[El-errata] ELBA-2018-1985 Oracle Linux 7 ipa bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Jun 27 11:38:35 PDT 2018

Oracle Linux Bug Fix Advisory ELBA-2018-1985


The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Blank out header-logo.png product-name.png
- Replace login-screen-logo.png [20362818]

- Resolves: #1579190 Improve Custodia client and key distribution handling
   - Use single Custodia instance in installers

- Resolves: #1579189 nsds5ReplicaReleaseTimeout should be set by default
   - Add nsds5ReplicaReleaseTimeout to replica config
   - Fix upgrade (update_replica_config) in single master mode
- Resolves: #1579190 Improve Custodia client and key distribution handling
   - Use single Custodia instance in installers
- Resolves: #1579203 4.5.0 -> 4.5.4 upgrade breaks in 
ipa-server-upgrade: No such file or directory: 
   - Don't try to backup CS.cfg during upgrade if CA is not configured

- Resolves: #1565519 Clarify the need to restart services in 
   - Add a notice to restart ipa services after certs are installed
- Resolves: #1564390 OTP and Radius Authentication does not work in FIPS 
   - Fix OTP validation in FIPS mode
   - Increase the default token key size
   - Revert "Don't allow OTP or RADIUS in FIPS mode"
   - Log errors from NSS during FIPS OTP key import
- Resolves: #1565520 ipa client pointing to replica shows KDC has no 
support for encryption type
   - ipa-replica-install: make sure that certmonger picks the right master
- Resolves: #1565605 DNS records updated with all IPAddresses of an 
interface when IPA server/replica try to install with Specific IP 
address of that interface
   - replica-install: pass --ip-address to client install

- Resolves: #1540361 ipa-advise for smartcards is out-of-date
   - ipa-advise for smartcards updated

- Resolves: #1458169 --force-join option is not mentioned in 
ipa-replica-install man page
   - Add --force-join into ipa-replica-install manpage
- Resolves: #1457876 ipa-backup fails silently
   - Changed ownership of ldiffile to DS_USER
- Resolves: #1409786 Second phase of --external-ca ipa-server-install 
setup fails when dirsrv is not running
   - Checks if Dir Server is installed and running before IPA installation
- Resolves: #1452086 Pagination Size under Customization in IPA WebUI 
accepts negative values
   - WebUI: Add positive number validator
   - WebUI: change validator of page size settings
   - WebUI: fix jslint error

- Resolves: #1477531 Incorrect attribute level rights 
(ipaallowedtoperform) of service object
   - WebUI: make keytab tables on service and host pages writable
- Resolves: #1529444 ObjectclassViolation seen while adding idview with 
domain-resolution-order option
   - Idviews: fix objectclass violation on idview-add
- Resolves: #1451576 ipa cert-request failed to generate certificate 
from csr
   - Fixing the cert-request comparing whole email address case-sensitively.

- Resolves: #1421869 Unable to re-add broken AD trust - Unexpected 
Information received
   - adtrust: filter out subdomains when defining our topology to AD
- Resolves: #1486286 IPA failing to authenticate via password+OTP on 
RHEL7.4 with fips enabled
   - Don't allow OTP or RADIUS in FIPS mode
- Resolves: #1494226 IPA User Details not being displayed in WebUI
   - Fix cert-find for CA-less installations
- Resolves: #1498387 389-ds-base crashed as part of ipa-server-intall in 
   - 389-ds-base crashed as part of ipa-server-intall in ipa-uuid
- Resolves: #1503022 ipa-getkeytab man page should have more details 
about consequences of krb5 key renewal
   - ipa-getkeytab man page: add more details about the -r option
- Resolves: #1509288 IPA trust-add internal error (expected 
security.dom_sid got None)
   - ipaserver/plugins/trust.py; fix some indenting issues
   - trust: detect and error out when non-AD trust with IPA domain name 
   - ipaserver/plugins/trust.py: pep8 compliance
- Resolves: #1511019 ipa-restore broken with python2
   - Fix ipa-restore (python2)
- Resolves: #1511607 ipa-backup does not backup Custodia keys and files
   - Backup ipa-custodia conf and keys
- Resolves: #1512482 kra install fails after ipa cert renewed
   - Don't use admin cert during KRA installation
   - Prevent set_directive from clobbering other keys
   - pep8: reduce line lengths in CAInstance.__enable_crl_publish
   - installutils: refactor set_directive
   - Add tests for installutils.set_directive
   - Add safe DirectiveSetter context manager
   - Old pylint doesn't support bad python3 option
- Resolves: #1514163 CA less IPA install with external certificates 
fails on RHEL 7 in FIPS mode
   - Fix ca less IPA install on fips mode

- Resolves: #1520279 - rebuild against samba 4.7

- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads
- Resolves: #1378892 host-find slowness caused by missing host 
attributes in index

- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree.
   - ldap: limit the retro changelog to dns subtree
- Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead
   - Include the CA basic constraint in CSRs when renewing a CA
- Resolves: #1493145 ipa-replica-install might fail because of an already
   existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
   - Checks if replica-s4u2proxy.ldif should be applied
- Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default
   - ds: ignore time skew during initial replication step
   - ipa-replica-manage: implicitly ignore initial time skew in force-sync
- Resolves: #1500218 Replica installation at domain-level 0 fails against
   upgraded ipa-server
   - Fix ipa-replica-conncheck when called with --principal
- Resolves: #1506188 server-del doesn't remove dns-server configuration
   from ldap

- Drop workaround for building on AArch64 (#1482244)
- Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485)

- Resolves: #1461177 ipa-otptoken-import  - XML file is missing PBKDF2
- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during
   search in cn=ad, cn=trusts,dc=example,dc=com
- Resolves: #1467887 iommu platform support for ipxe
- Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to
   validate message: Incorrect number of results (0) searching forpublic 
key for
- Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to
- Resolves: #1480102 ipa-server-upgrade failes with "This entry already
- Resolves: #1482802 Unable to set ca renewal master on replica
- Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found
- Resolves: #1484826 FreeIPA/IdM installations which were upgraded from
   versions with 389 DS prior to doesn't have whomai plugin 
enabled and
   thus startup of Web UI fails
- Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back
   to self-signed CA
- Resolves: #1469246 Replica install fails to configure IPA-specific
   temporary files/directories
- Resolves: #1469480 bind package is not automatically updated during
   ipa-server upgrade process
- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new
   installs only)
- Resolves: #1477703 IPA upgrade fails for latest ipa package

- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in
- Resolves: #1470177 - Rebase IPA to latest 4.5.x version
- Resolves: #1398594 ipa topologysuffix-verify should only warn about
   maximum number of replication agreements.
- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based"
   to "Host-Based" and "Role-Based"
- Resolves: #1409786 Second phase of --external-ca ipa-server-install
   setup fails when dirsrv is not running
- Resolves: #1451576 ipa cert-request failed to generate certificate 
from csr
- Resolves: #1452086 Pagination Size under Customization in IPA WebUI
   accepts negative values
- Resolves: #1458169 --force-join option is not mentioned in
   ipa-replica-install man page
- Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower 
- Resolves: #1478322 user-show command fails when sizelimit is configured
   to number <= number of entity which is user member of
- Resolves: #1496775 Enterprise principals should be able to trigger
   a refresh of the trusted domain data in the KDC
- Resolves: #1502533 Changing cert-find to go through the proxy
   instead of using the port 8080
- Resolves: #1502663 pkinit-status command fails after an upgrade from
   a pre-4.5 IPA
- Resolves: #1498168 Error when trying to modify a PTR record
- Resolves: #1457876 ipa-backup fails silently
- Resolves: #1493531 In case full PKINIT configuration is failing during
   server/replica install the error message should be more meaningful.
- Resolves: #1449985 Suggest CA installation command in KRA installation

- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports
   expecting IPA services listening on IPv6 ports
     - Make sure upgrade also checks for IPv6 stack
     - control logging of host_port_open from caller
     - log progress of wait_for_open_ports
- Resolves: #1477243 ipa help command returns traceback when no cache
   is present
     - Store help in Schema before writing to disk
     - Disable pylint in get_help function because of type confusion.

- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to
   validate message: Incorrect number of results (0) searching forpublic
   key for host
     - Always check peer has keys before connecting
- Resolves: #1482802 - Unable to set ca renewal master on replica
     - Fix ipa config-mod --ca-renewal-master
- Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching
   back to self-signed CA
     - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca)
- Resolves: #1480102 - ipa-server-upgrade failes with "This entry 
already exists"
     - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry 
already exists
- Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from
   versions with 389 DS prior to doesn't have whomai plugin 
enabled and
   thus startup of Web UI fails
     - Adds whoami DS plugin in case that plugin is missing
- Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 
4.4 to 4.5
     - Fixing how sssd.conf is updated when promoting a client to replica
- Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2
     - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
- Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not 
     - Backport 4-5: Fix ipa-server-upgrade with server cert tracking

- Resolves: #1477703 IPA upgrade fails for latest ipa package
     - Restore old version of caIPAserviceCert for upgrade only

- Resolves: #1475238 Use CommonNameToSANDefault in default profile
   (new installs only)
   - Restore old version of caIPAserviceCert for upgrade only

- Resolves: #1455946 Provide a tooling automating the configuration
   of Smart Card authentication on a FreeIPA master
   - smart-card advises: configure systemwide NSS DB also on master
   - smart-card advises: add steps to store smart card signing CA cert
   - Allow to pass in multiple CA cert paths to the smart card advises
   - add a class that tracks the indentation in the generated advises
   - delegate the indentation handling in advises to dedicated class
   - advise: add an infrastructure for formatting Bash compound statements
   - delegate formatting of compound Bash statements to dedicated classes
   - Fix indentation of statements in Smart card advises
   - Use the compound statement formatting API for configuring PKINIT
   - smart card advises: use a wrapper around Bash `for` loops
   - smart card advise: use password when changing trust flags on HTTP cert
   - smart-card-advises: ensure that krb5-pkinit is installed on client
- Resolves: #1475238 Use CommonNameToSANDefault in default profile
   (new installs only)
   - Add CommonNameToSANDefault to default cert profile
- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s
   during search in cn=ad,cn=trusts,dc=example,dc=com
   - NULL LDAP context in call to ldap_search_ext_s during search

- Resolves: #1469246 Replica install fails to configure IPA-specific
   temporary files/directories
   - replica install: drop-in IPA specific config to tmpfiles.d
- Resolves: #1469480 bind package is not automatically updated during
   ipa-server upgrade process
   - Bumped Required version of bind-dyndb-ldap and bind package

- Resolves: #1452216 Replica installation grants HTTP principal
   access in WebUI
   - Make sure we check ccaches in all rpcserver paths

- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL
   internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
   - ipa-sam: replace encode_nt_key() with E_md4hash()
   - ipa_pwd_extop: do not generate NT hashes in FIPS mode
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
   IP address is not found on local interfaces
   - Fix local IP address validation
   - ipa-dns-install: remove check for local ip address
   - refactor CheckedIPAddress class
   - CheckedIPAddress: remove match_local param
   - Remove ip_netmask from option parser
   - replica install: add missing check for non-local IP address
   - Remove network and broadcast address warnings

- Resolves: #1449189 ipa-kra-install timeouts on replica
   - kra: promote: Get ticket before calling custodia

- Resolve: #1455946 Provide a tooling automating the configuration
   of Smart Card authentication on a FreeIPA master
   - server certinstall: update KDC master entry
   - pkinit manage: introduce ipa-pkinit-manage
   - server upgrade: do not enable PKINIT by default
   - Extend the advice printing code by some useful abstractions
   - Prepare advise plugin for smart card auth configuration
- Resolve: #1461053 allow to modify list of UPNs of a trusted forest
   - trust-mod: allow modifying list of UPNs of a trusted forest
   - WebUI: add support for changing trust UPN suffixes

- Resolves: #1377973 ipa-server-install fails when the provided or resolved
   IP address is not found on local interfaces
   - Only warn when specified server IP addresses don't match intf
- Resolves: #1438016 gssapi errors after IPA server upgrade
   - Bump version of python-gssapi
- Resolves: #1457942 certauth: use canonical principal for lookups
   - ipa-kdb: use canonical principal in certauth plugin
- Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid
   breaking older clients
   - Add code to be able to set default kinit lifetime
   - Revert setting sessionMaxAge for old clients

- Resolves: #1442233 IPA client commands fail when pointing to replica
   - httpinstance: wait until the service entry is replicated
- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then
   not indexed
   - Fix index definition for ipaAnchorUUID
- Resolves: #1438016 gssapi errors after IPA server upgrade
   - Avoid possible endless recursion in RPC call
   - rpc: preparations for recursion fix
   - rpc: avoid possible recursion in create_connection
- Resolves: #1446087 services entries missing krbCanonicalName attribute.
   - Changing cert-find to do not use only primary key to search in LDAP.
- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers
   - ipa-kdb: reload certificate mapping rules periodically
- Resolves: #1455541 after upgrade login from web ui breaks
   - kdc.key should not be visible to all
- Resolves: #1435606 Add pkinit_indicator option to KDC configuration
   - ipa-kdb: add pkinit authentication indicator in case of a successful
- Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate
   issuance when ipa-ca records are not resolvable
   - Turn off OCSP check
- Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 -
   server_del - TypeError: 'NoneType' object is not iterable
   - fix incorrect suffix handling in topology checks

- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to
   handle PKINIT certificates/anchors
   - certdb: add named trust flag constants
   - certdb, certs: make trust flags argument mandatory
   - certdb: use custom object for trust flags
   - install: trust IPA CA for PKINIT
   - client install: fix client PKINIT configuration
   - install: introduce generic Kerberos Augeas lens
   - server install: fix KDC PKINIT configuration
   - ipapython.ipautil.run: Add option to set umask before executing command
   - certs: do not export keys world-readable in install_key_from_p12
   - certs: do not export CA certs in install_pem_from_p12
   - server install: fix KDC certificate validation in CA-less
   - replica install: respect --pkinit-cert-file
   - cacert manage: support PKINIT
   - server certinstall: support PKINIT
- Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file
   - certs: do not export CA certs in install_pem_from_p12
   - server install: fix KDC certificate validation in CA-less
- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been
   - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
- Resolves: #1451712 KRA installation fails on server that was originally
   installed as CA-less
   - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
- Resolves: #1441499 ipa cert-show does not raise error if no file name
   - ca/cert-show: check certificate_out in options
- Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 
   - Remove pkinit-anonymous command
- Resolves: #1449523 Provide an API command to retrieve PKINIT status
   in the FreeIPA topology
   - Allow for multivalued server attributes
   - Refactor the role/attribute member reporting code
   - Add an attribute reporting client PKINIT-capable servers
   - Add the list of PKINIT servers as a virtual attribute to global config
   - Add `pkinit-status` command
   - test_serverroles: Get rid of MockLDAP and use ldap2 instead
- Resolves: #1452216 Replica installation grants HTTP principal access 
in WebUI
   - Fix rare race condition with missing ccache file
- Resolves: #1455045 Simple service uninstallers must be able to handle
   missing service files gracefully
   - only stop/disable simple service if it is installed
- Resolves: #1455541 after upgrade login from web ui breaks
   - krb5: make sure KDC certificate is readable
- Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on 
   command "ipa cert-request --add" after upgrade
   - Change python-cryptography to python2-cryptography

- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 
   error observed during ipa upgrade with latest package.
   - ipa-server-install: fix uninstall
- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break
   - ca install: merge duplicated code for DM password
   - installutils: add DM password validator
   - ca, kra install: validate DM password

- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy
   - python2-ipalib: add missing python dependency
   - installer service: fix typo in service entry
   - upgrade: add missing suffix to http instance
- Resolves: #1444791 Update man page of ipa-kra-install
   - ipa-kra-install manpage: document domain-level 1
- Resolves: #1441493 ipa cert-show raises stack traces when
   - cert-show: writable files does not mean dirs
- Resolves: #1441192 Add the name of URL parameter which will be check for
   username during cert login
   - Bump version of ipa.conf file
- Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login
   - Turn on NSSOCSP check in mod_nss conf
- Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting
   template on
   - renew agent: respect CA renewal master setting
   - server upgrade: always fix certmonger tracking request
   - cainstance: use correct profile for lightweight CA certificates
   - renew agent: allow reusing existing certs
   - renew agent: always export CSR on IPA CA certificate renewal
   - renew agent: get rid of virtual profiles
   - ipa-cacert-manage: add --external-ca-type
- Resolves: #1441593 error adding authenticator indicators to host
   - Fixing adding authenticator indicators to host
- Resolves: #1449525 Set directory ownership in spec file
   - Added plugins directory to ipaclient subpackages
   - ipaclient: fix missing RPM ownership
- Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
   - otptoken-add-yubikey: When --digits not provided use default value

- Resolves: #1449189 ipa-kra-install timeouts on replica
   - ipa-kra-install: fix check_host_keys

- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to
   validate message: Incorrect number of results (0) searching forpublic 
key for
   - Make sure remote hosts have our keys
- Resolves: #1442815 Replica install fails during migration from older IPA
   - Refresh Dogtag RestClient.ca_host property
   - Remove the cachedproperty class
- Resolves: #1444787 Update warning message when KRA installation fails
   - kra install: update installation failure message
- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode
   - ipa-server-install with external CA: fix pkinit cert issuance
- Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition()
   must use FreeIPA CA
   - kerberos session: use CA cert with full cert chain for obtaining cookie
- Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors
   - ipa-client-install: remove extra space in pkinit_anchors definition
- Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade
   - Use proper SELinux context with http.keytab

- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with
   certificates on smart cards (pkinit)
   - spec file: bump krb5 Requires for certauth fixes
- Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' 
   is used
   - separate function to set ipaConfigString values on service entry
   - Allow for configuration of all three PKINIT variants when deploying KDC
   - API for retrieval of master's PKINIT status and publishing it in LDAP
   - Use only anonymous PKINIT to fetch armor ccache
   - Stop requesting anonymous keytab and purge all references of it
   - Use local anchor when armoring password requests
   - Upgrade: configure local/full PKINIT depending on the master status
   - Do not test anonymous PKINIT after install/upgrade
- Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust.
   update_tdo_gidnumber: ERROR Default SMB Group not found
   - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is
- Resolves: #1442932 ipa restore fails to restore IPA user
   - restore: restart/reload gssproxy after restore
- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode
   - Fix CA/server cert validation in FIPS
- Resolves: #1444947 Deadlock between topology and schema-compat plugins
   - compat-manage: behave the same for all users
   - Move the compat plugin setup at the end of install
   - compat: ignore cn=topology,cn=ipa,cn=etc subtree
- Resolves: #1445358 ipa vault-add raises TypeError
   - vault: piped input for ipa vault-add fails
- Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault
   - Vault: Explicitly default to 3DES CBC
- Resolves: #1445432 uninstall ipa client automount failed with 
   - automount install: fix checking of SSSD functionality on uninstall
- Resolves: #1446137 pki_client_database_password is shown in
   - Hide PKI Client database password in log file

- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade
   - Fix CAInstance.import_ra_cert for empty passwords

- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA
   WebUI is slow to display user details page
   - cert: defer cert-find result post-processing
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit
   helper when installing replica
   - server-install: No double Kerberos install
- Resolves: #1437502 ipa-replica-install fails with requirement to
   use --force-join that is a client install option.
   - Add the force-join option to replica install
   - replicainstall: better client install exception handling
- Resolves: #1437953 Server CA-less impossible option check
   - server-install: remove broken no-pkinit check
- Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies
   - Add debug log in case cookie retrieval went wrong
- Resolves: #1441548 ipa server install fails with --external-ca option
   - ext. CA: correctly write the cert chain
- Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance
   - Fix CA-less to CA-full upgrade
- Resolves: #1442133 Do not link libkrad, liblber, libldap_r and
   libsss_nss_idmap to every binary in IPA
   - configure: fix AC_CHECK_LIB usage
- Resolves: #1442815 Replica install fails during migration from older IPA
   - Fix RA cert import during DL0 replication
- Related: #1442004 Building IdM/FreeIPA internally on all architectures -
   filtering unsupported packages
   - Build all subpackages on all architectures

- Resolves: #1382053 Need to have validation for idrange names
   - idrange-add: properly handle empty --dom-name option
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit
   helper when installing replica
   - dsinstance: reconnect ldap2 after DS is restarted by certmonger
   - httpinstance: avoid httpd restart during certificate request
   - dsinstance, httpinstance: consolidate certificate request code
   - install: request service certs after host keytab is set up
   - renew agent: revert to host keytab authentication
   - renew agent, restart scripts: connect to LDAP after kinit
- Resolves: #1436987 ipasam: gidNumber attribute is not created in the 
   domain entry
   - ipa-sam: create the gidNumber attribute in the trusted domain entry
   - Upgrade: add gidnumber to trusted domain entry
- Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException:
   Incorrect client security database password
   - Add pki_pin only when needed
- Resolves: #1438348 Console output message while adding trust should be
   mapped with texts changed in Samba.
   - ipaserver/dcerpc: unify error processing
- Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid
   'Credentials': Missing credentials for cross-forest communication
   - trust: always use oddjobd helper for fetching trust information
- Resolves: #1441192 Add the name of URL parameter which will be check for
   username during cert login
   - WebUI: cert login: Configure name of parameter used to pass username
- Resolves: #1437879 [copr] Replica install failing
   - Create system users for FreeIPA services during package installation
- Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install
   - Fix s4u2self with adtrust

- Resolves: #1318186 Misleading error message during external-ca IPA master
   - httpinstance: make sure NSS database is backed up
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with 
   CA certificate chain in ... incomplete"
   - httpinstance: make sure NSS database is backed up
- Resolves: #1393726 Enumerate all available request type options in ipa
   cert-request help
   - Hide request_type doc string in cert-request help
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
   - spec file: bump libsss_nss_idmap-devel BuildRequires
   - server: make sure we test for sss_nss_getlistbycert
- Resolves: #1437378 ipa-adtrust-install produced an error and failed on
   starting smb when hostname is not FQDN
   - adtrust: make sure that runtime hostname result is consistent with the
- Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous
   - Always check and create anonymous principal during KDC install
   - Remove duplicate functionality in upgrade
- Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous
   principal for PKINIT
   - Upgrade: configure PKINIT after adding anonymous principal
   - Remove unused variable from failed anonymous PKINIT handling
   - Split out anonymous PKINIT test to a separate method
   - Ensure KDC is propery configured after upgrade
- Resolves: #1437951 Remove pkinit-related options from 
   on DL0
   - Fix the order of cert-files check
   - Don't allow setting pkinit-related options on DL0
   - replica-prepare man: remove pkinit option refs
   - Remove redundant option check for cert files
- Resolves: #1438490 CA-less installation fails on publishing CA certificate
   - Get correct CA cert nickname in CA-less
   - Remove publish_ca_cert() method from NSSDatabase
- Resolves: #1438838 Avoid arch-specific path in 
   - IPA-KDB: use relative path in ipa-certmap config snippet
- Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute
   - Allow erasing ipaDomainResolutionOrder attribute

- Resolves: #1434032 Run ipa-custodia with custom SELinux context
   - Require correct custodia version

- Resolves: #800545 [RFE] Support SUDO command rename
   - Reworked the renaming mechanism
   - Allow renaming of the sudorule objects
- Resolves: #872671 IPA WebUI login for AD Trusted User fails
   - WebUI: check principals in lowercase
   - WebUI: add method for disabling item in user dropdown menu
   - WebUI: Add support for login for AD users
- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with
   certificates on smart cards (pkinit)
   - ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
   - IPA certauth plugin
   - ipa-kdb: do not depend on certauth_plugin.h
   - spec file: bump krb5-devel BuildRequires for certauth
- Resolves: #1264370 RFE: disable last successful authentication by 
default in
   - Set "KDC:Disable Last Success" by default
- Resolves: #1318186 Misleading error message during external-ca IPA master
   - certs: do not implicitly create DS pin.txt
   - httpinstance: clean up /etc/httpd/alias on uninstall
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with 
   CA certificate chain in ... incomplete"
   - certs: do not implicitly create DS pin.txt
   - httpinstance: clean up /etc/httpd/alias on uninstall
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
   - configure: fix --disable-server with certauth plugin
   - rpcserver.login_x509: Actually return reply from __call__ method
   - spec file: Bump requires to make Certificate Login in WebUI work
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
   - extdom: do reverse search for domain separator
   - extdom: improve cert request
- Resolves: #1430363 [RFE] HBAC rule names command rename
   - Reworked the renaming mechanism
   - Allow renaming of the HBAC rule objects
- Resolves: #1433082 systemctl daemon-reload needs to be called after
   httpd.service.d/ipa.conf is manipulated
   - tasks: run `systemctl daemon-reload` after httpd.service.d updates
- Resolves: #1434032 Run ipa-custodia with custom SELinux context
   - Use Custodia 0.3.1 features
- Resolves: #1434384 RPC client should use HTTP persistent connection
   - Use connection keep-alive
   - Add debug logging for keep-alive
   - Increase Apache HTTPD's default keep alive timeout
- Resolves: #1434729 man ipa-cacert-manage install needs clarification
   - man ipa-cacert-manage install needs clarification
- Resolves: #1434910 replica install against IPA v3 master fails with 
   - Fixing replica install: fix ldap connection in domlvl 0
- Resolves: #1435394 Ipa-kra-install fails with weird output when 
backspace is
   used during typing Directory Manager password
   - ipapython.ipautil.nolog_replace: Do not replace empty value
- Resolves: #1435397 ipa-replica-install can't install replica file 
produced by
   ipa-replica-prepare on 4.5
   - replica prepare: fix wrong IPA CA nickname in replica file
- Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if
   KRA is not installed
   - WebUI: Fix showing vault in selfservice view
- Resolves: #1435718 As a ID user I cannot call a command with --rights 
   - ldap2: use LDAP whoami operation to retrieve bind DN for current 
- Resolves: #1436319 "Truncated search results" pop-up appears in user 
   in WebUI
   - WebUI: Add support for suppressing warnings
   - WebUI: suppress truncation warning in select widget
- Resolves: #1436333 Uninstall fails with No such file or directory:
   - Create temporaty directories at the begining of uninstall
- Resolves: #1436334 WebUI: Adding certificate mapping data using 
   - WebUI: Allow to add certs to certmapping with CERT LINES around
- Resolves: #1436338 CLI doesn't work after ipa-restore
   - Backup ipa-specific httpd unit-file
   - Backup CA cert from kerberos folder
- Resolves: #1436342 Bump samba version, required for FIPS mode and 
   - Bump samba version for FIPS and priv. separation
- Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth 
exceeded" with
   ipa vault commands
   - Avoid growing FILE ccaches unnecessarily
   - Handle failed authentication via cookie
   - Work around issues fetching session data
   - Prevent churn on ccaches
- Resolves: #1436657 Add workaround for pki_pin for FIPS
   - Generate PIN for PKI to help Dogtag in FIPS
- Resolves: #1436714 [vault] cache KRA transport cert
   - Simplify KRA transport cert cache
- Resolves: #1436723 cert-find does not find all certificates without
   - cert: do not limit internal searches in cert-find
- Resolves: #1436724 Renewal of IPA RA fails on replica
   - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
- Resolves: #1436753 Master tree fails to install
   - httpinstance.disable_system_trust: Don't fail if module 'Root 
Certs' is not

- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient
   - Remove csrgen
- Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets
   - Add options to allow ticket caching

- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install
- Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in
- Resolves: #1286288 Insufficient 'write' privilege to the 
- Resolves: #1321652 ipa-server-install fails when using external 
   that encapsulate RDN components in double quotes
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on
   revocation reasons
- Resolves: #1340880 ipa-server-install: improve prompt on interactive
- Resolves: #1353841 ipa-replica-install fails to install when resolv.conf
   incomplete entries
- Resolves: #1356104 cert-show command does not display Subject Alternative
- Resolves: #1357511 Traceback message seen when ipa is provided with 
   configuration file name
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
   converted from CA-less to CA-full
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
- Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa
   config-mod --enable-migration=TRUE
- Resolves: #1367868 Add options to retrieve lightweight CA 
- Resolves: #1371927 Implement ca-enable/disable commands.
- Resolves: #1372202 Add Users into User Group editors fails to show 
Full names
- Resolves: #1373091 Adding an auth indicator from the CLI creates an extra
   check box in the UI
- Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong 
- Resolves: #1375905 "Normal" group type in the UI is confusing
- Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback
- Resolves: #1376630 IDM admin password gets written to
- Resolves: #1376729 ipa-server-install script option --no_hbac_allow should
   match other options
- Resolves: #1378461 IPA Allows Password Reuse with History value 
defined when
   admin resets the password.
- Resolves: #1379029 conncheck failing intermittently during single step
   replica installs
- Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck
- Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace
- Resolves: #1392778 Update man page for ipa-adtrust-install by
   removing --no-msdcs option
- Resolves: #1392858 Rebase to FreeIPA 4.5+
   - Rebase to 4.5.0
- Resolves: #1399133 Delete option shouldn't be available for hosts 
applied to
- Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA
   should contain full trust chain
- Resolves: #1400416 RFE: Provide option to take backup of IPA server before
   uninstalling IPA server
- Resolves: #1400529 cert-request is not aware of Kerberos principal aliases
- Resolves: #1401526 IPA WebUI certificates are grayed out on overview 
page but
   not on details page
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
- Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when
   non-FQDN name of IPA server is first in /etc/hosts
- Resolves: #1409628 [RFE] Semi-automatic integration with external DNS 
- Resolves: #1413742 Backport request for bug/issue Change IP address
   validation errors to warnings
- Resolves: #1415652 IPA replica install log shows password in plain text
- Resolves: #1427897 different behavior regarding system wide certs in 
   and replica.
- Resolves: #1430314 The ipa-managed-entries command failed, exception:
   AttributeError: ldap2

- Resolves: #1419735 ipa-replica-install fails 
   with cert errors (untrusted)
   - added ssl verification using IPA trust anchor
- Resolves: #1428472 batch param compatibility is incorrect
   - compat: fix `Any` params in `batch` and `dnsrecord`
- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged 

- Resolves: #1416454 replication race condition prevents IPA to install
   - wait_for_entry: use only DN as parameter
   - Wait until HTTPS principal entry is replicated to replica
   - Use proper logging for error messages

- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is
   installed without CA
   - Set up DS TLS on replica in CA-less topology
- Resolves: #1398600 IPA replica install fails with dirsrv errors.
   - Do not configure PKI ajp redirection to use "::1"
- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for
   ca-del, ca-disable and ca-enable commands
   - ca: correctly authorise ca-del, ca-enable and ca-disable

- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized 
   by abusing password policy
   - ipa-kdb: search for password policies globally
- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged 

- Resolves: #1398670 Check IdM Topology for broken record caused by 
   conflict before upgrading it
   - Check for conflict entries before raising domain level

- Resolves: #1382812 Creation of replica for disconnected environment is
   failing with CA issuance errors; Need good steps.
   - gracefully handle setting replica bind dn group on old masters
- Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a
   temporary CA admin
   - replication: ensure bind DN group check interval is set on replica 
   - add missing attribute to ipaca replica during CA topology update
- Resolves: #1401088 IPA upgrade of replica without DNS fails during 
restart of
   - bindinstance: use data in named.conf to determine configuration status

- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized 
   by abusing password policy
   - password policy: Add explicit default password policy for hosts and
- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in
   - certprofile-mod: correctly authorise config update

- Resolves: #1378353 Replica install fails with old IPA master sometimes 
   replication process
   - spec file: bump minimal required version of 389-ds-base
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
   - Fix missing file that fails DL1 replica installation
- Resolves: #1387782 WebUI: Services are not displayed correctly after 
   - WebUI: services without canonical name are shown correctly
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
   - trustdomain-del: fix the way how subdomain is searched

- Resolves: #1318616 CA fails to start after doing ipa-ca-install 
   - Keep NSS trust flags of existing certificates
- Resolves: #1360813 ipa-server-certinstall does not update all certificate
   stores and doesn't set proper trust permissions
   - Add cert checks in ipa-server-certinstall
- Resolves: #1371479 cert-find --all does not show information about 
   - cert: add revocation reason back to cert-find output
- Resolves: #1375133 WinSync users who have First.Last casing creates 
users who
   can have their password set
   - ipa passwd: use correct normalizer for user principals
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA 
   - Properly handle LDAP socket closures in ipa-otpd
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
   - Make httpd publish its CA certificate on DL1

- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
- Resolves: #1375269 ipa trust-fetch-domains throws internal error

- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
   - Fix regression introduced in ipa-certupdate

- Resolves: #1355753 adding two way non transitive(external) trust displays
   internal error on the console
   - Always fetch forest info from root DCs when establishing two-way trust
   - factor out `populate_remote_domain` method into module-level function
   - Always fetch forest info from root DCs when establishing one-way trust
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger
   after `ipa-replica-install`
   - Track lightweight CAs on replica installation
- Resolves: #1357488 ipa command stuck forever on higher versioned 
client with
   lower versioned server
   - compat: Save server's API version in for pre-schema servers
   - compat: Fix ping command call
   - schema cache: Store and check info for pre-schema servers
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
   - Fix man page ipa-replica-manage: remove duplicate -c option
     from --no-lookup
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA
   when revoking certificate
   - cert: include CA name in cert command output
   - WebUI add support for sub-CAs while revoking certificates
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
   - Add support for additional options taken from table facet
   - WebUI: Fix showing certificates issued by sub-CA
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts
   - dns: normalize record type read interactively in dnsrecord_add
   - dns: prompt for missing record parts in CLI
   - dns: fix crash in interactive mode against old servers
- Resolves: #1370519 Certificate revocation in service-del and host-del 
   aware of Sub CAs
   - cert: fix cert-find --certificate when the cert is not in LDAP
   - Make host/service cert revocation aware of lightweight CAs
- Resolves: #1371901 Use OAEP padding with custodia
   - Use RSA-OAEP instead of RSA PKCS#1 v1.5
- Resolves: #1371915 When establishing external two-way trust, forest root
   Administrator account is used to fetch domain info
   - do not use trusted forest name to construct domain admin principal
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in
   certificate request
   - Fix CA ACL Check on SubjectAltNames
- Resolves: #1373272 CLI always sends default command version
   - cli: use full name when executing a command
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
   - Fix ipa-certupdate for CA-less installation
- Resolves: #1373540 client-install with IPv6 address fails on link-local
   address (always)
   - Fix parse errors with link-local addresses

- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
   - Fix ipa-server-install in pure IPv6 environment
- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't 
marked as
   reachable via the forest root
   - trust: make sure ID range is created for the child domain even if 
it exists
   - ipa-kdb: simplify trusted domain parent search
- Resolves: #1335567 Update Warning in IdM Web UI API browser
   - WebUI: add API browser is tech preview warning
- Resolves: #1348560 Mulitple domain Active Directory Trust conflict
   - ipaserver/dcerpc: reformat to make the code closer to pep8
   - trust: automatically resolve DNS trust conflicts for triangle trusts
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
   certificate revocation
   - cert-revoke: fix permission check bypass (CVE-2016-5404)
- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
   - Remove Custodia server keys from LDAP
   - Secure permissions of Custodia server.keys
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
   converted from CA-less to CA-full
   - custodia: include known CA certs in the PKCS#12 file for Dogtag
   - custodia: force reconnect before retrieving CA certs from LDAP
- Resolves: #1362333 ipa vault container owner cannot add vault
   - Fix: container owner should be able to add vault
- Resolves: #1365546 External trust with root domain is transitive
   - trust: make sure external trust topology is correctly rendered
- Resolves: #1365572 IPA server broken after upgrade
   - Require pki-core-10.3.3-7
- Resolves: #1367864 Server assumes latest version of command instead of
   version 1 for old / 3rd party clients
   - rpcserver: assume version 1 for unversioned command calls
   - rpcserver: fix crash in XML-RPC system commands
- Resolves: #1367773 thin client ignores locale change
   - schema cache: Fallback to 'en_us' when locale is not available
- Resolves: #1368754 ipa server uninstall fails with Python "Global Name 
   - Fail on topology disconnect/last role removal
- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
   - otptoken, permission: Convert custom type parameters on server
- Resolves: #1369414 ipa server-del fails with Python stack trace
   - Handled empty hostname in server-del command
- Resolves: #1369761 ipa-server must depend on a version of httpd that 
   mod_proxy with UDS
   - Require httpd 2.4.6-31 with mod_proxy Unix socket support
- Resolves: #1370512 Received ACIError instead of DuplicatedError in
   - Raise DuplicatedEnrty error when user exists in delete_container
- Resolves: #1371479 cert-find --all does not show information about 
   - cert: add missing param values to cert-find output
- Renamed patch 1011 to 0100, as it was merged upstream

- Resolves: #1298288 [RFE] Improve performance in large environments.
   - cert: speed up cert-find
- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card
   - service: add flag to allow S4U2Self
   - Add 'trusted to auth as user' checkbox
   - Added new authentication method
- Resolves: #1353881 ipa-replica-install suggests about
   non-existent --force-ntpd option
   - Don't show --force-ntpd option in replica install
- Resolves: #1354441 DNS forwarder check is too strict: unable to add
   sub-domain to already-broken domain
   - DNS: allow to add forward zone to already broken sub-domain
- Resolves: #1356146 performance regression in CLI help
   - schema: Speed up schema cache
   - frontend: Change doc, summary, topic and NO_CLI to class properties
   - schema: Introduce schema cache format
   - schema: Generate bits for help load them on request
   - help: Do not create instances to get information about commands and 
   - schema cache: Do not reset ServerInfo dirty flag
   - schema cache: Do not read fingerprint and format from cache
   - Access data for help separately
   - frontent: Add summary class property to CommandOverride
   - schema cache: Read server info only once
   - schema cache: Store API schema cache in memory
   - client: Do not create instance just to check isinstance
   - schema cache: Read schema instead of rewriting it when SchemaUpToDate
- Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file
   - server install: do not prompt for cert file PIN repeatedly
- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to 
   cache directory: [Errno 13] Permission denied: '/home/test_user'
   - schema: Speed up schema cache
- Resolves: #1366604 `cert-find` crashes on invalid certificate data
   - cert: do not crash on invalid data in cert-find
- Resolves: #1366612 Middle replica uninstallation in line topology works
   without '--ignore-topology-disconnect'
   - Fail on topology disconnect/last role removal
- Resolves: #1366626 caacl-add-service: incorrect error message when service
   does not exists
   - Fix ipa-caalc-add-service error message
- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11
   does not happen to run during dnf upgrade
   - DNS server upgrade: do not fail when DNS server did not respond
- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA 
   with CA
   - Add warning about only one existing CA server
   - Set servers list as default facet in topology facet group
- Resolves: #1367773 thin client ignores locale change
   - schema check: Check current client language against cached one

