commit 8de80a61d3bfb03420df92aec7f8b87f27f975d7 Author: James Antill Date: Mon Aug 8 12:29:10 2022 -0400 Import rpm: a249616514dc5d61acb879b22759acf8a0fb5963 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d9c893f --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/freeipa-4.9.8.tar.gz diff --git a/0001-Only-calculate-LDAP-password-grace-when-the-password.patch b/0001-Only-calculate-LDAP-password-grace-when-the-password.patch new file mode 100644 index 0000000..528c6c1 --- /dev/null +++ b/0001-Only-calculate-LDAP-password-grace-when-the-password.patch @@ -0,0 +1,56 @@ +From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 29 Jun 2022 13:25:55 +0000 +Subject: [PATCH] Only calculate LDAP password grace when the password is + expired + +The user's pwd expiration was retrieved but inadvertently was never +compared to current time. So any LDAP bind, including from the +IPA API, counted against the grace period. There is no need to go +through the graceperiod code for non-expired passwords. + +https://pagure.io/freeipa/issue/1539 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + .../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c +index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644 +--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c ++++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c +@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) + Slapi_ValueSet *values = NULL; + long grace_limit = 0; + int grace_user_time; +- char *pwd_expiration = NULL; ++ char *tmpstr = NULL; ++ time_t pwd_expiration; + int pwresponse_requested = 0; + Slapi_PBlock *pbtm = NULL; + Slapi_Mods *smods = NULL; +@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) + } + slapi_value_free(&objectclass); + +- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); +- if (pwd_expiration == NULL) { ++ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); ++ if (tmpstr == NULL) { + /* No expiration means nothing to do */ + LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn); + goto done; + } ++ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr); ++ if (pwd_expiration > time(NULL)) { ++ /* Not expired, nothing to see here */ ++ goto done; ++ } + + ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry, + &values, &actual_type_name, +-- +2.36.1 + diff --git a/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch new file mode 100644 index 0000000..943e986 --- /dev/null +++ b/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -0,0 +1,70 @@ +From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Fri, 10 Dec 2021 12:15:36 -0300 +Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils" + +This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda. +--- + freeipa.spec.in | 4 +--- + ipaplatform/base/paths.py | 2 +- + ipaplatform/fedora/paths.py | 1 + + ipaserver/dnssec/bindmgr.py | 1 - + 4 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 8f5c370e5..e20edb7bc 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release} + Requires: bind-dyndb-ldap >= 11.2-2 + Requires: bind >= %{bind_version} + Requires: bind-utils >= %{bind_version} +-# bind-dnssec-utils is required by the OpenDNSSec integration +-# https://pagure.io/freeipa/issue/9026 +-Requires: bind-dnssec-utils >= %{bind_version} + %if %{with bind_pkcs11} + Requires: bind-pkcs11 >= %{bind_version} ++Requires: bind-pkcs11-utils >= %{bind_version} + %else + Requires: softhsm >= %{softhsm_version} + Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} +diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py +index 7d21367ec..42a47f1df 100644 +--- a/ipaplatform/base/paths.py ++++ b/ipaplatform/base/paths.py +@@ -259,7 +259,7 @@ class BasePathNamespace: + IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" + IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" + IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" +- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" ++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" + GETSEBOOL = "/usr/sbin/getsebool" + GROUPADD = "/usr/sbin/groupadd" + USERMOD = "/usr/sbin/usermod" +diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py +index 4e993c063..92a948966 100644 +--- a/ipaplatform/fedora/paths.py ++++ b/ipaplatform/fedora/paths.py +@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace): + NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" + if HAS_NFS_CONF: + SYSCONFIG_NFS = '/etc/nfs.conf' ++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" + + + paths = FedoraPathNamespace() +diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py +index 0c79cc03d..a15c0e601 100644 +--- a/ipaserver/dnssec/bindmgr.py ++++ b/ipaserver/dnssec/bindmgr.py +@@ -127,7 +127,6 @@ class BINDMgr: + ) + cmd = [ + paths.DNSSEC_KEYFROMLABEL, +- '-E', 'pkcs11', + '-K', workdir, + '-a', attrs['idnsSecAlgorithm'][0], + '-l', uri +-- +2.31.1 + diff --git a/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch b/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch new file mode 100644 index 0000000..f5f3cf3 --- /dev/null +++ b/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch @@ -0,0 +1,75 @@ +From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 15 Dec 2021 10:47:02 +0100 +Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied + +When ipa config-mod is called with the option --enable-sid, +the code needs to trap EmptyModlist exception (it is expected +that no LDAP attribute is modified by this operation). +The code had a flaw and was checking: + 'enable_sid' in options +instead of + options['enable_sid'] + +"'enable_sid' in options" always returns true as this option +is a Flag with a default value, hence always present even if +not specified on the command line. + +Fixes: https://pagure.io/freeipa/issue/9063 +Reviewed-By: Rob Crittenden +--- + ipaserver/plugins/config.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py +index eae401fc3..24446beb0 100644 +--- a/ipaserver/plugins/config.py ++++ b/ipaserver/plugins/config.py +@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate): + if (isinstance(exc, errors.EmptyModlist) and + call_func.__name__ == 'update_entry' and + ('ca_renewal_master_server' in options or +- 'enable_sid' in options)): ++ options['enable_sid'])): + return + + super(config_mod, self).exc_callback( +-- +2.34.1 + +From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 15 Dec 2021 10:51:05 +0100 +Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned + +Add a test to test_config_plugin, that calls ipa config-mod +with the same value as already present in LDAP. +The call must return EmptyModlist. + +Related: https://pagure.io/freeipa/issue/9063 +Reviewed-By: Rob Crittenden +--- + ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py +index e981bb4a0..a8ec9f0e5 100644 +--- a/ipatests/test_xmlrpc/test_config_plugin.py ++++ b/ipatests/test_xmlrpc/test_config_plugin.py +@@ -312,4 +312,13 @@ class test_config(Declarative): + 'value': None, + }, + ), ++ dict( ++ desc='Set the value to the already set value, no modifications', ++ command=( ++ 'config_mod', [], { ++ 'ipasearchrecordslimit': u'100', ++ }, ++ ), ++ expected=errors.EmptyModlist(), ++ ), + ] +-- +2.34.1 + diff --git a/0002-webui-Do-not-allow-empty-pagination-size.patch b/0002-webui-Do-not-allow-empty-pagination-size.patch new file mode 100644 index 0000000..15f0b8b --- /dev/null +++ b/0002-webui-Do-not-allow-empty-pagination-size.patch @@ -0,0 +1,67 @@ +From 02d3fb8266d8199fd1ed983de6c57b269546df82 Mon Sep 17 00:00:00 2001 +From: Armando Neto +Date: Fri, 8 Jul 2022 15:56:31 -0300 +Subject: [PATCH] webui: Do not allow empty pagination size + +Pagination size must be required, the current validators are triggered after +form is submitted, thus the only way for check if data is not empty is by making +the field required. + +Fixes: https://pagure.io/freeipa/issue/9192 + +Signed-off-by: Armando Neto +Reviewed-By: Florence Blanc-Renaud +--- + .../ui/src/freeipa/Application_controller.js | 1 + + ipatests/test_webui/test_misc_cases.py | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js +index 46aabc9c4dd47aa3874cb3ddf27da048607b7516..140ee8fe0d7adc274396248aae0be2f4559db27a 100644 +--- a/install/ui/src/freeipa/Application_controller.js ++++ b/install/ui/src/freeipa/Application_controller.js +@@ -318,6 +318,7 @@ define([ + $type: 'text', + name: 'pagination_size', + label: '@i18n:customization.table_pagination', ++ required: true, + validators: ['positive_integer'] + } + ] +diff --git a/ipatests/test_webui/test_misc_cases.py b/ipatests/test_webui/test_misc_cases.py +index 5f7ffb54ee33e9b453d6b987b7bf84d6f4311ebd..aca9e1a99e1e2cf60790fe8c33a65430e0d535e2 100644 +--- a/ipatests/test_webui/test_misc_cases.py ++++ b/ipatests/test_webui/test_misc_cases.py +@@ -11,6 +11,11 @@ from ipatests.test_webui.ui_driver import screenshot + import pytest + import re + ++try: ++ from selenium.webdriver.common.by import By ++except ImportError: ++ pass ++ + + @pytest.mark.tier1 + class TestMiscCases(UI_driver): +@@ -26,3 +31,17 @@ class TestMiscCases(UI_driver): + ver_re = re.compile('version: .*') + assert re.search(ver_re, about_text), 'Version not found' + self.dialog_button_click('ok') ++ ++ @screenshot ++ def test_customization_pagination_input_required(self): ++ """Test if 'pagination size' is required when submitting the form.""" ++ self.init_app() ++ ++ self.profile_menu_action('configuration') ++ self.fill_input('pagination_size', '') ++ self.dialog_button_click('save') ++ ++ pagination_size_elem = self.find( ++ ".widget[name='pagination_size']", By.CSS_SELECTOR) ++ ++ self.assert_field_validation_required(parent=pagination_size_elem) +-- +2.36.1 + diff --git a/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch b/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch new file mode 100644 index 0000000..f6cf756 --- /dev/null +++ b/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch @@ -0,0 +1,47 @@ +From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Wed, 26 Jan 2022 15:43:39 +0100 +Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys + +The Custodia key export handler is using the default's OpenSSL encryption +scheme for PKCS#12. + +This represents an issue when performing a migration from CentOS Stream 8 (C8S) +to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S +replica talks to the Custodia server on C8S source server. The later creates an +encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's +default encryption scheme, which is no longer supported on C9S. + +This commit enforces a stronger encryption algorigthm by adding following +arguments to the Custodia server handler: + +-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384 + +The new arguments enforce stronger PBEv2 instead of the insecure PBEv1. + +Fixes: https://pagure.io/freeipa/issue/9101 + +Signed-off-by: Francisco Trivino +Reviewed-By: Christian Heimes +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/secrets/handlers/pemfile.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py +index 4e8eff0e3..ad36bd020 100644 +--- a/ipaserver/secrets/handlers/pemfile.py ++++ b/ipaserver/secrets/handlers/pemfile.py +@@ -31,6 +31,9 @@ def export_key(args, tmpdir): + '-out', pk12file, + '-inkey', args.keyfile, + '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile), ++ '-keypbe', 'AES-256-CBC', ++ '-certpbe', 'AES-256-CBC', ++ '-macalg', 'sha384', + ]) + + with open(pk12file, 'rb') as f: +-- +2.34.1 + diff --git a/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch b/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch new file mode 100644 index 0000000..1e342e5 --- /dev/null +++ b/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch @@ -0,0 +1,122 @@ +From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 1 Feb 2022 16:43:09 +0100 +Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users + +Since 5d51ae5, principal keys were dropped in case user auth indicator +was not including password. Thereafter, the key removal behavior was +removed by 15ff9c8 in the context of the kdcpolicy plugin introduction. +Support for hardened pre-auth methods (FAST and SPAKE) was added in +d057040, and the removal of principal keys was restored afterwards by +f0d12b7, but not taking the new hardened auth indicator into account. + +Fixes: https://pagure.io/freeipa/issue/9065 +Related to: https://pagure.io/freeipa/issue/8001 + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 15f3df4fe..0d0d3748c 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, + &res_key_data, &result, &mkvno); + switch (ret) { + case 0: +- /* Only set a principal's key if password auth can be used. Otherwise +- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH +- * reply for AS-REQs which indicate the password authentication is +- * available. This might confuse applications like e.g. SSSD which try +- * to determine suitable authentication methods and corresponding +- * prompts with the help of MIT Kerberos' responder interface which +- * acts on the returned pre-authentication methods. A typical example +- * is enforced OTP authentication where of course keys are available +- * for the first factor but password authentication should not be +- * advertised by the KDC. */ +- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) { ++ /* Only set a principal's key if password or hardened auth can be used. ++ * Otherwise the KDC would add pre-authentication methods to the ++ * NEEDED_PREAUTH reply for AS-REQs which indicate the password ++ * authentication is available. This might confuse applications like ++ * e.g. SSSD which try to determine suitable authentication methods and ++ * corresponding prompts with the help of MIT Kerberos' responder ++ * interface which acts on the returned pre-authentication methods. A ++ * typical example is enforced OTP authentication where of course keys ++ * are available for the first factor but password authentication ++ * should not be advertised by the KDC. */ ++ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) && ++ (ua != IPADB_USER_AUTH_NONE)) { + /* This is the same behavior as ENOENT below. */ + ipa_krb5_free_key_data(res_key_data, result); + break; +-- +2.34.1 + +From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 1 Feb 2022 19:38:29 +0100 +Subject: [PATCH] ipatests: add case for hardened-only ticket policy + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py +index 63e75ae67..9489fbc97 100644 +--- a/ipatests/test_integration/test_krbtpolicy.py ++++ b/ipatests/test_integration/test_krbtpolicy.py +@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest): + result = master.run_command('klist | grep krbtgt') + assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True + +- def test_krbtpolicy_hardended(self): +- """Test a hardened kerberos ticket policy with 10 min tickets""" ++ def test_krbtpolicy_password_and_hardended(self): ++ """Test a pwd and hardened kerberos ticket policy with 10min tickets""" + master = self.master + master.run_command(['ipa', 'user-mod', USER1, + '--user-auth-type', 'password', +@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest): + result = master.run_command('klist | grep krbtgt') + assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True + ++ def test_krbtpolicy_hardended(self): ++ """Test a hardened kerberos ticket policy with 30min tickets""" ++ master = self.master ++ master.run_command(['ipa', 'user-mod', USER1, ++ '--user-auth-type', 'hardened']) ++ master.run_command(['ipa', 'config-mod', ++ '--user-auth-type', 'hardened']) ++ master.run_command(['ipa', 'krbtpolicy-mod', USER1, ++ '--hardened-maxlife', '1800']) ++ ++ tasks.kdestroy_all(master) ++ ++ master.run_command(['kinit', USER1], ++ stdin_text=PASSWORD + '\n') ++ result = master.run_command('klist | grep krbtgt') ++ assert maxlife_within_policy(result.stdout_text, 1800, ++ slush=1800) is True ++ ++ tasks.kdestroy_all(master) ++ ++ # Verify that the short policy only applies to USER1 ++ master.run_command(['kinit', USER2], ++ stdin_text=PASSWORD + '\n') ++ result = master.run_command('klist | grep krbtgt') ++ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True ++ + def test_krbtpolicy_password(self): + """Test the kerberos ticket policy which issues 20 min tickets""" + master = self.master +-- +2.34.1 + diff --git a/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch b/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch new file mode 100644 index 0000000..3ac05fa --- /dev/null +++ b/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch @@ -0,0 +1,44 @@ +From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 28 Jan 2022 16:58:42 +0100 +Subject: [PATCH] ipa-pki-proxy.conf: provide access to + /kra/admin/kra/getStatus + +The access to /kra/admin/kra/getStatus will be needed +in order to fix pki-healthcheck. +Note that this commit is a pre-requisite for the fix +to be done on PKI side. No test added since the full +integration test already exists in test_replica_promotion.py, +in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica + +Fixes: https://pagure.io/freeipa/issue/9099 +Related: https://pagure.io/freeipa/issue/8582 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + install/share/ipa-pki-proxy.conf.template | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template +index 96708482c..7a46f20b9 100644 +--- a/install/share/ipa-pki-proxy.conf.template ++++ b/install/share/ipa-pki-proxy.conf.template +@@ -1,4 +1,4 @@ +-# VERSION 16 - DO NOT REMOVE THIS LINE ++# VERSION 17 - DO NOT REMOVE THIS LINE + + ProxyRequests Off + +@@ -11,7 +11,7 @@ ProxyRequests Off + + + # matches for admin port and installer +- ++ + SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + SSLVerifyClient none + ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET +-- +2.34.1 + diff --git a/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch b/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch new file mode 100644 index 0000000..14d1f0c --- /dev/null +++ b/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch @@ -0,0 +1,755 @@ +From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001 +From: Sumedh Sidhaye +Date: Fri, 14 Jan 2022 19:55:13 +0530 +Subject: [PATCH] Added test automation for SHA384withRSA CSR support + +Scenario 1: +Setup master with --ca-signing-algorithm=SHA384withRSA +Run certutil and check Signing Algorithm + +Scenario 2: +Setup a master +Stop services +Modify default.params.signingAlg in CS.cfg +Restart services +Resubmit cert (Resubmitted cert should have new Algorithm) + +Pagure Link: https://pagure.io/freeipa/issue/8906 + +Signed-off-by: Sumedh Sidhaye +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Antonio Torres +--- + .../test_integration/test_installation.py | 63 +++++++++++++++++++ + 1 file changed, 63 insertions(+) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 0947241ae..f2d372c0c 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks + from ipatests.pytest_ipa.integration.env_config import