
--BASE_DIR = os.path.dirname(__file__)
--CSR_DATA_DIR = os.path.join(BASE_DIR, 'data', 'test_csrgen')
--
--
--@pytest.fixture
--def formatter():
-- return csrgen.Formatter(csr_data_dir=CSR_DATA_DIR)
--
--
--@pytest.fixture
--def rule_provider():
-- return csrgen.FileRuleProvider(csr_data_dir=CSR_DATA_DIR)
--
--
--@pytest.fixture
--def generator():
-- return csrgen.CSRGenerator(csrgen.FileRuleProvider())
--
--
--class StubRuleProvider(csrgen.RuleProvider):
-- def __init__(self):
-- self.syntax_rule = csrgen.Rule(
-- 'syntax', '{{datarules|join(",")}}', {})
-- self.data_rule = csrgen.Rule('data', 'data_template', {})
-- self.field_mapping = csrgen.FieldMapping(
-- 'example', self.syntax_rule, [self.data_rule])
-- self.rules =
[self.field_mapping] -- -- def rules_for_profile(self, profile_id): -- return self.rules -- -- --class IdentityFormatter(csrgen.Formatter): -- base_template_name = 'identity_base.tmpl' -- -- def __init__(self): -- super(IdentityFormatter, self).__init__(csr_data_dir=CSR_DATA_DIR) -- -- def _get_template_params(self, syntax_rules): -- return {'options': syntax_rules} -- -- --class test_Formatter: -- def test_prepare_data_rule_with_data_source(self, formatter): -- data_rule = csrgen.Rule('uid', '{{subject.uid.0}}', -- {'data_source': 'subject.uid.0'}) -- prepared = formatter._prepare_data_rule(data_rule) -- assert prepared == '{% if subject.uid.0 %}{{subject.uid.0}}{% endif %}' -- -- def test_prepare_data_rule_no_data_source(self, formatter): -- """Not a normal case, but we should handle it anyway""" -- data_rule = csrgen.Rule('uid', 'static_text', {}) -- prepared = formatter._prepare_data_rule(data_rule) -- assert prepared == 'static_text' -- -- def test_prepare_syntax_rule_with_data_sources(self, formatter): -- syntax_rule = csrgen.Rule( -- 'example', '{{datarules|join(",")}}', {}) -- data_rules = ['{{subject.field1}}', '{{subject.field2}}'] -- data_sources = ['subject.field1', 'subject.field2'] -- prepared = formatter._prepare_syntax_rule( -- syntax_rule, data_rules, 'example', data_sources) -- -- assert prepared == ( -- '{% if subject.field1 or subject.field2 %}{{subject.field1}},' -- '{{subject.field2}}{% endif %}') -- -- def test_prepare_syntax_rule_with_combinator(self, formatter): -- syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}', -- {'data_source_combinator': 'and'}) -- data_rules = ['{{subject.field1}}', '{{subject.field2}}'] -- data_sources = ['subject.field1', 'subject.field2'] -- prepared = formatter._prepare_syntax_rule( -- syntax_rule, data_rules, 'example', data_sources) -- -- assert prepared == ( -- '{% if subject.field1 and subject.field2 %}{{subject.field1}},' -- '{{subject.field2}}{% endif %}') -- -- def 
test_prepare_syntax_rule_required(self, formatter): -- syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}', -- {'required': True}) -- data_rules = ['{{subject.field1}}'] -- data_sources = ['subject.field1'] -- prepared = formatter._prepare_syntax_rule( -- syntax_rule, data_rules, 'example', data_sources) -- -- assert prepared == ( -- '{% filter required("example") %}{% if subject.field1 %}' -- '{{subject.field1}}{% endif %}{% endfilter %}') -- -- def test_prepare_syntax_rule_passthrough(self, formatter): -- """ -- Calls to macros defined as passthrough are still call tags in the final -- template. -- """ -- formatter._define_passthrough('example.macro') -- -- syntax_rule = csrgen.Rule( -- 'example', -- '{% call example.macro() %}{{datarules|join(",")}}{% endcall %}', -- {}) -- data_rules = ['{{subject.field1}}'] -- data_sources = ['subject.field1'] -- prepared = formatter._prepare_syntax_rule( -- syntax_rule, data_rules, 'example', data_sources) -- -- assert prepared == ( -- '{% if subject.field1 %}{% call example.macro() %}' -- '{{subject.field1}}{% endcall %}{% endif %}') -- -- def test_prepare_syntax_rule_no_data_sources(self, formatter): -- """Not a normal case, but we should handle it anyway""" -- syntax_rule = csrgen.Rule( -- 'example', '{{datarules|join(",")}}', {}) -- data_rules = ['rule1', 'rule2'] -- data_sources = [] -- prepared = formatter._prepare_syntax_rule( -- syntax_rule, data_rules, 'example', data_sources) -- -- assert prepared == 'rule1,rule2' -- -- --class test_FileRuleProvider: -- def test_rule_basic(self, rule_provider): -- rule_name = 'basic' -- -- rule = rule_provider._rule(rule_name) -- -- assert rule.template == 'openssl_rule' -- -- def test_rule_global_options(self, rule_provider): -- rule_name = 'options' -- -- rule = rule_provider._rule(rule_name) -- -- assert rule.options['rule_option'] is True -- -- def test_rule_nosuchrule(self, rule_provider): -- with pytest.raises(errors.NotFound): -- rule_provider._rule('nosuchrule') 
-- -- def test_rules_for_profile_success(self, rule_provider): -- rules = rule_provider.rules_for_profile('profile') -- -- assert len(rules) == 1 -- field_mapping = rules[0] -- assert field_mapping.syntax_rule.name == 'basic' -- assert len(field_mapping.data_rules) == 1 -- assert field_mapping.data_rules[0].name == 'options' -- -- def test_rules_for_profile_nosuchprofile(self, rule_provider): -- with pytest.raises(errors.NotFound): -- rule_provider.rules_for_profile('nosuchprofile') -- -- --class test_CSRGenerator: -- def test_userCert_OpenSSL(self, generator): -- principal = { -- 'uid': ['testuser'], -- 'mail': ['testuser@example.com'], -- } -- config = { -- 'ipacertificatesubjectbase': [ -- 'O=DOMAIN.EXAMPLE.COM' -- ], -- } -- -- script = generator.csr_config(principal, config, 'userCert') -- with open(os.path.join( -- CSR_DATA_DIR, 'configs', 'userCert.conf')) as f: -- expected_script = f.read() -- assert script == expected_script -- -- def test_caIPAserviceCert_OpenSSL(self, generator): -- principal = { -- 'krbprincipalname': [ -- 'HTTP/machine.example.com@DOMAIN.EXAMPLE.COM' -- ], -- } -- config = { -- 'ipacertificatesubjectbase': [ -- 'O=DOMAIN.EXAMPLE.COM' -- ], -- } -- -- script = generator.csr_config( -- principal, config, 'caIPAserviceCert') -- with open(os.path.join( -- CSR_DATA_DIR, 'configs', 'caIPAserviceCert.conf')) as f: -- expected_script = f.read() -- assert script == expected_script -- -- def test_works_with_lowercase_attr_type_shortname(self, generator): -- principal = { -- 'uid': ['testuser'], -- 'mail': ['testuser@example.com'], -- } -- template_env = { -- 'ipacertificatesubjectbase': [ -- 'o=DOMAIN.EXAMPLE.COM' # lower-case attr type shortname -- ], -- } -- config = generator.csr_config(principal, template_env, 'userCert') -- -- key = rsa.generate_private_key( -- public_exponent=65537, -- key_size=2048, -- backend=default_backend(), -- ) -- adaptor = csrgen.OpenSSLAdaptor(key=key) -- -- reqinfo = bytes(csrgen_ffi.build_requestinfo( -- 
config.encode('utf-8'), adaptor.get_subject_public_key_info())) -- csr_der = adaptor.sign_csr(reqinfo) -- csr = x509.load_der_x509_csr(csr_der, default_backend()) -- assert ( -- csr.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME) -- == [x509.NameAttribute(x509.NameOID.COMMON_NAME, u'testuser')] -- ) -- assert ( -- csr.subject.get_attributes_for_oid(x509.NameOID.ORGANIZATION_NAME) -- == [x509.NameAttribute( -- x509.NameOID.ORGANIZATION_NAME, u'DOMAIN.EXAMPLE.COM')] -- ) -- -- def test_unrecognised_attr_type_raises(self, generator): -- principal = { -- 'uid': ['testuser'], -- 'mail': ['testuser@example.com'], -- } -- template_env = { -- 'ipacertificatesubjectbase': [ -- 'X=DOMAIN.EXAMPLE.COM' # unrecognised attr type -- ], -- } -- config = generator.csr_config(principal, template_env, 'userCert') -- -- key = rsa.generate_private_key( -- public_exponent=65537, -- key_size=2048, -- backend=default_backend(), -- ) -- adaptor = csrgen.OpenSSLAdaptor(key=key) -- -- with pytest.raises( -- errors.CSRTemplateError, -- message='unrecognised attribute type: X'): -- csrgen_ffi.build_requestinfo( -- config.encode('utf-8'), adaptor.get_subject_public_key_info()) -- -- --class test_rule_handling: -- def test_optionalAttributeMissing(self, generator): -- principal = {'uid': 'testuser'} -- rule_provider = StubRuleProvider() -- rule_provider.data_rule.template = '{{subject.mail}}' -- rule_provider.data_rule.options = {'data_source': 'subject.mail'} -- generator = csrgen.CSRGenerator( -- rule_provider, formatter_class=IdentityFormatter) -- -- script = generator.csr_config( -- principal, {}, 'example') -- assert script == '\n' -- -- def test_twoDataRulesOneMissing(self, generator): -- principal = {'uid': 'testuser'} -- rule_provider = StubRuleProvider() -- rule_provider.data_rule.template = '{{subject.mail}}' -- rule_provider.data_rule.options = {'data_source': 'subject.mail'} -- rule_provider.field_mapping.data_rules.append(csrgen.Rule( -- 'data2', '{{subject.uid}}', 
{'data_source': 'subject.uid'})) -- generator = csrgen.CSRGenerator( -- rule_provider, formatter_class=IdentityFormatter) -- -- script = generator.csr_config(principal, {}, 'example') -- assert script == ',testuser\n' -- -- def test_requiredAttributeMissing(self): -- principal = {'uid': 'testuser'} -- rule_provider = StubRuleProvider() -- rule_provider.data_rule.template = '{{subject.mail}}' -- rule_provider.data_rule.options = {'data_source': 'subject.mail'} -- rule_provider.syntax_rule.options = {'required': True} -- generator = csrgen.CSRGenerator( -- rule_provider, formatter_class=IdentityFormatter) -- -- with pytest.raises(errors.CSRTemplateError): -- _script = generator.csr_config( -- principal, {}, 'example') diff --git a/SOURCES/1002-4.8.0-Remove-csrgen.patch b/SOURCES/1002-4.8.0-Remove-csrgen.patch new file mode 100644 index 0000000..8b7e374 --- /dev/null +++ b/SOURCES/1002-4.8.0-Remove-csrgen.patch 
@@ -0,0 +1,2051 @@
+Addtional patches that need to be partly reverted that are touching csrgen
+related files:
+
+7b8a2af2197381058ca532d1ae206defb16fac88
+ac6568dcf58ec8d06df5493d14a28aa41845d4ef
+9c86d35a3f0af4a793fada7dfe726e9cc66782ea
+9836511a2b6d7cf48b1a54cb3158e5eac674081a
+b431e9b684df11c811892bd9d2a5711355f0076e
+
+This is a collection of an existing patch to remove csrgen for 4.7.1 and
+additional patches that have been added for 4.7.90 pre1.
+
+Additional reverted csrgen patches:
+
+852618fd6529fbdd7b03077fae37c6fbbe45b51b
+0ac1d3ea62efd9751fcc59cea46bcdafe1f11c37
+7633d62d858c14523a99143aa0ff36f76bb4ff68
+53f87ee5cd9d19f6fb91a9a1eafc8ea798095954
+395a68d20887d0ac010e480e68b225d6dfeff726
+03786ad9f3bd5edc351040847b8a49c9cd9288b2
+c9d710a446d10aad72795e15bf041b87102628c1
+2b90c8a20e45ade9bfd27731cccc94a34cf3f61e
+61dde27f70b9f8dd1b57ad1fbc3744f3c380613a
+806784dbd9e69a89c7a705c89bf42ba1fd4265c9
+79378c90512a1cdd5f3d5ec6482e434caea06e01
+bd5a5012d24820b54cdca2955f5405b84de1178c
+26ab51ddf47f421f3404709052db89f08c05adaa
+a53e17830c3d4fd59a62248d4447491675c6a80e
+e7588ab2dc73e7f66ebc6cdcfb99470540e37731
+136c6c3e2a4f77a27f435efd4a1cd95c9e089314
+5420e9cfbe7803808b6e26d2dae64f2a6a50149a
+
+Original patch from 4.7.1:
+
+From 468bcf90cb985e2b1eb394bd752dc39aa4b75582 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 19 Jul 2018 18:37:18 -0400
+Subject: [PATCH] Remove csrgen
+
+This reverts commits:
+* 72de679eb445c975ec70cd265d37d4927823ce5b
+* 177f07e163d6d591a1e609d35e0a6f6f5347551e
+* 80be18162921268be9c8981495c9e8a4de0c85cd
+* 83e2c2b65eeb5a3aa4a59c0535e9177aac5e4637
+* ada91c20588046bb147fc701718d3da4d2c080ca
+* 4350dcdea22fd2284836315d0ae7d38733a7620e
+* 39a5d9c5aae77687f67d9be02457733bdfb99ead
+* a26cf0d7910dd4c0a4da08682b4be8d3d94ba520
+* afd7c05d11432304bfdf183832a21d419f363689
+* f1a1c6eca1b294f24174d7b0e1f78de46d9d5b05
+* fc58eff6a3d7fe805e612b8b002304d8b9cd4ba9
+* 10ef5947860f5098182b1f95c08c1158e2da15f9
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1432630 +--- + freeipa.spec.in | 14 - + ipaclient/csrgen.py | 488 --------------------- + ipaclient/csrgen/profiles/caIPAserviceCert.json | 15 - + ipaclient/csrgen/profiles/userCert.json | 15 - + ipaclient/csrgen/rules/dataDNS.json | 8 - + ipaclient/csrgen/rules/dataEmail.json | 8 - + ipaclient/csrgen/rules/dataHostCN.json | 8 - + ipaclient/csrgen/rules/dataSubjectBase.json | 8 - + ipaclient/csrgen/rules/dataUsernameCN.json | 8 - + ipaclient/csrgen/rules/syntaxSAN.json | 8 - + ipaclient/csrgen/rules/syntaxSubject.json | 9 - + ipaclient/csrgen/templates/openssl_base.tmpl | 17 - + ipaclient/csrgen/templates/openssl_macros.tmpl | 29 -- + ipaclient/csrgen_ffi.py | 331 -------------- + ipaclient/plugins/cert.py | 80 ---- + ipaclient/plugins/csrgen.py | 128 ------ + ipaclient/setup.py | 8 - + .../data/test_csrgen/configs/caIPAserviceCert.conf | 16 - + .../data/test_csrgen/configs/userCert.conf | 16 - + .../data/test_csrgen/profiles/profile.json | 8 - + .../data/test_csrgen/rules/basic.json | 5 - + .../data/test_csrgen/rules/options.json | 8 - + .../data/test_csrgen/templates/identity_base.tmpl | 1 - + ipatests/test_ipaclient/test_csrgen.py | 304 ------------- + 24 files changed, 1540 deletions(-) + delete mode 100644 ipaclient/csrgen.py + delete mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json + delete mode 100644 ipaclient/csrgen/profiles/userCert.json + delete mode 100644 ipaclient/csrgen/rules/dataDNS.json + delete mode 100644 ipaclient/csrgen/rules/dataEmail.json + delete mode 100644 ipaclient/csrgen/rules/dataHostCN.json + delete mode 100644 ipaclient/csrgen/rules/dataSubjectBase.json + delete mode 100644 ipaclient/csrgen/rules/dataUsernameCN.json + delete mode 100644 ipaclient/csrgen/rules/syntaxSAN.json + delete mode 100644 ipaclient/csrgen/rules/syntaxSubject.json + delete mode 100644 ipaclient/csrgen/templates/openssl_base.tmpl + delete mode 100644 ipaclient/csrgen/templates/openssl_macros.tmpl + delete 
mode 100644 ipaclient/csrgen_ffi.py + delete mode 100644 ipaclient/plugins/csrgen.py + delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf + delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf + delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json + delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/basic.json + delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/options.json + delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl + delete mode 100644 ipatests/test_ipaclient/test_csrgen.py + +diff -urN freeipa-4.8.0/freeipa.spec.in freeipa-4.8.0.removed_csrgen/freeipa.spec.in +--- freeipa-4.8.0/freeipa.spec.in 2019-06-29 10:01:30.458735813 +0200 ++++ freeipa-4.8.0.removed_csrgen/freeipa.spec.in 2019-07-03 13:24:38.471222723 +0200 +@@ -1247,13 +1247,6 @@ + %dir %{python3_sitelib}/ipaclient/remote_plugins/2_* + %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py + %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* +-%dir %{python3_sitelib}/ipaclient/csrgen +-%dir %{python3_sitelib}/ipaclient/csrgen/profiles +-%{python3_sitelib}/ipaclient/csrgen/profiles/*.json +-%dir %{python3_sitelib}/ipaclient/csrgen/rules +-%{python3_sitelib}/ipaclient/csrgen/rules/*.json +-%dir %{python3_sitelib}/ipaclient/csrgen/templates +-%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl + %{python3_sitelib}/ipaclient-*.egg-info + + +diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json +--- freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json 2019-07-03 08:42:41.844539797 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,15 +0,0 @@ +-[ +- { +- "syntax": "syntaxSubject", +- "data": [ +- "dataHostCN", +- "dataSubjectBase" +- ] +- }, +- 
{ +- "syntax": "syntaxSAN", +- "data": [ +- "dataDNS" +- ] +- } +-] +diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json +--- freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json 2019-07-03 08:42:41.848539737 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,15 +0,0 @@ +-[ +- { +- "syntax": "syntaxSubject", +- "data": [ +- "dataUsernameCN", +- "dataSubjectBase" +- ] +- }, +- { +- "syntax": "syntaxSAN", +- "data": [ +- "dataEmail" +- ] +- } +-] +diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json +--- freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json 2019-07-03 08:42:41.853539663 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,8 +0,0 @@ +-{ +- "rule": { +- "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}" +- }, +- "options": { +- "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]" +- } +-} +diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json +--- freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json 2019-07-03 08:42:41.857539603 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,8 +0,0 @@ +-{ +- "rule": { +- "template": "email = {{subject.mail.0}}" +- }, +- "options": { +- "data_source": "subject.mail.0" +- } +-} +diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json +--- freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json 2019-07-03 08:42:41.861539544 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,8 +0,0 @@ +-{ +- 
"rule": { +- "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}" +- }, +- "options": { +- "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]" +- } +-} +diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json +--- freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json 2019-07-03 08:42:41.865539484 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,8 +0,0 @@ +-{ +- "rule": { +- "template": "{{config.ipacertificatesubjectbase.0}}" +- }, +- "options": { +- "data_source": "config.ipacertificatesubjectbase.0" +- } +-} +diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json +--- freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json 2019-07-03 08:42:41.869539424 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,8 +0,0 @@ +-{ +- "rule": { +- "template": "CN={{subject.uid.0}}" +- }, +- "options": { +- "data_source": "subject.uid.0" +- } +-} +diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json +--- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json 2019-07-03 08:42:41.874539350 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,8 +0,0 @@ +-{ +- "rule": { +- "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}" +- }, +- "options": { +- "extension": true +- } +-} +diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json +--- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json 2019-07-03 08:42:41.878539290 +0200 ++++ 
freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,9 +0,0 @@ +-{ +- "rule": { +- "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}" +- }, +- "options": { +- "required": true, +- "data_source_combinator": "and" +- } +-} +diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl +--- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl 2019-07-03 08:42:41.882539231 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl 1970-01-01 01:00:00.000000000 +0100 +@@ -1,17 +0,0 @@ +-{% raw -%} +-{% import "openssl_macros.tmpl" as openssl -%} +-{% endraw -%} +-[ req ] +-prompt = no +-encrypt_key = no +- +-{{ parameters|join('\n') }} +-{% raw %}{% set rendered_extensions -%}{% endraw %} +-{{ extensions|join('\n') }} +-{% raw -%} +-{%- endset -%} +-{% if rendered_extensions -%} +-req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %} +-{% endif %} +-{{ openssl.openssl_sections|join('\n\n') }} +-{%- endraw %} +diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl +--- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl 2019-07-03 08:42:41.886539171 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl 1970-01-01 01:00:00.000000000 +0100 +@@ -1,29 +0,0 @@ +-{# List containing rendered sections to be included at end #} +-{% set openssl_sections = [] %} +- +-{# +-List containing one entry for each section name allocated. Because of +-scoping rules, we need to use a list so that it can be a "per-render global" +-that gets updated in place. 
Real globals are shared by all templates with the +-same environment, and variables defined in the macro don't persist after the +-macro invocation ends. +-#} +-{% set openssl_section_num = [] %} +- +-{% macro section() -%} +-{% set name -%} +-sec{{ openssl_section_num|length -}} +-{% endset -%} +-{% do openssl_section_num.append('') -%} +-{% set contents %}{{ caller() }}{% endset -%} +-{% if contents -%} +-{% set sectiondata = formatsection(name, contents) -%} +-{% do openssl_sections.append(sectiondata) -%} +-{% endif -%} +-{{ name -}} +-{% endmacro %} +- +-{% macro formatsection(name, contents) -%} +-[ {{ name }} ] +-{{ contents -}} +-{% endmacro %} +diff -urN freeipa-4.8.0/ipaclient/csrgen_ffi.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py +--- freeipa-4.8.0/ipaclient/csrgen_ffi.py 2019-07-03 08:42:41.816540214 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py 1970-01-01 01:00:00.000000000 +0100 +@@ -1,387 +0,0 @@ +-from cffi import FFI +-import ctypes.util +- +-from ipalib import errors +- +-_ffi = FFI() +- +-_ffi.cdef(''' +-/* libcrypto/crypto.h */ +-unsigned long OpenSSL_version_num(void); +-unsigned long SSLeay(void); +-const char * OpenSSL_version(int t); +-const char * SSLeay_version(int t); +- +-#define OPENSSL_VERSION 0 +-''') +- +-_libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto')) +- +-# SSLeay_version has been renamed with OpenSSL_version in OpenSSL 1.1.0 +-# LibreSSL has OpenSSL_version since 2.7.0 +-try: +- OpenSSL_version = _libcrypto.OpenSSL_version +-except AttributeError: +- OpenSSL_version = _libcrypto.SSLeay_version +- +-_version = OpenSSL_version(_libcrypto.OPENSSL_VERSION) +-_version = _ffi.string(_version).decode('utf-8') +-LIBRESSL = _version.startswith('LibreSSL') +-if not _version.startswith("OpenSSL") and not LIBRESSL: +- raise ImportError("Only LibreSSL and OpenSSL are supported") +- +-# SSLeay has been renamed with OpenSSL_version_num in OpenSSL 1.1.0 +-# LibreSSL has OpenSSL_version_num since 2.7.0 
+-try: +- OpenSSL_version_num = _libcrypto.OpenSSL_version_num +-except AttributeError: +- OpenSSL_version_num = _libcrypto.SSLeay +- +-# OpenSSL_version_num()/SSLeay() returns the value of OPENSSL_VERSION_NUMBER +-# +-# OPENSSL_VERSION_NUMBER is a numeric release version identifier: +-# MNNFFPPS: major minor fix patch status +-# For example, +-# 0x000906000 == 0.9.6 dev +-# 0x000906023 == 0.9.6b beta 3 +-# 0x00090605f == 0.9.6e release +-_openssl_version = OpenSSL_version_num() +- +-_ffi.cdef(''' +-typedef ... CONF; +-typedef ... CONF_METHOD; +-typedef ... BIO; +-typedef ... ipa_STACK_OF_CONF_VALUE; +- +-/* openssl/conf.h */ +-typedef struct { +- char *section; +- char *name; +- char *value; +-} CONF_VALUE; +- +-CONF *NCONF_new(CONF_METHOD *meth); +-void NCONF_free(CONF *conf); +-int NCONF_load_bio(CONF *conf, BIO *bp, long *eline); +-ipa_STACK_OF_CONF_VALUE *NCONF_get_section(const CONF *conf, +- const char *section); +-char *NCONF_get_string(const CONF *conf, const char *group, const char *name); +- +-/* openssl/safestack.h */ +-// int sk_CONF_VALUE_num(ipa_STACK_OF_CONF_VALUE *); +-// CONF_VALUE *sk_CONF_VALUE_value(ipa_STACK_OF_CONF_VALUE *, int); +- +-/* openssl/stack.h */ +-typedef ... _STACK; +- +-int OPENSSL_sk_num(const _STACK *); +-void *OPENSSL_sk_value(const _STACK *, int); +- +-int sk_num(const _STACK *); +-void *sk_value(const _STACK *, int); +- +-/* openssl/bio.h */ +-BIO *BIO_new_mem_buf(const void *buf, int len); +-int BIO_free(BIO *a); +- +-/* openssl/asn1.h */ +-typedef struct ASN1_ENCODING_st { +- unsigned char *enc; /* DER encoding */ +- long len; /* Length of encoding */ +- int modified; /* set to 1 if 'enc' is invalid */ +-} ASN1_ENCODING; +- +-/* openssl/evp.h */ +-typedef ... EVP_PKEY; +- +-void EVP_PKEY_free(EVP_PKEY *pkey); +- +-/* openssl/x509.h */ +-typedef ... ASN1_INTEGER; +-typedef ... ASN1_BIT_STRING; +-typedef ... ASN1_OBJECT; +-typedef ... X509; +-typedef ... X509_CRL; +-typedef ... X509_NAME; +-typedef ... 
X509_PUBKEY; +-typedef ... ipa_STACK_OF_X509_ATTRIBUTE; +- +-typedef struct X509_req_info_st { +- ASN1_ENCODING enc; +- ASN1_INTEGER *version; +- X509_NAME *subject; +- X509_PUBKEY *pubkey; +- /* d=2 hl=2 l= 0 cons: cont: 00 */ +- ipa_STACK_OF_X509_ATTRIBUTE *attributes; /* [ 0 ] */ +-} X509_REQ_INFO; +-''') +- +-# since OpenSSL 1.1.0 req_info field is no longer pointer to X509_REQ_INFO +-if _openssl_version >= 0x10100000 and not LIBRESSL: +- _ffi.cdef(''' +- typedef struct X509_req_st { +- X509_REQ_INFO req_info; +- } X509_REQ; +- ''') +-else: +- _ffi.cdef(''' +- typedef struct X509_req_st { +- X509_REQ_INFO *req_info; +- } X509_REQ; +- ''') +- +-_ffi.cdef(''' +-X509_REQ *X509_REQ_new(void); +-void X509_REQ_free(X509_REQ *); +-EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); +-int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey); +-int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, +- const unsigned char *bytes, int len, int loc, +- int set); +-int X509_NAME_entry_count(X509_NAME *name); +-int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **out); +- +-/* openssl/objects.h */ +-ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name); +- +-/* openssl/x509v3.h */ +-typedef ... 
X509V3_CONF_METHOD; +- +-typedef struct v3_ext_ctx { +- int flags; +- X509 *issuer_cert; +- X509 *subject_cert; +- X509_REQ *subject_req; +- X509_CRL *crl; +- X509V3_CONF_METHOD *db_meth; +- void *db; +-} X509V3_CTX; +- +-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, +- X509_REQ *req, X509_CRL *crl, int flags); +-void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf); +-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, +- X509_REQ *req); +- +-/* openssl/x509v3.h */ +-unsigned long ERR_get_error(void); +-char *ERR_error_string(unsigned long e, char *buf); +-''') # noqa: E501 +- +-NULL = _ffi.NULL +-# openssl/conf.h +-NCONF_new = _libcrypto.NCONF_new +-NCONF_free = _libcrypto.NCONF_free +-NCONF_load_bio = _libcrypto.NCONF_load_bio +-NCONF_get_section = _libcrypto.NCONF_get_section +-NCONF_get_string = _libcrypto.NCONF_get_string +- +-# openssl/stack.h +-try: +- sk_num = _libcrypto.OPENSSL_sk_num +- sk_value = _libcrypto.OPENSSL_sk_value +-except AttributeError: +- sk_num = _libcrypto.sk_num +- sk_value = _libcrypto.sk_value +- +- +-def sk_CONF_VALUE_num(sk): +- return sk_num(_ffi.cast("_STACK *", sk)) +- +- +-def sk_CONF_VALUE_value(sk, i): +- return _ffi.cast("CONF_VALUE *", sk_value(_ffi.cast("_STACK *", sk), i)) +- +- +-# openssl/bio.h +-BIO_new_mem_buf = _libcrypto.BIO_new_mem_buf +-BIO_free = _libcrypto.BIO_free +- +-# openssl/x509.h +-X509_REQ_new = _libcrypto.X509_REQ_new +-X509_REQ_free = _libcrypto.X509_REQ_free +-X509_REQ_set_pubkey = _libcrypto.X509_REQ_set_pubkey +-d2i_PUBKEY_bio = _libcrypto.d2i_PUBKEY_bio +-i2d_X509_REQ_INFO = _libcrypto.i2d_X509_REQ_INFO +-X509_NAME_add_entry_by_OBJ = _libcrypto.X509_NAME_add_entry_by_OBJ +-X509_NAME_entry_count = _libcrypto.X509_NAME_entry_count +- +- +-def X509_REQ_get_subject_name(req): +- return req.req_info.subject +- +- +-# openssl/objects.h +-OBJ_txt2obj = _libcrypto.OBJ_txt2obj +- +-# openssl/evp.h +-EVP_PKEY_free = _libcrypto.EVP_PKEY_free +- +-# openssl/asn1.h 
+-MBSTRING_UTF8 = 0x1000 +- +-# openssl/x509v3.h +-X509V3_set_ctx = _libcrypto.X509V3_set_ctx +-X509V3_set_nconf = _libcrypto.X509V3_set_nconf +-X509V3_EXT_REQ_add_nconf = _libcrypto.X509V3_EXT_REQ_add_nconf +- +-# openssl/err.h +-ERR_get_error = _libcrypto.ERR_get_error +-ERR_error_string = _libcrypto.ERR_error_string +- +- +-def _raise_openssl_errors(): +- msgs = [] +- +- code = ERR_get_error() +- while code != 0: +- msg = _ffi.string(ERR_error_string(code, NULL)) +- try: +- strmsg = msg.decode('utf-8') +- except UnicodeDecodeError: +- strmsg = repr(msg) +- msgs.append(strmsg) +- code = ERR_get_error() +- +- raise errors.CSRTemplateError(reason='\n'.join(msgs)) +- +- +-def _parse_dn_section(subj, dn_sk): +- for i in range(sk_CONF_VALUE_num(dn_sk)): +- v = sk_CONF_VALUE_value(dn_sk, i) +- rdn_type = _ffi.string(v.name) +- +- # Skip past any leading X. X: X, etc to allow for multiple instances +- for idx, c in enumerate(rdn_type): +- if c in b':,.': +- if idx+1 < len(rdn_type): +- rdn_type = rdn_type[idx+1:] +- break +- if rdn_type.startswith(b'+'): +- rdn_type = rdn_type[1:] +- mval = -1 +- else: +- mval = 0 +- +- # convert rdn_type to an OID +- # +- # OpenSSL is fussy about the case of the string. For example, +- # lower-case 'o' (for "organization name") is not recognised. +- # Therefore, try to convert the given string into an OID. If +- # that fails, convert it upper case and try again. 
+- # +- oid = OBJ_txt2obj(rdn_type, 0) +- if oid == NULL: +- oid = OBJ_txt2obj(rdn_type.upper(), 0) +- if oid == NULL: +- raise errors.CSRTemplateError( +- reason='unrecognised attribute type: {}' +- .format(rdn_type.decode('utf-8'))) +- +- if not X509_NAME_add_entry_by_OBJ( +- subj, oid, MBSTRING_UTF8, +- _ffi.cast("unsigned char *", v.value), -1, -1, mval): +- _raise_openssl_errors() +- +- if not X509_NAME_entry_count(subj): +- raise errors.CSRTemplateError( +- reason='error, subject in config file is empty') +- +- +-def build_requestinfo(config, public_key_info): +- ''' +- Return a cffi buffer containing a DER-encoded CertificationRequestInfo. +- +- The returned object implements the buffer protocol. +- +- ''' +- reqdata = NULL +- req = NULL +- nconf_bio = NULL +- pubkey_bio = NULL +- pubkey = NULL +- +- try: +- reqdata = NCONF_new(NULL) +- if reqdata == NULL: +- _raise_openssl_errors() +- +- nconf_bio = BIO_new_mem_buf(config, len(config)) +- errorline = _ffi.new('long[1]', [-1]) +- i = NCONF_load_bio(reqdata, nconf_bio, errorline) +- if i < 0: +- if errorline[0] < 0: +- raise errors.CSRTemplateError(reason="Can't load config file") +- else: +- raise errors.CSRTemplateError( +- reason='Error on line %d of config file' % errorline[0]) +- +- dn_sect = NCONF_get_string(reqdata, b'req', b'distinguished_name') +- if dn_sect == NULL: +- raise errors.CSRTemplateError( +- reason='Unable to find "distinguished_name" key in config') +- +- dn_sk = NCONF_get_section(reqdata, dn_sect) +- if dn_sk == NULL: +- raise errors.CSRTemplateError( +- reason='Unable to find "%s" section in config' % +- _ffi.string(dn_sect)) +- +- pubkey_bio = BIO_new_mem_buf(public_key_info, len(public_key_info)) +- pubkey = d2i_PUBKEY_bio(pubkey_bio, NULL) +- if pubkey == NULL: +- _raise_openssl_errors() +- +- req = X509_REQ_new() +- if req == NULL: +- _raise_openssl_errors() +- +- subject = X509_REQ_get_subject_name(req) +- +- _parse_dn_section(subject, dn_sk) +- +- if not X509_REQ_set_pubkey(req, 
pubkey): +- _raise_openssl_errors() +- +- ext_ctx = _ffi.new("X509V3_CTX[1]") +- X509V3_set_ctx(ext_ctx, NULL, NULL, req, NULL, 0) +- X509V3_set_nconf(ext_ctx, reqdata) +- +- extn_section = NCONF_get_string(reqdata, b"req", b"req_extensions") +- if extn_section != NULL: +- if not X509V3_EXT_REQ_add_nconf( +- reqdata, ext_ctx, extn_section, req): +- _raise_openssl_errors() +- +- if _openssl_version < 0x10100000 or LIBRESSL: +- der_len = i2d_X509_REQ_INFO(req.req_info, NULL) +- else: +- req_info = _ffi.new("X509_REQ_INFO *", req.req_info) +- der_len = i2d_X509_REQ_INFO(req_info, NULL) +- req.req_info = req_info[0] +- if der_len < 0: +- _raise_openssl_errors() +- +- der_buf = _ffi.new("unsigned char[%d]" % der_len) +- der_out = _ffi.new("unsigned char **", der_buf) +- if _openssl_version < 0x10100000 or LIBRESSL: +- der_len = i2d_X509_REQ_INFO(req.req_info, der_out) +- else: +- der_len = i2d_X509_REQ_INFO(req_info, der_out) +- req.req_info = req_info[0] +- if der_len < 0: +- _raise_openssl_errors() +- +- return _ffi.buffer(der_buf, der_len) +- +- finally: +- if reqdata != NULL: +- NCONF_free(reqdata) +- if req != NULL: +- X509_REQ_free(req) +- if nconf_bio != NULL: +- BIO_free(nconf_bio) +- if pubkey_bio != NULL: +- BIO_free(pubkey_bio) +- if pubkey != NULL: +- EVP_PKEY_free(pubkey) +diff -urN freeipa-4.8.0/ipaclient/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py +--- freeipa-4.8.0/ipaclient/csrgen.py 2019-07-03 08:42:41.811540288 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py 1970-01-01 01:00:00.000000000 +0100 +@@ -1,488 +0,0 @@ +-# +-# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +-# +- +-import base64 +-import collections +-import errno +-import json +-import logging +-import os +-import os.path +-import pipes +-import subprocess +-import traceback +-import codecs +- +-import pkg_resources +- +-from cryptography.hazmat.backends import default_backend +-from cryptography.hazmat.primitives.asymmetric import padding +-from 
cryptography.hazmat.primitives import hashes +-from cryptography.hazmat.primitives.serialization import ( +- load_pem_private_key, Encoding, PublicFormat) +-from cryptography.x509 import load_pem_x509_certificate +-import jinja2 +-import jinja2.ext +-import jinja2.sandbox +-from pyasn1.codec.der import decoder, encoder +-from pyasn1.type import univ +-from pyasn1_modules import rfc2314 +-import six +- +-from ipalib import api +-from ipalib import errors +-from ipalib.text import _ +- +-if six.PY3: +- unicode = str +- +-__doc__ = _(""" +-Routines for constructing certificate signing requests using IPA data and +-stored templates. +-""") +- +-logger = logging.getLogger(__name__) +- +- +-class IndexableUndefined(jinja2.Undefined): +- def __getitem__(self, key): +- return jinja2.Undefined( +- hint=self._undefined_hint, obj=self._undefined_obj, +- name=self._undefined_name, exc=self._undefined_exception) +- +- +-class IPAExtension(jinja2.ext.Extension): +- """Jinja2 extension providing useful features for CSR generation rules.""" +- +- def __init__(self, environment): +- super(IPAExtension, self).__init__(environment) +- +- environment.filters.update( +- quote=self.quote, +- required=self.required, +- ) +- +- def quote(self, data): +- return pipes.quote(data) +- +- def required(self, data, name): +- if not data: +- raise errors.CSRTemplateError( +- reason=_( +- 'Required CSR generation rule %(name)s is missing data') % +- {'name': name}) +- return data +- +- +-class Formatter: +- """ +- Class for processing a set of CSR generation rules into a template. +- +- The template can be rendered with user and database data to produce a +- config, which specifies how to build a CSR. +- +- Subclasses of Formatter should set the value of base_template_name to the +- filename of a base template with spaces for the processed rules. +- Additionally, they should override the _get_template_params method to +- produce the correct output for the base template. 
+- """ +- base_template_name = None +- +- def __init__(self, csr_data_dir=None): +- # chain loaders: +- # 1) csr_data_dir/templates +- # 2) /etc/ipa/csrgen/templates +- # 3) ipaclient/csrgen/templates +- loaders = [] +- if csr_data_dir is not None: +- loaders.append(jinja2.FileSystemLoader( +- os.path.join(csr_data_dir, 'templates')) +- ) +- loaders.append(jinja2.FileSystemLoader( +- os.path.join(api.env.confdir, 'csrgen/templates')) +- ) +- loaders.append(jinja2.PackageLoader('ipaclient', 'csrgen/templates')) +- +- self.jinja2 = jinja2.sandbox.SandboxedEnvironment( +- loader=jinja2.ChoiceLoader(loaders), +- extensions=[jinja2.ext.ExprStmtExtension, IPAExtension], +- keep_trailing_newline=True, undefined=IndexableUndefined) +- +- self.passthrough_globals = {} +- +- def _define_passthrough(self, call): +- """Some macros are meant to be interpreted during the final render, not +- when data rules are interpolated into syntax rules. This method allows +- those macros to be registered so that calls to them are passed through +- to the prepared rule rather than interpreted. +- """ +- +- def passthrough(caller): +- return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller()) +- +- parts = call.split('.') +- current_level = self.passthrough_globals +- for part in parts[:-1]: +- if part not in current_level: +- current_level[part] = {} +- current_level = current_level[part] +- current_level[parts[-1]] = passthrough +- +- def build_template(self, rules): +- """ +- Construct a template that can produce CSR generator strings. +- +- :param rules: list of FieldMapping to use to populate the template. +- +- :returns: jinja2.Template that can be rendered to produce the CSR data. 
+- """ +- syntax_rules = [] +- for field_mapping in rules: +- data_rules_prepared = [ +- self._prepare_data_rule(rule) +- for rule in field_mapping.data_rules] +- +- data_sources = [] +- for xrule in field_mapping.data_rules: +- data_source = xrule.options.get('data_source') +- if data_source: +- data_sources.append(data_source) +- +- syntax_rules.append(self._prepare_syntax_rule( +- field_mapping.syntax_rule, data_rules_prepared, +- field_mapping.description, data_sources)) +- +- template_params = self._get_template_params(syntax_rules) +- base_template = self.jinja2.get_template( +- self.base_template_name, globals=self.passthrough_globals) +- +- try: +- combined_template_source = base_template.render(**template_params) +- except jinja2.UndefinedError: +- logger.debug(traceback.format_exc()) +- raise errors.CSRTemplateError(reason=_( +- 'Template error when formatting certificate data')) +- +- logger.debug( +- 'Formatting with template: %s', combined_template_source) +- combined_template = self.jinja2.from_string(combined_template_source) +- +- return combined_template +- +- def _wrap_conditional(self, rule, condition): +- rule = '{%% if %s %%}%s{%% endif %%}' % (condition, rule) +- return rule +- +- def _wrap_required(self, rule, description): +- template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % ( +- description, rule) +- +- return template +- +- def _prepare_data_rule(self, data_rule): +- template = data_rule.template +- +- data_source = data_rule.options.get('data_source') +- if data_source: +- template = self._wrap_conditional(template, data_source) +- +- return template +- +- def _prepare_syntax_rule( +- self, syntax_rule, data_rules, description, data_sources): +- logger.debug('Syntax rule template: %s', syntax_rule.template) +- template = self.jinja2.from_string( +- syntax_rule.template, globals=self.passthrough_globals) +- is_required = syntax_rule.options.get('required', False) +- try: +- prepared_template = 
template.render(datarules=data_rules) +- except jinja2.UndefinedError: +- logger.debug(traceback.format_exc()) +- raise errors.CSRTemplateError(reason=_( +- 'Template error when formatting certificate data')) +- +- if data_sources: +- combinator = ' %s ' % syntax_rule.options.get( +- 'data_source_combinator', 'or') +- condition = combinator.join(data_sources) +- prepared_template = self._wrap_conditional( +- prepared_template, condition) +- +- if is_required: +- prepared_template = self._wrap_required( +- prepared_template, description) +- +- return prepared_template +- +- def _get_template_params(self, syntax_rules): +- """ +- Package the syntax rules into fields expected by the base template. +- +- :param syntax_rules: list of prepared syntax rules to be included in +- the template. +- +- :returns: dict of values needed to render the base template. +- """ +- raise NotImplementedError('Formatter class must be subclassed') +- +- +-class OpenSSLFormatter(Formatter): +- """Formatter class generating the openssl config-file format.""" +- +- base_template_name = 'openssl_base.tmpl' +- +- # Syntax rules are wrapped in this data structure, to keep track of whether +- # each goes in the extension or the root section +- SyntaxRule = collections.namedtuple( +- 'SyntaxRule', ['template', 'is_extension']) +- +- def __init__(self, *args, **kwargs): +- super(OpenSSLFormatter, self).__init__(*args, **kwargs) +- self._define_passthrough('openssl.section') +- +- def _get_template_params(self, syntax_rules): +- parameters = [rule.template for rule in syntax_rules +- if not rule.is_extension] +- extensions = [rule.template for rule in syntax_rules +- if rule.is_extension] +- +- return {'parameters': parameters, 'extensions': extensions} +- +- def _prepare_syntax_rule( +- self, syntax_rule, data_rules, description, data_sources): +- """Overrides method to pull out whether rule is an extension or not.""" +- prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule( +- 
syntax_rule, data_rules, description, data_sources) +- is_extension = syntax_rule.options.get('extension', False) +- return self.SyntaxRule(prepared_template, is_extension) +- +- +-class FieldMapping: +- """Representation of the rules needed to construct a complete cert field. +- +- Attributes: +- description: str, a name or description of this field, to be used in +- messages +- syntax_rule: Rule, the rule defining the syntax of this field +- data_rules: list of Rule, the rules that produce data to be stored in +- this field +- """ +- __slots__ = ['description', 'syntax_rule', 'data_rules'] +- +- def __init__(self, description, syntax_rule, data_rules): +- self.description = description +- self.syntax_rule = syntax_rule +- self.data_rules = data_rules +- +- +-class Rule: +- __slots__ = ['name', 'template', 'options'] +- +- def __init__(self, name, template, options): +- self.name = name +- self.template = template +- self.options = options +- +- +-class RuleProvider: +- def rules_for_profile(self, profile_id): +- """ +- Return the rules needed to build a CSR using the given profile. 
+- +- :param profile_id: str, name of the CSR generation profile to use +- +- :returns: list of FieldMapping, filled out with the appropriate rules +- """ +- raise NotImplementedError('RuleProvider class must be subclassed') +- +- +-class FileRuleProvider(RuleProvider): +- def __init__(self, csr_data_dir=None): +- self.rules = {} +- self._csrgen_data_dirs = [] +- if csr_data_dir is not None: +- self._csrgen_data_dirs.append(csr_data_dir) +- self._csrgen_data_dirs.append( +- os.path.join(api.env.confdir, 'csrgen') +- ) +- self._csrgen_data_dirs.append( +- pkg_resources.resource_filename('ipaclient', 'csrgen') +- ) +- +- def _open(self, subdir, filename): +- for data_dir in self._csrgen_data_dirs: +- path = os.path.join(data_dir, subdir, filename) +- try: +- return open(path) +- except IOError as e: +- if e.errno != errno.ENOENT: +- raise +- raise IOError( +- errno.ENOENT, +- "'{}' not found in {}".format( +- os.path.join(subdir, filename), +- ", ".join(self._csrgen_data_dirs) +- ) +- ) +- +- def _rule(self, rule_name): +- if rule_name not in self.rules: +- try: +- with self._open('rules', '%s.json' % rule_name) as f: +- ruleconf = json.load(f) +- except IOError: +- raise errors.NotFound( +- reason=_('No generation rule %(rulename)s found.') % +- {'rulename': rule_name}) +- +- try: +- rule = ruleconf['rule'] +- except KeyError: +- raise errors.EmptyResult( +- reason=_('Generation rule "%(rulename)s" is missing the' +- ' "rule" key') % {'rulename': rule_name}) +- +- options = ruleconf.get('options', {}) +- +- self.rules[rule_name] = Rule( +- rule_name, rule['template'], options) +- +- return self.rules[rule_name] +- +- def rules_for_profile(self, profile_id): +- try: +- with self._open('profiles', '%s.json' % profile_id) as f: +- profile = json.load(f) +- except IOError: +- raise errors.NotFound( +- reason=_('No CSR generation rules are defined for profile' +- ' %(profile_id)s') % {'profile_id': profile_id}) +- +- field_mappings = [] +- for field in profile: +- 
syntax_rule = self._rule(field['syntax']) +- data_rules = [self._rule(name) for name in field['data']] +- field_mappings.append(FieldMapping( +- syntax_rule.name, syntax_rule, data_rules)) +- return field_mappings +- +- +-class CSRGenerator: +- def __init__(self, rule_provider, formatter_class=OpenSSLFormatter): +- self.rule_provider = rule_provider +- self.formatter = formatter_class() +- +- def csr_config(self, principal, config, profile_id): +- render_data = {'subject': principal, 'config': config} +- +- rules = self.rule_provider.rules_for_profile(profile_id) +- template = self.formatter.build_template(rules) +- +- try: +- config = template.render(render_data) +- except jinja2.UndefinedError: +- logger.debug(traceback.format_exc()) +- raise errors.CSRTemplateError(reason=_( +- 'Template error when formatting certificate data')) +- +- return config +- +- +-class CSRLibraryAdaptor: +- def get_subject_public_key_info(self): +- raise NotImplementedError('Use a subclass of CSRLibraryAdaptor') +- +- def sign_csr(self, certification_request_info): +- """Sign a CertificationRequestInfo. +- +- :returns: bytes, a DER-encoded signed CSR. +- """ +- raise NotImplementedError('Use a subclass of CSRLibraryAdaptor') +- +- +-class OpenSSLAdaptor: +- def __init__(self, key=None, key_filename=None, password_filename=None): +- """ +- Must provide either ``key_filename`` or ``key``. 
+- +- """ +- if key_filename is not None: +- with open(key_filename, 'rb') as key_file: +- key_bytes = key_file.read() +- +- password = None +- if password_filename is not None: +- with open(password_filename, 'rb') as password_file: +- password = password_file.read().strip() +- +- self._key = load_pem_private_key( +- key_bytes, password, default_backend()) +- +- elif key is not None: +- self._key = key +- +- else: +- raise ValueError("Must provide 'key' or 'key_filename'") +- +- def key(self): +- return self._key +- +- def get_subject_public_key_info(self): +- pubkey_info = self.key().public_key().public_bytes( +- Encoding.DER, PublicFormat.SubjectPublicKeyInfo) +- return pubkey_info +- +- def sign_csr(self, certification_request_info): +- reqinfo = decoder.decode( +- certification_request_info, rfc2314.CertificationRequestInfo())[0] +- csr = rfc2314.CertificationRequest() +- csr.setComponentByName('certificationRequestInfo', reqinfo) +- +- algorithm = rfc2314.SignatureAlgorithmIdentifier() +- algorithm.setComponentByName( +- 'algorithm', univ.ObjectIdentifier( +- '1.2.840.113549.1.1.11')) # sha256WithRSAEncryption +- csr.setComponentByName('signatureAlgorithm', algorithm) +- +- signature = self.key().sign( +- certification_request_info, +- padding.PKCS1v15(), +- hashes.SHA256() +- ) +- asn1sig = univ.BitString("'{sig}'H".format( +- sig=codecs.encode(signature, 'hex') +- .decode('ascii')) +- ) +- csr.setComponentByName('signature', asn1sig) +- return encoder.encode(csr) +- +- +-class NSSAdaptor: +- def __init__(self, database, password_filename): +- self.database = database +- self.password_filename = password_filename +- self.nickname = base64.b32encode(os.urandom(40)) +- +- def get_subject_public_key_info(self): +- temp_cn = base64.b32encode(os.urandom(40)).decode('ascii') +- +- password_args = [] +- if self.password_filename is not None: +- password_args = ['-f', self.password_filename] +- +- subprocess.check_call( +- ['certutil', '-S', '-n', self.nickname, 
'-s', 'CN=%s' % temp_cn, +- '-x', '-t', ',,', '-d', self.database] + password_args) +- cert_pem = subprocess.check_output( +- ['certutil', '-L', '-n', self.nickname, '-a', +- '-d', self.database] + password_args) +- +- cert = load_pem_x509_certificate(cert_pem, default_backend()) +- pubkey_info = cert.public_key().public_bytes( +- Encoding.DER, PublicFormat.SubjectPublicKeyInfo) +- +- return pubkey_info +- +- def sign_csr(self, certification_request_info): +- raise NotImplementedError('NSS is not yet supported') +diff -urN freeipa-4.8.0/ipaclient/plugins/cert.py freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py +--- freeipa-4.8.0/ipaclient/plugins/cert.py 2019-07-03 08:42:41.978537802 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py 2019-07-03 13:24:38.477222594 +0200 +@@ -21,8 +21,6 @@ + + import base64 + +-import six +- + from ipaclient.frontend import MethodOverride + from ipalib import errors + from ipalib import x509 +@@ -31,9 +29,6 @@ + from ipalib.plugable import Registry + from ipalib.text import _ + +-if six.PY3: +- unicode = str +- + register = Registry() + + +@@ -73,87 +68,12 @@ + + @register(override=True, no_fail=True) + class cert_request(CertRetrieveOverride): +- takes_options = CertRetrieveOverride.takes_options + ( +- Str( +- 'database?', +- label=_('Path to NSS database'), +- doc=_('Path to NSS database to use for private key'), +- ), +- Str( +- 'private_key?', +- label=_('Path to private key file'), +- doc=_('Path to PEM file containing a private key'), +- ), +- Str( +- 'password_file?', +- label=_( +- 'File containing a password for the private key or database'), +- ), +- Str( +- 'csr_profile_id?', +- label=_('Name of CSR generation profile (if not the same as' +- ' profile_id)'), +- ), +- ) +- + def get_args(self): + for arg in super(cert_request, self).get_args(): + if arg.name == 'csr': + arg = arg.clone_retype(arg.name, File, required=False) + yield arg + +- def forward(self, csr=None, **options): +- database = 
options.pop('database', None) +- private_key = options.pop('private_key', None) +- csr_profile_id = options.pop('csr_profile_id', None) +- password_file = options.pop('password_file', None) +- +- if csr is None: +- # Deferred import, ipaclient.csrgen is expensive to load. +- # see https://pagure.io/freeipa/issue/7484 +- from ipaclient import csrgen +- +- if database: +- adaptor = csrgen.NSSAdaptor(database, password_file) +- elif private_key: +- adaptor = csrgen.OpenSSLAdaptor( +- key_filename=private_key, password_filename=password_file) +- else: +- raise errors.InvocationError( +- message=u"One of 'database' or 'private_key' is required") +- +- pubkey_info = adaptor.get_subject_public_key_info() +- pubkey_info_b64 = base64.b64encode(pubkey_info) +- +- # If csr_profile_id is passed, that takes precedence. +- # Otherwise, use profile_id. If neither are passed, the default +- # in cert_get_requestdata will be used. +- profile_id = csr_profile_id +- if profile_id is None: +- profile_id = options.get('profile_id') +- +- response = self.api.Command.cert_get_requestdata( +- profile_id=profile_id, +- principal=options.get('principal'), +- public_key_info=pubkey_info_b64) +- +- req_info_b64 = response['result']['request_info'] +- req_info = base64.b64decode(req_info_b64) +- +- csr = adaptor.sign_csr(req_info) +- +- if not csr: +- raise errors.CertificateOperationError( +- error=(_('Generated CSR was empty'))) +- +- else: +- if database is not None or private_key is not None: +- raise errors.MutuallyExclusiveError(reason=_( +- "Options 'database' and 'private_key' are not compatible" +- " with 'csr'")) +- +- return super(cert_request, self).forward(csr, **options) +- + + @register(override=True, no_fail=True) + class cert_show(CertRetrieveOverride): +diff -urN freeipa-4.8.0/ipaclient/plugins/cert.py.orig freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py.orig +--- freeipa-4.8.0/ipaclient/plugins/cert.py.orig 1970-01-01 01:00:00.000000000 +0100 ++++ 
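Review bot: The retained `get_args` in `cert_request` still retypes `csr` with `required=False`, but the `forward` override that built a CSR when none was supplied is removed in this same hunk, so nothing on the client side rejects a call without a CSR any more. Unless the server-side command is meant to be the one that reports the missing argument, the relaxation should go together with the feature that needed it: `arg = arg.clone_retype(arg.name, File)`. The base class `CertRetrieveOverride` and the server definition of `csr` are outside the hunk, so the server-side behaviour is inferred rather than visible.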
freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py.orig 2019-07-03 13:24:38.478222573 +0200 +@@ -0,0 +1,215 @@ ++# Authors: ++# Andrew Wnuk <awnuk@redhat.com> ++# Jason Gerard DeRose <jderose@redhat.com> ++# John Dennis <jdennis@redhat.com> ++# ++# Copyright (C) 2009 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++import base64 ++ ++import six ++ ++from ipaclient.frontend import MethodOverride ++from ipalib import errors ++from ipalib import x509 ++from ipalib import util ++from ipalib.parameters import BinaryFile, File, Flag, Str ++from ipalib.plugable import Registry ++from ipalib.text import _ ++ ++if six.PY3: ++ unicode = str ++ ++register = Registry() ++ ++ ++class CertRetrieveOverride(MethodOverride): ++ takes_options = ( ++ Str( ++ 'certificate_out?', ++ doc=_('Write certificate (chain if --chain used) to file'), ++ include='cli', ++ cli_metavar='FILE', ++ ), ++ ) ++ ++ def forward(self, *args, **options): ++ if 'certificate_out' in options: ++ certificate_out = options.pop('certificate_out') ++ try: ++ util.check_writable_file(certificate_out) ++ except errors.FileError as e: ++ raise errors.ValidationError(name='certificate-out', ++ error=str(e)) ++ else: ++ certificate_out = None ++ ++ result = super(CertRetrieveOverride, self).forward(*args, **options) ++ ++ if certificate_out is 
not None: ++ if options.get('chain', False): ++ certs = result['result']['certificate_chain'] ++ else: ++ certs = [base64.b64decode(result['result']['certificate'])] ++ certs = (x509.load_der_x509_certificate(cert) for cert in certs) ++ x509.write_certificate_list(certs, certificate_out) ++ ++ return result ++ ++ ++@register(override=True, no_fail=True) ++class cert_request(CertRetrieveOverride): ++ takes_options = CertRetrieveOverride.takes_options + ( ++ Str( ++ 'database?', ++ label=_('Path to NSS database'), ++ doc=_('Path to NSS database to use for private key'), ++ ), ++ Str( ++ 'private_key?', ++ label=_('Path to private key file'), ++ doc=_('Path to PEM file containing a private key'), ++ ), ++ Str( ++ 'password_file?', ++ label=_( ++ 'File containing a password for the private key or database'), ++ ), ++ Str( ++ 'csr_profile_id?', ++ label=_('Name of CSR generation profile (if not the same as' ++ ' profile_id)'), ++ ), ++ ) ++ ++ def get_args(self): ++ for arg in super(cert_request, self).get_args(): ++ if arg.name == 'csr': ++ arg = arg.clone_retype(arg.name, File, required=False) ++ yield arg ++ ++ def forward(self, csr=None, **options): ++ database = options.pop('database', None) ++ private_key = options.pop('private_key', None) ++ csr_profile_id = options.pop('csr_profile_id', None) ++ password_file = options.pop('password_file', None) ++ ++ if csr is None: ++ # Deferred import, ipaclient.csrgen is expensive to load. ++ # see https://pagure.io/freeipa/issue/7484 ++ from ipaclient import csrgen ++ ++ if database: ++ adaptor = csrgen.NSSAdaptor(database, password_file) ++ elif private_key: ++ adaptor = csrgen.OpenSSLAdaptor( ++ key_filename=private_key, password_filename=password_file) ++ else: ++ raise errors.InvocationError( ++ message=u"One of 'database' or 'private_key' is required") ++ ++ pubkey_info = adaptor.get_subject_public_key_info() ++ pubkey_info_b64 = base64.b64encode(pubkey_info) ++ ++ # If csr_profile_id is passed, that takes precedence. 
++ # Otherwise, use profile_id. If neither are passed, the default ++ # in cert_get_requestdata will be used. ++ profile_id = csr_profile_id ++ if profile_id is None: ++ profile_id = options.get('profile_id') ++ ++ response = self.api.Command.cert_get_requestdata( ++ profile_id=profile_id, ++ principal=options.get('principal'), ++ public_key_info=pubkey_info_b64) ++ ++ req_info_b64 = response['result']['request_info'] ++ req_info = base64.b64decode(req_info_b64) ++ ++ csr = adaptor.sign_csr(req_info) ++ ++ if not csr: ++ raise errors.CertificateOperationError( ++ error=(_('Generated CSR was empty'))) ++ ++ else: ++ if database is not None or private_key is not None: ++ raise errors.MutuallyExclusiveError(reason=_( ++ "Options 'database' and 'private_key' are not compatible" ++ " with 'csr'")) ++ ++ return super(cert_request, self).forward(csr, **options) ++ ++ ++@register(override=True, no_fail=True) ++class cert_show(CertRetrieveOverride): ++ def get_options(self): ++ for option in super(cert_show, self).get_options(): ++ if option.name == 'out': ++ # skip server-defined --out ++ continue ++ if option.name == 'certificate_out': ++ # add --out as a deprecated alias of --certificate-out ++ option = option.clone_rename( ++ 'out', ++ cli_name='certificate_out', ++ deprecated_cli_aliases={'out'}, ++ ) ++ yield option ++ ++ def forward(self, *args, **options): ++ try: ++ options['certificate_out'] = options.pop('out') ++ except KeyError: ++ pass ++ ++ return super(cert_show, self).forward(*args, **options) ++ ++ ++@register(override=True, no_fail=True) ++class cert_remove_hold(MethodOverride): ++ has_output_params = ( ++ Flag('unrevoked', ++ label=_('Unrevoked'), ++ ), ++ Str('error_string', ++ label=_('Error'), ++ ), ++ ) ++ ++ ++@register(override=True, no_fail=True) ++class cert_find(MethodOverride): ++ takes_options = ( ++ BinaryFile( ++ 'file?', ++ label=_("Input filename"), ++ doc=_('File to load the certificate from.'), ++ include='cli', ++ ), ++ ) ++ ++ def 
forward(self, *args, **options): ++ if self.api.env.context == 'cli': ++ if 'certificate' in options and 'file' in options: ++ raise errors.MutuallyExclusiveError( ++ reason=_("cannot specify both raw certificate and file")) ++ if 'certificate' not in options and 'file' in options: ++ options['certificate'] = x509.load_unknown_x509_certificate( ++ options.pop('file')) ++ ++ return super(cert_find, self).forward(*args, **options) +diff -urN freeipa-4.8.0/ipaclient/plugins/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/plugins/csrgen.py +--- freeipa-4.8.0/ipaclient/plugins/csrgen.py 2019-07-03 08:42:41.990537623 +0200 ++++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/csrgen.py 1970-01-01 01:00:00.000000000 +0100 +@@ -1,128 +0,0 @@ +-# +-# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +-# +- +-import base64 +- +-import six +- +-from ipalib import api +-from ipalib import errors +-from ipalib import output +-from ipalib import util +-from ipalib.frontend import Local, Str +-from ipalib.parameters import Bytes, Principal +-from ipalib.plugable import Registry +-from ipalib.text import _ +-from ipapython import dogtag +- +- +-if six.PY3: +- unicode = str +- +-register = Registry() +- +-__doc__ = _(""" +-Commands to build certificate requests automatically +-""") +- +- +-@register() +-class cert_get_requestdata(Local): +- __doc__ = _('Gather data for a certificate signing request.') +- +- NO_CLI = True +- +- takes_options = ( +- Principal( +- 'principal', +- label=_('Principal'), +- doc=_('Principal for this certificate (e.g.' 
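Review bot: `ipaclient/plugins/cert.py.orig` looks like a backup left behind by `patch` when the tree for this diff was prepared, not intended content, and the patch should not create it. The file is a full copy of the plugin as it was before the csrgen removal, including the `database`, `private_key` and `password_file` options and the deferred `from ipaclient import csrgen`, so a copy of the removed key-handling code stays in the source tree that gets built. Regenerating the patch with the backup excluded, for example `diff -urN -x '*.orig'`, keeps the shipped tree identical to what was reviewed. Whether the plugin loader or the packaging would pick up a `.py.orig` file cannot be told from this page.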
+- ' HTTP/test.example.com)'),
+- ),
+- Str(
+- 'profile_id?',
+- label=_('Profile ID'),
+- doc=_('CSR Generation Profile to use'),
+- ),
+- Bytes(
+- 'public_key_info',
+- label=_('Subject Public Key Info'),
+- doc=_('DER-encoded SubjectPublicKeyInfo structure'),
+- ),
+- Str(
+- 'out?',
+- doc=_('Write CertificationRequestInfo to file'),
+- ),
+- )
+-
+- has_output = (
+- output.Output(
+- 'result',
+- type=dict,
+- doc=_('Dictionary mapping variable name to value'),
+- ),
+- )
+-
+- has_output_params = (
+- Str(
+- 'request_info',
+- label=_('CertificationRequestInfo structure'),
+- )
+- )
+-
+- def execute(self, *args, **options):
+- # Deferred import, ipaclient.csrgen is expensive to load.
+- # see https://pagure.io/freeipa/issue/7484
+- from ipaclient import csrgen
+- from ipaclient import csrgen_ffi
+-
+- if 'out' in options:
+- util.check_writable_file(options['out'])
+-
+- principal = options.get('principal')
+- profile_id = options.get('profile_id')
+- if profile_id is None:
+- profile_id = dogtag.DEFAULT_PROFILE
+- public_key_info = options.get('public_key_info')
+- public_key_info = base64.b64decode(public_key_info)
+-
+- if self.api.env.in_server:
+- backend = self.api.Backend.ldap2
+- else:
+- backend = self.api.Backend.rpcclient
+- if not backend.isconnected():
+- backend.connect()
+-
+- try:
+- if principal.is_host:
+- principal_obj = api.Command.host_show(
+- principal.hostname, all=True)
+- elif principal.is_service:
+- principal_obj = api.Command.service_show(
+- unicode(principal), all=True)
+- elif principal.is_user:
+- principal_obj = api.Command.user_show(
+- principal.username, all=True)
+- except errors.NotFound:
+- raise errors.NotFound(
+- reason=_("The principal for this request doesn't exist."))
+- principal_obj = principal_obj['result']
+- config = api.Command.config_show()['result']
+-
+- generator = csrgen.CSRGenerator(csrgen.FileRuleProvider())
+-
+- csr_config = generator.csr_config(principal_obj, config, profile_id)
+-
request_info = base64.b64encode(csrgen_ffi.build_requestinfo(
+- csr_config.encode('utf8'), public_key_info))
+-
+- result = {}
+- if 'out' in options:
+- with open(options['out'], 'wb') as f:
+- f.write(request_info)
+- else:
+- result = dict(request_info=request_info)
+-
+- return dict(
+- result=result
+- )
+diff -urN freeipa-4.8.0/ipaclient/setup.py freeipa-4.8.0.removed_csrgen/ipaclient/setup.py
+--- freeipa-4.8.0/ipaclient/setup.py 2019-07-03 08:42:41.836539916 +0200
++++ freeipa-4.8.0.removed_csrgen/ipaclient/setup.py 2019-07-03 13:24:38.479222551 +0200
+@@ -41,13 +41,6 @@
+ "ipaclient.remote_plugins.2_156",
+ "ipaclient.remote_plugins.2_164",
+ ],
+- package_data={
+- 'ipaclient': [
+- 'csrgen/profiles/*.json',
+- 'csrgen/rules/*.json',
+- 'csrgen/templates/*.tmpl',
+- ],
+- },
+ install_requires=[
+ "cryptography",
+ "ipalib",
+@@ -63,7 +56,6 @@
+ extras_require={
+ "install": ["ipaplatform"],
+ "otptoken_yubikey": ["python-yubico", "pyusb"],
+- "csrgen": ["cffi", "jinja2"],
+ "ldap": ["python-ldap"], # ipapython.ipaldap
+ },
+ zip_safe=False,
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf 2019-07-03 08:42:45.972478335 +0200
++++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf 1970-01-01 01:00:00.000000000 +0100
+@@ -1,16 +0,0 @@
+-[ req ]
+-prompt = no
+-encrypt_key = no
+-
+-distinguished_name = sec0
+-req_extensions = sec2
+-
+-[ sec0 ]
+-O=DOMAIN.EXAMPLE.COM
+-CN=machine.example.com
+-
+-[ sec1 ]
+-DNS = machine.example.com
+-
+-[ sec2 ]
+-subjectAltName = @sec1
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
+---
freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf 2019-07-03 08:42:45.976478276 +0200
++++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf 1970-01-01 01:00:00.000000000 +0100
+@@ -1,16 +0,0 @@
+-[ req ]
+-prompt = no
+-encrypt_key = no
+-
+-distinguished_name = sec0
+-req_extensions = sec2
+-
+-[ sec0 ]
+-O=DOMAIN.EXAMPLE.COM
+-CN=testuser
+-
+-[ sec1 ]
+-email = testuser@example.com
+-
+-[ sec2 ]
+-subjectAltName = @sec1
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json 2019-07-03 08:42:45.980478216 +0200
++++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json 1970-01-01 01:00:00.000000000 +0100
+@@ -1,8 +0,0 @@
+-[
+- {
+- "syntax": "basic",
+- "data": [
+- "options"
+- ]
+- }
+-]
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json 2019-07-03 08:42:45.984478157 +0200
++++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json 1970-01-01 01:00:00.000000000 +0100
+@@ -1,5 +0,0 @@
+-{
+- "rule": {
+- "template": "openssl_rule"
+- }
+-}
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/options.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/options.json 2019-07-03 08:42:45.988478097 +0200
++++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/options.json 1970-01-01 01:00:00.000000000 +0100
+@@ -1,8 +0,0 @@
+-{
+- "rule": {
+- "template": "openssl_rule"
+- },
+-
"options": {
+- "rule_option": true
+- }
+-}
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl 2019-07-03 08:42:45.993478023 +0200
++++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl 1970-01-01 01:00:00.000000000 +0100
+@@ -1 +0,0 @@
+-{{ options|join(";") }}
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/test_csrgen.py freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/test_csrgen.py
+--- freeipa-4.8.0/ipatests/test_ipaclient/test_csrgen.py 2019-07-03 08:42:45.963478469 +0200
++++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/test_csrgen.py 1970-01-01 01:00:00.000000000 +0100
+@@ -1,304 +0,0 @@
+-#
+-# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+-#
+-
+-import os
+-import pytest
+-
+-from cryptography.hazmat.backends import default_backend
+-from cryptography.hazmat.primitives.asymmetric import rsa
+-from cryptography import x509
+-
+-from ipaclient import csrgen, csrgen_ffi
+-from ipalib import errors
+-
+-BASE_DIR = os.path.dirname(__file__)
+-CSR_DATA_DIR = os.path.join(BASE_DIR, 'data', 'test_csrgen')
+-
+-
+-@pytest.fixture
+-def formatter():
+- return csrgen.Formatter(csr_data_dir=CSR_DATA_DIR)
+-
+-
+-@pytest.fixture
+-def rule_provider():
+- return csrgen.FileRuleProvider(csr_data_dir=CSR_DATA_DIR)
+-
+-
+-@pytest.fixture
+-def generator():
+- return csrgen.CSRGenerator(csrgen.FileRuleProvider())
+-
+-
+-class StubRuleProvider(csrgen.RuleProvider):
+- def __init__(self):
+- self.syntax_rule = csrgen.Rule(
+- 'syntax', '{{datarules|join(",")}}', {})
+- self.data_rule = csrgen.Rule('data', 'data_template', {})
+- self.field_mapping = csrgen.FieldMapping(
+- 'example', self.syntax_rule, [self.data_rule])
+- self.rules = [self.field_mapping]
+-
+-
def rules_for_profile(self, profile_id): +- return self.rules +- +- +-class IdentityFormatter(csrgen.Formatter): +- base_template_name = 'identity_base.tmpl' +- +- def __init__(self): +- super(IdentityFormatter, self).__init__(csr_data_dir=CSR_DATA_DIR) +- +- def _get_template_params(self, syntax_rules): +- return {'options': syntax_rules} +- +- +-class test_Formatter: +- def test_prepare_data_rule_with_data_source(self, formatter): +- data_rule = csrgen.Rule('uid', '{{subject.uid.0}}', +- {'data_source': 'subject.uid.0'}) +- prepared = formatter._prepare_data_rule(data_rule) +- assert prepared == '{% if subject.uid.0 %}{{subject.uid.0}}{% endif %}' +- +- def test_prepare_data_rule_no_data_source(self, formatter): +- """Not a normal case, but we should handle it anyway""" +- data_rule = csrgen.Rule('uid', 'static_text', {}) +- prepared = formatter._prepare_data_rule(data_rule) +- assert prepared == 'static_text' +- +- def test_prepare_syntax_rule_with_data_sources(self, formatter): +- syntax_rule = csrgen.Rule( +- 'example', '{{datarules|join(",")}}', {}) +- data_rules = ['{{subject.field1}}', '{{subject.field2}}'] +- data_sources = ['subject.field1', 'subject.field2'] +- prepared = formatter._prepare_syntax_rule( +- syntax_rule, data_rules, 'example', data_sources) +- +- assert prepared == ( +- '{% if subject.field1 or subject.field2 %}{{subject.field1}},' +- '{{subject.field2}}{% endif %}') +- +- def test_prepare_syntax_rule_with_combinator(self, formatter): +- syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}', +- {'data_source_combinator': 'and'}) +- data_rules = ['{{subject.field1}}', '{{subject.field2}}'] +- data_sources = ['subject.field1', 'subject.field2'] +- prepared = formatter._prepare_syntax_rule( +- syntax_rule, data_rules, 'example', data_sources) +- +- assert prepared == ( +- '{% if subject.field1 and subject.field2 %}{{subject.field1}},' +- '{{subject.field2}}{% endif %}') +- +- def test_prepare_syntax_rule_required(self, formatter): +- 
syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}', +- {'required': True}) +- data_rules = ['{{subject.field1}}'] +- data_sources = ['subject.field1'] +- prepared = formatter._prepare_syntax_rule( +- syntax_rule, data_rules, 'example', data_sources) +- +- assert prepared == ( +- '{% filter required("example") %}{% if subject.field1 %}' +- '{{subject.field1}}{% endif %}{% endfilter %}') +- +- def test_prepare_syntax_rule_passthrough(self, formatter): +- """ +- Calls to macros defined as passthrough are still call tags in the final +- template. +- """ +- formatter._define_passthrough('example.macro') +- +- syntax_rule = csrgen.Rule( +- 'example', +- '{% call example.macro() %}{{datarules|join(",")}}{% endcall %}', +- {}) +- data_rules = ['{{subject.field1}}'] +- data_sources = ['subject.field1'] +- prepared = formatter._prepare_syntax_rule( +- syntax_rule, data_rules, 'example', data_sources) +- +- assert prepared == ( +- '{% if subject.field1 %}{% call example.macro() %}' +- '{{subject.field1}}{% endcall %}{% endif %}') +- +- def test_prepare_syntax_rule_no_data_sources(self, formatter): +- """Not a normal case, but we should handle it anyway""" +- syntax_rule = csrgen.Rule( +- 'example', '{{datarules|join(",")}}', {}) +- data_rules = ['rule1', 'rule2'] +- data_sources = [] +- prepared = formatter._prepare_syntax_rule( +- syntax_rule, data_rules, 'example', data_sources) +- +- assert prepared == 'rule1,rule2' +- +- +-class test_FileRuleProvider: +- def test_rule_basic(self, rule_provider): +- rule_name = 'basic' +- +- rule = rule_provider._rule(rule_name) +- +- assert rule.template == 'openssl_rule' +- +- def test_rule_global_options(self, rule_provider): +- rule_name = 'options' +- +- rule = rule_provider._rule(rule_name) +- +- assert rule.options['rule_option'] is True +- +- def test_rule_nosuchrule(self, rule_provider): +- with pytest.raises(errors.NotFound): +- rule_provider._rule('nosuchrule') +- +- def test_rules_for_profile_success(self, 
rule_provider): +- rules = rule_provider.rules_for_profile('profile') +- +- assert len(rules) == 1 +- field_mapping = rules[0] +- assert field_mapping.syntax_rule.name == 'basic' +- assert len(field_mapping.data_rules) == 1 +- assert field_mapping.data_rules[0].name == 'options' +- +- def test_rules_for_profile_nosuchprofile(self, rule_provider): +- with pytest.raises(errors.NotFound): +- rule_provider.rules_for_profile('nosuchprofile') +- +- +-class test_CSRGenerator: +- def test_userCert_OpenSSL(self, generator): +- principal = { +- 'uid': ['testuser'], +- 'mail': ['testuser@example.com'], +- } +- config = { +- 'ipacertificatesubjectbase': [ +- 'O=DOMAIN.EXAMPLE.COM' +- ], +- } +- +- script = generator.csr_config(principal, config, 'userCert') +- with open(os.path.join( +- CSR_DATA_DIR, 'configs', 'userCert.conf')) as f: +- expected_script = f.read() +- assert script == expected_script +- +- def test_caIPAserviceCert_OpenSSL(self, generator): +- principal = { +- 'krbprincipalname': [ +- 'HTTP/machine.example.com@DOMAIN.EXAMPLE.COM' +- ], +- } +- config = { +- 'ipacertificatesubjectbase': [ +- 'O=DOMAIN.EXAMPLE.COM' +- ], +- } +- +- script = generator.csr_config( +- principal, config, 'caIPAserviceCert') +- with open(os.path.join( +- CSR_DATA_DIR, 'configs', 'caIPAserviceCert.conf')) as f: +- expected_script = f.read() +- assert script == expected_script +- +- def test_works_with_lowercase_attr_type_shortname(self, generator): +- principal = { +- 'uid': ['testuser'], +- 'mail': ['testuser@example.com'], +- } +- template_env = { +- 'ipacertificatesubjectbase': [ +- 'o=DOMAIN.EXAMPLE.COM' # lower-case attr type shortname +- ], +- } +- config = generator.csr_config(principal, template_env, 'userCert') +- +- key = rsa.generate_private_key( +- public_exponent=65537, +- key_size=2048, +- backend=default_backend(), +- ) +- adaptor = csrgen.OpenSSLAdaptor(key=key) +- +- reqinfo = bytes(csrgen_ffi.build_requestinfo( +- config.encode('utf-8'), 
adaptor.get_subject_public_key_info())) +- csr_der = adaptor.sign_csr(reqinfo) +- csr = x509.load_der_x509_csr(csr_der, default_backend()) +- assert ( +- csr.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME) +- == [x509.NameAttribute(x509.NameOID.COMMON_NAME, u'testuser')] +- ) +- assert ( +- csr.subject.get_attributes_for_oid(x509.NameOID.ORGANIZATION_NAME) +- == [x509.NameAttribute( +- x509.NameOID.ORGANIZATION_NAME, u'DOMAIN.EXAMPLE.COM')] +- ) +- +- def test_unrecognised_attr_type_raises(self, generator): +- principal = { +- 'uid': ['testuser'], +- 'mail': ['testuser@example.com'], +- } +- template_env = { +- 'ipacertificatesubjectbase': [ +- 'X=DOMAIN.EXAMPLE.COM' # unrecognised attr type +- ], +- } +- config = generator.csr_config(principal, template_env, 'userCert') +- +- key = rsa.generate_private_key( +- public_exponent=65537, +- key_size=2048, +- backend=default_backend(), +- ) +- adaptor = csrgen.OpenSSLAdaptor(key=key) +- +- with pytest.raises( +- errors.CSRTemplateError, +- match=r'^unrecognised attribute type: X$'): +- csrgen_ffi.build_requestinfo( +- config.encode('utf-8'), adaptor.get_subject_public_key_info()) +- +- +-class test_rule_handling: +- def test_optionalAttributeMissing(self, generator): +- principal = {'uid': 'testuser'} +- rule_provider = StubRuleProvider() +- rule_provider.data_rule.template = '{{subject.mail}}' +- rule_provider.data_rule.options = {'data_source': 'subject.mail'} +- generator = csrgen.CSRGenerator( +- rule_provider, formatter_class=IdentityFormatter) +- +- script = generator.csr_config( +- principal, {}, 'example') +- assert script == '\n' +- +- def test_twoDataRulesOneMissing(self, generator): +- principal = {'uid': 'testuser'} +- rule_provider = StubRuleProvider() +- rule_provider.data_rule.template = '{{subject.mail}}' +- rule_provider.data_rule.options = {'data_source': 'subject.mail'} +- rule_provider.field_mapping.data_rules.append(csrgen.Rule( +- 'data2', '{{subject.uid}}', {'data_source': 
'subject.uid'})) +- generator = csrgen.CSRGenerator( +- rule_provider, formatter_class=IdentityFormatter) +- +- script = generator.csr_config(principal, {}, 'example') +- assert script == ',testuser\n' +- +- def test_requiredAttributeMissing(self): +- principal = {'uid': 'testuser'} +- rule_provider = StubRuleProvider() +- rule_provider.data_rule.template = '{{subject.mail}}' +- rule_provider.data_rule.options = {'data_source': 'subject.mail'} +- rule_provider.syntax_rule.options = {'required': True} +- generator = csrgen.CSRGenerator( +- rule_provider, formatter_class=IdentityFormatter) +- +- with pytest.raises(errors.CSRTemplateError): +- _script = generator.csr_config( +- principal, {}, 'example') diff --git a/SOURCES/freeipa-4.7.90.pre1.tar.gz.asc b/SOURCES/freeipa-4.7.90.pre1.tar.gz.asc deleted file mode 100644 index 1353a4c..0000000 --- a/SOURCES/freeipa-4.7.90.pre1.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAlzHE98ACgkQRxniuKu/ -YhrICw/8DE6jyt3bnUmzGiXdsV7q1KZUGSIC7GLpvbmewwpUVcXnplHiVCTjrNGI -jw/jc6y9bIlvqfYNWjAmXNGXyB3AbXweaYRAEzntOHlAmFDlwMXv/D6JL0849/9/ -uRWEefIpHlw/P++WOxm+us7T9h/d6xEe1xY7vaaXVVPjRBewJqddG6ISJgWZ0DSR -41b/kgOXEvBMOU+gsKCm1fCgKU6KcfwsFq39uSxmTfhKE/578eOUkSAracOwrP2Z -RePKA4JKqw/Tttl26bgKAkAD8hxJhv6J1MYOSPKp7zssSKw1s1qiPbR6DdJGF/E0 -gqiJwLynZdkkMOsWqHvUK0NDT5LmDdluHBFDle+zupBy1CAE4y1fchsUh910wbRm -LnrdtkXKUHtE+WGZianMSc1gHCB6EjipHx9iLTrcsGbjz9ziWRb6P6BLgbw2doPG -mYQVMWBNLQi3gcAjN7IX1+dRWoam+ON/M0GMi5jSplqONBFUj5xwB8LFNV5VfIAu -zJa0F5V0Qu5XbO7YFoihDcD1OF8fUyKtK+lGa0O/QazR37tl8m5mgYVjDErBx3F+ -ipiB40w+qA1MsJXqdOljoldTvJZCzN+kEJu8aMdQpKcIfkJjKQsrbrh0Ck3cmRHW -vE3sApyx1p9XvoVtb6lz69B1XJu+Q+Gljlm7JSRLQ3p7GZTT7/Q= -=5N4+ ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.8.4.tar.gz.asc b/SOURCES/freeipa-4.8.4.tar.gz.asc new file mode 100644 index 0000000..6160d78 --- /dev/null +++ b/SOURCES/freeipa-4.8.4.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl302dsACgkQRxniuKu/ +Yhrd0RAAvUv30O5rSlww30kxqV3oQb5CIJYSGb/jpWMAhj1Nr+1Ye1P3rCyJLP4R ++fVu23bgIywv8qkWPZdQxohkYCuiTZa8ogl3gXWJDRCp5f5oKWALzwU+Zlu8HlVj +z8UAOFXEO1fYwvwpOPdr+gGiTS5pLq39EIBZSVjvuviXR0adwVcVvw0R2YXYmiLE +x5uaM289YQ4hKY/V0rgqNn0nYiogFcFvSlhkM9oi4+JiKypocPqKTjM4n8EcdXv4 +rSJ6Zv6FgnyoREBITCZjKaTn8OTkhqhhzMOgMzWr8QSmNl44UKA9aq5ZIEJgEnMR +N3vW6Br1f4TDJ3JyWeMoizQcNeTFyuoxN9HhGpvDotx+6g+j2yNfAK7ZZAtjULhm +m13zb1svCbGtvRxB8QfIQe62l3drooimWRf5o9fgPVU0MIxgL7x7AulxrZekik6J +NdwXiz75SKfbFZZWVdf9FjJkaBZ3CpJMJnDQiQyCs+xBWOpXYGYkz9a1NRoFgCdC +y8bY9ErfzhLdcgjbZ3EE24FkWMBeUdW+BC4AYSChZlqUZ9CMTQIdyqPVSG/u5sc9 +2Rn1YasAfu0P3DJgRCI0BUcxkxFet5M8hfB0iuLE4OJTKnyhmmOUKmO2wUSw0QIr +ogzzN9DF84wwXD1P4X6WFEzOOthCdLPUHyDo3u5fVIy4QWZZDlQ= +=TTzs +-----END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 614659c..2915bea 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec 
@@ -55,26 +55,28 @@ %if 0%{?rhel} %global package_name ipa %global alt_name freeipa -%global krb5_version 1.16.1 +%global krb5_version 1.17-12 %global krb5_kdb_version 7.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 -%global python_netaddr_version 0.7.16 +%global python_netaddr_version 0.7.19 # Require 4.7.0 which brings Python 3 bindings -%global samba_version 4.7.0 -%global selinux_policy_version 3.14.1-14 +%global samba_version 4.10.4-9 +# Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files +%global selinux_policy_version 3.14.3-24 %global slapi_nis_version 0.56.1-4 %global python_ldap_version 3.1.0-1 # python3-lib389 # Fix for "Installation fails: Replica Busy" # https://pagure.io/389-ds-base/issue/49818 -%global ds_version 1.4.0.16 +# currently set to 1.4.1.3 until 389-ds rebases to 1.4.2 +%global ds_version 1.4.1.3 %else # Fedora %global package_name freeipa %global alt_name ipa # Fix for CVE-2018-20217 -%global krb5_version 1.17 +%global krb5_version 1.17-17 %global krb5_kdb_version 7.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 @@ -101,10 +103,10 @@ # 10.6.7 fixes UpdateNumberRange clone installation issue # https://pagure.io/freeipa/issue/7654 and empty token issue # and https://pagure.io/dogtagpki/issue/3073 -%global pki_version 10.6.8-3 +%global pki_version 10.8.0 # https://pagure.io/certmonger/issue/90 -%global certmonger_version 0.79.7-1 +%global certmonger_version 0.79.7-3 # NSS release with fix for p11-kit-proxy issue, affects F28 # https://pagure.io/freeipa/issue/7810 
@@ -114,15 +116,9 @@ %global nss_version 3.41.0-1 %endif -# There are issues currently with the sssd rebase to 2.1.0, therefore this -# will be set to 2.0.0-43 for now. -#global sssd_version 2.1.0-2 -%global sssd_version 2.0.0-43 +%global sssd_version 2.2.0-19 -# python3-kdcproxy 0.4.1 is not in the repository, therefore 0.4 will be -# used for now. -#global kdcproxy_version 0.4.1 -%global kdcproxy_version 0.4 +%global kdcproxy_version 0.4-3 %global plugin_dir %{_libdir}/dirsrv/plugins %global etc_systemd_dir %{_sysconfdir}/systemd/system @@ -132,16 +128,16 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.7.90.pre1 +%define IPA_VERSION 4.8.4 %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" - %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser + %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser %endif Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?dist} +Release: 2%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
@@ -156,16 +152,9 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as # RHEL spec file only: END: Change branding to IPA and Identity Management # RHEL spec file only: START -Patch0001: 0001-No-need-to-call-rhel-specific-domainname-service.patch - -Patch0002: 0001-revert-minssf-defaults.patch -# https://github.com/freeipa/freeipa/pull/3104 -# Fix an error in the path the webUI uses for fontawesome -Patch0003: 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch -Patch0004: 0002-upgrade-adtrust-when-no-trusts.patch - +Patch0001: 0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch -Patch1002: 1002-4.7.90pre1-Remove-csrgen.patch +Patch1002: 1002-4.8.0-Remove-csrgen.patch # RHEL spec file only: END # For the timestamp trick in patch application @@ -325,6 +314,7 @@ Requires: openldap-clients > 2.4.35-4 Requires: nss >= %{nss_version} Requires: nss-tools >= %{nss_version} Requires(post): krb5-server >= %{krb5_version} +Requires(post): krb5-kdb-version = %{krb5_kdb_version} Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony @@ -454,7 +444,7 @@ If you are installing an IPA server, you need to install this package. Summary: IPA integrated DNS server with support for automatic DNSSEC signing BuildArch: noarch Requires: %{name}-server = %{version}-%{release} -Requires: bind-dyndb-ldap >= 11.0-2 +Requires: bind-dyndb-ldap >= 11.2-2 Requires: bind >= 9.11.0-6.P2 Requires: bind-utils >= 9.11.0-6.P2 Requires: bind-pkcs11 >= 9.11.0-6.P2 
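Review bot: `Requires(post): krb5-kdb-version = %{krb5_kdb_version}` in the `@@ -325,6 +314,7 @@` hunk is a scriptlet-only dependency, which RPM treats as satisfied once the transaction completes. On its own it therefore does not keep the KDB ABI pinned for the installed server afterwards. If the spec has no plain `Requires: krb5-kdb-version = %{krb5_kdb_version}` elsewhere (not visible in this hunk), adding one would make a later krb5 update with a different KDB ABI fail dependency resolution instead of being accepted silently. A one-line comment above it, such as `# pin the MIT Kerberos KDB ABI that the IPA KDB driver is built against`, would also record why the `=` is intentional.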
@@ -558,6 +548,22 @@ If your network uses IPA for authentication, this package should be installed on every client machine. This package provides command-line tools for IPA administrators. +%package client-samba +Summary: Tools to configure Samba on IPA client +Group: System Environment/Base +Requires: %{name}-client = %{version}-%{release} +Requires: python3-samba +Requires: samba-client +Requires: samba-winbind +Requires: samba-common-tools +Requires: samba +Requires: sssd-winbind-idmap +Requires: tdb-tools +Requires: cifs-utils + +%description client-samba +This package provides command-line tools to deploy Samba domain member +on the machine enrolled into a FreeIPA environment %package -n python3-ipaclient Summary: Python libraries used by IPA client @@ -1001,11 +1007,17 @@ if [ $1 -gt 1 ] ; then cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem fi + + %{python} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 fi if [ $restore -ge 2 ]; then %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi + + if [ $restore -ge 2 ]; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config + fi fi @@ -1072,6 +1084,7 @@ fi %{_sbindir}/ipa-winsync-migrate %{_sbindir}/ipa-pkinit-manage %{_sbindir}/ipa-crlgen-manage +%{_sbindir}/ipa-cert-fix %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap @@ -1136,6 +1149,7 @@ fi %{_mandir}/man1/ipa-winsync-migrate.1* %{_mandir}/man1/ipa-pkinit-manage.1* %{_mandir}/man1/ipa-crlgen-manage.1* +%{_mandir}/man1/ipa-cert-fix.1* %files -n python3-ipaserver 
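Review bot: In the `@@ -1001,11 +1007,17 @@` hunk the added `configure_krb5_snippet()` call appends to /var/log/ipaupgrade.log with `>>`, but the unchanged `update_ipa_nssdb()` call just below still redirects with `>`. When both branches run, the log is truncated and any error from the krb5 snippet step is lost, so the later redirect should also be `>>/var/log/ipaupgrade.log 2>&1`. In the new `sed` block, `--in-place=.orig` rewrites the backup on every run that reaches it, so a second upgrade would replace `/etc/ssh/ssh_config.orig` with the already edited file. Prefixing the `sed` with `grep -qE '^HostKeyAlgorithms ssh-rsa,ssh-dss$' /etc/ssh/ssh_config &&` would preserve the first backup. The enclosing scriptlet starts and ends outside the hunk, so how `$restore` is set is not visible here.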
@@ -1162,6 +1176,7 @@ fi %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template +%{_usr}/share/ipa/bind.ipa-ext.conf %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template @@ -1208,6 +1223,7 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt +%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con @@ -1271,6 +1287,7 @@ fi %{_sbindir}/ipa-join %{_bindir}/ipa %config %{_sysconfdir}/bash_completion.d +%config %{_sysconfdir}/sysconfig/certmonger %{_mandir}/man1/ipa.1* %{_mandir}/man1/ipa-getkeytab.1* %{_mandir}/man1/ipa-rmkeytab.1* @@ -1279,6 +1296,11 @@ fi %{_mandir}/man1/ipa-certupdate.1* %{_mandir}/man1/ipa-join.1* +%files client-samba +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-client-samba +%{_mandir}/man1/ipa-client-samba.1* %files -n python3-ipaclient %doc README.md Contributors.txt 
@@ -1370,8 +1392,112 @@ fi %changelog -* Thu Aug 01 2019 CentOS Sources <bugs@centos.org> - 4.7.90.pre1-3.el8.centos -- Apply debranding changes +* Mon Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-2 +- DNS install check: Fix overlapping DNS zone from the master itself + Resolves: RHBZ#1784003 + +* Sat Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-1 +- Rebase to upstream release 4.8.4 + - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 + Resolves: RHBZ#1782658 + Resolves: RHBZ#1782169 + Resolves: RHBZ#1783046 + Related: RHBZ#1748987 + +* Mon Dec 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-3 +- Fix otptoken_sync plugin + Resolves: RHBZ#1777811 + +* Mon Dec 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-2 +- Use default crypto policy for TLS and enable TLS 1.3 support + Resolves: RHBZ#1777809 +- Covscan fixes + Resolves: RHBZ#1777920 +- Change pki_version to 10.8.0 + Related: RHBZ#1748987 + +* Thu Nov 28 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1 +- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) + Resolves: RHBZ#1767304 + Resolves: RHBZ#1776939 +- Support KDC ticket policies for authentication indicators + Resolves: RHBZ#1777564 + +* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.2-4 +- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() + Resolves: RHBZ#1767304 +- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch + Resolves: RHBZ#1776939 + +* Fri Nov 22 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-3 +- Use default ssh host key algorithms + Resolves: RHBZ#1756432 +- Do not run trust upgrade code if master lacks Samba bindings + Resolves: RHBZ#1757064 +- Finish group membership management UI + Resolves: RHBZ#1773528 + +* Mon Nov 18 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-2 +- Update dependency for bind-dndb-ldap to 11.2-2 + Related: RHBZ#1762813 + +* Thu Nov 14 2019 Thomas Woerner 
<twoerner@redhat.com> - 4.8.2-1 +- Rebase to upstream release 4.8.2 + - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 + - Updated branding patch + Resolves: RHBZ#1748987 + +* Thu Aug 29 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-10 +- Fix automount behavior with authselect + Resolves: RHBZ#1740167 + +* Mon Aug 19 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-9 +- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT + Resolves: RHBZ#1741530 + +* Thu Aug 15 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-8 +- FreeIPA 4.8.0 tarball lacks two update files that are in git + Resolves: RHBZ#1741170 + +* Tue Aug 13 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-7 +- Allow insecure binds for migration + Resolves: RHBZ#1731963 + +* Fri Aug 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-6 +- Fix --external-ca-profile not passed to CSR + Resolves: RHBZ#1731813 + +* Tue Jul 30 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-5 +- Remove posixAccount from service_find search filter + Resolves: RHBZ#1731437 +- Fix repeated uninstallation of ipa-client-samba crashes + Resolves: RHBZ#1732529 +- WebUI: Add PKINIT status field to 'Configuration' page + Resolves: RHBZ#1518153 + +* Tue Jul 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-4 +- Fix krb5-kdb-server -> krb5-kdb-version + Related: RHBZ#1700121 + +* Mon Jul 15 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-3 +- Make sure ipa-server depends on krb5-kdb-version to pick up + right MIT Kerberos KDB ABI + Related: RHBZ#1700121 +- User field separator uses '$$' within ipaSELInuxUserMapOrder + Fixes: RHBZ#1729099 + +* Wed Jul 3 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-2 +- Fixed kdcproxy_version to 0.4-3 +- Fixed krb5_version to 1.17-7 + Related: RHBZ#1684528 + +* Wed Jul 3 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-1 +- New upstream release 4.8.0 + - New subpackage: freeipa-client-samba + - Added command ipa-cert-fix with man page + - New 
sysconfdir sysconfig/certmonger +- Updated pki_version, certmonger_version, sssd_version and kdcproxy_version + Related: RHBZ#1684528 * Tue May 21 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90-3 - Fix upgrade issue with AD trust when no trust yet established