- Resolves: #1361119 UPN-based search for AD users does not match an 
entry in
   slapi-nis map cache
   - support multiple uid values in schema compatibility tree

- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
   - Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
- Resolves: #1341249 Subsequent external CA installation fails
   - install: fix external CA cert validation
- Resolves: #1353831 ipa-server-install fails in container because of
   hostnamectl set-hostname
   - server-install: Fix --hostname option to always override api.env values
   - install: Call hostnamectl set-hostname only if --hostname option is 
- Resolves: #1356091 ipa-cacert-manage --help and man differ
   - Improvements for the ipa-cacert-manage man and help
- Resolves: #1360631 ipa-backup is not keeping the
   - ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
- Resolves: #1361047 ipa-replica-install --help usage line suggests the 
   file is needed
   - Update ipa-replica-install documentation
- Resolves: #1361545 ipa-client-install starts rhel-domainname.service 
but does
   not rpm-require it
   - client: RPM require initscripts to get *-domainname.service
- Resolves: #1364197 caacl: error when instantiating rules with service
   - caacl: fix regression in rule instantiation
- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm
   - parameters: move the `confirm` kwarg to Param
- Resolves: #1364464 Topology graph: ca and domain adders shows question 
   instead of plus icon
   - Fix unicode characters in ca and domain adders
- Resolves: #1365083 Incomplete output returned for command ipa vault-add
   - client: add missing output params to client-side commands
- Resolves: #1365526 build fails during "make check"
   - ipa-kdb: Fix unit test after packaging changes in krb5

- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file.
   - Do not initialize API in ipa-client-automount uninstall
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update 
after thin
   client changes
   - idrange: fix unassigned global variable
- Resolves: #1360792 Migrating users doesn't update krbCanonicalName
   - re-set canonical principal name on migrated users
- Resolves: #1362012 ipa hbactest produces error about cannot 
concatenate 'str'
   and 'bool' objects
   - Fix ipa hbactest output
- Resolves: #1362260 ipa vault-mod no longer allows defining salt
   - vault: add missing salt option to vault_mod
- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong
   public key
   - vault: Catch correct exception in decrypt
- Resolves: #1362537 ipa-server-install fails to create symlink from
   /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/
   - Correct path to HTTPD's systemd service directory
- Resolves: #1363756 Increase length of passwords generated by installer
   - Increase default length of auto generated passwords

- Resolves: #1117306 [RFE] Allow multiple Principals per host entry 
   - harden the check for trust namespace overlap in new principals
- Resolves: #1351142 CLI is not using session cookies for communication with
   - Fix session cookies
- Resolves: #1353888 Fix the help for ipa otp and other topics
   - help: Add dnsserver commands to help topic 'dns'
- Resolves: #1354406 host-del updatedns options complains about missing ptr
   record for host
   - Host-del: fix behavior of --updatedns and PTR records
- Resolves: #1355718 ipa-replica-manage man page example output differs 
   command output
   - Minor fix in ipa-replica-manage MAN page
- Resolves: #1358229 Traceback message should be fixed, seen while editing
   winsync migrated user information in Default trust view.
   - baseldap: Fix MidairCollision instantiation during entry modification
- Resolves: #1358849 CA replica install logs to wrong log file
   - unite log file name of ipa-ca-install
- Resolves: #1359130 ipa-server-install command fails to install IPA server.
   - DNS Locations: fix update-system-records unpacking error
- Resolves: #1359237 AVC on dirsrv config caused by IPA installer
   - Use copy when replacing files to keep SELinux context
- Resolves: #1359692 ipa-client-install join fail with traceback against
   RHEL-6.8 ipa-server
   - compat: fix ping call
- Resolves: #1359738 ipa-replica-install --domain=<IPA primary domain> 
   does not work
   - replica-install: Fix --domain
- Resolves: #1360778 Vault commands are available in CLI even when the 
   does not support them
   - Revert "Enable vault-* commands on client"
   - client: fix hiding of commands which lack server support
- Related: #1281704 Rebase to softhsm 2.1.0
   - Remove the workaround for softhsm bug #1293340
- Related: #1298288 [RFE] Improve performance in large environments.
   - Create indexes for krbCanonicalName attribute

- Resolves: #1296140 Remove redhat-access-plugin-ipa support
   - Obsolete and conflict redhat-access-plugin-ipa
- Resolves: #1351119 Multiple issues while uninstalling ipa-server
   - server uninstall fails to remove krb principals
- Resolves: #1351758 ipa commands not showing expected error messages
   - frontend: copy command arguments to output params on client
   - Show full error message for selinuxusermap-add-hostgroup
- Resolves: #1352883 Traceback on adding default automember group and 
   - allow 'value' output param in commands without primary key
- Resolves: #1353888 Fix the help for ipa otp and other topics
   - schema: Fix subtopic -> topic mapping
- Resolves: #1354348 ipa trustconfig-show throws internal error.
   - allow 'value' output param in commands without primary key
- Resolves: #1354381 ipa trust-add with raw option gives internal error.
   - trust-add: handle `--all/--raw` options properly
- Resolves: #1354493 Replica install fails with old IPA master
   - DNS install: Ensure that DNS servers container exists
- Resolves: #1354628 ipa hostgroup-add-member does not return error message
   when adding itself as member
   - frontend: copy command arguments to output params on client
- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error
   - messages: specify message type for ResultFormattingError
- Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter
   secret key
   - expose `--secret` option in radiusproxy-* commands
   - prevent search for RADIUS proxy servers by secret
- Resolves: #1356099 Bug in the ipapwd plugin
   - Heap corruption in ipapwd plugin
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update 
after thin
   client changes
   - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
- Resolves: #1356964 Renaming a user removes all of his principal aliases
   - Preserve user principal aliases during rename operation

- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas
- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled 
by AD
- Related: #1356134 'kinit -E' does not work for IPA user

- Resolves: #1356102 Server uninstall does not stop tracking lightweight 
   with certmonger
   - uninstall: untrack lightweight CA certs
- Resolves: #1351807 ipa-nis-manage config.get_dn missing
   - ipa-nis-manage: Use server API to retrieve plugin status
- Resolves: #1353452 ipa-compat-manage command failed,
   exception: NotImplementedError: config.get_dn()
   - ipa-compat-manage: use server API to retrieve plugin status
- Resolves: #1353899 ipa-advise: object of type 'type' has no len()
   - ipa-advise: correct handling of plugin namespace iteration
- Resolves: #1356134 'kinit -E' does not work for IPA user
   - kdb: check for local realm in enterprise principals
- Resolves: #1353072 ipa unknown command vault-add
   - Enable vault-* commands on client
   - vault-add: set the default vault type on the client side if none 
was given
- Resolves: #1353995 Default CA can be used without a CA ACL
   - caacl: expand plugin documentation
- Resolves: #1356144 host-find should not print SSH keys by default, only
   SSH fingerprints
   - host-find: do not show SSH key by default
- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3
   - Removed unused method parameter from migrate-ds

- Resolves: #747612 [RFE] IPA should support and manage DNS sites
- Resolves: #826790 Disabling password expiration (--maxlife=0 and 
   in the default global_policy in IPA sets user's password expiration
   (krbPasswordExpiration) to be 90 days
- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records
- Resolves: #1084018 [RFE] Add IdM user password change support for legacy
   client compat tree
- Resolves: #1117306 [RFE] Allow multiple Principals per host entry 
   - Fix incorrect check for principal type when evaluating CA ACLs
- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in 
the UI
- Resolves: #1238190 ipasam unable to lookup group in directory yet manual
   search works
- Resolves: #1250110 search by users which don't have read rights for 
all attrs
   in search_attributes fails
- Resolves: #1263764 Show Certificate displays in useless format
- Resolves: #1272491 [WebUI] Certificate action dropdown does not 
display all
   the options after adding new certificate
- Resolves: #1292141 Rebase to FreeIPA 4.4+
   - Rebase to 4.4.0
- Resolves: #1294503 IPA fails to issue 3rd party certs
- Resolves: #1298242 [RFE] API compatibility - compatibility of clients
- Resolves: #1298848 [RFE] Centralized topology management
- Resolves: #1298966 [RFE] Extend Smart Card support
- Resolves: #1315146 Multiple clients cannot join domain simultaneously:
   /var/run/httpd/ipa/clientcaches race condition?
- Resolves: #1318903 ipa server install failing when SUBCA signs the cert
- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with 
   console output
- Resolves: #1324055 IPA always qualify requests for admin
- Resolves: #1328552 [RFE] Allow users to authenticate with alternative 
- Resolves: #1334582 Inconsistent UI and CLI options for removing 
- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl)
- Resolves: #1349281 Fix `Conflicts` with ipa-python
- Resolves: #1350695 execution of copy-schema script fails
- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z
- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test
   execution to 7.3
- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to
   create ipa-ca entry
- Related: #1343422 [RFE] Add GssapiImpersonate option

- Resolves: #1348948 IPA server install fails with build
   - Revert "Increased mod_wsgi socket-timeout"

- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log 
   setting password for default sudo binddn.
- Resolves: #747612 [RFE] IPA should support and manage DNS sites
- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa 
server name
- Resolves: #825391 [RFE] Replica installation should provide a means for
   inheriting nssldap security access settings
- Resolves: #921497 Incorrect *.py[co] files placement
- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote 
- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas
- Resolves: #1196958 IPA replica installation failing with high number 
of users
- Resolves: #1219402 IPA suggests to uninstall a client when the user 
needs to
   uninstall a replica
- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on
   Authentication Indicator
- Resolves: #1234222 [WebUI] UI error message is not appropriate for 
   principal expiration"
- Resolves: #1234223 [WebUI] General invalid password error message 
   for "Locked user"
- Resolves: #1254267 ipa-server-install failure applying ldap updates with
   limits exceeded
- Resolves: #1258626 realmdomains-mod --add-domain command throwing 
error when
   doamin already is in forwardzone.
- Resolves: #1259020 ipa-server-adtrust-install doesn't allow
   NetBIOS-name=EXAMPLE-TEST.COM (dash character)
- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error
   message when DNSSEC master not installed
- Resolves: #1262747 dnssec options missing in ipa-dns-install man page
- Resolves: #1265900 Fail installation immediately after dirsrv fails to
   install using ipa-server-install
- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not
   resolvable anymore
- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace -
   LimitsExceeded: limits exceeded for this query
- Resolves: #1269089 Certificate of managed-by host/service fails to 
- Resolves: #1269200 ipa-server crashing while trying to preserve admin user
- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults
- Resolves: #1271579 Automember rule expressions disappear from tables on
   single expression delete
- Resolves: #1275816 Incomplete ports for IPA ad-trust
- Resolves: #1276351 [RFE] Remove
   /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases
- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo 
All in
   the IPA UI
- Resolves: #1278426 Better error message needed for invalid ca-signing-algo
- Resolves: #1279932 ipa-client-install --request-cert needs workaround in
   anaconda chroot
- Resolves: #1282521 Creating a user w/o private group fails when doing 
so in
- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be 
   by "IPA is not configured on this system"
- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert
- Resolves: #1287194 [RFE] Support of UPN for trusted domains
- Resolves: #1288967 Normalize Manager entry in ipa user-add
- Resolves: #1289487 Priority field missing in Password Policy detail tab
- Resolves: #1291140 ipa client should configure kpasswd_server directive in
- Resolves: #1292141 Rebase to FreeIPA 4.4+
   - Rebase to 4.4.0.alpha1
- Resolves: #1298848 [RFE] Centralized topology management
- Resolves: #1300576 Browser setup page includes instructions for Internet
- Resolves: #1301586 ipa host-del --updatedns should remove related dns
- Resolves: #1304618 Residual Files After IPA Server Uninstall
- Resolves: #1305144 ipa-python does not require its dependencies
- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
- Resolves: #1313798 Console output post ipa-winsync-migrate command 
should be
- Resolves: #1314786 [RFE] External Trust with Active Directory domain
- Resolves: #1319023 Include description for 'status' option in man page for
   ipactl command.
- Resolves: #1319912 ipa-server-install does not completely change 
hostname and
   named-pkcs11 fails
- Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord':
   Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on
   revocation reasons
- Resolves: #1328549 "ipa-kra-install" command reports incorrect message 
   it is executed on server already installed with KRA.
- Resolves: #1329209 ipa-nis-manage enable: change service name from 
   to 'rpcbind'
- Resolves: #1329275 ipa-nis-manage command should include status option
- Resolves: #1330843 'man ipa' should be updated with latest commands
- Resolves: #1333755 ipa cert-request causes internal server error while
   requesting certificate
- Resolves: #1337484 EOF is not handled for ipa-client-install command
- Resolves: #1338031 Insufficient 'write' privilege on some attributes 
for the
   members of the role which has "User Administrators" privilege.
- Resolves: #1343142 IPA DNS should do better verification of DNS zones
- Resolves: #1347928 Frontpage exposes runtime error with no cookies 
enabled in

- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files
   - Fix incorrect rebase of patch 1001

- Resolves: #1339233 CA installed on replica is always marked as renewal 
- Related: #1292141 Rebase to FreeIPA 4.4+
   - Rebase to

- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install
   because of missing dependencies
   - Rebuild with krb5-1.14.1

- Resolves: #837369 [RFE] Switch to client promotion to replica model
- Resolves: #1199516 [RFE] Move replication topology to the shared tree
- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also
   list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
- Resolves: #1267206 ipa-server-install uninstall should warn if no
   installation found
- Resolves: #1295865 The Domain option is not correctly set in 
idmapd.conf when
   ipa-client-automount is executed.
- Resolves: #1327092 URI details missing and OCSP-URI details are 
   displayed when certificate generated using IPA on RHEL 7.2up2.
- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install
   because of missing dependencies
- Related: #1292141 Rebase to FreeIPA 4.4+
   - Rebase to

- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid
   - cert renewal: make renewal of ipaCert atomic
- Resolves: #1278330 installer options are not validated at the beginning of
   - install: fix command line option validation
- Resolves: #1282845 sshd_config change on ipa-client-install can 
prevent sshd
   from starting up
   - client install: do not corrupt OpenSSH config with Match sections
- Resolves: #1282935 ipa upgrade causes vault internal error
   - install: export KRA agent PEM file in ipa-kra-install
- Resolves: #1283429 Default CA ACL rule is not created during
   - TLS and Dogtag HTTPS request logging improvements
   - Avoid race condition caused by profile delete and recreate
   - Do not erroneously reinit NSS in Dogtag interface
   - Add profiles and default CA ACL on migration
   - disconnect ldap2 backend after adding default CA ACL profiles
   - do not disconnect when using existing connection to check default 
- Resolves: #1283430 ipa-kra-install: fails to apply updates
   - suppress errors arising from adding existing LDAP entries during KRA
- Resolves: #1283748 Caching of ipaconfig does not work in framework
   - fix caching in get_ipa_config
- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after
   upgrade from RHEL 7.0 to RHEL 7.2
   - upgrade: fix migration of old dns forward zones
   - Fix upgrade of forwardzones when zone is in realmdomains
- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap
   - ipa-cacert-renew: Fix connection to ldap.
- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap 
   - ipa-otptoken-import: Fix connection to ldap.
- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 
   "yum update ipa* sssd"
   - Set minimal required version for openssl
- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps
   - Upgrade: Fix upgrade of NIS Server configuration
- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory
   permissions on /var/lib/ipa/dnssec
   - DNS: fix file permissions
   - Explicitly call chmod on newly created directories
   - Fix: replace mkdir with chmod
- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version 
   - Fix version comparison
   - use FFI call to rpmvercmp function for version comparison
- Resolves: #1292595 In IPA-AD trust environment some secondary IPA 
based Posix
   groups are missing
   - ipa-kdb: map_groups() consider all results
- Resolves: #1293870 User should be notified for wrong password in password
   reset page
   - Fixed login error message box in LoginScreen page
- Resolves: #1296196 Sysrestore did not restore state if a key is 
specified in
   mixed case
   - Allow to used mixed case for sysrestore
- Resolves: #1296214 DNSSEC key purging is not handled properly
   - DNSSEC: Improve error reporting from ipa-ods-exporter
   - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in
   - DNSSEC: Make sure that current key state in LDAP matches key state 
   - DNSSEC: remove obsolete TODO note
   - DNSSEC: add debug mode to ldapkeydb.py
   - DNSSEC: logging improvements in ipa-ods-exporter
   - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
   - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
   - DNSSEC: ipa-ods-exporter: add ldap-cleanup command
   - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
   - DNSSEC: Log debug messages at log level DEBUG
- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running
   - prevent crash of CA-less server upgrade due to absent certmonger
   - always start certmonger during IPA server configuration upgrade
- Resolves: #1297811 The ipa -e skip_version_check=1 still issues
   incompatibility error when called against RHEL 6 server
   - ipalib: assume version 2.0 when skip_version_check is enabled
- Resolves: #1298289 install fails when locale is "fr_FR.UTF-8"
   - Do not decode HTTP reason phrase from Dogtag
- Resolves: #1300252 shared certificateProfiles container is missing on a
   freshly installed RHEL7.2 system
   - upgrade: unconditional import of certificate profiles into LDAP
- Resolves: #1301674 --setup-dns and other options is forgotten for using an
   external PKI
   - installer: Propagate option values from components instead of 
copying them.
   - installer: Fix logic of reading option values from cache.
- Resolves: #1301687 issues with migration from RHEL 6 self-signed to 
   IPA setup
   - ipa-ca-install: print more specific errors when CA is already installed
   - cert renewal: import all external CA certs on IPA CA cert renewal
   - CA install: explicitly set dogtag_version to 10
   - fix standalone installation of externally signed CA on IPA master
   - replica install: validate DS and HTTP server certificates
   - replica install: improvements in the handling of CA-related IPA config
- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups
   - slapi-nis: update configuration to allow external members of IPA groups
- Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find
   returns "0 trusts matched"
   - upgrade: fix config of sidgen and extdom plugins
   - trusts: use ipaNTTrustPartner attribute to detect trust entries
   - Warn user if trust is broken
   - fix upgrade: wait for proper DS socket after DS restart
   - Insure the admin_conn is disconnected on stop
   - Fix connections to DS during installation
   - Fix broken trust warnings
- Resolves: #1321092 Installers fail when there are multiple versions of the
   same certificate
   - certdb: never use the -r option of certutil
- Related: #1317381 Crash during IPA upgrade due to slapd
   - spec file: update minimum required version of slapi-nis
- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
   CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: 
various flaws
   - Rebuild against newer Samba version

- Resolves: #1252556 Missing CLI param and ACL for vault service operations
   - vault: fix private service vault creation

- Resolves: #1262996 ipa vault internal error on replica without KRA
   - upgrade: make sure ldap2 is connected in export_kra_agent_pem
- Resolves: #1270608 IPA upgrade fails for server with CA cert signed by
   external CA
   - schema: do not derive ipaVaultPublicKey from ipaPublicKey

- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
   - Fix an integer underflow bug in libotp
- Resolves: #1262996 ipa vault internal error on replica without KRA
   - install: always export KRA agent PEM file
   - vault: select a server with KRA for vault operations
- Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files
   - do not overwrite files with local users/groups when restoring 
- Renamed patch 1011 to 0138, as it was merged upstream

- Resolves: #1204205 [RFE] ID Views: Automated migration tool from 
Winsync to
   - winsync-migrate: Convert entity names to posix friendly strings
   - winsync-migrate: Properly handle collisions in the names of 
external groups
- Resolves: #1261074 Adjust Firefox configuration to new extension signing
   - webui: use manual Firefox configuration for Firefox >= 40
- Resolves: #1263337 IPA Restore failed with installed KRA
   - ipa-backup: Add mechanism to store empty directory structure
- Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate
   and private key in world readable file [rhel-7.2]
   - install: fix KRA agent PEM file permissions
- Resolves: #1265086 Mark IdM API Browser as experimental
   - WebUI: add API browser is experimental warning
- Resolves: #1265277 Fix kdcproxy user creation
   - install: create kdcproxy user during server install
   - platform: add option to create home directory when adding user
   - install: fix kdcproxy user home directory
- Resolves: #1265559 GSS failure after ipa-restore
   - destroy httpd ccache after stopping the service

- Resolves: #1258965 ipa vault: set owner of vault container
   - baseldap: make subtree deletion optional in LDAPDelete
   - vault: add vault container commands
   - vault: set owner to current user on container creation
   - vault: update access control
   - vault: add permissions and administrator privilege
   - install: support KRA update
- Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses
   - config: allow user/host attributes with tagging options
- Resolves: #1262315 Unable to establish winsync replication
   - winsync: Add inetUser objectclass to the passsync sysaccount

- Resolves: #1260663 crash of ipa-dnskeysync-replica component during
   - IPA Restore: allows to specify files that should be removed
- Resolves: #1261806 Installing ipa-server package breaks httpd
   - Handle timeout error in ipa-httpd-kdcproxy
- Resolves: #1262322 Failed to backup CS.cfg message in upgrade.
   - Server Upgrade: backup CS.cfg when dogtag is turned off

- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not
   - cert renewal: Include KRA users in Dogtag LDAP update
   - cert renewal: Automatically update KRA agent PEM file
- Resolves: #1257163 renaming certificatte profile with --rename option 
   to integrity issues
   - certprofile: remove 'rename' option
- Resolves: #1257968 kinit stop working after ipa-restore
   - Backup: back up the hosts file
- Resolves: #1258926 Remove 'DNSSEC is experimental' warnings
   - DNSSEC: remove "DNSSEC is experimental" warnings
- Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts
   - Installer: do not modify /etc/hosts before user agreement
- Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1
   - DNSSEC: backup and restore opendnssec zone list file
   - DNSSEC: remove ccache and keytab of ipa-ods-exporter
   - DNSSEC: prevent ipa-ods-exporter from looping after service 
   - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
   - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on 
     key master
   - DNSSEC: Fix key metadata export
   - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
- Resolves: #1258964 revert to use ldapi to add kra agent in KRA install
   - Using LDAPI to setup CA and KRA agents.
- Resolves: #1259848 server closes connection and refuses commands after
   deleting user that is still logged in
   - ldap: Make ldap2 connection management thread-safe again
- Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute
   'ra_certprofile' while ipa-ca-install
   - load RA backend plugins during standalone CA install on CA-less IPA 

- Resolves: #1254689 Storing big file as a secret in vault raises traceback
   - vault: Limit size of data stored in vault
- Resolves: #1255880 ipactl status should distinguish between different
   pki-tomcat services
   - ipactl: Do not start/stop/restart single service multiple times

- Resolves: #1256840 [webui] majority of required fields is no longer 
marked as
   - fix missing information in object metadata
- Resolves: #1256842 [webui] no option to choose trust type when creating a
   - webui: add option to establish bidirectional trust
- Resolves: #1256853 Clear text passwords in KRA install log
   - Removed clear text passwords from KRA install log.
- Resolves: #1257072 The "Standard Vault" MUST not be the default and 
must be
   - vault: change default vault type to symmetric
- Resolves: #1257163 renaming certificatte profile with --rename option 
   to integrity issues
   - certprofile: prevent rename (modrdn)

- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone
   - DNSSEC: fix forward zone forwarders checks
- Resolves: #1250190 idrange is not added for sub domain
   - trusts: format Kerberos principal properly when fetching trust topology
- Resolves: #1252334 User life cycle: missing ability to provision a 
stage user
   from a preserved user
   - Add user-stage command
- Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service 
fails to
   - spec file: Add Requires(post) on selinux-policy
- Resolves: #1254304 Changing vault encryption attributes
   - Change internal rsa_(public|private)_key variable names
   - Added support for changing vault encryption.
- Resolves: #1256715 Executing user-del --preserve twice removes the user
   - improve the usability of `ipa user-del --preserve` command

- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
   - user-undel: Fix error messages.
- Resolves: #1200694 [RFE] Support for multiple cert profiles
   - Prohibit deletion of predefined profiles
- Resolves: #1232819 testing ipa-restore on fresh system install fails
   - Backup/resore authentication control configuration
- Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0
   - Require Dogtag PKI >= 10.2.6
- Resolves: #1245225 Asymmetric vault drops traceback when the key is not
   - Asymmetric vault: validate public key in client
- Resolves: #1248399 Missing DNSSEC related files in backup
   - fix typo in BasePathNamespace member pointing to ods exporter config
   - ipa-backup: archive DNSSEC zone file and kasp.db
- Resolves: #1248405 PassSync should be disabled after 
ipa-winsync-migrate is
   - winsync-migrate: Add warning about passsync
   - winsync-migrate: Expand the man page
- Resolves: #1248524 User can't find any hosts using "ipa host-find 
   - adjust search so that it works for non-admin users
- Resolves: #1250093 ipa certprofile-import accepts invalid config
   - Require Dogtag PKI >= 10.2.6
- Resolves: #1250107 IPA framework should not allow modifying trust on 
AD trust
   - trusts: Detect missing Samba instance
- Resolves: #1250111 User lifecycle - preserved users can be assigned
   - ULC: Prevent preserved users from being assigned membership
- Resolves: #1250145 Add permission for user to bypass caacl enforcement
   - Add permission for bypassing CA ACL enforcement
- Resolves: #1250190 idrange is not added for sub domain
   - idranges: raise an error when local IPA ID range is being modified
   - trusts: harden trust-fetch-domains oddjobd-based script
- Resolves: #1250928 Man page for ipa-server-install is out of sync
   - install: Fix server and replica install options
- Resolves: #1251225 IPA default CAACL does not allow cert-request for 
   after upgrade
   - Fix default CA ACL added during upgrade
- Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey
   - validate mutually exclusive options in vault-add
- Resolves: #1251579 ipa vault-add --user should set container owner 
equal to
   user on first run
   - Fixed vault container ownership.
- Resolves: #1252517 cert-request rejects request with correct
   krb5PrincipalName SAN
   - Fix KRB5PrincipalName / UPN SAN comparison
- Resolves: #1252555 ipa vault-find doesn't work for services
   - vault: Add container information to vault command results
   - Add flag to list all service and user vaults
- Resolves: #1252556 Missing CLI param and ACL for vault service operations
   - Added CLI param and ACL for vault service operations.
- Resolves: #1252557 certprofile: improve profile format documentation
   - certprofile-import: improve profile format documentation
   - certprofile: add profile format explanation
- Resolves: #1253443 ipa vault-add creates vault with invalid type
   - vault: validate vault type
- Resolves: #1253480 ipa vault-add-owner does not fail when adding an 
   - baseldap: Allow overriding member param label in LDAPModMember
   - vault: Fix param labels in output of vault owner commands
- Resolves: #1253511 ipa vault-find does not use criteria
   - vault: Fix vault-find with criteria
- Resolves: #1254038 ipa-replica-install pk12util error returns exit 
status 10
   - install: Fix replica install with custom certificates
- Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc
   - improve the handling of krb5-related errors in dnssec daemons
- Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with
   starting CA and named-pkcs11.service
   - Server Upgrade: Start DS before CA is started.
- Resolves: #1254637 Add ACI and permission for managing user 
   - add permission: System: Manage User Certificates
- Resolves: #1254641 Remove CSR allowed-extensions restriction
   - cert-request: remove allowed extensions check
- Resolves: #1254693 vault --service does not normalize service principal
   - vault: normalize service principal in service vault operations
- Resolves: #1254785 ipa-client-install does not properly handle dual 
   - client: Add support for multiple IP addresses during installation.
   - Add dependency to SSSD 1.13.1
   - client: Add description of --ip-address and --all-ip-addresses to 
man page

- Resolves: #1072383 [RFE] Provide ability to map CAC identity 
certificates to
   users in IdM
   - store certificates issued for user entries as
   - user-show: add --out option to save certificates to file
- Resolves: #1145748 [RFE] IPA running with One Way Trust
   - Fix upgrade of sidgen and extdom plugins
- Resolves: #1195339 ipa-client-install changes the label on various files
   which causes SELinux denials
   - Use 'mv -Z' in specfile to restore SELinux context
- Resolves: #1198796 Text in UI should describe differing LDAP vs Krb 
   for combinations of "User authentication types"
   - webui: add LDAP vs Kerberos behavior description to user auth
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
   - ULC: Fix stageused-add --from-delete command
- Resolves: #1200694 [RFE] Support for multiple cert profiles
   - certprofile-import: do not require profileId in profile data
   - Give more info on virtual command access denial
   - Allow SAN extension for cert-request self-service
   - Add profile for DNP3 / IEC 62351-8 certificates
   - Work around python-nss bug on unrecognised OIDs
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
   - Validate vault's file parameters
   - Fixed missing KRA agent cert on replica.
- Resolves: #1225866 display browser config options that apply to the 
   - webui: add Kerberos configuration instructions for Chrome
   - Remove ico files from Makefile
- Resolves: #1246342 Unapply idview raises internal error
   - idviews: Check for the Default Trust View only if applying the view
- Resolves: #1248102 [webui] regression - incorrect/no failed auth messages
   - webui: fix regressions failed auth messages
- Resolves: #1248396 Internal error in DomainValidator.__search_in_dc
   - dcerpc: Fix UnboundLocalError for ccache_name
- Resolves: #1249455 ipa trust-add failed CIFS server configuration does not
   allow access to \\pipe\lsarpc
   - Fix selector of protocol for LSA RPC binding string
   - dcerpc: Simplify generation of LSA-RPC binding strings
- Resolves: #1250192 Error in ipa trust-fecth-domains
   - Fix incorrect type comparison in trust-fetch-domains
- Resolves: #1251553 Winsync setup fails with unexpected error
   - replication: Fix incorrect exception invocation
- Resolves: #1251854 ipa aci plugin is not parsing aci's correctly.
   - ACI plugin: correctly parse bind rules enclosed in
- Resolves: #1252414 Trust agent install does not detect available 
replicas to
   add to master
   - adtrust-install: Correctly determine 4.2 FreeIPA servers

- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains
   that conflicts with AD DC
   - trusts: Check for AD root domain among our trusted domains
- Resolves: #1195339 ipa-client-install changes the label on various files
   which causes SELinux denials
   - sysrestore: copy files instead of moving them to avoind SELinux issues
- Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned
   commands / ntpd -qgc $tmpfile hangs
   - enable debugging of ntpd during client installation
- Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is 
   - migration: Use api.env variables.
- Resolves: #1212719 abort-clean-ruv subcommand should allow
   replica-certifyall: no
   - Allow value 'no' for replica-certify-all attr in abort-clean-ruv 
- Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has
   - dcerpc: Expand explanation for WERR_ACCESS_DENIED
   - dcerpc: Fix UnboundLocalError for ccache_name
- Resolves: #1222778 idoverride group-del can delete user and user-del can
   delete group
   - dcerpc: Add get_trusted_domain_object_type method
   - idviews: Restrict anchor to name and name to anchor conversions
   - idviews: Enforce objectclass check in idoverride*-del
- Resolves: #1234919 Be able to request certificates without certmonger 
   - cermonger: Use private unix socket when DBus SystemBus is not 
   - ipa-client-install: Do not (re)start certmonger and DBus daemons.
- Resolves: #1240939 Please add dependency on bind-pkcs11
   - Create server-dns sub-package.
   - ipaplatform: Add constants submodule
   - DNS: check if DNS package is installed
- Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow
   calling out oddjobd-activated services
   - selinux: enable httpd_run_ipa to allow communicating with oddjobd 
- Resolves: #1243261 non-admin users cannot search hbac rules
   - fix hbac rule search for non-admin users
   - fix selinuxusermap search for non-admin users
- Resolves: #1243652 Client has missing dependency on memcache
   - do not import memcache on client
- Resolves: #1243835 [webui] user change password dialog does not work
   - webui: fix user reset password dialog
- Resolves: #1244802 spec: selinux denial during kdcproxy user creation
   - Fix selinux denial during kdcproxy user creation
- Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the 
sssd user
   - oddjob: avoid chown keytab to sssd if sssd user does not exist
- Resolves: #1246136 Adding a privilege to a permission avoids validation
   - Validate adding privilege to a permission
- Resolves: #1246141 DNS Administrators cannot search in zones
   - DNS: Consolidate DNS RR types in API and schema
- Resolves: #1246143 User plugin - user-find doesn't work properly with 
   - fix broken search for users by their manager

- Resolves: #1131907 [ipa-client-install] cannot write certificate file
   '/etc/ipa/ca.crt.new': must be string or buffer, not None
- Resolves: #1195775 unsaved changes dialog internally inconsistent
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
   - Stageusedr-activate: show username instead of DN
- Resolves: #1200694 [RFE] Support for multiple cert profiles
   - Prevent to rename certprofile profile id
- Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error
- Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files
   - copy-schema-to-ca: allow to overwrite schema files
- Resolves: #1241941 kdc component installation of IPA failed
   - spec file: Update minimum required version of krb5
- Resolves: #1242036 Replica install fails to update DNS records
   - Fix DNS records installation for replicas
- Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy
   - Start dirsrv for kdcproxy upgrade

- Resolves: #846033  [RFE] Documentation for JSONRPC IPA API
- Resolves: #989091  Ability to manage IdM/IPA directly from a standard LDAP
- Resolves: #1072383 [RFE] Provide ability to map CAC identity 
certificates to
   users in IdM
- Resolves: #1115294 [RFE] Add support for DNSSEC
- Resolves: #1145748 [RFE] IPA running with One Way Trust
- Resolves: #1199520 [RFE] Introduce single upgrade tool - 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- Resolves: #1200728 [RFE] Replicate PKI Profile information
- Resolves: #1200735 [RFE] Allow issuing certificates for user accounts
- Resolves: #1204054 SSSD database is not cleared between installs and
   uninstalls of ipa
- Resolves: #1204205 [RFE] ID Views: Automated migration tool from 
Winsync to
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
- Resolves: #1204504 [RFE] Add access control so hosts can create their own
- Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default
- Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default
- Resolves: #1209476 package ipa-client does not require package dbus-python
- Resolves: #1211589 [RFE] Add option to skip the verify_client_version
- Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 
- Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone
- Resolves: #1217010 OTP Manager field is not exposed in the UI
- Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp
   00007fffd68b2340 error 6 in libc-2.17.so
- Related:  #1204809 Rebase ipa to 4.2
   - Update to upstream 4.2.0
   - Move /etc/ipa/kdcproxy to the server subpackage

- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install
- Related:  #1204809 Rebase ipa to 4.2
   - Fix minimum version of slapi-nis
   - Require python-sss and python-sss-murmur (provided by sssd-1.13.0)

- Resolves: #805188  [RFE] "ipa migrate-ds" ldapsearches with scope=1
- Resolves: #1019272 With 20000+ users, adding a user to a group 
   throws Internal server error
- Resolves: #1035494 Unable to add Kerberos principal via kadmin.local
- Resolves: #1045153 ipa-managed-entries --list -p <badpassword> still 
   DM password
- Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389
   from ldap_port_t
- Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI
- Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not
   matching uidgid
- Resolves: #1176036 IDM client registration failure in a high load 
- Resolves: #1183116 Remove Requires: subscription-manager
- Resolves: #1186054 permission-add does not prompt to enter --right 
option in
   interactive mode
- Resolves: #1187524 Replication agreement with replica not disabled when
   ipa-restore done without IPA installed
- Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as
   normal user.
- Resolves: #1189034 "an internal error has occurred" during ipa host-del
- Resolves: #1193554 ipa-client-automount: failing with error LDAP server
   returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled.
- Resolves: #1193759 IPA extdom plugin fails when encountering large groups
- Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode
   certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid 
- Resolves: #1194633 Default trust view can be deleted in lower case
- Resolves: #1196455 ipa-server-install step [8/27]: starting certificate
   server instance - confusing CA staus message on TLS error
- Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis
- Resolves: #1199527 [RFE] Use datepicker component for datetime fields
- Resolves: #1200867 [RFE] Make OTP validation window configurable
- Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi
- Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using
   get_user_grouplist() [rhel-7.2]
- Resolves: #1204637 slow group operations
- Resolves: #1204642 migrate-ds: slow add o users to default group
- Resolves: #1208461 IPA CA master server update stuck on checking getStatus
   via https
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
- Resolves: #1211708 ipa-client-install gets stuck during NTP sync
- Resolves: #1215197 ipa-client-install ignores --ntp-server option 
during time
- Resolves: #1215200 ipa-client-install configures IPA server as NTP source
   even if IPA server has not ntpd configured
- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
- Related:  #1204809 Rebase ipa to 4.2
   - Update to upstream 4.2.0.alpha1

- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate:
   (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)

- IPA extdom plugin fails when encountering large groups (#1193759)
- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and 

- "an internal error has occurred" during ipa host-del --updatedns 
- Renamed patch 1013 to 0114, as it was merged upstream
- Fax number not displayed for user-show when kinit'ed as normal user.
- Replication agreement with replica not disabled when ipa-restore done 
   IPA installed (#1199060)
- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)

- Fix ipa-pwd-extop global configuration caching (#1187342)
- group-detach does not add correct objectclasses (#1187540)

- Wrong directories created on full restore (#1186398)
- ipa-restore crashes if replica is unreachable (#1186396)
- idoverrideuser-add option --sshpubkey does not work (#1185410)

- PassSync does not sync passwords due to missing ACIs (#1181093)
- ipa-replica-manage list does not list synced domain (#1181010)
- Do not assume certmonger is running in httpinstance (#1181767)
- ipa-replica-manage disconnect fails without password (#1183279)
- Put LDIF files to their original location in ipa-restore (#1175277)
- DUA profile not available anonymously (#1184149)
- IPA replica missing data after master upgraded (#1176995)