get_global_config + from ipatests.test_integration.base import IntegrationTest + from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup ++from ipatests.test_integration.test_cert import get_certmonger_fs_id + from ipaplatform import services + + +@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest): + tasks.install_replica( + self.master, self.replicas[0], setup_ca=False, setup_dns=False + ) ++ ++ ++class TestInstallwithSHA384withRSA(IntegrationTest): ++ num_replicas = 0 ++ ++ def test_install_master_withalgo_sha384withrsa(self, server_cleanup): ++ tasks.install_master( ++ self.master, ++ extra_args=['--ca-signing-algorithm=SHA384withRSA'], ++ ) ++ ++ # check Signing Algorithm post installation ++ dashed_domain = self.master.domain.realm.replace(".", '-') ++ cmd_args = ['certutil', '-L', '-d', ++ '/etc/dirsrv/slapd-{}/'.format(dashed_domain), ++ '-n', 'Server-Cert'] ++ result = self.master.run_command(cmd_args) ++ assert 'SHA-384 With RSA Encryption' in result.stdout_text ++ ++ def test_install_master_modify_existing(self, server_cleanup): ++ """ ++ Setup a master ++ Stop services ++ Modify default.params.signingAlg in CS.cfg ++ Restart services ++ Resubmit cert (Resubmitted cert should have new Algorithm) ++ """ ++ tasks.install_master(self.master) ++ self.master.run_command(['ipactl', 'stop']) ++ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH, ++ encoding='utf-8') ++ new_lines = [] ++ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA" ++ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA" ++ for line in cs_cfg_content.split('\n'): ++ if line.startswith('ca.signing.defaultSigningAlgorithm'): ++ new_lines.append(replace_str) ++ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'): ++ new_lines.append(ocsp_rep_str) ++ else: ++ new_lines.append(line) ++ self.master.put_file_contents(paths.CA_CS_CFG_PATH, ++ '\n'.join(new_lines)) ++ self.master.run_command(['ipactl', 'start']) ++ ++ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM] ++ result = self.master.run_command(cmd) ++ request_id = get_certmonger_fs_id(result.stdout_text) ++ ++ # resubmit RA Agent cert ++ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM] ++ self.master.run_command(cmd) ++ ++ tasks.wait_for_certmonger_status(self.master, ++ ('CA_WORKING', 'MONITORING'), ++ request_id) ++ ++ cmd_args = ['openssl', 'x509', '-in', ++ paths.RA_AGENT_PEM, '-noout', '-text'] ++ result = self.master.run_command(cmd_args) ++ assert_str = 'Signature Algorithm: sha384WithRSAEncryption' ++ assert assert_str in result.stdout_text +-- +2.34.1 + +From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001 +From: Sumedh Sidhaye +Date: Thu, 25 Nov 2021 17:48:20 +0530 +Subject: [PATCH] Extend test to see if replica is not shown when running + `ipa-replica-manage list -v ` + +Related: https://pagure.io/freeipa/issue/8605 + +Signed-off-by: Sumedh Sidhaye +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_simple_replication.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py +index 8de385144..17092a499 100644 +--- a/ipatests/test_integration/test_simple_replication.py ++++ b/ipatests/test_integration/test_simple_replication.py +@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest): + # has to be run with --force, there is no --unattended + self.master.run_command(['ipa-replica-manage', 'del', + self.replicas[0].hostname, '--force']) +- result = self.master.run_command(['ipa-replica-manage', 'list']) ++ result = self.master.run_command( ++ ['ipa-replica-manage', 'list', '-v', self.master.hostname]) + assert self.replicas[0].hostname not in result.stdout_text +-- +2.34.1 + +From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Fri, 26 Nov 2021 12:11:21 +0530 +Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica + teardown + +Fixture `expire_certs` moves date back after renewing the certs. +This is causing the ipa-replica to fail. This fix first uninstalls +the server then moves back the date. + +Fixes: https://pagure.io/freeipa/issue/9052 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index 39904d5de..5b56054b4 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest): + setup_dns=False, extra_args=['--no-ntp'] + ) + ++ @classmethod ++ def uninstall(cls, mh): ++ # Uninstall method is empty as the uninstallation is done in ++ # the fixture ++ pass ++ + @pytest.fixture + def expire_certs(self): + # move system date to expire certs +@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest): + yield + + # move date back on replica and master +- for host in self.master, self.replicas[0]: ++ for host in self.replicas[0], self.master: ++ tasks.uninstall_master(host) + tasks.move_date(host, 'start', '-3years-1days') + + def test_renew_expired_cert_replica(self, expire_certs): +-- +2.34.1 + +From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 13 Dec 2021 17:37:05 +0530 +Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit. + +related : https://pagure.io/freeipa/issue/8962 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_installation.py | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 95cfaad54..0947241ae 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest): + ) + assert "nsslapd-db-locks" not in result.stdout_text + ++ def test_nsslapd_sizelimit(self): ++ """ Test for default value of nsslapd-sizelimit. ++ ++ Related : https://pagure.io/freeipa/issue/8962 ++ """ ++ result = tasks.ldapsearch_dm( ++ self.master, ++ "cn=config", ++ ["nsslapd-sizelimit"], ++ scope="base" ++ ) ++ assert "nsslapd-sizelimit: 100000" in result.stdout_text ++ + def test_admin_root_alias_CVE_2020_10747(self): + # Test for CVE-2020-10747 fix + # https://bugzilla.redhat.com/show_bug.cgi?id=1810160 +-- +2.34.1 + +From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 25 Nov 2021 13:10:05 +0530 +Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to + segfault + +When empty cert request is submitted to certmonger, it goes to +segfault. This fix test that if something like this happens, +certmonger should gracefuly handle it + +and some PEP8 fixes + +related: https://pagure.io/certmonger/issue/191 + +Signed-off-by: Mohammad Rizwan +--- + ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++- + 1 file changed, 78 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py +index 5ffb8c608..0518d7954 100644 +--- a/ipatests/test_integration/test_cert.py ++++ b/ipatests/test_integration/test_cert.py +@@ -14,6 +14,7 @@ import random + import re + import string + import time ++import textwrap + + from ipaplatform.paths import paths + from ipapython.dn import DN +@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest): + tasks.kinit_admin(self.master) + tasks.user_add(self.master, user) + +- for id in (0,1): ++ for id in (0, 1): + csr_file = f'{id}.csr' + key_file = f'{id}.key' + cert_file = f'{id}.crt' +@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest): + error_msg = 'ipa: ERROR: The certificate for ' \ + '{} is not available on this server.'.format(lwca) + assert error_msg in result.stderr_text ++ ++ def test_certmonger_empty_cert_not_segfault(self): ++ """Test empty cert request doesn't force certmonger to segfault ++ ++ Test scenario: ++ create a cert request file in /var/lib/certmonger/requests which is ++ missing most of the required information, and ask request a new ++ certificate to certmonger. The wrong request file should not make ++ certmonger crash. ++ ++ related: https://pagure.io/certmonger/issue/191 ++ """ ++ empty_cert_req_content = textwrap.dedent(""" ++ id=dogtag-ipa-renew-agent ++ key_type=UNSPECIFIED ++ key_gen_type=UNSPECIFIED ++ key_size=0 ++ key_gen_size=0 ++ key_next_type=UNSPECIFIED ++ key_next_gen_type=UNSPECIFIED ++ key_next_size=0 ++ key_next_gen_size=0 ++ key_preserve=0 ++ key_storage_type=NONE ++ key_perms=0 ++ key_requested_count=0 ++ key_issued_count=0 ++ cert_storage_type=FILE ++ cert_perms=0 ++ cert_is_ca=0 ++ cert_ca_path_length=0 ++ cert_no_ocsp_check=0 ++ last_need_notify_check=19700101000000 ++ last_need_enroll_check=19700101000000 ++ template_is_ca=0 ++ template_ca_path_length=-1 ++ template_no_ocsp_check=0 ++ state=NEED_KEY_PAIR ++ autorenew=0 ++ monitor=0 ++ submitted=19700101000000 ++ """) ++ # stop certmonger service ++ self.master.run_command(['systemctl', 'stop', 'certmonger']) ++ ++ # place an empty cert request file to certmonger request dir ++ self.master.put_file_contents( ++ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), ++ empty_cert_req_content ++ ) ++ ++ # start certmonger, it should not fail ++ self.master.run_command(['systemctl', 'start', 'certmonger']) ++ ++ # request a new cert, should succeed and certmonger doesn't goes ++ # to segfault ++ result = self.master.run_command([ ++ "ipa-getcert", "request", ++ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"), ++ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"), ++ ]) ++ request_id = re.findall(r'\d+', result.stdout_text) ++ ++ # check if certificate is in MONITORING state ++ status = tasks.wait_for_request(self.master, request_id[0], 50) ++ assert status == "MONITORING" ++ ++ self.master.run_command( ++ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]] ++ ) ++ self.master.run_command([ ++ 'rm', '-rf', ++ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), ++ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'), ++ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key') ++ ]) +-- +2.34.1 + +From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 6 Dec 2021 20:50:01 +0530 +Subject: [PATCH] ipatests: webui: Tests for subordinate ids. + +Added web-ui tests to verify where operations +using subordinate ids are working as expected. + +Related : https://pagure.io/freeipa/issue/8361 + +Signed-off-by: Anuja More +Reviewed-By: Michal Polovka +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++ + ipatests/test_webui/ui_driver.py | 28 ++++++ + 2 files changed, 169 insertions(+) + create mode 100644 ipatests/test_webui/test_subid.py + +diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py +new file mode 100644 +index 000000000..26decdba0 +--- /dev/null ++++ b/ipatests/test_webui/test_subid.py +@@ -0,0 +1,141 @@ ++ ++""" ++Tests for subordinateid. ++""" ++ ++from ipatests.test_webui.ui_driver import UI_driver ++import ipatests.test_webui.data_config as config_data ++import ipatests.test_webui.data_user as user_data ++from ipatests.test_webui.ui_driver import screenshot ++import re ++ ++ ++class test_subid(UI_driver): ++ ++ def add_user(self, pkey, name, surname): ++ self.add_record('user', { ++ 'pkey': pkey, ++ 'add': [ ++ ('textbox', 'uid', pkey), ++ ('textbox', 'givenname', name), ++ ('textbox', 'sn', surname), ++ ] ++ }) ++ ++ def set_default_subid(self): ++ self.navigate_to_entity(config_data.ENTITY) ++ self.check_option('ipauserdefaultsubordinateid', 'checked') ++ self.facet_button_click('save') ++ ++ def get_user_count(self, user_pkey): ++ self.navigate_to_entity('subid', facet='search') ++ self.apply_search_filter(user_pkey) ++ self.wait_for_request() ++ return self.get_rows() ++ ++ @screenshot ++ def test_set_defaultsubid(self): ++ """ ++ Test to verify that enable/disable is working for ++ adding subids to new users. ++ """ ++ self.init_app() ++ self.add_record(user_data.ENTITY, user_data.DATA2) ++ self.navigate_to_entity(config_data.ENTITY) ++ # test subid can be enabled/disabled. ++ self.set_default_subid() ++ assert self.get_field_checked('ipauserdefaultsubordinateid') ++ self.set_default_subid() ++ assert not self.get_field_checked('ipauserdefaultsubordinateid') ++ ++ @screenshot ++ def test_user_defaultsubid(self): ++ """ ++ Test to verify that subid is generated for new user. ++ """ ++ self.init_app() ++ user_pkey = "some-user" ++ ++ self.set_default_subid() ++ assert self.get_field_checked('ipauserdefaultsubordinateid') ++ ++ before_count = self.get_user_count(user_pkey) ++ assert len(before_count) == 0 ++ ++ self.add_user(user_pkey, 'Some', 'User') ++ after_count = self.get_user_count(user_pkey) ++ assert len(after_count) == 1 ++ ++ @screenshot ++ def test_user_subid_mod_desc(self): ++ """ ++ Test to verify that auto-assigned subid description is modified. ++ """ ++ self.init_app() ++ self.navigate_to_record("some-user") ++ self.switch_to_facet('memberof_subid') ++ rows = self.get_rows() ++ self.navigate_to_row_record(rows[-1]) ++ self.fill_textbox("description", "some-user-subid-desc") ++ self.facet_button_click('save') ++ ++ @screenshot ++ def test_admin_subid(self): ++ """ ++ Test to verify that subid range is created with owner admin. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', 'admin') ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ self.assert_no_error_dialog() ++ ++ @screenshot ++ def test_admin_subid_negative(self): ++ """ ++ Test to verify that readding the subid fails with error. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', 'admin') ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog') ++ text = self.get_text('.modal-body div p', err_dialog) ++ text = text.strip() ++ pattern = r'Subordinate id with with name .* already exists.' ++ assert re.search(pattern, text) is not None ++ self.close_all_dialogs() ++ ++ @screenshot ++ def test_user_subid_add(self): ++ """ ++ Test to verify that subid range is created for given user. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ before_count = self.get_rows() ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', user_data.PKEY2) ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ self.assert_no_error_dialog() ++ after_count = self.get_rows() ++ assert len(before_count) < len(after_count) ++ ++ @screenshot ++ def test_subid_del(self): ++ """ ++ Test to remove subordinate id for given user. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ user_uid = self.get_record_pkey("some-user", "ipaowner", ++ table_name="ipauniqueid") ++ before_count = self.get_rows() ++ self.delete_record(user_uid, table_name="ipauniqueid") ++ after_count = self.get_rows() ++ assert len(before_count) > len(after_count) +diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py +index 46fd512ae..77fd74e49 100644 +--- a/ipatests/test_webui/ui_driver.py ++++ b/ipatests/test_webui/ui_driver.py +@@ -1151,6 +1151,34 @@ class UI_driver: + return row + return None + ++ def get_row_by_column_value(self, key, column_name, parent=None, ++ table_name=None): ++ """ ++ Get the first matched row element of a search table with given key ++ matched against selected column. None if not found ++ """ ++ rows = self.get_rows(parent, table_name) ++ s = "td div[name='%s']" % column_name ++ for row in rows: ++ has = self.find(s, By.CSS_SELECTOR, row) ++ if has.text == key: ++ return row ++ return None ++ ++ def get_record_pkey(self, key, column, parent=None, table_name=None): ++ """ ++ Get record pkey if value of column is known ++ """ ++ row = self.get_row_by_column_value(key, ++ column_name=column, ++ parent=parent, ++ table_name=table_name) ++ val = None ++ if row: ++ el = self.find("td input", By.CSS_SELECTOR, row) ++ val = el.get_attribute("value") ++ return val ++ + def navigate_to_row_record(self, row, pkey_column=None): + """ + Navigate to record by clicking on a link. +-- +2.34.1 + +From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001 +From: Michal Polovka +Date: Fri, 7 Jan 2022 12:12:26 +0100 +Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML + configuration file + +FullLoader class for YAML loader was introduced in version 5.1 which +also deprecated default loader. SafeLoader, however, stays consistent +across the versions and brings added security. + +This fix is necessary as PyYAML > 5.1 is not available in downstream. + +Related: https://pagure.io/freeipa/issue/9009 + +Signed-off-by: Michal Polovka +Reviewed-By: Rob Crittenden +--- + ipatests/test_webui/ui_driver.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py +index 77fd74e49..519efee9b 100644 +--- a/ipatests/test_webui/ui_driver.py ++++ b/ipatests/test_webui/ui_driver.py +@@ -192,7 +192,7 @@ class UI_driver: + if not NO_YAML and os.path.isfile(path): + try: + with open(path, 'r') as conf: +- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader) ++ cls.config = yaml.safe_load(stream=conf) + except yaml.YAMLError as e: + pytest.skip("Invalid Web UI config.