diff --git a/SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch b/SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch
new file mode 100644
index 0000000..caf5574
--- /dev/null
+++ b/SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch
@@ -0,0 +1,29 @@
+From 762573b429c4465aabde8d1a7d8b3bdaa1c3b15b Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Tue, 20 Dec 2016 23:29:22 +1000
+Subject: [PATCH] Set up DS TLS on replica in CA-less topology
+
+Fixes: https://fedorahosted.org/freeipa/ticket/6226
+Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
+---
+ ipaserver/install/dsinstance.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index c93b3b4ff58c4102a9de448247966ad3dd8e4e7c..1249a86d2c4c83eb9426885bfed8910aa3274d21 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -382,7 +382,9 @@ class DsInstance(service.Service):
+ 
+         if self.promote:
+             self.step("creating DS keytab", self.__get_ds_keytab)
+-            if self.ca_is_configured:
++            if self.pkcs12_info:
++                self.step("configuring ssl for ds instance", self.__enable_ssl)
++            else:
+                 self.step("retrieving DS Certificate", self.__get_ds_cert)
+             self.step("restarting directory server", self.__restart_instance)
+ 
+-- 
+2.9.3
+
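Review bot: In the `dsinstance.py` hunk the new `else:` branch queues `__get_ds_cert` whenever `pkcs12_info` is unset, whereas the old code did so only under `self.ca_is_configured`. A promoted replica with neither a PKCS#12 bundle nor a configured CA would now attempt certificate retrieval; whether that combination can be reached is not visible here. If the caller guarantees one of the two, say so in a comment above the branch, e.g. `# promote: either pkcs12_info (CA-less) or an IPA CA is always available here`; otherwise fail explicitly rather than leave the directory server without TLS. The enclosing method of `DsInstance` starts and ends outside the hunk.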
diff --git a/SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch b/SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch
new file mode 100644
index 0000000..f159361
--- /dev/null
+++ b/SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch
@@ -0,0 +1,63 @@
+From a9a9d67637c394ca1490e8e7df790c06b3480c56 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Wed, 18 Jan 2017 12:55:13 +0100
+Subject: [PATCH] wait_for_entry: use only DN as parameter
+
+Using the whole entry is not needed as parameter because only DN is used
+and it prevents easier usage of this function
+
+https://fedorahosted.org/freeipa/ticket/6588
+
+Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
+---
+ ipaserver/install/dogtaginstance.py | 2 +-
+ ipaserver/install/replication.py    | 6 ++----
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
+index b65628277d9e361a3ab5674dfd2689e258b1887b..2a2ab6fc7f90514013b5a6f368739c2f1706ed9b 100644
+--- a/ipaserver/install/dogtaginstance.py
++++ b/ipaserver/install/dogtaginstance.py
+@@ -470,7 +470,7 @@ class DogtagInstance(service.Service):
+                                       port=389,
+                                       protocol='ldap')
+         master_conn.do_sasl_gssapi_bind()
+-        replication.wait_for_entry(master_conn, entry)
++        replication.wait_for_entry(master_conn, entry.dn)
+         del master_conn
+ 
+     def __remove_admin_from_group(self, group):
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index 5f03ddeadfc515255509a1f49d3b38687e561b9f..be4de6dd0037a028bcaf1743be74a80855ba3541 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -150,7 +150,7 @@ def wait_for_task(conn, dn):
+     return exit_code
+ 
+ 
+-def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
++def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
+     """Wait for entry and/or attr to show up"""
+ 
+     filter = "(objectclass=*)"
+@@ -160,8 +160,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
+         attrlist.append(attr)
+     timeout += int(time.time())
+ 
+-    dn = entry.dn
+-
+     if not quiet:
+         sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr))
+         sys.stdout.flush()
+@@ -732,7 +730,7 @@ class ReplicationManager(object):
+             # that we will have to set the memberof fixup task
+             self.need_memberof_fixup = True
+ 
+-        wait_for_entry(a_conn, entry)
++        wait_for_entry(a_conn, entry.dn)
+ 
+     def needs_memberof_fixup(self):
+         return self.need_memberof_fixup
+-- 
+2.9.3
+
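Review bot: `wait_for_entry` keeps its positional shape but changes what the second argument means, so a caller left on the old convention would pass an entry object where a DN is now expected, and nothing in the visible lines rejects that. The patch updates the call sites in `dogtaginstance.py` and `ReplicationManager`; any other callers are outside this diff and should be checked before the patch is applied. The docstring should state the new contract, e.g. `"""Wait for the entry at dn (a DN, not an entry object) and/or attr to show up"""`. The function body continues outside the hunks.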
diff --git a/SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch b/SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
new file mode 100644
index 0000000..7c63b72
--- /dev/null
+++ b/SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
@@ -0,0 +1,45 @@
+From ea3848ae6729fda734ec60167129f4cae5253a44 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Wed, 18 Jan 2017 13:56:24 +0100
+Subject: [PATCH] Wait until HTTPS principal entry is replicated to replica
+
+Without HTTP principal the steps later fails.
+
+https://fedorahosted.org/freeipa/ticket/6588
+
+Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
+---
+ ipaserver/install/server/replicainstall.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index f54ff7da06c57b9c8251429cbdacc5c300805f84..2a1c290351d8ce1dade5eea2f67539659555af2e 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -36,7 +36,7 @@ from ipaserver.install import (
+ from ipaserver.install.installutils import (
+     create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
+ from ipaserver.install.replication import (
+-    ReplicationManager, replica_conn_check)
++    ReplicationManager, replica_conn_check, wait_for_entry)
+ import SSSDConfig
+ from subprocess import CalledProcessError
+ from binascii import hexlify
+@@ -86,6 +86,14 @@ def install_http_certs(config, fstore, remote_api):
+                                         config.master_host_name,
+                                         paths.IPA_KEYTAB,
+                                         force_service_add=True)
++    dn = DN(
++        ('krbprincipalname', principal),
++        api.env.container_service, api.env.basedn
++    )
++    conn = ipaldap.IPAdmin(realm=config.realm_name, ldapi=True)
++    conn.do_external_bind()
++    wait_for_entry(conn, dn)
++    conn.unbind()
+ 
+     # Obtain certificate for the HTTP service
+     nssdir = certs.NSS_DIR
+-- 
+2.9.3
+
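Review bot: The added `wait_for_entry(conn, dn)` call in `install_http_certs` cannot tell the installer whether the principal ever arrived, because the `replication.py` patch in this same update shows the function only logging on timeout or read error. With the default `timeout=7200` the install can block for up to two hours and then continue into the certificate request that the commit message says fails without the principal. Consider having `wait_for_entry` raise or return a status so this caller can abort with a clear error. The bind and wait should also be wrapped as `try: ... finally: conn.unbind()` so the LDAPI connection is closed if either call raises. The function body continues outside the hunk.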
diff --git a/SOURCES/0156-Use-proper-logging-for-error-messages.patch b/SOURCES/0156-Use-proper-logging-for-error-messages.patch
new file mode 100644
index 0000000..624d1ea
--- /dev/null
+++ b/SOURCES/0156-Use-proper-logging-for-error-messages.patch
@@ -0,0 +1,45 @@
+From 999042579802d0443307ed18e8bb0b993c102c95 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Wed, 18 Jan 2017 17:08:19 +0100
+Subject: [PATCH] Use proper logging for error messages
+
+https://fedorahosted.org/freeipa/ticket/6588r
+
+Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
+---
+ ipaserver/install/replication.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index be4de6dd0037a028bcaf1743be74a80855ba3541..1f437dad4ed850ebfd59fe9f72a5127df8f56f3e 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -171,7 +171,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
+         except errors.NotFound:
+             pass  # no entry yet
+         except Exception as e:  # badness
+-            print("\nError reading entry", dn, e)
++            root_logger.error("Error reading entry %s: %s", dn, e)
+             break
+         if not entry:
+             if not quiet:
+@@ -180,11 +180,13 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
+             time.sleep(1)
+ 
+     if not entry and int(time.time()) > timeout:
+-        print("\nwait_for_entry timeout for %s for %s" % (connection, dn))
++        root_logger.error(
++            "wait_for_entry timeout for %s for %s", connection, dn)
+     elif entry and not quiet:
+-        print("\nThe waited for entry is:", entry)
++        root_logger.error("The waited for entry is: %s", entry)
+     elif not entry:
+-        print("\nError: could not read entry %s from %s" % (dn, connection))
++        root_logger.error(
++            "Error: could not read entry %s from %s", dn, connection)
+ 
+ 
+ class ReplicationManager(object):
+-- 
+2.9.3
+
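Review bot: `root_logger.error("The waited for entry is: %s", entry)` reports the success path at error level and writes the whole entry to the install log. Elsewhere in this update the function is used to wait for a service principal entry; which attributes that entry carries is not visible here, so logging only the DN at a lower level is the safer default, e.g. `root_logger.debug("The waited for entry is: %s", dn)`. Separately, the `except Exception` branch still only logs and breaks, so callers cannot distinguish a found entry from a failed read. The function starts outside the hunks.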
diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
index 949554b..e7d7586 100644
--- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
+++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,4 +1,4 @@
-From 4651261af43a311d23efa759e61143a6413c5dc5 Mon Sep 17 00:00:00 2001
+From 0ae346b514a1bd093c8ae6166f206138a5035efa Mon Sep 17 00:00:00 2001
 From: Martin Kosek <mkosek@redhat.com>
 Date: Fri, 5 Sep 2014 11:24:27 +0200
 Subject: [PATCH] Hide pkinit functionality from production version
@@ -174,10 +174,10 @@ index b33b0243d4d909a561b59d93f0014c390146b333..c292c4d24bfde1484769698ee2a7ef59
      subject = Knob(BaseServerCA.subject)
      ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm)
 diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index f54ff7da06c57b9c8251429cbdacc5c300805f84..7695adf0d537237b24660e8871011f04f242e744 100644
+index 2a1c290351d8ce1dade5eea2f67539659555af2e..aaa56c4691ae47d764d86b627df913c5e320c411 100644
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -1587,7 +1587,6 @@ class Replica(BaseServer):
+@@ -1595,7 +1595,6 @@ class Replica(BaseServer):
      mkhomedir = Knob(BaseServer.mkhomedir)
      no_host_dns = Knob(BaseServer.no_host_dns)
      no_ntp = Knob(BaseServer.no_ntp)
diff --git a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
index e06d7ff..899cd0b 100644
--- a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From d9499d8d1a40b96e40c956dca25464fc129a9dec Mon Sep 17 00:00:00 2001
+From 9095fee099069989d93bcb62a4bf6f8e259e4099 Mon Sep 17 00:00:00 2001
 From: Martin Kosek <mkosek@redhat.com>
 Date: Fri, 5 Sep 2014 11:46:59 +0200
 Subject: [PATCH] Change branding to IPA and Identity Management
@@ -736,10 +736,10 @@ index c292c4d24bfde1484769698ee2a7ef59a6fcc52c..101af640d2a990d4f4f99ad2c0bb0826
      print("This includes:")
      if setup_ca:
 diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 7695adf0d537237b24660e8871011f04f242e744..582df08094335554edffaed21bcaf4ab5a74e899 100644
+index aaa56c4691ae47d764d86b627df913c5e320c411..ad7164c5e2774e448742e6416e40fe9af2dcac83 100644
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -673,7 +673,7 @@ def install_check(installer):
+@@ -681,7 +681,7 @@ def install_check(installer):
          above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
  
          if under_lower_bound or above_upper_bound:
diff --git a/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
new file mode 100644
index 0000000..aed3a5a
--- /dev/null
+++ b/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
@@ -0,0 +1,42 @@
+From e4cee2aa50396b18713092ba7f4a9b4f232a3ea0 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 13 Jan 2017 20:33:45 +1000
+Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
+
+CAs consist of a FreeIPA and a corresponding Dogtag object.  When
+executing ca-del, ca-enable and ca-disable, changes are made to the
+Dogtag object.  In the case of ca-del, the corresponding FreeIPA
+object is deleted after the Dogtag CA is deleted.
+
+These operations were not correctly authorised; the FreeIPA
+permissions are not checked before the Dogtag operations are
+executed.  This allows any user to delete, enable or disable a
+lightweight CA (except the main IPA CA, for which there are
+additional check to prevent deletion or disablement).
+
+Add the proper authorisation checks to the ca-del, ca-enable and
+ca-disable commands.
+---
+ ipaserver/plugins/ca.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
+index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
+--- a/ipaserver/plugins/ca.py
++++ b/ipaserver/plugins/ca.py
+@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
+     def pre_callback(self, ldap, dn, *keys, **options):
+         ca_enabled_check()
+ 
++        # ensure operator has permission to delete CA
++        # before contacting Dogtag
++        if not ldap.can_delete(dn):
++            raise errors.ACIError(info=_(
++                "Insufficient privilege to delete a CA."))
++
+         if keys[0] == IPA_CA_CN:
+             raise errors.ProtectedEntryError(
+                 label=_("CA"),
+-- 
+2.9.3
+
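Review bot: The commit message says authorisation checks are added to ca-del, ca-enable and ca-disable, but the diffstat is six insertions in one file and the only hunk touches `ca_del.pre_callback`. If `ca_enable` and `ca_disable` exist in this 4.4.0 branch, they are still unchecked after this patch. If they do not, the message should say that only ca-del applies here, so that the CVE-2017-2590 changelog entry is not read as covering all three commands. A regression test that runs ca-del as an unprivileged user and expects `ACIError` would pin the fix. `pre_callback` continues outside the hunk.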
diff --git a/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch b/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
new file mode 100644
index 0000000..1838e70
--- /dev/null
+++ b/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
@@ -0,0 +1,63 @@
+From 1de12ed5ec503708454e76227d646e4bd63802f7 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 12 Jan 2017 18:17:15 +0100
+Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
+
+When ipa-server-install configures PKI, it provides a configuration file
+with the parameter pki_ajp_host set to ::1. This parameter is used to configure
+Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
+    <Connector port="8009"
+            protocol="AJP/1.3"
+            redirectPort="8443"
+            address="::1" />
+ie all requests to port 8009 are redirected to port 8443 on address ::1.
+
+If the /etc/hosts config file does not define ::1 for localhost, then AJP
+redirection fails and replica install is not able to request a certificate
+for the replica.
+
+Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
+redirection with "localhost", FreeIPA does not need any more to override
+this setting.
+
+https://fedorahosted.org/freeipa/ticket/6575
+
+Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
+---
+ freeipa.spec.in                 | 4 ++--
+ ipaserver/install/cainstance.py | 4 ----
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -159,8 +159,8 @@ Requires(post): systemd-units
+ Requires: selinux-policy >= %{selinux_policy_version}
+ Requires(post): selinux-policy-base >= %{selinux_policy_version}
+ Requires: slapi-nis >= %{slapi_nis_version}
+-Requires: pki-ca >= 10.3.4
+-Requires: pki-kra >= 10.3.4
++Requires: pki-ca >= 10.3.5-11
++Requires: pki-kra >= 10.3.5-11
+ Requires(preun): python systemd-units
+ Requires(postun): python systemd-units
+ Requires: zip
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
+             config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
+             config.set("CA", "pki_external_step_two", "True")
+ 
+-        # PKI IPv6 Configuration
+-        config.add_section("Tomcat")
+-        config.set("Tomcat", "pki_ajp_host", "::1")
+-
+         # Generate configuration file
+         with open(cfg_file, "wb") as f:
+             config.write(f)
+-- 
+2.9.3
+
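Review bot: Dropping the `pki_ajp_host` override in `cainstance.py` leaves the AJP connector address entirely to the PKI default, so the change is only safe when the installed PKI carries the fix the message cites (PKI ticket 2570). The embedded `freeipa.spec.in` hunk requires `pki-ca >= 10.3.5-11`, while the `SPECS/ipa.spec` change in this same update requires `pki-ca >= 10.3.3-17`; confirm that the downstream 10.3.3-17 build contains the backported default. With an older PKI the connector address is whatever that version ships, which is not visible here, and the AJP listener should stay bound to loopback. The enclosing method of `CAInstance` starts and ends outside the hunk.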
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index be4fd8b..ad0a7d6 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -43,7 +43,7 @@
 
 Name:           ipa
 Version:        4.4.0
-Release:        14%{?dist}.4
+Release:        14%{?dist}.6
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -51,10 +51,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -211,6 +211,10 @@ Patch0149:      0149-Check-for-conflict-entries-before-raising-domain-lev.patch
 Patch0150:      0150-certprofile-mod-correctly-authorise-config-update.patch
 Patch0151:      0151-password-policy-Add-explicit-default-password-policy.patch
 Patch0152:      0152-ipa-kdb-search-for-password-policies-globally.patch
+Patch0153:      0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch
+Patch0154:      0154-wait_for_entry-use-only-DN-as-parameter.patch
+Patch0155:      0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
+Patch0156:      0156-Use-proper-logging-for-error-messages.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -222,7 +226,8 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
 Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
-Patch1011:      ipa-centos-branding.patch
+Patch1011:      1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
+Patch1012:      1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -342,8 +347,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.3-7
-Requires: pki-kra >= 10.3.3-7
+Requires: pki-ca >= 10.3.3-17
+Requires: pki-kra >= 10.3.3-17
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
@@ -802,10 +807,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 
@@ -1541,8 +1546,21 @@ fi
 
 
 %changelog
-* Tue Jan 17 2017 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos.4
-- Roll in CentOS Branding
+* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.6
+- Resolves: #1416488 replication race condition prevents IPA to install
+  - wait_for_entry: use only DN as parameter
+  - Wait until HTTPS principal entry is replicated to replica
+  - Use proper logging for error messages
+
+* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.5
+- Resolves: #1410760 ipa-ca-install fails on replica when IPA Master is
+  installed without CA
+  - Set up DS TLS on replica in CA-less topology
+- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for
+  ca-del, ca-disable and ca-enable commands
+  - ca: correctly authorise ca-del, ca-enable and ca-disable
+- Resolves: #1416481 IPA replica install fails with dirsrv errors.
+  - Do not configure PKI ajp redirection to use "::1"
 
 * Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.4
 - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services