- Re-add accidentally removed patches for #1170695 and #1164896

- IPA Replicate creation fails with error "Update failed! Status: [10 Total
   update abortedLDAP error: Referral]" (#1166265)
- running ipa-server-install --setup-dns results in a crash (#1072502)
- DNS zones are not migrated into forward zones if 4.0+ replica is added
- gid is overridden by uid in default trust view (#1168904)
- When migrating warn user if compat is enabled (#1177133)
- Clean up debug log for trust-add (#1168376)
- No error message thrown on restore(full kind) on replica from full backup
   taken on master (#1175287)
- ipa-restore proceed even IPA not configured (#1175326)
- Data replication not working as expected after data restore from full 
- IPA externally signed CA cert expiration warning missing from log 
- ipa-upgradeconfig fails in CA-less installs (#1181767)
- IPA certs fail to autorenew simultaneouly (#1173207)
- More validation required on ipa-restore's options (#1176034)

- Expand the token auth/sync windows (#919228)
- Access is not rejected for disabled domain (#1172598)
- krb5kdc crash in ldap_pvt_search (#1170695)
- RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)

- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible
- CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression)

- Throw zonemgr error message before installation proceeds (#1163849)
- Winsync: Setup is broken due to incorrect import of certificate (#1169867)
- Enable last token deletion when password auth type is configured (#919228)
- ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641)
- add --hosts and --hostgroup options to allow/retrieve keytab methods
- Extend host-show to add the view attribute in set of default attributes
- Prefer TCP connections to UDP in krb5 clients (#919228)
- [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214)
- webui: increase notification duration (#1171089)
- RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931)
- RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert
- Improve validation of --instance and --backend options in ipa-restore
- RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964)
- Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)

- Use NSS protocol range API to set available TLS protocols (#1156466)

- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1
   build fails (#1167196)
- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)
- "ipa trust-add ... " cmd says : (Trust status: Established and verified)
   while in the logs we see "WERR_ACCESS_DENIED" during verification step.
- POODLE: force using safe ciphers (non-SSLv3) in IPA client and server
- Add support/hooks for a one-time password system like SecureID in IPA
- Tracebacks with latest build for --zonemgr cli option (#1167270)
- ID Views: Support migration from the sync solution to the trust solution

- Improve otptoken help messages (#919228)
- Ensure users exist when assigning tokens to them (#919228)
- Enable QR code display by default in otptoken-add (#919228)
- Show warning instead of error if CA did not start (#1158410)
- CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges 
- Traceback when adding zone with long name (#1164859)
- Backup & Restore mechanism (#951581)
- ignoring user attributes in migrate-ds does not work if uppercase 
   are returned by ldap (#1159816)
- Allow ipa-getkeytab to optionally fetch existing keys (#1007367)
- Failure when installing on dual stacked system with external ca (#1128380)
- ipa-server should keep backup of CS.cfg (#1059135)
- Tracebacks with latest build for --zonemgr cli option (#1167270)
- webui: use domain name instead of domain SID in idrange adder dialog
- webui: normalize idview tab labels (#891984)

- ipa-csreplica-manage connect fails (#1157735)
- error message which is not understandable when IDNA2003 characters are
   present in --zonemgr (#1163849)
- Fix warning message should not contain CLI commands (#1114013)
- Renewing the CA signing certificate does not extend its validity 
period end
- RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for
   httpd (#1159330)

- Fix: DNS installer adds invalid zonemgr email (#1056202)
- ipaplatform: Use the dirsrv service, not target (#951581)
- Fix: DNS policy upgrade raises asertion error (#1161128)
- Fix upgrade referint plugin (#1161128)
- Upgrade: fix trusts objectclass violationi (#1161128)
- group-add doesn't accept gid parameter (#1149124)

- Update slapi-nis dependency to pull 0.54-2 (#891984)
- ipa-restore: Don't crash if AD trust is not installed (#951581)
- Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type 
- Trust setting not restored for CA cert with ipa-restore command (#1159011)
- ipa-server-install fails when restarting named (#1162340)

- Update Requires on pki-ca to 10.1.2-4 (#1129558)
- build: increase java stack size for all arches
- Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides 
- Fix dns zonemgr validation regression (#1056202)
- Handle profile changes in dogtag-ipa-ca-renew-agent (#886645)
- Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
- Add bind-dyndb-ldap working dir to IPA specfile
- Fail if certmonger can't see new CA certificate in LDAP in 
- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)
- Deadlock in schema compat plugin (#1161131)
- ipactl stop should stop dirsrv last (#1161129)
- Upgrade 3.3.5 to 4.1 failed (#1161128)
- CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)

- Do not check if port 8443 is available in step 2 of external CA install

- Update Requires on selinux-policy to 3.13.1-4

- Update to upstream 4.1.0 (#1109726)

- Update to upstream 4.1.0 Alpha 1 (#1109726)

- Add redhat-access-plugin-ipa dependency

- Re-enable otptoken_yubikey plugin

- Update to upstream 4.0.3 (#1109726)

- Server installation fails using external signed certificates with
   "IndexError: list index out of range" (#1111320)
- Add rhino to BuildRequires to fix Web UI build error

- ipa-client-automount fails with incompatibility error when installed 
   older IPA server (#1083108)

- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future
   PKI versions (#1080865)

- When IdM server trusts multiple AD forests, IPA client returns invalid 
   membership info (#1079498)

- Deletion of active subdomain range should not be allowed (#1075615)

- PKI database is ugraded during replica installation (#1075118)

- Unable to add trust successfully with --trust-secret (#1075704)

- ipa-replica-install never checks for 7389 port (#1075165)
- Non-terminated string may be passed to LDAP search (#1075091)
- ipa-sam may fail to translate group SID into GID (#1073829)
- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)

- Do not fetch a principal two times, remove potential memory leak 

- trustdomain-find with pkey-only fails (#1068611)
- Invalid credential cache in trust-add (#1069182)
- ipa-replica-install prints unexpected error (#1069722)
- Too big font in input fields in details facet in Firefox (#1069720)
- trust-add for POSIX AD does not fetch trustdomains (#1070925)
- Misleading trust-add error message in some cases (#1070926)
- Access is not rejected for disabled domain (#1070924)

- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)

- Display server name in ipa command's verbose mode (#1061703)
- Remove sourcehostcategory from default HBAC rule (#1061187)
- dnszone-add cannot add classless PTR zones (#1058688)
- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)

- Lockout plugin crashed during ipa-server-install (#912725)

- Fallback to global policy in ipa lockout plugin (#912725)
- Migration does not add users to default group (#903232)

- Mass rebuild 2014-01-24

- Fix NetBIOS name generation in CLDAP plugin (#1030517)

- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218)
- Increase default timeout for IPA services (#1033273)
- Error while running trustdomain-find (#1054376)
- group-show lists SID instead of name for external groups (#1054391)
- Fix IPA server NetBIOS name in samba configuration (#1030517)
- dnsrecord-mod produces missing API version warning (#1054869)
- Hide trust-resolve command as internal (#1052860)
- Add Trust domain Web UI (#1054870)
- ipasam cannot delete multiple child trusted domains (#1056120)

- Missing objectclasses when empty password passed to host-add (#1052979)
- sudoOrder missing in sudoers (#1052983)
- Missing examples in sudorule help (#1049464)
- Client automount does not uninstall when fstore is empty (#910899)
- Error not clear for invalid realm given to trust-fetch-domains (#1052981)
- trust-fetch-domains does not add idrange for subdomains found (#1049926)
- Add option to show if an AD subdomain is enabled/disabled (#1052973)
- ipa-adtrust-install still failed with long NetBIOS names (#1030517)
- Error not clear for invalid relam given to trustdomain-find (#1049455)
- renewed client cert not recognized during IPA CA renewal (#1033273)

- hbactest does not work for external users (#848531)

- PKI service restart after CA renewal failed (#1040018)

- Move ipa-tests package to separate srpm (#1032668)

- Fix status trust-add command status message (#910453)
- NetBIOS was not trimmed at 15 characters (#1030517)
- Harden CA subsystem certificate renewal on CA clones (#1040018)

- Mass rebuild 2013-12-27

- Remove "Listen 443 http" hack from deployed nss.conf (#1029046)
- Re-adding existing trust fails (#1033216)
- IPA uninstall exits with a samba error (#1033075)
- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260)
- Fixed ownership of /usr/share/ipa/ui/js (#1026260)
- ipa-tests: support external names for hosts (#1032668)
- ipa-client-install fail due fail to obtain host TGT (#1029354)

- Trust add tries to add same value of --base-id for sub domain,
   causing an error (#1033068)
- Improved error reporting for adding trust case (#1029856)

- Winsync agreement cannot be created (#1023085)

- Installer did not detect different server and IPA domain (#1026845)
- Allow kernel keyring CCACHE when supported (#1026861)

- ipa-server-install crashes when AD subpackage is not installed (#1026434)

- Update to upstream 3.3.3 (#991064)

- Temporarily move ipa-backup and ipa-restore functionality
   back to make them available in public Beta (#1003933)

- Server install failure during client enrollment shouldn't
   roll back (#1023086)
- nsds5ReplicaStripAttrs are not set on agreements (#1023085)
- ipa-server conflicts with mod_ssl (#1018172)

- Reinstalling ipa server hangs when configuring certificate
   server (#1018804)

- Deprecate --serial-autoincrement option (#1016645)
- CA installation always failed on replica (#1005446)
- Re-initializing a winsync connection exited with error (#994980)

- Update to upstream 3.3.2 (#991064)
- Add delegation info to MS-PAC (#915799)
- Warn about incompatibility with AD when IPA realm and domain
   differs (#1009044)
- Allow PKCS#12 files with empty password in install tools (#1002639)
- Privilege "SELinux User Map Administrators" did not list
   permissions (#997085)
- SSH key upload broken when client joins an older server (#1009024)

- Remove dependency on python-paramiko (#1002884)
- Broken redirection when deleting last entry of DNS resource
   record (#1006360)

- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)

- Replica installation fails for RHEL 6.4 master (#1004680)
- Server uninstallation crashes if DS is not available (#998069)

- Unable to remove replica by ipa-replica-manage (#1001662)
- Before uninstalling a server, warn about active replicas (#998069)

- Update to upstream 3.3.1 (#991064)
- Update minimum version of bind-dyndb-ldap to 3.5

- Fix replica installation failing on certificate subject (#983075)

- Allow ipa-tests to work with older version (1.7.7) of python-paramiko

- Prevent multilib failures in *.pyo and *.pyc files

- ipa-server-install fails if --subject parameter is other than default
   realm (#983075)
- do not allow configuring bind-dyndb-ldap without persistent search 

- diffstat was missing as a build dependency causing multilib problems

- Remove ipa-server-selinux obsoletes as upgrades from version prior to
   3.3.0 are not allowed
- Wrap server-trust-ad subpackage description better
- Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf
- Change permissions on default_encoding_utf8.so to fix ipa-python Provides

- Update to upstream 3.3.0 (#991064)

- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release

- Update to upstream 3.3.0 Beta 2 (#991064)

- Update to upstream 3.2.2
- Drop ipa-server-selinux subpackage
- Drop redundant directory /var/cache/ipa/sessions
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
- Run ipa-upgradeconfig and server restart in posttrans to avoid 
   issues when there are still old parts of software (like entitlements 

- Update to upstream 3.2.1
- Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0

- Add OTP patches
- Add patch to set KRB5CCNAME for 389-ds-base

- Update to upstream 3.2.0 GA
- ipa-client-install fails if /etc/ipa does not exist (#961483)
- Certificate status is not visible in Service and Host page (#956718)
- ipa-client-install removes needed options from ldap.conf (#953991)
- Handle socket.gethostbyaddr() exceptions when verifying hostnames 
- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
- Require nss 3.14.3-12.0 to address certutil certificate import
   errors (#953485)
- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
   environments. (#953464)
- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON 
behavior for
   socket based connections (#960222)
- Require libsss_nss_idmap-python
- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
   member is now done automatically and having it in the config file raises
   an error.
- Add backup and restore tools, directory.
- require at least systemd 38 which provides the journal (we no longer
   need to require syslog.target)
- Update Requires on policycoreutils to 2.1.14-37
- Update Requires on selinux-policy to 3.12.1-42
- Update Requires on 389-ds-base to
- Remove a Requires for java-atk-wrapper

- Remove release from krb5-server in strict sub-package to allow for 

- Add a Requires for java-atk-wrapper until we can determine which package
   should be pulling it in, dogtag or tomcat.