\n%s" % e) + except IOError as e: +-- +2.34.1 + +From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 18 Nov 2021 18:43:22 +0530 +Subject: [PATCH] PEP8 Fixes + +Signed-off-by: Mohammad Rizwan +--- + .../test_integration/test_replica_promotion.py | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index 1a4e9bc12..c328b1a08 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + assert res.returncode == 1 + assert expected_err in res.stderr_text + +- + @replicas_cleanup + def test_one_command_installation(self): + """ +@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + Firewall(self.replicas[0]).enable_services(["freeipa-ldap", + "freeipa-ldaps"]) + self.replicas[0].run_command(['ipa-replica-install', '-w', +- self.master.config.admin_password, +- '-n', self.master.domain.name, +- '-r', self.master.domain.realm, +- '--server', self.master.hostname, +- '-U']) ++ self.master.config.admin_password, ++ '-n', self.master.domain.name, ++ '-r', self.master.domain.realm, ++ '--server', self.master.hostname, ++ '-U']) + # Ensure that pkinit is properly configured, test for 7566 + result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status']) + assert "PKINIT is enabled" in result.stdout_text +@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest): + result1 = client.run_command(['ipa-replica-install', '-U', '-w', + self.master.config.dirman_password], + raiseonerr=False) +- assert(result1.returncode == 0), ( ++ assert (result1.returncode == 0), ( + 'Failed to promote the client installed with the upcase domain name') + + def test_client_rollback(self): +@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest): + assert("An error occurred while removing SSSD" not in + result.stdout_text) + ++ + class TestRenewalMaster(IntegrationTest): + + topology = 'star' +-- +2.34.1 + +From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 18 Nov 2021 18:36:58 +0530 +Subject: [PATCH] Test cases for ipa-replica-conncheck command + +Following test cases would be checked: +- when called with --principal (it should then prompt for a password) +- when called with --principal / --password +- when called without principal and password but with a kerberos TGT, + kinit admin done before calling ipa-replica-conncheck +- when called without principal and password, and without any kerberos + TGT (it should default to principal=admin and prompt for a password) + +related: https://pagure.io/freeipa/issue/9047 + +Signed-off-by: Mohammad Rizwan +--- + .../test_replica_promotion.py | 70 +++++++++++++++++++ + 1 file changed, 70 insertions(+) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index b9c56f775..1a4e9bc12 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest): + self.assertCARenewalMaster(master, replica.hostname) + self.assertCARenewalMaster(replica, replica.hostname) + ++ def test_replica_concheck(self): ++ """Test cases for ipa-replica-conncheck command ++ ++ Following test cases would be checked: ++ - when called with --principal (it should then prompt for a password) ++ - when called with --principal / --password ++ - when called without principal and password but with a kerberos TGT, ++ kinit admin done before calling ipa-replica-conncheck ++ - when called without principal and password, and without any kerberos ++ TGT (it should default to principal=admin and prompt for a password) ++ ++ related: https://pagure.io/freeipa/issue/9047 ++ """ ++ exp_str1 = "Connection from replica to master is OK." ++ exp_str2 = "Connection from master to replica is OK" ++ tasks.kdestroy_all(self.replicas[0]) ++ # when called with --principal (it should then prompt for a password) ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm, ++ '-p', self.replicas[0].config.admin_name], ++ stdin_text=self.master.config.admin_password ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called with --principal / --password ++ result = self.replicas[0].run_command([ ++ 'ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm, ++ '-p', self.replicas[0].config.admin_name, ++ '-w', self.master.config.admin_password ++ ]) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called without principal and password, and without ++ # any kerberos TGT, it should default to principal=admin ++ # and prompt for a password ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm], ++ stdin_text=self.master.config.admin_password ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called without principal and password but with a kerberos TGT, ++ # kinit admin done before calling ipa-replica-conncheck ++ tasks.kinit_admin(self.replicas[0]) ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm] ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ tasks.kdestroy_all(self.replicas[0]) ++ + def test_automatic_renewal_master_transfer_ondelete(self): + # Test that after replica uninstallation, master overtakes the cert + # renewal master role from replica (which was previously set there) +-- +2.34.1 + diff --git a/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch b/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch new file mode 100644 index 0000000..f8b3b9f --- /dev/null +++ b/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch @@ -0,0 +1,104 @@ +From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 28 Jan 2022 16:46:35 -0500 +Subject: [PATCH] Don't always override the port in import_included_profiles + +I can only guess to the original purpose of this override. I +believe it was because this is called in the installer prior +to Apache being set up. The expectation was that this would +only be called locally. It predates the RestClient class. + +RestClient will attempt to find an available service. In this +case, during a CA installation, the local server is not +considered available because it lacks an entry in +cn=masters. So it will never be returned as an option. + +So by overriding the port to 8443 the remote connection will +likely fail because we don't require that the port be open. + +So instead, instantiate a RestClient and see what happens. + +There are several use-cases: + +1. Installing an initial server. The RestClient connection + should fail, so we will fall back to the override port and + use the local server. If Apache happens to be running with + a globally-issued certificate then the RestClient will + succeed. In this case if the connected host and the local + hostname are the same, override in that case as well. + +2. Installing as a replica. In this case the local server should + be ignored in all cases and a remote CA will be picked with + no override done. + +3. Switching from CA-less to CA-ful. The web server will be + trusted but the RestClient login will fail with a 404. Fall + back to the override port in this case. + +The motivation for this is trying to install an EL 8.x replica +against an EL 7.9 server. 8.5+ includes the ACME service and +a new profile is needed which doesn't exist in 7. This was +failing because the RestClient determined that the local server +wasn't running a CA so tried the remote one (7.9) on the override +port 8443. Since this port isn't open: failure. + +Chances are that adding the profile is still going to fail +because again, 7.9 lacks ACME capabilities, but it will fail in +a way that allows the installation to continue. + +I suspect that all of the overrides can similarly handled, or +handled directly within the RestClient class, but for the sake +of "do no harm" I'm only changing this instance for now. + +https://pagure.io/freeipa/issue/9100 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 8c8bf1b3a..ad206aad4 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1953,7 +1953,35 @@ def import_included_profiles(): + cn=['certprofiles'], + ) + +- api.Backend.ra_certprofile.override_port = 8443 ++ # At this point Apache may or may not be running with a valid ++ # certificate. The local server is not yet recognized as a full ++ # CA yet so it isn't discoverable. So try to do some detection ++ # on what port to use, 443 (remote) or 8443 (local) for importing ++ # the profiles. ++ # ++ # api.Backend.ra_certprofile invokes the RestClient class ++ # which will discover and login to the CA REST API. We can ++ # use this information to detect where to import the profiles. ++ # ++ # If the login is successful (e.g. doesn't raise an exception) ++ # and it returns our hostname (it prefers the local host) then ++ # we override and talk locally. ++ # ++ # Otherwise a NetworkError means we can't connect on 443 (perhaps ++ # a firewall) or we get an HTTP error (valid TLS certificate on ++ # Apache but no CA, login fails with 404) so we override to the ++ # local server. ++ # ++ # When override port was always set to 8443 the RestClient could ++ # pick a remote server and since 8443 isn't in our firewall profile ++ # setting up a new server would fail. ++ try: ++ with api.Backend.ra_certprofile as profile_api: ++ if profile_api.ca_host == api.env.host: ++ api.Backend.ra_certprofile.override_port = 8443 ++ except (errors.NetworkError, errors.RemoteRetrieveError) as e: ++ logger.debug('Overriding CA port: %s', e) ++ api.Backend.ra_certprofile.override_port = 8443 + + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: + dn = DN(('cn', profile_id), +-- +2.34.1 + diff --git a/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch b/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch new file mode 100644 index 0000000..e083b06 --- /dev/null +++ b/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch @@ -0,0 +1,115 @@ +From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 31 Jan 2022 17:31:50 -0500 +Subject: [PATCH] Remove ipa-join errors from behind the debug option + +This brings it inline with the previous XML-RPC output which +only hid the request and response from the output and not +any errors returned. + +https://pagure.io/freeipa/issue/9103 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Peter Keresztes Schmidt +--- + client/ipa-join.c | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +diff --git a/client/ipa-join.c b/client/ipa-join.c +index d98739a9a..5888a33bf 100644 +--- a/client/ipa-join.c ++++ b/client/ipa-join.c +@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + + json_str = json_dumps(json, 0); + if (!json_str) { +- if (debug) +- fprintf(stderr, _("json_dumps() failed\n")); ++ fprintf(stderr, _("json_dumps() failed\n")); + + rval = 17; + goto cleanup; +@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + CURLcode res = curl_easy_perform(curl); + if (res != CURLE_OK) + { +- if (debug) +- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); ++ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); + + rval = 17; + goto cleanup; +@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code); + + if (resp_code != 200) { +- if (debug) +- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); ++ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); + + if (!quiet && resp_code == 401) + fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n")); +@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { + + j_root = json_loads(payload, 0, &j_error); + if (!j_root) { +- if (debug) +- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { + + *j_result_obj = json_object_get(j_root, "result"); + if (!*j_result_obj) { +- if (debug) +- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); ++ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); + + rval = 17; + goto cleanup; +@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet) + &tmp_hostdn, + "krbprincipalname", &tmp_princ, + "krblastpwdchange", &tmp_pwdch) != 0) { +- if (debug) +- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co + "nshardwareplatform", uinfo.machine); + + if (!json_req) { +- if (debug) +- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); ++ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) { + + if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}", + "result", result) != 0) { +- if (debug) +- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); + + rval = 20; + goto cleanup; +@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) { + host); + + if (!json_req) { +- if (debug) +- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); ++ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +-- +2.34.1 + diff --git a/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch b/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch new file mode 100644 index 0000000..ef581d8 --- /dev/null +++ b/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch @@ -0,0 +1,118 @@ +From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 7 Feb 2022 10:39:55 -0500 +Subject: [PATCH] Enable the ccache sweep timer during installation + +The timer was only being enabled during package installation +if IPA was configured. So effectively only on upgrade. + +Add as a separate installation step after the ccache directory +is configured. + +Fixes: https://pagure.io/freeipa/issue/9107 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +--- + ipaserver/install/httpinstance.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py +index 732bb58d4..50ccf5e50 100644 +--- a/ipaserver/install/httpinstance.py ++++ b/ipaserver/install/httpinstance.py +@@ -140,6 +140,8 @@ class HTTPInstance(service.Service): + self.step("publish CA cert", self.__publish_ca_cert) + self.step("clean up any existing httpd ccaches", + self.remove_httpd_ccaches) ++ self.step("enable ccache sweep", ++ self.enable_ccache_sweep) + self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) + if not self.is_kdcproxy_configured(): + self.step("create KDC proxy config", self.create_kdcproxy_conf) +@@ -177,6 +179,11 @@ class HTTPInstance(service.Service): + [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES] + ) + ++ def enable_ccache_sweep(self): ++ ipautil.run( ++ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer'] ++ ) ++ + def __configure_http(self): + self.update_httpd_service_ipa_conf() + self.update_httpd_wsgi_conf() +-- +2.34.1 + +From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Wed, 9 Feb 2022 18:56:21 +0530 +Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during + installation + +This test checks that ipa-ccache-sweep.timer is enabled by default +during the ipa installation. + +related: https://pagure.io/freeipa/issue/9107 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Alexander Bokovoy +--- + .../test_integration/test_installation.py | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index f2d372c0c..63edbaa2b 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest): + + # Tweak sysrestore.state to drop installation section + self.master.run_command( +- ['sed','-i', r's/\[installation\]/\[badinstallation\]/', ++ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/', + os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) + + # Re-run installation check and it should fall back to old method +@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest): + + # Restore installation section. + self.master.run_command( +- ['sed','-i', r's/\[badinstallation\]/\[installation\]/', ++ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/', + os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) + + # Uninstall and confirm that the old method reports correctly +@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host): + break + return(pid) + ++ + def get_ipa_services_pids(host): + ipa_services_name = [ + "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", +@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest): + def test_install_master(self): + tasks.install_master(self.master, setup_dns=False, setup_kra=True) + ++ def test_ipa_ccache_sweep_timer_enabled(self): ++ """Test ipa-ccache-sweep.timer enabled by default during installation ++ ++ This test checks that ipa-ccache-sweep.timer is enabled by default ++ during the ipa installation. ++ ++ related: https://pagure.io/freeipa/issue/9107 ++ """ ++ result = self.master.run_command( ++ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'], ++ raiseonerr=False ++ ) ++ assert 'enabled' in result.stdout_text ++ + def test_install_dns(self): + tasks.install_dns(self.master) + +-- +2.34.1 + diff --git a/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch b/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch new file mode 100644 index 0000000..c384f15 --- /dev/null +++ b/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch @@ -0,0 +1,31 @@ +From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 10 Feb 2022 18:49:06 +0530 +Subject: [PATCH] ipatests: remove additional check for failed units. + +On RHEL tests are randomly failing because of this check +and the test doesn't need to check this. + +Related : https://pagure.io/freeipa/issue/9108 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_otp.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py +index d8ce527ca..6e70ddcb3 100644 +--- a/ipatests/test_integration/test_otp.py ++++ b/ipatests/test_integration/test_otp.py +@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest): + check_services = self.master.run_command( + ['systemctl', 'list-units', '--state=failed'] + ) +- assert "0 loaded units listed" in check_services.stdout_text + assert "ipa-otpd" not in check_services.stdout_text + # Be sure no services are running and failed units + self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) +-- +2.34.1 + diff --git a/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch b/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch new file mode 100644 index 0000000..3c8109e --- /dev/null +++ b/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch @@ -0,0 +1,38 @@ +From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Thu, 10 Feb 2022 14:23:12 +0100 +Subject: [PATCH] ipa_cldap: fix memory leak + +ipa_cldap_encode_netlogon() allocates memory to store binary data as part of +berval (bv_val) when processing a CLDAP packet request from a worker. The +data is used by ipa_cldap_respond() but bv_val is not freed later on. + +This commit is adding the corresponding free() after ipa_cldap_respond() +is completed. + +Discovered by LeakSanitizer + +Fixes: https://pagure.io/freeipa/issue/9110 +Signed-off-by: Francisco Trivino +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden +Reviewed-By: Thierry Bordaz +--- + daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c +index db4a3d061..252bcf647 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c +@@ -287,6 +287,7 @@ done: + ipa_cldap_respond(ctx, req, &reply); + + ipa_cldap_free_kvps(&req->kvps); ++ free(reply.bv_val); + free(req); + return; + } +-- +2.34.1 + diff --git a/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch b/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch new file mode 100644 index 0000000..e7081cd --- /dev/null +++ b/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch @@ -0,0 +1,40 @@ +From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Sun, 5 Dec 2021 17:38:58 +0100 +Subject: [PATCH] ipatests: fix + TestOTPToken::test_check_otpd_after_idle_timeout + +The test sets 389-ds nsslapd-idletimeout to 60s, then does a +kinit with an otp token (which makes ipa-otpd create a LDAP +connection), then sleeps for 60s. The expectation is that +ns-slapd will detect that the LDAP conn from ipa-otpd is idle +and close the connection. +According to 389ds doc, the idle timeout is enforced when the +connection table is walked. By doing a ldapsearch, the test +"wakes up" ns-slapd and forces the detection of ipa-otpd +idle connection. + +Fixes: https://pagure.io/freeipa/issue/9044 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Anuja More +--- + ipatests/test_integration/test_otp.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py +index 353470897..d8ce527ca 100644 +--- a/ipatests/test_integration/test_otp.py ++++ b/ipatests/test_integration/test_otp.py +@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest): + otpvalue = totp.generate(int(time.time())).decode("ascii") + kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) + time.sleep(60) ++ # ldapsearch will wake up slapd and force walking through ++ # the connection list, in order to spot the idle connections ++ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base") + + def test_cb(cmd_jornalctl): + # check if LDAP connection is timed out +-- +2.34.1 + diff --git a/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch b/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch new file mode 100644 index 0000000..fc37fb1 --- /dev/null +++ b/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch @@ -0,0 +1,407 @@ +From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 17 Jan 2022 16:57:52 +0530 +Subject: [PATCH] ipatests: Tests for Autoprivate group. + +Added tests using posix AD trust and non posix AD trust. +For option --auto-private-groups=[hybrid/true/false] + +Related : https://pagure.io/freeipa/issue/8807 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Anuja More +--- + .../nightly_ipa-4-9_latest.yaml | 2 +- + .../nightly_ipa-4-9_latest_selinux.yaml | 2 +- + .../nightly_ipa-4-9_previous.yaml | 2 +- + ipatests/test_integration/test_trust.py | 242 +++++++++++++++++- + 4 files changed, 240 insertions(+), 8 deletions(-) + +diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml +index 6817421b2..8b1f58c4d 100644 +--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml ++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml +@@ -1627,7 +1627,7 @@ jobs: + build_url: '{fedora-latest-ipa-4-9/build_url}' + test_suite: test_integration/test_trust.py + template: *ci-ipa-4-9-latest +- timeout: 9000 ++ timeout: 10000 + topology: *adroot_adchild_adtree_master_1client + + fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: +diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml +index 817329756..a11376ab8 100644 +--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml ++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml +@@ -1743,7 +1743,7 @@ jobs: + selinux_enforcing: True + test_suite: test_integration/test_trust.py + template: *ci-ipa-4-9-latest +- timeout: 9000 ++ timeout: 10000 + topology: *adroot_adchild_adtree_master_1client + + fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: +diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml +index 4196265c7..3f8ce8b76 100644 +--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml ++++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml +@@ -1627,7 +1627,7 @@ jobs: + build_url: '{fedora-previous-ipa-4-9/build_url}' + test_suite: test_integration/test_trust.py + template: *ci-ipa-4-9-previous +- timeout: 9000 ++ timeout: 10000 + topology: *adroot_adchild_adtree_master_1client + + fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: +diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py +index 0634badbb..ff2dd9cc8 100644 +--- a/ipatests/test_integration/test_trust.py ++++ b/ipatests/test_integration/test_trust.py +@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest): + cls.check_sid_generation() + tasks.sync_time(cls.master, cls.ad) + +- cls.child_ad = cls.ad_subdomains[0] +- cls.ad_subdomain = cls.child_ad.domain.name +- cls.tree_ad = cls.ad_treedomains[0] +- cls.ad_treedomain = cls.tree_ad.domain.name +- ++ if cls.num_ad_subdomains > 0: ++ cls.child_ad = cls.ad_subdomains[0] ++ cls.ad_subdomain = cls.child_ad.domain.name ++ if cls.num_ad_treedomains > 0: ++ cls.tree_ad = cls.ad_treedomains[0] ++ cls.ad_treedomain = cls.tree_ad.domain.name + # values used in workaround for + # https://bugzilla.redhat.com/show_bug.cgi?id=1711958 + cls.srv_gc_record_name = \ +@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest): + expected_text = 'iparangetype: %s\n' % expected_type + assert expected_text in result.stdout_text + ++ def mod_idrange_auto_private_group( ++ self, option='false' ++ ): ++ """ ++ Set the auto-private-group option of the default trusted ++ AD domain range. ++ """ ++ tasks.kinit_admin(self.master) ++ rangename = self.ad_domain.upper() + '_id_range' ++ error_msg = "ipa: ERROR: no modifications to be performed" ++ cmd = ["ipa", "idrange-mod", rangename, ++ "--auto-private-groups", option] ++ result = self.master.run_command(cmd, raiseonerr=False) ++ if result.returncode != 0: ++ tasks.assert_error(result, error_msg) ++ tasks.clear_sssd_cache(self.master) ++ tasks.clear_sssd_cache(self.clients[0]) ++ test = self.master.run_command(["ipa", "idrange-show", rangename]) ++ assert "Auto private groups: {0}".format(option) in test.stdout_text ++ ++ def get_user_id(self, host, username): ++ """ ++ User uid gid is parsed from the output of id user command. ++ """ ++ tasks.clear_sssd_cache(self.master) ++ tasks.clear_sssd_cache(self.clients[0]) ++ self.master.run_command(["id", username]) ++ test_id = host.run_command(["id", username]) ++ regex = r"^uid=(?P\d+).*gid=(?P\d+).*groups=(?P\d+)" ++ match = re.match(regex, test_id.stdout_text) ++ uid = match.group('uid') ++ gid = match.group('gid') ++ return uid, gid ++ ++ @contextmanager ++ def set_idoverrideuser(self, user, uid, gid): ++ """ ++ Fixture to add/remove idoverrideuser for default idview, ++ also creates idm group with the provided gid because ++ gid overrides requires an existing group. ++ """ ++ tasks.clear_sssd_cache(self.master) ++ tasks.clear_sssd_cache(self.clients[0]) ++ tasks.kinit_admin(self.master) ++ try: ++ args = ["ipa", "idoverrideuser-add", "Default Trust View", ++ "--gid", gid, "--uid", uid, user] ++ self.master.run_command(args) ++ tasks.group_add(self.master, "idgroup", ++ extra_args=["--gid", gid]) ++ yield ++ finally: ++ self.master.run_command([ ++ "ipa", "idoverrideuser-del", "Default Trust View", user] ++ ) ++ self.master.run_command(["ipa", "group-del", "idgroup"]) ++ + def remove_trust(self, ad): + tasks.remove_trust_with_ad(self.master, + ad.domain.name, ad.hostname) +@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust): + self.master.run_command(['rm', '-f', ad_zone_file]) + tasks.configure_dns_for_trust(self.master, self.ad) + self.remove_trust(self.ad) ++ ++ ++class TestNonPosixAutoPrivateGroup(BaseTestTrust): ++ """ ++ Tests for auto-private-groups option with non posix AD trust ++ Related : https://pagure.io/freeipa/issue/8807 ++ """ ++ topology = 'line' ++ num_ad_domains = 1 ++ num_clients = 1 ++ num_ad_subdomains = 0 ++ num_ad_treedomains = 0 ++ uid_override = "99999999" ++ gid_override = "78878787" ++ ++ def test_add_nonposix_trust(self): ++ tasks.configure_dns_for_trust(self.master, self.ad) ++ tasks.establish_trust_with_ad( ++ self.master, self.ad_domain, ++ extra_args=['--range-type', 'ipa-ad-trust']) ++ ++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) ++ def test_auto_private_groups_default_trusted_range(self, type): ++ """ ++ Modify existing range for default trusted AD domain range ++ with auto-private-groups set as true/hybrid/false and test ++ user with no posix attributes. ++ """ ++ self.mod_idrange_auto_private_group(type) ++ nonposixuser = "nonposixuser@%s" % self.ad_domain ++ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) ++ if type == "true": ++ assert uid == gid ++ else: ++ test_group = self.clients[0].run_command(["id", nonposixuser]) ++ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain) ++ grp_str = "groups={0}(domain users@{1})".format(gid, ++ self.ad_domain) ++ assert gid_str in test_group.stdout_text ++ assert grp_str in test_group.stdout_text ++ assert uid != gid ++ ++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) ++ def test_idoverride_with_auto_private_group(self, type): ++ """ ++ Override ad trusted user in default trust view ++ and set auto-private-groups=[hybrid,true,false] ++ and ensure that overridden values takes effect. ++ """ ++ nonposixuser = "nonposixuser@%s" % self.ad_domain ++ with self.set_idoverrideuser(nonposixuser, ++ self.uid_override, ++ self.gid_override ++ ): ++ self.mod_idrange_auto_private_group(type) ++ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) ++ assert (uid == self.uid_override and gid == self.gid_override) ++ test_group = self.clients[0].run_command( ++ ["id", nonposixuser]).stdout_text ++ assert "domain users@{0}".format(self.ad_domain) in test_group ++ ++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) ++ def test_nonposixuser_nondefault_primary_group(self, type): ++ """ ++ Test for non default primary group. ++ For hybrid/false gid corresponds to the group testgroup1. ++ """ ++ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain ++ self.mod_idrange_auto_private_group(type) ++ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1) ++ if type == "true": ++ assert uid == gid ++ else: ++ test_group = self.clients[0].run_command(["id", nonposixuser1]) ++ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain) ++ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain) ++ assert (gid_str in test_group.stdout_text ++ and group in test_group.stdout_text) ++ ++ ++class TestPosixAutoPrivateGroup(BaseTestTrust): ++ """ ++ Tests for auto-private-groups option with posix AD trust ++ Related : https://pagure.io/freeipa/issue/8807 ++ """ ++ topology = 'line' ++ num_ad_domains = 1 ++ num_clients = 1 ++ num_ad_subdomains = 0 ++ num_ad_treedomains = 0 ++ uid_override = "99999999" ++ gid_override = "78878787" ++ ++ def test_add_posix_trust(self): ++ tasks.configure_dns_for_trust(self.master, self.ad) ++ tasks.establish_trust_with_ad( ++ self.master, self.ad_domain, ++ extra_args=['--range-type', 'ipa-ad-trust-posix']) ++ ++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) ++ def test_gidnumber_not_corresponding_existing_group(self, type): ++ """ ++ Test checks that sssd can resolve AD users which ++ contain posix attributes (uidNumber and gidNumber) ++ but there is no group with the corresponding gidNumber. ++ """ ++ posixuser = "testuser2@%s" % self.ad_domain ++ self.mod_idrange_auto_private_group(type) ++ if type != "true": ++ result = self.clients[0].run_command(['id', posixuser], ++ raiseonerr=False) ++ tasks.assert_error(result, "no such user") ++ else: ++ (uid, gid) = self.get_user_id(self.clients[0], posixuser) ++ assert uid == gid ++ assert uid == '10060' ++ ++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) ++ def test_only_uid_number_auto_private_group_default(self, type): ++ """ ++ Test checks that posix user with only uidNumber defined ++ and gidNumber not set, auto-private-group ++ is set to false/true/hybrid ++ """ ++ posixuser = "testuser1@%s" % self.ad_domain ++ self.mod_idrange_auto_private_group(type) ++ if type == "true": ++ (uid, gid) = self.get_user_id(self.clients[0], posixuser) ++ assert uid == gid ++ else: ++ for host in [self.master, self.clients[0]]: ++ result = host.run_command(['id', posixuser], raiseonerr=False) ++ tasks.assert_error(result, "no such user") ++ ++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) ++ def test_auto_private_group_primary_group(self, type): ++ """ ++ Test checks that AD users which contain posix attributes ++ (uidNumber and gidNumber) and there is primary group ++ with gid number defined. ++ """ ++ posixuser = "testuser@%s" % self.ad_domain ++ self.mod_idrange_auto_private_group(type) ++ (uid, gid) = self.get_user_id(self.clients[0], posixuser) ++ test_grp = self.clients[0].run_command(["id", posixuser]) ++ assert uid == '10042' ++ if type == "true": ++ assert uid == gid ++ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format( ++ self.ad_domain, self.ad_domain) ++ assert groups in test_grp.stdout_text ++ else: ++ assert gid == '10047' ++ groups = "10047(testgroup@{0})".format(self.ad_domain) ++ assert groups in test_grp.stdout_text ++ ++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) ++ def test_idoverride_with_auto_private_group(self, type): ++ """ ++ Override ad trusted user in default trust view ++ and set auto-private-groups=[hybrid,true,false] ++ and ensure that overridden values takes effect. ++ """ ++ posixuser = "testuser@%s" % self.ad_domain ++ with self.set_idoverrideuser(posixuser, ++ self.uid_override, ++ self.gid_override): ++ self.mod_idrange_auto_private_group(type) ++ (uid, gid) = self.get_user_id(self.clients[0], posixuser) ++ assert(uid == self.uid_override ++ and gid == self.gid_override) ++ result = self.clients[0].run_command(['id', posixuser]) ++ assert "10047(testgroup@{0})".format( ++ self.ad_domain) in result.stdout_text +-- +2.35.1 + +From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 10 Feb 2022 17:07:45 +0530 +Subject: [PATCH] mark xfail for + test_idoverride_with_auto_private_group[hybrid] + +Related : https://github.com/SSSD/sssd/issues/5989 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Anuja More +--- + ipatests/test_integration/test_trust.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py +index ff2dd9cc8..54bd15462 100644 +--- a/ipatests/test_integration/test_trust.py ++++ b/ipatests/test_integration/test_trust.py +@@ -15,6 +15,7 @@ from ipaplatform.paths import paths + from ipatests.test_integration.base import IntegrationTest + from ipatests.pytest_ipa.integration import tasks + from ipatests.pytest_ipa.integration import fips ++from ipatests.util import xfail_context + from ipapython.dn import DN + from collections import namedtuple + from contextlib import contextmanager +@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): + assert (uid == self.uid_override and gid == self.gid_override) + test_group = self.clients[0].run_command( + ["id", nonposixuser]).stdout_text +- assert "domain users@{0}".format(self.ad_domain) in test_group ++ version = tasks.get_sssd_version(self.clients[0]) ++ with xfail_context(version <= tasks.parse_version('2.6.3') ++ and type == "hybrid", ++ 'https://github.com/SSSD/sssd/issues/5989'): ++ assert "domain users@{0}".format(self.ad_domain) in test_group + + @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) + def test_nonposixuser_nondefault_primary_group(self, type): +-- +2.35.1 + +From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 10 Feb 2022 17:29:45 +0530 +Subject: [PATCH] Mark xfail + test_gidnumber_not_corresponding_existing_group[true,hybrid] + +Related : https://github.com/SSSD/sssd/issues/5988 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Anuja More +--- + ipatests/test_integration/test_trust.py | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py +index 54bd15462..c12837815 100644 +--- a/ipatests/test_integration/test_trust.py ++++ b/ipatests/test_integration/test_trust.py +@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): + raiseonerr=False) + tasks.assert_error(result, "no such user") + else: +- (uid, gid) = self.get_user_id(self.clients[0], posixuser) +- assert uid == gid +- assert uid == '10060' ++ sssd_version = tasks.get_sssd_version(self.clients[0]) ++ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'), ++ 'https://github.com/SSSD/sssd/issues/5988'): ++ (uid, gid) = self.get_user_id(self.clients[0], posixuser) ++ assert uid == gid ++ assert uid == '10060' + + @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) + def test_only_uid_number_auto_private_group_default(self, type): +-- +2.35.1 + diff --git a/1001-Change-branding-to-IPA-and-Identity-Management.patch b/1001-Change-branding-to-IPA-and-Identity-Management.patch new file mode 100644 index 0000000..0e9a6de --- /dev/null +++ b/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -0,0 +1,223 @@ +From ac3ba2b4ff4cd3ca85c1ff07c2b050f8b5eb7c2b Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:40 +0300 +Subject: [PATCH 1/3] install/ui/css/patternfly.css: Change branding to IPA and + Identity Management + +--- + install/ui/css/patternfly.css | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/install/ui/css/patternfly.css b/install/ui/css/patternfly.css +index ee92053..de574a8 100644 +--- a/install/ui/css/patternfly.css ++++ b/install/ui/css/patternfly.css +@@ -4,4 +4,4 @@ + * + * Copyright 2013 bootstrap-select + * Licensed under the MIT license +- */.bootstrap-select.btn-group,.bootstrap-select.btn-group[class*=span]{float:none;display:inline-block;margin-bottom:10px;margin-left:0}.form-horizontal .bootstrap-select.btn-group,.form-inline .bootstrap-select.btn-group,.form-search .bootstrap-select.btn-group{margin-bottom:0}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none}.bootstrap-select.btn-group.pull-right,.bootstrap-select.btn-group[class*=span].pull-right,.row-fluid .bootstrap-select.btn-group[class*=span].pull-right{float:right}.input-append .bootstrap-select.btn-group{margin-left:-1px}.input-prepend .bootstrap-select.btn-group{margin-right:-1px}.bootstrap-select:not([class*=span]):not([class*=col-]):not([class*=form-control]){width:220px}.bootstrap-select{width:220px\9}.bootstrap-select.form-control:not([class*=span]){width:100%}.bootstrap-select>.btn{width:100%}.error .bootstrap-select .btn{border:1px solid #b94a48}.dropdown-menu{z-index:2000}.bootstrap-select.show-menu-arrow.open>.btn{z-index:2051}.bootstrap-select .btn:focus{outline:thin dotted #333!important;outline:5px auto -webkit-focus-ring-color!important;outline-offset:-2px}.bootstrap-select.btn-group .btn .filter-option{overflow:hidden;position:absolute;left:12px;right:25px;text-align:left}.bootstrap-select.btn-group .btn .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.bootstrap-select.btn-group .dropdown-menu li.disabled>a,.bootstrap-select.btn-group>.disabled{cursor:not-allowed}.bootstrap-select.btn-group>.disabled:focus{outline:0!important}.bootstrap-select.btn-group[class*=span] .btn{width:100%}.bootstrap-select.btn-group .dropdown-menu{min-width:100%;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}.bootstrap-select.btn-group .dropdown-menu.inner{position:static;border:0;padding:0;margin:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.bootstrap-select.btn-group .dropdown-menu dt{display:block;padding:3px 20px;cursor:default}.bootstrap-select.btn-group .div-contain{overflow:hidden}.bootstrap-select.btn-group .dropdown-menu li{position:relative}.bootstrap-select.btn-group .dropdown-menu li>a.opt{position:relative;padding-left:35px}.bootstrap-select.btn-group .dropdown-menu li>a{cursor:pointer}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a i.check-mark{display:inline-block;position:absolute;right:15px;margin-top:2.5px}.bootstrap-select.btn-group .dropdown-menu li a i.check-mark{display:none}.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select.btn-group .dropdown-menu li small{padding-left:.5em}.bootstrap-select.btn-group .dropdown-menu li.active:not(.disabled)>a small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:hover small{color:#64b1d8;color:rgba(255,255,255,.4)}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.show-menu-arrow .dropdown-toggle:before{content:'';display:inline-block;border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid #CCC;border-bottom-color:rgba(0,0,0,.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle:after{content:'';display:inline-block;border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid #fff;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before{bottom:auto;top:-3px;border-top:7px solid #ccc;border-bottom:0;border-top-color:rgba(0,0,0,.2)}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after{bottom:auto;top:-3px;border-top:6px solid #fff;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:after,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:before{display:block}.bootstrap-select.btn-group .no-results{padding:3px;background:#f5f5f5;margin:0 5px}.mobile-device{position:absolute;top:0;left:0;display:block!important;width:100%;height:100%!important;opacity:0}.bootstrap-select.fit-width{width:auto!important}.bootstrap-select.btn-group.fit-width .btn .filter-option{position:static}.bootstrap-select.btn-group.fit-width .btn .caret{position:static;top:auto;margin-top:-1px}.control-group.error .bootstrap-select .dropdown-toggle{border-color:#b94a48}.bootstrap-select-searchbox{padding:4px 8px}.bootstrap-select-searchbox input{margin-bottom:0}.alert{border-width:1px;padding-left:47px;padding-right:14px;position:relative}.alert .alert-link{color:#0088ce}.alert .alert-link:hover{color:#00659c}.alert>.btn.pull-right{margin-top:-3px}.alert>.pficon{font-size:22px;position:absolute;left:13px;top:10px}.alert .close{opacity:.85;filter:alpha(opacity=85)}.alert .close:focus,.alert .close:hover{opacity:1;filter:alpha(opacity=100)}.alert .pficon-info{color:#4d5258}.alert-dismissable{padding-right:28px}.alert-dismissable .close{right:-13px;top:1px}.badge{margin-left:6px}.nav-pills>li>a>.badge{margin-left:6px}.bootstrap-select.btn-group.form-control{margin-bottom:0}.bootstrap-select.btn-group .btn{-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-select.btn-group .btn:hover{border-color:#7dc3e8}.bootstrap-select.btn-group .btn .caret{margin-top:-4px}.bootstrap-select.btn-group .btn:focus{border-color:#0088ce;outline:0!important;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6);box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6)}.has-error .bootstrap-select.btn-group .btn{border-color:#c00}.has-error .bootstrap-select.btn-group .btn:focus{border-color:#900;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33}.has-success .bootstrap-select.btn-group .btn{border-color:#3c763d}.has-success .bootstrap-select.btn-group .btn:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168}.has-warning .bootstrap-select.btn-group .btn{border-color:#ec7a08}.has-warning .bootstrap-select.btn-group .btn:focus{border-color:#bb6106;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60}.bootstrap-select.btn-group .dropdown-menu>.active>a,.bootstrap-select.btn-group .dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.bootstrap-select.btn-group .dropdown-menu>.active>a small,.bootstrap-select.btn-group .dropdown-menu>.active>a:active small{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.disabled>a{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu .divider{background:#ededed!important;margin:4px 1px!important}.bootstrap-select.btn-group .dropdown-menu dt{color:#8b8d8f;font-weight:400;padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li>a.opt{padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu li a:focus small,.bootstrap-select.btn-group .dropdown-menu li a:hover small{color:#9c9c9c}.