- Update to upstream 3.2.0 Beta 1

- Update to upstream 3.2.0 Prerelease 1
- Use upstream reference spec file as a base for Fedora spec file

- Rebuild for broken deps
- Fix 389-ds-base strict dep to be and krb5-server 1.11.1

- Rebuild for broken deps in rawhide
- Fix 389-ds-base strict dep to be

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

- Update to upstream 3.1.2
- CVE-2012-4546: Incorrect CRLs publishing
- CVE-2012-5484: MITM Attack during Join process
- CVE-2013-0199: Cross-Realm Trust key leak
- Updated strict dependencies to 389-ds-base = and
   pki-ca = 10.0.1

- Remove redundat Requires versions that are already in Fedora 17
- Replace python-crypto Requires with m2crypto
- Add missing Requires(post) for client and server-trust-ad subpackages
- Restart httpd service when server-trust-ad subpackage is installed
- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes

- Updated to upstream 3.1.0 GA
- Set minimum for sssd to 1.9.2
- Set minimum for pki-ca to 10.0.0-1
- Set minimum for 389-ds-base to 1.3.0
- Set minimum for selinux-policy to 3.11.1-60
- Remove unneeded dogtag package requires

- Update Requires on krb5-server to 1.11

- Configure CA replication to use TLS instead of SSL

- Updated to upstream 3.0.0 GA
- Set minimum for samba to 4.0.0-153.
- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
   plugin to /dev/null since they cannot be used when trusts are configured
- Restrict krb5-server to 1.10.
- Update BR for 389-ds-base to 1.3.0
- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
- Add Requires on zip for generating FF browser extension

- Updated to upstream 3.0.0 rc 2
- Include new FF configuration extension
- Set minimum Requires of selinux-policy to 3.11.1-33
- Set minimum Requires dogtag to 10.0.0-0.43.b1
- Add new optional strict sub-package to allow users to limit other
   package upgrades.

- Require samba packages instead of obsoleted samba4 packages

- Updated to upstream 3.0.0 rc 1
- Update BR for 389-ds-base to
- Update BR for krb5 to 1.10
- Update BR for samba4-devel to 4.0.0-139 (rc1)
- Add BR for python-polib
- Update BR and Requires on sssd to 1.9.0
- Update Requires on policycoreutils to 2.1.12-5
- Update Requires on 389-ds-base to
- Update Requires on selinux-policy to 3.11.1-21
- Update Requires on dogtag to 10.0.0-0.33.a1
- Update Requires on certmonger to 0.60
- Update Requires on tomcat to 7.0.29
- Update minimum version of bind to 9.9.1-10.P3
- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1
- Remove Requires on authconfig from python sub-package

- Rebuild against samba4 beta8

- Rebuild against samba4 beta7

- Adopt to samba4 beta6 (libsecurity -> libsamba-security)
- Add dependency to samba4-winbind

- Updated to upstream 3.0.0 beta 2

- Updated to current upstream state of 3.0.0 beta 2 development

- Rebuild against samba4 beta4

- Updated to upstream 3.0.0 beta 1

- Updated to upstream 2.2.0 GA
- Update minimum n-v-r of certmonger to 0.53
- Update minimum n-v-r of slapi-nis to 0.40
- Add Requires in client to oddjob-mkhomedir and python-krbV
- Update minimum selinux-policy to 3.10.0-110

- Update to upstream 2.2.0 beta 1 (2.1.90.rc1)
- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18.
- Add Conflicts on mod_ssl
- Update minimum n-v-r of 389-ds-base to
- Update minimum n-v-r of sssd to 1.8.0
- Update minimum n-v-r of slapi-nis to 0.38
- Update minimum n-v-r of pki-* to 9.0.18
- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1
- Update conflicts on bind to < 9.9.0-1
- Drop requires on krb5-server-ldap
- Add patch to remove escaping arguments to pkisilent

- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)

- Force to use 389-ds 1.2.10-0.8.a7 or above
- Improve upgrade script to handle systemd 389-ds change
- Fix freeipa to work with python-ldap 2.4.6

- Fix ipa-replica-install crashes
- Fix ipa-server-install and ipa-dns-install logging
- Set minimum version of pki-ca to 9.0.17 to fix sslget problem
   caused by FEDORA-2011-17400 update (#771357)

- Allow Web-based migration to work with tightened SE Linux policy (#769440)
- Rebuild slapi plugins against re-enterant version of libldap

- Allow longer dirsrv startup with systemd:
   - IPAdmin class will wait until dirsrv instance is available up to 10 
   - Helps with restarts during upgrade for ipa-ldap-updater
- Fix pylint warnings from F16 and Rawhide

- Update to upstream 2.1.4 (CVE-2011-3636)

- Update SELinux policy to allow ipa_kpasswd to connect ldap and
   read /dev/urandom. (#759679)

- Fix wrong path in packaging freeipa-systemd-upgrade

- Introduce upgrade script to recover existing configuration after 
systemd migration
   as user has no means to recover FreeIPA from systemd migration
- Upgrade script:
   - recovers symlinks in Dogtag instance install
   - recovers systemd configuration for FreeIPA's directory server instances
   - recovers freeipa.service
   - migrates directory server and KDC configs to use proper keytabs for 
systemd services

- Rebuilt for glibc bug#747377

- clean up spec
- Depend on sssd >= 1.6.2 for better user experience

- Fix Fedora package changelog after merging systemd changes

- Fix postin scriplet for F-15/F-16

- 2.1.3

- Default to systemd for Fedora 16 and onwards

- Update to upstream 2.1.0

- Fix bug #702633

- Update minimum selinux-policy to 3.9.16-18
- Update minimum pki-ca and pki-selinux to 9.0.7
- Update minimum 389-ds-base to
- Update to upstream 2.0.1

- Update to upstream GA release
- Automatically apply updates when the package is upgraded

- Update to upstream freeipa-2.0.0.rc2
- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in
- Set minimum version of sssd to 1.5.1
- Patch to include SuiteSpotGroup when setting up 389-ds instances
- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled

- Set the N-V-R so rc1 is an update to beta2.

- Set minimum version of sssd to 1.5.1
- Update to upstream freeipa-2.0.0.rc1
- Move server-only binaries from admintools subpackage to server

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

- Set min version of 389-ds-base to 1.2.8
- Set min version of mod_nss 1.0.8-10
- Set min version of selinux-policy to 3.9.7-27
- Add dogtag themes to Requires
- Update to upstream freeipa-2.0.0.pre2

- Remove unnecessary moving of v1 CA serial number file in post script
- Add Obsoletes for server-selinxu subpackage
- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da

- Prepare spec file for release
- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503

- Re-arrange doc and defattr to clean up rpmlint warnings
- Remove conditionals on older releases
- Move some man pages into admintools subpackage
- Remove some explicit Requires in client that aren't needed
- Consistent use of buildroot vs RPM_BUILD_ROOT

- Moved directory install/static to install/ui

- Remove dependency on nss_ldap/nss-pam-ldapd
- The official client is sssd and that's what we use by default.

- Remove radius subpackages

- Set minimum pki-ca and pki-silent versions to 9.0.0

- Drop BuildRequires on mozldap-devel

- Add Requires on krb5-pkinit-openssl

- Add ipa-host-net-manage script

- Add ipa init script

- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin

- remove ipa-fix-CVE-2008-3274

- Remove duplicate %files entries on share/ipa/static
- Add python default encoding shared library

- Drop requires on python-configobj (not used any more)
- Drop ipa-ldap-updater message, upgrades are done differently now

- Drop conflicts on mod_nss
- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847)
- Drop a slew of conditionals on older Fedora releases (< 12)
- Add a few conditionals against RHEL 6
- Add Requires of nss-tools on ipa-client

- Set minimum version of certmonger to 0.26 (to pck up #621670)
- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
- Set minimum version of pki-ca to 1.3.6
- Set minimum version of sssd to 1.2.1

- Add BuildRequires for authconfig

- Bump up minimum version of python-nss to pick up nss_is_initialize() API

- Removed python-asset based webui

- Change Requires from fedora-ds-base to 389-ds-base
- Set minimum level of 389-ds-base to 1.2.6 for the replication
   version plugin.

- Drop Requires of python-krbV on ipa-client

- Load ipa_dogtag.pp in post install

- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.

- No need to create /var/log/ipa_error.log since we aren't using
   TurboGears any more.

- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included

- Added Require mod_wsgi, added share/ipa/wsgi.py

- Require python-wehjit >= 0.2.2

- Add sssd and certmonger as a Requires on ipa-client

- Require python-wehjit >= 0.2.0

- Add ipa-rmkeytab tool

- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1
   Any type

- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf

- Add bash completion script and own /etc/bash_completion.d in case it
   doesn't already exist

- Remove ipa_webgui, its functions rolled into ipa_httpd

- Removed python-cherrypy from BuildRequires and Requires
- Added Requires python-assets, python-wehjit

- Added httpd SELinux policy so CRLs can be read

- Move ipalib to ipa-python subpackage
- Bump minimum version of slapi-nis to 0.15

- Set 0.14 as minimum version for slapi-nis

- Add Requires: python-nss to ipa-python sub-package

- Remove the IPA DNA plugin, use the DS one

- Build radius separately
- Fix a few minor issues

- Replace TurboGears requirement with python-cherrypy

- rebuild with new openssl

- Fix SELinux code

- Fix breakage caused by python-kerberos update to 1.1

- New upstream release 1.2.1

- Rebuild for Python 2.6

- Respin after the tarball has been re-released upstream
   New hash is 506c9c92dcaf9f227cba5030e999f177

- Conditionally restart also dirsrv and httpd when upgrading

- Update to upstream version 1.2.0
- Set fedora-ds-base minimum version to 1.1.3 for winsync header
- Set the minimum version for SELinux policy
- Remove references to Fedora 7

- Fix for CVE-2008-3274
- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface
- Add fix for bug #453185
- Rebuild against openldap libraries, mozldap ones do not work properly
- TurboGears is currently broken in rawhide. Added patch to not build
   the UI locales and removed them from the ipa-server files section.

- Add call to /usr/sbin/upgradeconfig to post install

- Update to upstream version 1.1.0
- Patch for indexing memberof attribute
- Patch for indexing uidnumber and gidnumber
- Patch to change DNA default values for replicas
- Patch to fix uninitialized variable in ipa-getkeytab

- Set fedora-ds-base minimum version to and mod_nss minimum
   version to 1.0.7-4 so we pick up the NSS fixes.
- Add selinux-policy-base(post) to Requires (446496)

- Add missing entry for /var/cache/ipa/kpasswd (444624)
- Added patch to fix permissions problems with the Apache NSS database.
- Added patch to fix problem with DNS querying where the query could be
   returned as the answer.
- Fix spec error where patch1 was in the wrong section

- Added patch to fix problem reported by ldapmodify

- Fix Requires for krb5-server that was missing for Fedora versions > 9
- Remove quotes around test for fedora version to package egg-info

- Update to upstream version 1.0.0

- Pull upstream changelog 722
- Add Conflicts mod_ssl (435360)

- Pull upstream changelog 698
- Fix ownership of /var/log/ipa_error.log during install (435119)
- Add pwpolicy command and man page

- Pull upstream changelog 678
- Add new subpackage, ipa-server-selinux
- Add Requires: authconfig to ipa-python (bz #433747)
- Package i18n files

- Pull upstream changelog 641
- Require minimum version of krb5-server on F-7 and F-8
- Package some new files

- Marked with wrong license. IPA is GPLv2.

- Ensure that /etc/ipa exists before moving user-modifiable html files there
- Put html files into /etc/ipa/html instead of /etc/ipa

- Pull upstream changelog 608 which renamed several files

- package the sessions dir /var/cache/ipa/sessions
- Pull upstream changelog 597

- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the
   UI to not start.

- Included LICENSE and README in all packages for documentation
- Move user-modifiable content to /etc/ipa and linked back to
- Changed some references to /usr to the {_usr} macro and /etc
   to {_sysconfdir}
- Added popt-devel to BuildRequires for Fedora 8 and higher and
   popt for Fedora 7
- Package the egg-info for Fedora 9 and higher for ipa-python

- Added auto* BuildRequires

- Unified spec file

- Fixed License in specfile
- Include files from /usr/lib/python*/site-packages/ipaserver

- Version bump for release

- Preverse mode on ipa-keytab-util
- Version bump for relase and rpm name change

- Broke invididual Requires and BuildRequires onto separate lines and
   reordered them
- Added python-tgexpandingformwidget as a dependency
- Require at least fedora-ds-base 1.1

- Version bump for release

- Add dep for freeipa-admintools and acl

- Add dependency for python-krbV

- Require mod_nss-1.0.7-2 for mod_proxy fixes

- Convert to autotools-based build

- Added support for libipa-dna-plugin

- Added support for ipa_kpasswd and ipa_pwd_extop

- Abstracted client class to work directly or over RPC

- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
- Remove references to admin server in ipa-server-setupssl
- Generate a client certificate for the XML-RPC server to connect to 
LDAP with
- Create a keytab for Apache
- Create an ldif with a test user
- Provide a certmap.conf for doing SSL client authentication

- Initial rpm version

More information about the El-errata mailing list