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:hover small{color:#9c9c9c}.combobox-container.combobox-selected .glyphicon-remove{display:inline-block}.combobox-container .caret{margin-left:0}.combobox-container .combobox::-ms-clear{display:none}.combobox-container .dropdown-menu{margin-top:-1px;width:100%}.combobox-container .glyphicon-remove{display:none;top:auto;width:12px}.combobox-container .glyphicon-remove:before{content:"\e60b";font-family:PatternFlyIcons-webfont}.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;position:relative}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.combobox-container .input-group-addon:focus,.combobox-container .input-group-addon:hover,.open .dropdown-toggle.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.open .dropdown-toggle.combobox-container .input-group-addon{background-image:none}.combobox-container .input-group-addon.active.focus,.combobox-container .input-group-addon.active:focus,.combobox-container .input-group-addon.active:hover,.combobox-container .input-group-addon:active.focus,.combobox-container .input-group-addon:active:focus,.combobox-container .input-group-addon:active:hover,.open .dropdown-toggle.combobox-container .input-group-addon.focus,.open .dropdown-toggle.combobox-container .input-group-addon:focus,.open .dropdown-toggle.combobox-container .input-group-addon:hover{background-color:#e5e5e5;border-color:#a9a9a9}.combobox-container .input-group-addon.disabled,.combobox-container .input-group-addon.disabled.active,.combobox-container .input-group-addon.disabled:active,.combobox-container .input-group-addon.disabled:focus,.combobox-container .input-group-addon.disabled:hover,.combobox-container .input-group-addon[disabled],.combobox-container .input-group-addon[disabled].active,.combobox-container .input-group-addon[disabled]:active,.combobox-container .input-group-addon[disabled]:focus,.combobox-container .input-group-addon[disabled]:hover,fieldset[disabled] .combobox-container .input-group-addon,fieldset[disabled] .combobox-container .input-group-addon.active,fieldset[disabled] .combobox-container .input-group-addon:active,fieldset[disabled] .combobox-container .input-group-addon:focus,fieldset[disabled] .combobox-container .input-group-addon:hover{background-color:#f1f1f1;border-color:#bbb}.combobox-container .input-group-addon:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.treeview .list-group{border-top:0}.treeview .list-group-item{background:0 0;border-bottom:1px solid transparent!important;border-top:1px solid transparent!important;margin-bottom:0;padding:0 10px}.treeview .list-group-item:hover{background:#def3ff!important;border-color:#bee1f4!important}.treeview .list-group-item.node-selected{background:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.treeview span.icon{display:inline-block;font-size:13px;min-width:10px;text-align:center}.treeview span.icon>[class*=fa-angle]{font-size:15px}.treeview span.indent{margin-right:5px}.breadcrumb{padding-left:0}.breadcrumb>.active strong{font-weight:600}.breadcrumb>li{display:inline}.breadcrumb>li+li:before{color:#9c9c9c;content:"\f101";font-family:FontAwesome;font-size:11px;padding:0 9px 0 7px}.btn{-webkit-box-shadow:0 2px 3px rgba(3,3,3,.1);box-shadow:0 2px 3px rgba(3,3,3,.1)}.btn:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{background-color:#fafafa!important;background-image:none!important;border-color:#d1d1d1!important;color:#8b8d8f!important;opacity:1}.btn.disabled:active,.btn[disabled]:active,fieldset[disabled] .btn:active{-webkit-box-shadow:none;box-shadow:none}.btn.disabled.btn-link,.btn[disabled].btn-link,fieldset[disabled] .btn.btn-link{background-color:transparent!important;border:0}.btn-danger{background-color:#a30000;background-image:-webkit-linear-gradient(top,#c00 0,#a30000 100%);background-image:-o-linear-gradient(top,#c00 0,#a30000 100%);background-image:linear-gradient(to bottom,#c00 0,#a30000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffcc0000', endColorstr='#ffa30000', GradientType=0);border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.btn-danger:focus,.btn-danger:hover,.open .dropdown-toggle.btn-danger{background-color:#a30000;background-image:none;border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open .dropdown-toggle.btn-danger.focus,.open .dropdown-toggle.btn-danger:focus,.open .dropdown-toggle.btn-danger:hover{background-color:#8a0000;border-color:#670000}.btn-danger.disabled,.btn-danger.disabled.active,.btn-danger.disabled:active,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled],.btn-danger[disabled].active,.btn-danger[disabled]:active,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger.active,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#a30000;border-color:#8b0000}.btn-default{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.btn-default:focus,.btn-default:hover,.open .dropdown-toggle.btn-default{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open .dropdown-toggle.btn-default.focus,.open .dropdown-toggle.btn-default:focus,.open .dropdown-toggle.btn-default:hover{background-color:#e5e5e5;border-color:#a9a9a9}.btn-default.disabled,.btn-default.disabled.active,.btn-default.disabled:active,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled],.btn-default[disabled].active,.btn-default[disabled]:active,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default.active,fieldset[disabled] .btn-default:active,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#f1f1f1;border-color:#bbb}.btn-link,.btn-link:active{-webkit-box-shadow:none;box-shadow:none}.btn-primary{background-color:#0088ce;background-image:-webkit-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:-o-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:linear-gradient(to bottom,#39a5dc 0,#0088ce 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff39a5dc', endColorstr='#ff0088ce', GradientType=0);border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open .dropdown-toggle.btn-primary{background-color:#0088ce;background-image:none;border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open .dropdown-toggle.btn-primary.focus,.open .dropdown-toggle.btn-primary:focus,.open .dropdown-toggle.btn-primary:hover{background-color:#0077b5;border-color:#004e78}.btn-primary.disabled,.btn-primary.disabled.active,.btn-primary.disabled:active,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled],.btn-primary[disabled].active,.btn-primary[disabled]:active,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary.active,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#0088ce;border-color:#00659c}.btn-group-xs .btn,.btn-group-xs>.btn,.btn-xs{font-weight:400}.close{text-shadow:none;opacity:.6;filter:alpha(opacity=60)}.close:focus,.close:hover{opacity:.9;filter:alpha(opacity=90)}.ColVis_Button:active:focus{outline:0}.ColVis_catcher{position:absolute;z-index:999}.ColVis_collection{background-color:#fff;border:1px solid #bbb;border-radius:1px;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);background-clip:padding-box;list-style:none;margin:-1px 0 0 0;padding:5px 10px;width:150px;z-index:1000}.ColVis_collection label{font-weight:400;margin-bottom:5px;margin-top:5px;padding-left:20px}.ColVis_collectionBackground{background-color:#fff;height:100%;left:0;position:fixed;top:0;width:100%;z-index:998}.dataTables_header{background-color:#f5f5f5;border:1px solid #d1d1d1;border-bottom:none;padding:5px;position:relative;text-align:center}.dataTables_header .btn{-webkit-box-shadow:none;box-shadow:none}.dataTables_header .ColVis{position:absolute;right:5px;text-align:left;top:5px}.dataTables_header .ColVis+.dataTables_info{padding-right:30px}.dataTables_header .dataTables_filter{position:absolute}.dataTables_header .dataTables_filter input{border:1px solid #bbb;height:24px}@media (max-width:767px){.dataTables_header .dataTables_filter input{width:100px}}.dataTables_header .dataTables_info{padding:2px 0}@media (max-width:480px){.dataTables_header .dataTables_info{text-align:right}}.dataTables_header .dataTables_info b{font-weight:700}.dataTables_footer{background-color:#fff;border:1px solid #d1d1d1;border-top:none;overflow:hidden}.dataTables_paginate{background:#fafafa;float:right;margin:0}.dataTables_paginate .pagination{float:left;margin:0}.dataTables_paginate .pagination>li>span{border-color:#fff #d1d1d1 #f5f5f5;border-width:0 1px;font-size:16px;font-weight:400;padding:0;text-align:center;width:31px}.dataTables_paginate .pagination>li>span:focus,.dataTables_paginate .pagination>li>span:hover{filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination>li.last>span{border-right:none}.dataTables_paginate .pagination>li.disabled>span{background:#f5f5f5;border-left-color:#ededed;border-right-color:#ededed;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination-input{float:left;font-size:12px;line-height:1em;padding:4px 15px 0;text-align:right}.dataTables_paginate .pagination-input .paginate_input{border:1px solid #d1d1d1;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075);box-shadow:inset 0 1px 1px rgba(3,3,3,.075);font-size:12px;font-weight:600;height:19px;margin-right:8px;padding-right:3px;text-align:right;width:30px}.dataTables_paginate .pagination-input .paginate_of{position:relative}.dataTables_paginate .pagination-input .paginate_of b{margin-left:3px}.dataTables_wrapper{margin:20px 0}@media (max-width:767px){.dataTables_wrapper .table-responsive{margin-bottom:0}}.DTCR_clonedTable{background-color:rgba(255,255,255,.7);z-index:202}.DTCR_pointer{background-color:#0088ce;width:1px;z-index:201}table.datatable{margin-bottom:0;max-width:none!important}table.datatable thead .sorting,table.datatable thead .sorting_asc,table.datatable thead .sorting_asc_disabled,table.datatable thead .sorting_desc,table.datatable thead .sorting_desc_disabled{cursor:pointer}table.datatable thead .sorting_asc,table.datatable thead .sorting_desc{color:#0088ce!important;position:relative}table.datatable thead .sorting_asc:after,table.datatable thead .sorting_desc:after{content:"\f107";font-family:FontAwesome;font-size:10px;font-weight:400;height:9px;left:7px;line-height:12px;position:relative;top:2px;vertical-align:baseline;width:12px}table.datatable thead .sorting_asc:before,table.datatable thead .sorting_desc:before{background:#0088ce;content:'';height:2px;position:absolute;left:0;top:0;width:100%}table.datatable thead .sorting_asc:after{content:"\f106";top:-3px}table.datatable th:active{outline:0}.caret{font-family:FontAwesome;font-weight:400;height:9px;position:relative;vertical-align:baseline;width:12px}.caret:before{bottom:0;content:"\f107";left:0;line-height:12px;position:absolute;text-align:center;top:-1px;right:0}.dropup .caret:before{content:"\f106"}.dropdown-menu .divider{background-color:#ededed;height:1px;margin:4px 1px;overflow:hidden}.dropdown-menu>li>a{border-color:transparent;border-style:solid;border-width:1px 0;padding:1px 10px}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{border-color:#bee1f4;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>li>a:active{background-color:#0088ce;border-color:#0088ce;color:#fff!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{background-color:#0088ce!important;border-color:#0088ce!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-header{padding-left:10px;padding-right:10px;text-transform:uppercase}.btn-group>.dropdown-menu,.dropdown>.dropdown-menu,.input-group-btn>.dropdown-menu{margin-top:-1px}.dropup .dropdown-menu{margin-bottom:-1px}.dropdown-submenu{position:relative}.dropdown-submenu:hover>a{background-color:#def3ff;border-color:#bee1f4}.dropdown-submenu:hover>.dropdown-menu{display:block}.dropdown-submenu.pull-left{float:none!important}.dropdown-submenu.pull-left>.dropdown-menu{left:auto;margin-left:10px;right:100%}.dropdown-submenu>a{padding-right:20px!important}.dropdown-submenu>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:2px}.dropdown-submenu>.dropdown-menu{left:100%;margin-top:0;top:-6px}.dropup .dropdown-submenu>.dropdown-menu{bottom:-5px;top:auto}.open .dropdown-submenu.active>.dropdown-menu{display:block}.dropdown-kebab-pf .btn-link{color:#252525;font-size:16px;line-height:1;padding:4px 0}.dropdown-kebab-pf .btn-link:active,.dropdown-kebab-pf .btn-link:focus,.dropdown-kebab-pf .btn-link:hover{color:#0088ce}.dropdown-kebab-pf .dropdown-menu{left:-15px;margin-top:11px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right{left:auto;right:-15px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:after,.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:before{left:auto;right:6px}.dropdown-kebab-pf .dropdown-menu:after,.dropdown-kebab-pf .dropdown-menu:before{border-bottom-color:#bbb;border-bottom-style:solid;border-bottom-width:10px;border-left:10px solid transparent;border-right:10px solid transparent;content:"";display:inline-block;left:6px;position:absolute;top:-11px}.dropdown-kebab-pf .dropdown-menu:after{border-bottom-color:#fff;top:-10px}.dropdown-kebab-pf.dropup .dropdown-menu{margin-bottom:11px;margin-top:0}.dropdown-kebab-pf.dropup .dropdown-menu:after,.dropdown-kebab-pf.dropup .dropdown-menu:before{border-bottom:none;border-top-color:#bbb;border-top-style:solid;border-top-width:10px;bottom:-11px;top:auto}.dropdown-kebab-pf.dropup .dropdown-menu:after{border-top-color:#fff;bottom:-10px}@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;src:local('Open Sans'),local('OpenSans'),url(../fonts/open-sans/OpenSans-Regular.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:300;src:local('OpenSans-Light'),local('Open Sans Light'),url(../fonts/open-sans/OpenSans-Light.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:600;src:local('Open Sans Semibold'),local('OpenSans-Semibold'),url(../fonts/open-sans/OpenSans-Semibold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:700;src:local('Open Sans Bold'),local('OpenSans-Bold'),url(../fonts/open-sans/OpenSans-Bold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:800;src:local('Open Sans Extrabold'),local('OpenSans-Extrabold'),url(../fonts/open-sans/OpenSans-ExtraBold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:300;src:local('Open Sans Light Italic'),local('OpenSansLight-Italic'),url(../fonts/open-sans/OpenSans-LightItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:400;src:local('Open Sans Italic'),local('OpenSans-Italic'),url(../fonts/open-sans/OpenSans-Italic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:600;src:local('Open Sans Semibold Italic'),local('OpenSans-SemiboldItalic'),url(../fonts/open-sans/OpenSans-SemiboldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:700;src:local('Open Sans Bold Italic'),local('OpenSans-BoldItalic'),url(../fonts/open-sans/OpenSans-BoldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:800;src:local('Open Sans Extrabold Italic'),local('OpenSans-ExtraboldItalic'),url(../fonts/open-sans/OpenSans-ExtraBoldItalic.ttf) format('truetype')}.chars-remaining-pf span{font-weight:600;padding-right:5px}.chars-warn-remaining-pf{color:#c00}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f}.form-control[disabled]:hover,.form-control[readonly]:hover,fieldset[disabled] .form-control:hover{border-color:#bbb}.form-control:hover{border-color:#7dc3e8}.has-error .form-control:hover{border-color:#900}.has-success .form-control:hover{border-color:#2b542c}.has-warning .form-control:hover{border-color:#bb6106}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label,.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label,.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#363636}.help-block{margin-bottom:0}.input-group .input-group-btn .btn{-webkit-box-shadow:none;box-shadow:none}label{font-weight:600}.navbar-nav>li>.dropdown-menu.infotip{border-top-width:1px!important;margin-top:10px}@media (max-width:767px){.navbar-pf .navbar-nav .open .dropdown-menu.infotip{background-color:#fff!important;margin-top:0}}.infotip{min-width:235px;padding:0}.infotip .list-group{border-top:0;margin:0;padding:8px 0}.infotip .list-group .list-group-item{border:none;margin:0 15px 0 34px;padding:5px 0}.infotip .list-group .list-group-item>.i{color:#4d5258;font-size:13px;left:-20px;position:absolute;top:8px}.infotip .list-group .list-group-item>a{color:#4d5258;line-height:13px}.infotip .list-group .list-group-item>.close{float:right}.infotip .footer{background-color:#f5f5f5;padding:6px 15px}.infotip .footer a:hover{color:#0088ce}.infotip .arrow,.infotip .arrow:after{border-color:transparent;border-style:solid;display:block;height:0;position:absolute;width:0}.infotip .arrow{border-width:11px}.infotip .arrow:after{border-width:10px;content:""}.infotip.bottom .arrow,.infotip.bottom-left .arrow,.infotip.bottom-right .arrow{border-bottom-color:#999;border-bottom-color:#bbb;border-top-width:0;left:50%;margin-left:-11px;top:-11px}.infotip.bottom .arrow:after,.infotip.bottom-left .arrow:after,.infotip.bottom-right .arrow:after{border-top-width:0;border-bottom-color:#fff;content:" ";margin-left:-10px;top:1px}.infotip.bottom-left .arrow{left:20%}.infotip.bottom-right .arrow{left:80%}.infotip.top .arrow{border-bottom-width:0;border-top-color:#999;border-top-color:#bbb;bottom:-11px;left:50%;margin-left:-11px}.infotip.top .arrow:after{border-bottom-width:0;border-top-color:#f5f5f5;bottom:1px;content:" ";margin-left:-10px}.infotip.right .arrow{border-left-width:0;border-right-color:#999;border-right-color:#bbb;left:-11px;margin-top:-11px;top:50%}.infotip.right .arrow:after{bottom:-10px;border-left-width:0;border-right-color:#fff;content:" ";left:1px}.infotip.left .arrow{border-left-color:#999;border-left-color:#bbb;border-right-width:0;margin-top:-11px;right:-11px;top:50%}.infotip.left .arrow:after{border-left-color:#fff;border-right-width:0;bottom:-10px;content:" ";right:1px}.label{border-radius:0;font-size:100%;font-weight:600}h1 .label,h2 .label,h3 .label,h4 .label,h5 .label,h6 .label{font-size:75%}.list-group{border-top:1px solid #ededed}.list-group .list-group-item:first-child{border-top:0}.list-group-item{border-top:0;border-left:0;border-right:0;margin-bottom:0}.list-group-item-heading{font-weight:600}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{border-top:solid 1px #39a5dc;margin-top:-1px;z-index:auto}.list-group-item.active:first-child{border-top:1px solid #39a5dc!important;margin-top:-1px}.login-pf{height:100%}.login-pf #brand{position:relative;top:-70px}.login-pf #brand img{display:block;height:18px;margin:0 auto;max-width:100%}@media (min-width:768px){.login-pf #brand img{margin:0;text-align:left}}.login-pf #badge{display:block;margin:20px auto 70px;position:relative;text-align:center}@media (min-width:768px){.login-pf #badge{float:right;margin-right:64px;margin-top:50px}}.login-pf body{background:#030303 url(../img/bg-login.jpg) repeat-x 50% 0;background-size:auto}@media (min-width:768px){.login-pf body{background-size:100% auto}}.login-pf .container{background-color:rgba(255,255,255,.055);clear:right;color:#fff;padding-bottom:40px;padding-top:20px;width:auto}@media (min-width:768px){.login-pf .container{bottom:13%;padding-left:80px;position:absolute;width:100%}}.login-pf .container [class^=alert]{background:0 0;color:#fff}.login-pf .container .details p:first-child{border-top:1px solid rgba(255,255,255,.3);padding-top:25px;margin-top:25px}@media (min-width:768px){.login-pf .container .details{border-left:1px solid rgba(255,255,255,.3);padding-left:40px}.login-pf .container .details p:first-child{border-top:0;padding-top:0;margin-top:0}}.login-pf .container .details p{margin-bottom:2px}.login-pf .container .form-horizontal .control-label{font-size:13px;font-weight:400;text-align:left}.login-pf .container .form-horizontal .form-group:last-child,.login-pf .container .form-horizontal .form-group:last-child .help-block:last-child{margin-bottom:0}.login-pf .container .help-block{color:#fff}@media (min-width:768px){.login-pf .container .login{padding-right:40px}}.login-pf .container .submit{text-align:right}.modal-header{background-color:#f5f5f5;border-bottom:none;padding:10px 18px}.modal-header .close{margin-top:2px}.modal-title{font-size:13px;font-weight:700}.modal-footer{border-top:none;margin-top:15px;padding:14px 15px 15px}.modal-footer>.btn{padding-left:10px;padding-right:10px}.modal-footer>.btn>.fa-angle-left{margin-right:5px}.modal-footer>.btn>.fa-angle-right{margin-left:5px}.navbar-pf{background:#030303;border:0;border-radius:0;border-top:3px solid #39a5dc;margin-bottom:0;min-height:0}.navbar-pf .navbar-brand{color:#f5f5f5;height:auto;padding:12px 0;margin:0 0 0 20px}.navbar-pf .navbar-brand img{display:block}.navbar-pf .navbar-collapse{border-top:0;-webkit-box-shadow:none;box-shadow:none;padding:0}.navbar-pf .navbar-header{border-bottom:1px solid #292929;float:none}.navbar-pf .navbar-nav{margin:0}.navbar-pf .navbar-nav>.active>a,.navbar-pf .navbar-nav>.active>a:focus,.navbar-pf .navbar-nav>.active>a:hover{background-color:#232323;color:#f5f5f5}.navbar-pf .navbar-nav>li>a{color:#d1d1d1;line-height:1;padding:10px 20px;text-shadow:none}.navbar-pf .navbar-nav>li>a:focus,.navbar-pf .navbar-nav>li>a:hover{color:#f5f5f5}.navbar-pf .navbar-nav>.open>a,.navbar-pf .navbar-nav>.open>a:focus,.navbar-pf .navbar-nav>.open>a:hover{background-color:#232323;color:#f5f5f5}@media (max-width:767px){.navbar-pf .navbar-nav .active .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent,.navbar-pf .navbar-nav .open .dropdown-menu{background-color:#171717!important;margin-left:0;padding-bottom:0;padding-top:0}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:hover{background-color:#1f1f1f!important;color:#f5f5f5}.navbar-pf .navbar-nav .active .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent>li>a,.navbar-pf .navbar-nav .open .dropdown-menu>li>a{background-color:transparent;border:0;color:#d1d1d1;outline:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu>li>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>li>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>li>a:hover{color:#f5f5f5}.navbar-pf .navbar-nav .active .dropdown-menu .divider,.navbar-pf .navbar-nav .active .navbar-persistent .divider,.navbar-pf .navbar-nav .open .dropdown-menu .divider{background-color:#292929;margin:0 1px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-header{padding-bottom:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open .dropdown-toggle{color:#f5f5f5}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.pull-left{float:none!important}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu>a:after,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu>a:after{display:none}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-header{padding-left:45px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu{border:0;bottom:auto;-webkit-box-shadow:none;box-shadow:none;display:block;float:none;margin:0;min-width:0;padding:0;position:relative;left:auto;right:auto;top:auto}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu>li>a{padding:5px 15px 5px 45px;line-height:20px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a{padding-left:60px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-menu{display:block}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after{display:inline-block!important;position:relative;right:auto;top:1px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu{display:none}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-submenu>a:after{display:none!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu{background-color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active small{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.disabled>a{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li>a.opt{border-bottom:1px solid transparent;border-top:1px solid transparent;color:#363636;padding-left:10px;padding-right:10px}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:focus small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:hover small{color:#9c9c9c}.navbar-pf .navbar-nav .context-bootstrap-select>.open>.dropdown-menu{padding-bottom:5px;padding-top:5px}}.navbar-pf .navbar-persistent{display:none}.navbar-pf .active>.navbar-persistent{display:block}.navbar-pf .navbar-primary{float:none}.navbar-pf .navbar-primary .context{border-bottom:1px solid #292929}.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group,.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group[class*=span]{margin:8px 20px 9px;width:auto}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a{position:relative}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{content:"\f107";display:inline-block;font-family:FontAwesome;font-weight:400}@media (max-width:767px){.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{height:10px;margin-left:4px;vertical-align:baseline}}.navbar-pf .navbar-toggle{border:0;margin:0;padding:10px 20px}.navbar-pf .navbar-toggle:focus,.navbar-pf .navbar-toggle:hover{background-color:transparent;outline:0}.navbar-pf .navbar-toggle:focus .icon-bar,.navbar-pf .navbar-toggle:hover .icon-bar{-webkit-box-shadow:0 0 3px #fff;box-shadow:0 0 3px #fff}.navbar-pf .navbar-toggle .icon-bar{background-color:#fff}.navbar-pf .navbar-utility{border-bottom:1px solid #292929}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:36px;position:relative}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:20px;position:absolute;top:10px}@media (max-width:767px){.navbar-pf .navbar-utility>li+li{border-top:1px solid #292929}}@media (min-width:768px){.navbar-pf .navbar-brand{padding:8px 0 7px}.navbar-pf .navbar-nav>li>a{padding-bottom:14px;padding-top:14px}.navbar-pf .navbar-persistent{font-size:14px}.navbar-pf .navbar-primary{font-size:14px;background-image:-webkit-linear-gradient(top,#1d1d1d 0,#030303 100%);background-image:-o-linear-gradient(top,#1d1d1d 0,#030303 100%);background-image:linear-gradient(to bottom,#1d1d1d 0,#030303 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff1d1d1d', endColorstr='#ff030303', GradientType=0)}.navbar-pf .navbar-primary.persistent-secondary .context .dropdown-menu{top:auto}.navbar-pf .navbar-primary.persistent-secondary .dropup .dropdown-menu{bottom:-5px;top:auto}.navbar-pf .navbar-primary.persistent-secondary>li{position:static}.navbar-pf .navbar-primary.persistent-secondary>li.active{margin-bottom:32px}.navbar-pf .navbar-primary.persistent-secondary>li.active>.navbar-persistent{display:block;left:0;position:absolute}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent{background:#f5f5f5;border-bottom:1px solid #d1d1d1;padding:0;width:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent a{text-decoration:none!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a:hover{color:#0088ce!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active .active>a{color:#f5f5f5}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu:hover>.dropdown-menu{display:none}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-menu{display:block;left:20px;margin-top:1px;top:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle{padding-right:35px!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle:after{position:absolute;right:20px;top:10px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a:after,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a{background-color:transparent;display:block;line-height:1;padding:9px 20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle{padding-right:35px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle:after{font-size:15px;position:absolute;right:20px;top:9px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a:hover{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li a{color:#4d5258}.navbar-pf .navbar-primary>li>a{border-bottom:1px solid transparent;border-top:1px solid transparent;position:relative;margin:-1px 0 0}.navbar-pf .navbar-primary>li>a:hover{background-color:#1d1d1d;border-top-color:#5c5c5c;color:#d1d1d1;background-image:-webkit-linear-gradient(top,#363636 0,#1d1d1d 100%);background-image:-o-linear-gradient(top,#363636 0,#1d1d1d 100%);background-image:linear-gradient(to bottom,#363636 0,#1d1d1d 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff363636', endColorstr='#ff1d1d1d', GradientType=0)}.navbar-pf .navbar-primary>.active>a,.navbar-pf .navbar-primary>.active>a:focus,.navbar-pf .navbar-primary>.active>a:hover,.navbar-pf .navbar-primary>.open>a,.navbar-pf .navbar-primary>.open>a:focus,.navbar-pf .navbar-primary>.open>a:hover{background-color:#303030;border-bottom-color:#303030;border-top-color:#696969;-webkit-box-shadow:none;box-shadow:none;color:#f5f5f5;background-image:-webkit-linear-gradient(top,#434343 0,#303030 100%);background-image:-o-linear-gradient(top,#434343 0,#303030 100%);background-image:linear-gradient(to bottom,#434343 0,#303030 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff434343', endColorstr='#ff303030', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select .filter-option{max-width:160px;text-overflow:ellipsis}.navbar-pf .navbar-primary li.context.dropdown{border-bottom:0}.navbar-pf .navbar-primary li.context.context-bootstrap-select,.navbar-pf .navbar-primary li.context>a{background-color:#1f1f1f;border-bottom-color:#3e3e3e;border-right:1px solid #3e3e3e;border-top-color:#3b3b3b;font-weight:600;background-image:-webkit-linear-gradient(top,#323232 0,#1f1f1f 100%);background-image:-o-linear-gradient(top,#323232 0,#1f1f1f 100%);background-image:linear-gradient(to bottom,#323232 0,#1f1f1f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff323232', endColorstr='#ff1f1f1f', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select:hover,.navbar-pf .navbar-primary li.context>a:hover{background-color:#323232;border-bottom-color:#4a4a4a;border-right-color:#4a4a4a;border-top-color:#4a4a4a;background-image:-webkit-linear-gradient(top,#3f3f3f 0,#323232 100%);background-image:-o-linear-gradient(top,#3f3f3f 0,#323232 100%);background-image:linear-gradient(to bottom,#3f3f3f 0,#323232 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff3f3f3f', endColorstr='#ff323232', GradientType=0)}.navbar-pf .navbar-primary li.context.open>a{background-color:#454545;border-bottom-color:#575757;border-right-color:#575757;border-top-color:#5a5a5a;background-image:-webkit-linear-gradient(top,#4c4c4c 0,#454545 100%);background-image:-o-linear-gradient(top,#4c4c4c 0,#454545 100%);background-image:linear-gradient(to bottom,#4c4c4c 0,#454545 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff4c4c4c', endColorstr='#ff454545', GradientType=0)}.navbar-pf .navbar-utility{border-bottom:0;font-size:11px;position:absolute;right:0;top:0}.navbar-pf .navbar-utility>.active>a,.navbar-pf .navbar-utility>.active>a:focus,.navbar-pf .navbar-utility>.active>a:hover,.navbar-pf .navbar-utility>.open>a,.navbar-pf .navbar-utility>.open>a:focus,.navbar-pf .navbar-utility>.open>a:hover{background:#363636;color:#d1d1d1}.navbar-pf .navbar-utility>li>a{border-left:1px solid #2b2b2b;color:#d1d1d1!important;padding:7px 10px}.navbar-pf .navbar-utility>li>a:hover{background:#232323;border-left-color:#373737}.navbar-pf .navbar-utility>li.open>a{border-left-color:#444;color:#f5f5f5!important}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:26px}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:10px;top:7px}.navbar-pf .navbar-utility .open .dropdown-menu{left:auto;right:0}.navbar-pf .navbar-utility .open .dropdown-menu .dropdown-menu{left:auto;right:100%}.navbar-pf .navbar-utility .open .dropdown-menu{border-top-width:0}.navbar-pf .open .dropdown-submenu>.dropdown-menu,.navbar-pf .open.bootstrap-select .dropdown-menu{border-top-width:1px!important}}@media (max-width:360px){.navbar-pf .navbar-brand{margin-left:10px;width:75%}.navbar-pf .navbar-brand img{height:auto;max-width:100%}.navbar-pf .navbar-toggle{padding-left:0}}.drawer-pf{background-color:#fafafa;border:1px solid #d1d1d1;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);overflow-y:auto;position:absolute;right:0;width:320px;z-index:2}.drawer-pf .panel{border-bottom:none;border-left:none;border-right:none}.drawer-pf .panel-group .panel-heading+.panel-collapse .panel-body{border-top:none;border-bottom:1px solid #d1d1d1;padding:0}.drawer-pf .panel-counter{display:block;font-style:italic;line-height:1.2;padding-left:18px;padding-top:5px}.drawer-pf .panel-heading{border-bottom:1px solid #d1d1d1}.drawer-pf .panel-group{bottom:0;margin-bottom:0;position:absolute;top:25px;width:100%}.drawer-pf .panel-title a{cursor:pointer;display:block}.drawer-pf.drawer-pf-expanded{left:270px;width:inherit}.drawer-pf.drawer-pf-expanded .drawer-pf-toggle-expand:before{content:"\f101"}.drawer-pf-toggle-expand{color:inherit;cursor:pointer;left:0;padding:2px 5px;position:absolute}.drawer-pf-toggle-expand:before{content:"\f100";font-family:FontAwesome}.drawer-pf-toggle-expand:focus,.drawer-pf-toggle-expand:hover{color:inherit;text-decoration:none}.drawer-pf-action .btn-link{color:#0088ce;padding:10px 0}.drawer-pf-action .btn-link:hover{color:#00659c}.drawer-pf-loading{color:#4d5258;font-size:14px;padding:20px 15px}.drawer-pf-notification{border-bottom:1px solid #d1d1d1;padding:15px}.drawer-pf-notification .date{border-right:1px solid #aaa;display:inline-block;line-height:1;margin-right:5px;padding-right:9px}.drawer-pf-notification .pficon{font-size:14px;margin-top:3px}.drawer-pf-notification:last-of-type{border-bottom:none}.drawer-pf-notification:hover{background-color:#def3ff}.drawer-pf-notification.unread .drawer-pf-notification-message{font-weight:700}.drawer-pf-notification.expanded-notification .date{border-right:none;padding-right:0}.drawer-pf-notification-info,.drawer-pf-notification-message{display:block;padding-left:27px;padding-right:19px}.expanded-notification .drawer-pf-notification-info,.expanded-notification .drawer-pf-notification-message{display:inline-block}.drawer-pf-notifications-non-clickable .drawer-pf-notification:hover{background-color:#fff}.drawer-pf-title{background-color:#fafafa;border-bottom:1px solid #d1d1d1;position:absolute;width:318px}.drawer-pf-title h3{font-size:12px;margin:0;padding:6px 15px}.navbar-pf-vertical .drawer-pf{height:calc(100vh - 80px);top:58px}.navbar-pf-vertical .nav .drawer-pf-trigger .drawer-pf-trigger-icon{border-left:1px solid #2b2b2b;border-right:1px solid #2b2b2b;padding-left:15px;padding-right:15px}.navbar-pf-vertical .nav .drawer-pf-trigger.open .drawer-pf-trigger-icon{background-color:#232323}.navbar-pf .drawer-pf{height:calc(100vh - 46px);top:26px}.navbar-pf .drawer-pf-trigger-icon{cursor:pointer}.pager li>a,.pager li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;font-weight:600;line-height:22px;padding:2px 14px}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>a:focus,.pager li>a:hover,.pager li>span.active,.pager li>span:active,.pager li>span:focus,.pager li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>span.active,.pager li>span:active{background-image:none}.open .dropdown-toggle.pager li>a.focus,.open .dropdown-toggle.pager li>a:focus,.open .dropdown-toggle.pager li>a:hover,.open .dropdown-toggle.pager li>span.focus,.open .dropdown-toggle.pager li>span:focus,.open .dropdown-toggle.pager li>span:hover,.pager li>a.active.focus,.pager li>a.active:focus,.pager li>a.active:hover,.pager li>a:active.focus,.pager li>a:active:focus,.pager li>a:active:hover,.pager li>span.active.focus,.pager li>span.active:focus,.pager li>span.active:hover,.pager li>span:active.focus,.pager li>span:active:focus,.pager li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pager li>a.disabled,.pager li>a.disabled.active,.pager li>a.disabled:active,.pager li>a.disabled:focus,.pager li>a.disabled:hover,.pager li>a[disabled],.pager li>a[disabled].active,.pager li>a[disabled]:active,.pager li>a[disabled]:focus,.pager li>a[disabled]:hover,.pager li>span.disabled,.pager li>span.disabled.active,.pager li>span.disabled:active,.pager li>span.disabled:focus,.pager li>span.disabled:hover,.pager li>span[disabled],.pager li>span[disabled].active,.pager li>span[disabled]:active,.pager li>span[disabled]:focus,.pager li>span[disabled]:hover,fieldset[disabled] .pager li>a,fieldset[disabled] .pager li>a.active,fieldset[disabled] .pager li>a:active,fieldset[disabled] .pager li>a:focus,fieldset[disabled] .pager li>a:hover,fieldset[disabled] .pager li>span,fieldset[disabled] .pager li>span.active,fieldset[disabled] .pager li>span:active,fieldset[disabled] .pager li>span:focus,fieldset[disabled] .pager li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pager li>a>.i,.pager li>span>.i{font-size:18px;vertical-align:top;margin:2px 0}.pager li>a:hover>a:focus{color:#4d5258}.pager li a:active{background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(3,3,3,.125);box-shadow:inset 0 3px 5px rgba(3,3,3,.125);outline:0}.pager .disabled>a,.pager .disabled>a:active,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{background:#f5f5f5;-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f;cursor:default}.pager .next>a>.i,.pager .next>span>.i{margin-left:5px}.pager .previous>a>.i,.pager .previous>span>.i{margin-right:5px}.pager-sm li>a,.pager-sm li>span{font-weight:400;line-height:16px;padding:1px 10px}.pager-sm li>a>.i,.pager-sm li>span>.i{font-size:12px}.pagination>li>a,.pagination>li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;cursor:default;font-weight:600;padding:2px 10px}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span.active,.pagination>li>span:active,.pagination>li>span:focus,.pagination>li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>span.active,.pagination>li>span:active{background-image:none}.open .dropdown-toggle.pagination>li>a.focus,.open .dropdown-toggle.pagination>li>a:focus,.open .dropdown-toggle.pagination>li>a:hover,.open .dropdown-toggle.pagination>li>span.focus,.open .dropdown-toggle.pagination>li>span:focus,.open .dropdown-toggle.pagination>li>span:hover,.pagination>li>a.active.focus,.pagination>li>a.active:focus,.pagination>li>a.active:hover,.pagination>li>a:active.focus,.pagination>li>a:active:focus,.pagination>li>a:active:hover,.pagination>li>span.active.focus,.pagination>li>span.active:focus,.pagination>li>span.active:hover,.pagination>li>span:active.focus,.pagination>li>span:active:focus,.pagination>li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pagination>li>a.disabled,.pagination>li>a.disabled.active,.pagination>li>a.disabled:active,.pagination>li>a.disabled:focus,.pagination>li>a.disabled:hover,.pagination>li>a[disabled],.pagination>li>a[disabled].active,.pagination>li>a[disabled]:active,.pagination>li>a[disabled]:focus,.pagination>li>a[disabled]:hover,.pagination>li>span.disabled,.pagination>li>span.disabled.active,.pagination>li>span.disabled:active,.pagination>li>span.disabled:focus,.pagination>li>span.disabled:hover,.pagination>li>span[disabled],.pagination>li>span[disabled].active,.pagination>li>span[disabled]:active,.pagination>li>span[disabled]:focus,.pagination>li>span[disabled]:hover,fieldset[disabled] .pagination>li>a,fieldset[disabled] .pagination>li>a.active,fieldset[disabled] .pagination>li>a:active,fieldset[disabled] .pagination>li>a:focus,fieldset[disabled] .pagination>li>a:hover,fieldset[disabled] .pagination>li>span,fieldset[disabled] .pagination>li>span.active,fieldset[disabled] .pagination>li>span:active,fieldset[disabled] .pagination>li>span:focus,fieldset[disabled] .pagination>li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pagination>li>a>.i,.pagination>li>span>.i{font-size:15px;vertical-align:top;margin:2px 0}.pagination>li>a:active,.pagination>li>span:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{background-color:#f1f1f1;border-color:#bbb;-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2);color:#4d5258;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{-webkit-box-shadow:none;box-shadow:none;cursor:default;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination-sm>li>a,.pagination-sm>li>span{padding:2px 6px;font-size:11px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:1px;border-top-left-radius:1px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:1px;border-top-right-radius:1px}.pagination-sm>li>a,.pagination-sm>li>span{font-weight:400}.pagination-sm>li>a>.i,.pagination-sm>li>span>.i{font-size:12px;margin-top:2px}.panel-title{font-weight:700}.panel-group .panel{color:#4d5258}.panel-group .panel+.panel{margin-top:-1px}.panel-group .panel-default{border-color:#bbb;border-top-color:#bbb}.panel-group .panel-heading{background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #d1d1d1}.panel-group .panel-title{font-weight:500;line-height:1}.panel-group .panel-title>a{color:#4d5258;font-weight:600}.panel-group .panel-title>a:before{content:"\f107";display:inline-block;font-family:FontAwesome;font-size:13px;margin-right:5px;text-align:center;vertical-align:0;width:8px}.panel-group .panel-title>a:focus{outline:0;text-decoration:none}.panel-group .panel-title>a:hover{text-decoration:none}.panel-group .panel-title>a.collapsed:before{content:"\f105"}.popover{-webkit-box-shadow:0 2px 2px rgba(3,3,3,.08);box-shadow:0 2px 2px rgba(3,3,3,.08);padding:0}.popover-content{color:#4d5258;line-height:18px;padding:10px 14px}.popover-title{border-bottom:none;border-radius:0;color:#4d5258;font-size:13px;font-weight:700;min-height:34px}.popover-title .close{height:22px;position:absolute;right:8px;top:6px}.popover-title.closable{padding-right:30px}@-webkit-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}.progress{-webkit-box-shadow:inset 0 0 1px rgba(3,3,3,.25);box-shadow:inset 0 0 1px rgba(3,3,3,.25)}.progress.progress-label-left,.progress.progress-label-top-right{overflow:visible;position:relative}.progress.progress-label-left{margin-left:40px}.progress.progress-sm{height:14px;margin-bottom:14px}.progress.progress-xs{height:6px;margin-bottom:6px}td>.progress:first-child:last-child{margin-bottom:0;margin-top:3px}.progress-bar{box-shadow:none}.progress-label-left .progress-bar span,.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{color:#363636;position:absolute;text-align:right}.progress-label-left .progress-bar span{font-size:14px;left:-40px;top:0;width:35px}.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{font-size:11px;overflow:hidden;right:0;text-overflow:ellipsis;white-space:nowrap}.progress-label-right .progress-bar span strong,.progress-label-top-right .progress-bar span strong{font-weight:600}.progress-label-right .progress-bar span{max-width:85px;top:0}.progress-label-top-right .progress-bar span{max-width:47%;top:-30px}.progress-label-left.progress-sm .progress-bar span,.progress-label-top-right.progress-sm .progress-bar span{font-size:12px}.progress-sm .progress-bar{line-height:14px}.progress-xs .progress-bar{line-height:6px}.progress-bar-remaining{background:0 0}.progress-container{position:relative}.progress-container.progress-description-left{padding-left:90px}.progress-container.progress-label-right{padding-right:90px}.progress-description{margin-bottom:10px;max-width:52%;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.progress-description .count{font-size:20px;font-weight:300;line-height:1;margin-right:5px}.progress-description .fa,.progress-description .pficon{font-size:14px;margin-right:3px}.progress-description-left .progress-description{left:0;margin-bottom:0;max-width:85px;position:absolute;top:0}.progress-description .tooltip{white-space:normal}.search-pf.has-button{border-collapse:separate;display:table}.search-pf.has-button .form-group{display:table-cell;width:100%}.search-pf.has-button .form-group .btn{-webkit-box-shadow:none;box-shadow:none;float:left;margin-left:-1px}.search-pf.has-button .form-group .btn.btn-lg{font-size:14.5px}.search-pf.has-button .form-group .btn.btn-sm{font-size:10.7px}.search-pf.has-button .form-group .form-control{float:left}.search-pf .has-clear .clear{background:0 0;background:rgba(255,255,255,0);border:0;height:25px;line-height:1;padding:0;position:absolute;right:1px;top:1px;width:28px}.search-pf .has-clear .clear:focus{outline:0}.search-pf .has-clear .form-control{padding-right:30px}.search-pf .has-clear .form-control::-ms-clear{display:none}.search-pf .has-clear .input-lg+.clear{height:31px;width:28px}.search-pf .has-clear .input-sm+.clear{height:20px;width:28px}.search-pf .has-clear .input-sm+.clear span{font-size:10px}.search-pf .has-clear .search-pf-input-group{position:relative}.sidebar-header{border-bottom:1px solid #ececec;padding-bottom:11px;margin:50px 0 20px}.sidebar-header .actions{margin-top:-2px}.sidebar-pf .sidebar-header+.list-group{border-top:0;margin-top:-10px}.sidebar-pf .sidebar-header+.list-group .list-group-item{background:0 0;border-color:#ececec;padding-left:0}.sidebar-pf .sidebar-header+.list-group .list-group-item-heading{font-size:12px}.sidebar-pf .nav-category h2{color:#9c9c9c;font-size:12px;font-weight:400;line-height:21px;margin:0;padding:8px 0}.sidebar-pf .nav-category+.nav-category{margin-top:10px}.sidebar-pf .nav-pills>li.active>a{background:#0088ce!important;border-color:#0088ce!important;color:#fff}@media (min-width:768px){.sidebar-pf .nav-pills>li.active>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}.sidebar-pf .nav-pills>li.active>a .fa{color:#fff}.sidebar-pf .nav-pills>li>a{border-bottom:1px solid transparent;border-radius:0;border-top:1px solid transparent;color:#363636;font-size:13px;line-height:21px;padding:1px 20px}.sidebar-pf .nav-pills>li>a:hover{background:#def3ff;border-color:#bee1f4}.sidebar-pf .nav-pills>li>a .fa{color:#6a7079;font-size:15px;margin-right:10px;text-align:center;vertical-align:middle;width:15px}.sidebar-pf .nav-stacked{margin-left:-20px;margin-right:-20px}.sidebar-pf .nav-stacked li+li{margin-top:0}.sidebar-pf .panel{background:0 0}.sidebar-pf .panel-body{padding:6px 20px}.sidebar-pf .panel-body .nav-pills>li>a{padding-left:37px}.sidebar-pf .panel-heading{padding:9px 20px}.sidebar-pf .panel-title{font-size:12px}.sidebar-pf .panel-title>a:before{display:inline-block;margin-left:1px;margin-right:4px;width:9px}.sidebar-pf .panel-title>a.collapsed:before{margin-left:3px;margin-right:2px}@media (min-width:767px){.sidebar-header-bleed-left{margin-left:-20px}.sidebar-header-bleed-left>h2{margin-left:20px}.sidebar-header-bleed-right{margin-right:-20px}.sidebar-header-bleed-right .actions{margin-right:20px}.sidebar-header-bleed-right>h2{margin-right:20px}.sidebar-header-bleed-right+.list-group{margin-right:-20px}.sidebar-pf .panel-group .panel-default,.sidebar-pf .treeview{border-left:0;border-right:0;margin-left:-20px;margin-right:-20px}.sidebar-pf .treeview{margin-top:5px}.sidebar-pf .treeview .list-group-item{padding-left:20px;padding-right:20px}.sidebar-pf .treeview .list-group-item.node-selected:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}@media (min-width:768px){.sidebar-pf{background:#fafafa}.sidebar-pf.sidebar-pf-left{border-right:1px solid #d1d1d1}.sidebar-pf.sidebar-pf-right{border-left:1px solid #d1d1d1}.sidebar-pf>.nav-category,.sidebar-pf>.nav-stacked{margin-top:5px}}@-webkit-keyframes rotation{from{-webkit-transform:rotate(0)}to{-webkit-transform:rotate(359deg)}}@keyframes rotation{from{transform:rotate(0)}to{transform:rotate(359deg)}}.spinner{-webkit-animation:rotation .6s infinite linear;animation:rotation .6s infinite linear;border-bottom:4px solid rgba(3,3,3,.25);border-left:4px solid rgba(3,3,3,.25);border-right:4px solid rgba(3,3,3,.25);border-radius:100%;border-top:4px solid rgba(3,3,3,.75);height:24px;margin:0 auto;position:relative;width:24px}.spinner.spinner-inline{display:inline-block;margin-right:3px}.spinner.spinner-lg{border-width:5px;height:30px;width:30px}.spinner.spinner-sm{border-width:3px;height:18px;width:18px}.spinner.spinner-xs{border-width:2px;height:12px;width:12px}.spinner.spinner-inverse{border-bottom-color:rgba(255,255,255,.25);border-left-color:rgba(255,255,255,.25);border-right-color:rgba(255,255,255,.25);border-top-color:rgba(255,255,255,.75)}.ie9 .spinner{background:url(../img/spinner.gif) no-repeat;border:0}.ie9 .spinner.spinner-inverse{background-image:url(../img/spinner-inverse.gif)}.ie9 .spinner.spinner-inverse-lg{background-image:url(../img/spinner-inverse-lg.gif)}.ie9 .spinner.spinner-inverse-sm{background-image:url(../img/spinner-inverse-sm.gif)}.ie9 .spinner.spinner-inverse-xs{background-image:url(../img/spinner-inverse-xs.gif)}.ie9 .spinner.spinner-lg{background-image:url(../img/spinner-lg.gif)}.ie9 .spinner.spinner-sm{background-image:url(../img/spinner-sm.gif)}.ie9 .spinner.spinner-xs{background-image:url(../img/spinner-xs.gif)}.prettyprint .atn,.prettyprint .com,.prettyprint .fun,.prettyprint .var{color:#3f9c35}.prettyprint .atv,.prettyprint .str{color:#a30000}.prettyprint .clo,.prettyprint .dec,.prettyprint .kwd,.prettyprint .opn,.prettyprint .pln,.prettyprint .pun{color:#363636}.prettyprint .lit,.prettyprint .tag,.prettyprint .typ{color:#00659c}.prettyprint ol.linenums{margin-bottom:0}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:2px 10px 3px}.table>tbody>tr>td>a:hover,.table>tbody>tr>th>a:hover,.table>tfoot>tr>td>a:hover,.table>tfoot>tr>th>a:hover,.table>thead>tr>td>a:hover,.table>thead>tr>th>a:hover{text-decoration:none}.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>th{font-family:'Open Sans';font-style:normal;font-weight:600}.table>thead{background-clip:padding-box;background-color:#f5f5f5;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.table-bordered{border:1px solid #d1d1d1}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #d1d1d1}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:1px}.table-striped>tbody>tr:nth-of-type(even){background-color:#f5f5f5}.table-striped>tbody>tr:nth-of-type(odd){background-color:transparent}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#def3ff;border-bottom-color:#7dc3e8}.table-treegrid span.indent{margin-left:10px;margin-right:10px}.table-treegrid span.icon{display:inline-block;font-size:13px;margin-right:5px;min-width:10px;text-align:center}.table-treegrid span.collapse-icon,.table-treegrid span.expand-icon{cursor:pointer}.table-treegrid>tbody>tr.odd{background-color:#f5f5f5}.nav-tabs{font-size:14px}.nav-tabs>li>a{color:#4d5258;margin-right:-1px;padding-bottom:5px;padding-top:5px}.nav-tabs>li>a:active,.nav-tabs>li>a:focus,.nav-tabs>li>a:hover{background:0 0;border-color:#ededed;color:#252525}.nav-tabs>li>.dropdown-menu{border-top:0;border-color:#ededed}.nav-tabs>li>.dropdown-menu.pull-right{right:-1px}.nav-tabs+.nav-tabs-pf{font-size:12px}.nav-tabs+.nav-tabs-pf>li:first-child>a{padding-left:15px}.nav-tabs+.nav-tabs-pf>li:first-child>a:before{left:15px!important}.nav-tabs .open>a,.nav-tabs .open>a:focus,.nav-tabs .open>a:hover{background-color:transparent;border-color:#ededed}@media (min-width:768px){.nav-tabs-pf.nav-justified{border-bottom:1px solid #ededed}}.nav-tabs-pf.nav-justified>li:first-child>a{padding-left:15px}.nav-tabs-pf.nav-justified>li>a{border-bottom:0}.nav-tabs-pf.nav-justified>li>a:before{left:0!important;right:0!important}.nav-tabs-pf>li{margin-bottom:0}.nav-tabs-pf>li.active>a:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li.active>a,.nav-tabs-pf>li.active>a:active,.nav-tabs-pf>li.active>a:focus,.nav-tabs-pf>li.active>a:hover{background-color:transparent;border:0!important;color:#0088ce}.nav-tabs-pf>li.active>a:active:before,.nav-tabs-pf>li.active>a:before,.nav-tabs-pf>li.active>a:focus:before,.nav-tabs-pf>li.active>a:hover:before{background:#0088ce}.nav-tabs-pf>li:first-child>a{padding-left:0}.nav-tabs-pf>li:first-child>a:before{left:0!important}.nav-tabs-pf>li>a{border:0;line-height:1;margin-right:0;padding-bottom:10px;padding-top:10px}.nav-tabs-pf>li>a:active:before,.nav-tabs-pf>li>a:focus:before,.nav-tabs-pf>li>a:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li>.dropdown-menu{left:15px;margin-top:1px}.nav-tabs-pf>li>.dropdown-menu.pull-right{left:auto;right:15px}.nav-tabs-pf .open>a,.nav-tabs-pf .open>a:focus,.nav-tabs-pf .open>a:hover{background-color:transparent}.tooltip{font-size:12px;line-height:1.4}.tooltip-inner{padding:7px 12px;text-align:left}.h1,.h2,h1,h2{font-weight:300}.page-header .actions{margin-top:8px}.page-header .actions a>.pficon{margin-right:4px}@media (min-width:767px){.page-header-bleed-left{margin-left:-20px}.page-header-bleed-right{margin-right:-20px}.page-header-bleed-right .actions{margin-right:20px}} +\ No newline at end of file ++ */.bootstrap-select.btn-group,.bootstrap-select.btn-group[class*=span]{float:none;display:inline-block;margin-bottom:10px;margin-left:0}.form-horizontal .bootstrap-select.btn-group,.form-inline .bootstrap-select.btn-group,.form-search .bootstrap-select.btn-group{margin-bottom:0}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none}.bootstrap-select.btn-group.pull-right,.bootstrap-select.btn-group[class*=span].pull-right,.row-fluid .bootstrap-select.btn-group[class*=span].pull-right{float:right}.input-append .bootstrap-select.btn-group{margin-left:-1px}.input-prepend .bootstrap-select.btn-group{margin-right:-1px}.bootstrap-select:not([class*=span]):not([class*=col-]):not([class*=form-control]){width:220px}.bootstrap-select{width:220px\9}.bootstrap-select.form-control:not([class*=span]){width:100%}.bootstrap-select>.btn{width:100%}.error .bootstrap-select .btn{border:1px solid #b94a48}.dropdown-menu{z-index:2000}.bootstrap-select.show-menu-arrow.open>.btn{z-index:2051}.bootstrap-select .btn:focus{outline:thin dotted #333!important;outline:5px auto -webkit-focus-ring-color!important;outline-offset:-2px}.bootstrap-select.btn-group .btn .filter-option{overflow:hidden;position:absolute;left:12px;right:25px;text-align:left}.bootstrap-select.btn-group .btn .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.bootstrap-select.btn-group .dropdown-menu li.disabled>a,.bootstrap-select.btn-group>.disabled{cursor:not-allowed}.bootstrap-select.btn-group>.disabled:focus{outline:0!important}.bootstrap-select.btn-group[class*=span] .btn{width:100%}.bootstrap-select.btn-group .dropdown-menu{min-width:100%;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}.bootstrap-select.btn-group .dropdown-menu.inner{position:static;border:0;padding:0;margin:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.bootstrap-select.btn-group .dropdown-menu dt{display:block;padding:3px 20px;cursor:default}.bootstrap-select.btn-group .div-contain{overflow:hidden}.bootstrap-select.btn-group .dropdown-menu li{position:relative}.bootstrap-select.btn-group .dropdown-menu li>a.opt{position:relative;padding-left:35px}.bootstrap-select.btn-group .dropdown-menu li>a{cursor:pointer}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a i.check-mark{display:inline-block;position:absolute;right:15px;margin-top:2.5px}.bootstrap-select.btn-group .dropdown-menu li a i.check-mark{display:none}.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select.btn-group .dropdown-menu li small{padding-left:.5em}.bootstrap-select.btn-group .dropdown-menu li.active:not(.disabled)>a small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:hover small{color:#64b1d8;color:rgba(255,255,255,.4)}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.show-menu-arrow .dropdown-toggle:before{content:'';display:inline-block;border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid #CCC;border-bottom-color:rgba(0,0,0,.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle:after{content:'';display:inline-block;border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid #fff;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before{bottom:auto;top:-3px;border-top:7px solid #ccc;border-bottom:0;border-top-color:rgba(0,0,0,.2)}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after{bottom:auto;top:-3px;border-top:6px solid #fff;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:after,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:before{display:block}.bootstrap-select.btn-group .no-results{padding:3px;background:#f5f5f5;margin:0 5px}.mobile-device{position:absolute;top:0;left:0;display:block!important;width:100%;height:100%!important;opacity:0}.bootstrap-select.fit-width{width:auto!important}.bootstrap-select.btn-group.fit-width .btn .filter-option{position:static}.bootstrap-select.btn-group.fit-width .btn .caret{position:static;top:auto;margin-top:-1px}.control-group.error .bootstrap-select .dropdown-toggle{border-color:#b94a48}.bootstrap-select-searchbox{padding:4px 8px}.bootstrap-select-searchbox input{margin-bottom:0}.alert{border-width:1px;padding-left:47px;padding-right:14px;position:relative}.alert .alert-link{color:#0088ce}.alert .alert-link:hover{color:#00659c}.alert>.btn.pull-right{margin-top:-3px}.alert>.pficon{font-size:22px;position:absolute;left:13px;top:10px}.alert .close{opacity:.85;filter:alpha(opacity=85)}.alert .close:focus,.alert .close:hover{opacity:1;filter:alpha(opacity=100)}.alert .pficon-info{color:#4d5258}.alert-dismissable{padding-right:28px}.alert-dismissable .close{right:-13px;top:1px}.badge{margin-left:6px}.nav-pills>li>a>.badge{margin-left:6px}.bootstrap-select.btn-group.form-control{margin-bottom:0}.bootstrap-select.btn-group .btn{-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-select.btn-group .btn:hover{border-color:#7dc3e8}.bootstrap-select.btn-group .btn .caret{margin-top:-4px}.bootstrap-select.btn-group .btn:focus{border-color:#0088ce;outline:0!important;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6);box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6)}.has-error .bootstrap-select.btn-group .btn{border-color:#c00}.has-error .bootstrap-select.btn-group .btn:focus{border-color:#900;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33}.has-success .bootstrap-select.btn-group .btn{border-color:#3c763d}.has-success .bootstrap-select.btn-group .btn:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168}.has-warning .bootstrap-select.btn-group .btn{border-color:#ec7a08}.has-warning .bootstrap-select.btn-group .btn:focus{border-color:#bb6106;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60}.bootstrap-select.btn-group .dropdown-menu>.active>a,.bootstrap-select.btn-group .dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.bootstrap-select.btn-group .dropdown-menu>.active>a small,.bootstrap-select.btn-group .dropdown-menu>.active>a:active small{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.disabled>a{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu .divider{background:#ededed!important;margin:4px 1px!important}.bootstrap-select.btn-group .dropdown-menu dt{color:#8b8d8f;font-weight:400;padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li>a.opt{padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu li a:focus small,.bootstrap-select.btn-group .dropdown-menu li a:hover small{color:#9c9c9c}.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:hover small{color:#9c9c9c}.combobox-container.combobox-selected .glyphicon-remove{display:inline-block}.combobox-container .caret{margin-left:0}.combobox-container .combobox::-ms-clear{display:none}.combobox-container .dropdown-menu{margin-top:-1px;width:100%}.combobox-container .glyphicon-remove{display:none;top:auto;width:12px}.combobox-container .glyphicon-remove:before{content:"\e60b";font-family:PatternFlyIcons-webfont}.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;position:relative}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.combobox-container .input-group-addon:focus,.combobox-container .input-group-addon:hover,.open .dropdown-toggle.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.open .dropdown-toggle.combobox-container .input-group-addon{background-image:none}.combobox-container .input-group-addon.active.focus,.combobox-container .input-group-addon.active:focus,.combobox-container .input-group-addon.active:hover,.combobox-container .input-group-addon:active.focus,.combobox-container .input-group-addon:active:focus,.combobox-container .input-group-addon:active:hover,.open .dropdown-toggle.combobox-container .input-group-addon.focus,.open .dropdown-toggle.combobox-container .input-group-addon:focus,.open .dropdown-toggle.combobox-container .input-group-addon:hover{background-color:#e5e5e5;border-color:#a9a9a9}.combobox-container .input-group-addon.disabled,.combobox-container .input-group-addon.disabled.active,.combobox-container .input-group-addon.disabled:active,.combobox-container .input-group-addon.disabled:focus,.combobox-container .input-group-addon.disabled:hover,.combobox-container .input-group-addon[disabled],.combobox-container .input-group-addon[disabled].active,.combobox-container .input-group-addon[disabled]:active,.combobox-container .input-group-addon[disabled]:focus,.combobox-container .input-group-addon[disabled]:hover,fieldset[disabled] .combobox-container .input-group-addon,fieldset[disabled] .combobox-container .input-group-addon.active,fieldset[disabled] .combobox-container .input-group-addon:active,fieldset[disabled] .combobox-container .input-group-addon:focus,fieldset[disabled] .combobox-container .input-group-addon:hover{background-color:#f1f1f1;border-color:#bbb}.combobox-container .input-group-addon:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.treeview .list-group{border-top:0}.treeview .list-group-item{background:0 0;border-bottom:1px solid transparent!important;border-top:1px solid transparent!important;margin-bottom:0;padding:0 10px}.treeview .list-group-item:hover{background:#def3ff!important;border-color:#bee1f4!important}.treeview .list-group-item.node-selected{background:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.treeview span.icon{display:inline-block;font-size:13px;min-width:10px;text-align:center}.treeview span.icon>[class*=fa-angle]{font-size:15px}.treeview span.indent{margin-right:5px}.breadcrumb{padding-left:0}.breadcrumb>.active strong{font-weight:600}.breadcrumb>li{display:inline}.breadcrumb>li+li:before{color:#9c9c9c;content:"\f101";font-family:FontAwesome;font-size:11px;padding:0 9px 0 7px}.btn{-webkit-box-shadow:0 2px 3px rgba(3,3,3,.1);box-shadow:0 2px 3px rgba(3,3,3,.1)}.btn:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{background-color:#fafafa!important;background-image:none!important;border-color:#d1d1d1!important;color:#8b8d8f!important;opacity:1}.btn.disabled:active,.btn[disabled]:active,fieldset[disabled] .btn:active{-webkit-box-shadow:none;box-shadow:none}.btn.disabled.btn-link,.btn[disabled].btn-link,fieldset[disabled] .btn.btn-link{background-color:transparent!important;border:0}.btn-danger{background-color:#a30000;background-image:-webkit-linear-gradient(top,#c00 0,#a30000 100%);background-image:-o-linear-gradient(top,#c00 0,#a30000 100%);background-image:linear-gradient(to bottom,#c00 0,#a30000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffcc0000', endColorstr='#ffa30000', GradientType=0);border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.btn-danger:focus,.btn-danger:hover,.open .dropdown-toggle.btn-danger{background-color:#a30000;background-image:none;border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open .dropdown-toggle.btn-danger.focus,.open .dropdown-toggle.btn-danger:focus,.open .dropdown-toggle.btn-danger:hover{background-color:#8a0000;border-color:#670000}.btn-danger.disabled,.btn-danger.disabled.active,.btn-danger.disabled:active,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled],.btn-danger[disabled].active,.btn-danger[disabled]:active,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger.active,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#a30000;border-color:#8b0000}.btn-default{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.btn-default:focus,.btn-default:hover,.open .dropdown-toggle.btn-default{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open .dropdown-toggle.btn-default.focus,.open .dropdown-toggle.btn-default:focus,.open .dropdown-toggle.btn-default:hover{background-color:#e5e5e5;border-color:#a9a9a9}.btn-default.disabled,.btn-default.disabled.active,.btn-default.disabled:active,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled],.btn-default[disabled].active,.btn-default[disabled]:active,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default.active,fieldset[disabled] .btn-default:active,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#f1f1f1;border-color:#bbb}.btn-link,.btn-link:active{-webkit-box-shadow:none;box-shadow:none}.btn-primary{background-color:#0088ce;background-image:-webkit-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:-o-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:linear-gradient(to bottom,#39a5dc 0,#0088ce 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff39a5dc', endColorstr='#ff0088ce', GradientType=0);border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open .dropdown-toggle.btn-primary{background-color:#0088ce;background-image:none;border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open .dropdown-toggle.btn-primary.focus,.open .dropdown-toggle.btn-primary:focus,.open .dropdown-toggle.btn-primary:hover{background-color:#0077b5;border-color:#004e78}.btn-primary.disabled,.btn-primary.disabled.active,.btn-primary.disabled:active,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled],.btn-primary[disabled].active,.btn-primary[disabled]:active,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary.active,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#0088ce;border-color:#00659c}.btn-group-xs .btn,.btn-group-xs>.btn,.btn-xs{font-weight:400}.close{text-shadow:none;opacity:.6;filter:alpha(opacity=60)}.close:focus,.close:hover{opacity:.9;filter:alpha(opacity=90)}.ColVis_Button:active:focus{outline:0}.ColVis_catcher{position:absolute;z-index:999}.ColVis_collection{background-color:#fff;border:1px solid #bbb;border-radius:1px;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);background-clip:padding-box;list-style:none;margin:-1px 0 0 0;padding:5px 10px;width:150px;z-index:1000}.ColVis_collection label{font-weight:400;margin-bottom:5px;margin-top:5px;padding-left:20px}.ColVis_collectionBackground{background-color:#fff;height:100%;left:0;position:fixed;top:0;width:100%;z-index:998}.dataTables_header{background-color:#f5f5f5;border:1px solid #d1d1d1;border-bottom:none;padding:5px;position:relative;text-align:center}.dataTables_header .btn{-webkit-box-shadow:none;box-shadow:none}.dataTables_header .ColVis{position:absolute;right:5px;text-align:left;top:5px}.dataTables_header .ColVis+.dataTables_info{padding-right:30px}.dataTables_header .dataTables_filter{position:absolute}.dataTables_header .dataTables_filter input{border:1px solid #bbb;height:24px}@media (max-width:767px){.dataTables_header .dataTables_filter input{width:100px}}.dataTables_header .dataTables_info{padding:2px 0}@media (max-width:480px){.dataTables_header .dataTables_info{text-align:right}}.dataTables_header .dataTables_info b{font-weight:700}.dataTables_footer{background-color:#fff;border:1px solid #d1d1d1;border-top:none;overflow:hidden}.dataTables_paginate{background:#fafafa;float:right;margin:0}.dataTables_paginate .pagination{float:left;margin:0}.dataTables_paginate .pagination>li>span{border-color:#fff #d1d1d1 #f5f5f5;border-width:0 1px;font-size:16px;font-weight:400;padding:0;text-align:center;width:31px}.dataTables_paginate .pagination>li>span:focus,.dataTables_paginate .pagination>li>span:hover{filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination>li.last>span{border-right:none}.dataTables_paginate .pagination>li.disabled>span{background:#f5f5f5;border-left-color:#ededed;border-right-color:#ededed;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination-input{float:left;font-size:12px;line-height:1em;padding:4px 15px 0;text-align:right}.dataTables_paginate .pagination-input .paginate_input{border:1px solid #d1d1d1;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075);box-shadow:inset 0 1px 1px rgba(3,3,3,.075);font-size:12px;font-weight:600;height:19px;margin-right:8px;padding-right:3px;text-align:right;width:30px}.dataTables_paginate .pagination-input .paginate_of{position:relative}.dataTables_paginate .pagination-input .paginate_of b{margin-left:3px}.dataTables_wrapper{margin:20px 0}@media (max-width:767px){.dataTables_wrapper .table-responsive{margin-bottom:0}}.DTCR_clonedTable{background-color:rgba(255,255,255,.7);z-index:202}.DTCR_pointer{background-color:#0088ce;width:1px;z-index:201}table.datatable{margin-bottom:0;max-width:none!important}table.datatable thead .sorting,table.datatable thead .sorting_asc,table.datatable thead .sorting_asc_disabled,table.datatable thead .sorting_desc,table.datatable thead .sorting_desc_disabled{cursor:pointer}table.datatable thead .sorting_asc,table.datatable thead .sorting_desc{color:#0088ce!important;position:relative}table.datatable thead .sorting_asc:after,table.datatable thead .sorting_desc:after{content:"\f107";font-family:FontAwesome;font-size:10px;font-weight:400;height:9px;left:7px;line-height:12px;position:relative;top:2px;vertical-align:baseline;width:12px}table.datatable thead .sorting_asc:before,table.datatable thead .sorting_desc:before{background:#0088ce;content:'';height:2px;position:absolute;left:0;top:0;width:100%}table.datatable thead .sorting_asc:after{content:"\f106";top:-3px}table.datatable th:active{outline:0}.caret{font-family:FontAwesome;font-weight:400;height:9px;position:relative;vertical-align:baseline;width:12px}.caret:before{bottom:0;content:"\f107";left:0;line-height:12px;position:absolute;text-align:center;top:-1px;right:0}.dropup .caret:before{content:"\f106"}.dropdown-menu .divider{background-color:#ededed;height:1px;margin:4px 1px;overflow:hidden}.dropdown-menu>li>a{border-color:transparent;border-style:solid;border-width:1px 0;padding:1px 10px}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{border-color:#bee1f4;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>li>a:active{background-color:#0088ce;border-color:#0088ce;color:#fff!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{background-color:#0088ce!important;border-color:#0088ce!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-header{padding-left:10px;padding-right:10px;text-transform:uppercase}.btn-group>.dropdown-menu,.dropdown>.dropdown-menu,.input-group-btn>.dropdown-menu{margin-top:-1px}.dropup .dropdown-menu{margin-bottom:-1px}.dropdown-submenu{position:relative}.dropdown-submenu:hover>a{background-color:#def3ff;border-color:#bee1f4}.dropdown-submenu:hover>.dropdown-menu{display:block}.dropdown-submenu.pull-left{float:none!important}.dropdown-submenu.pull-left>.dropdown-menu{left:auto;margin-left:10px;right:100%}.dropdown-submenu>a{padding-right:20px!important}.dropdown-submenu>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:2px}.dropdown-submenu>.dropdown-menu{left:100%;margin-top:0;top:-6px}.dropup .dropdown-submenu>.dropdown-menu{bottom:-5px;top:auto}.open .dropdown-submenu.active>.dropdown-menu{display:block}.dropdown-kebab-pf .btn-link{color:#252525;font-size:16px;line-height:1;padding:4px 0}.dropdown-kebab-pf .btn-link:active,.dropdown-kebab-pf .btn-link:focus,.dropdown-kebab-pf .btn-link:hover{color:#0088ce}.dropdown-kebab-pf .dropdown-menu{left:-15px;margin-top:11px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right{left:auto;right:-15px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:after,.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:before{left:auto;right:6px}.dropdown-kebab-pf .dropdown-menu:after,.dropdown-kebab-pf .dropdown-menu:before{border-bottom-color:#bbb;border-bottom-style:solid;border-bottom-width:10px;border-left:10px solid transparent;border-right:10px solid transparent;content:"";display:inline-block;left:6px;position:absolute;top:-11px}.dropdown-kebab-pf .dropdown-menu:after{border-bottom-color:#fff;top:-10px}.dropdown-kebab-pf.dropup .dropdown-menu{margin-bottom:11px;margin-top:0}.dropdown-kebab-pf.dropup .dropdown-menu:after,.dropdown-kebab-pf.dropup .dropdown-menu:before{border-bottom:none;border-top-color:#bbb;border-top-style:solid;border-top-width:10px;bottom:-11px;top:auto}.dropdown-kebab-pf.dropup .dropdown-menu:after{border-top-color:#fff;bottom:-10px}@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;src:local('Open Sans'),local('OpenSans'),url(../fonts/open-sans/OpenSans-Regular.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:300;src:local('OpenSans-Light'),local('Open Sans Light'),url(../fonts/open-sans/OpenSans-Light.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:600;src:local('Open Sans Semibold'),local('OpenSans-Semibold'),url(../fonts/open-sans/OpenSans-Semibold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:700;src:local('Open Sans Bold'),local('OpenSans-Bold'),url(../fonts/open-sans/OpenSans-Bold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:800;src:local('Open Sans Extrabold'),local('OpenSans-Extrabold'),url(../fonts/open-sans/OpenSans-ExtraBold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:300;src:local('Open Sans Light Italic'),local('OpenSansLight-Italic'),url(../fonts/open-sans/OpenSans-LightItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:400;src:local('Open Sans Italic'),local('OpenSans-Italic'),url(../fonts/open-sans/OpenSans-Italic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:600;src:local('Open Sans Semibold Italic'),local('OpenSans-SemiboldItalic'),url(../fonts/open-sans/OpenSans-SemiboldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:700;src:local('Open Sans Bold Italic'),local('OpenSans-BoldItalic'),url(../fonts/open-sans/OpenSans-BoldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:800;src:local('Open Sans Extrabold Italic'),local('OpenSans-ExtraboldItalic'),url(../fonts/open-sans/OpenSans-ExtraBoldItalic.ttf) format('truetype')}.chars-remaining-pf span{font-weight:600;padding-right:5px}.chars-warn-remaining-pf{color:#c00}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f}.form-control[disabled]:hover,.form-control[readonly]:hover,fieldset[disabled] .form-control:hover{border-color:#bbb}.form-control:hover{border-color:#7dc3e8}.has-error .form-control:hover{border-color:#900}.has-success .form-control:hover{border-color:#2b542c}.has-warning .form-control:hover{border-color:#bb6106}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label,.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label,.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#363636}.help-block{margin-bottom:0}.input-group .input-group-btn .btn{-webkit-box-shadow:none;box-shadow:none}label{font-weight:600}.navbar-nav>li>.dropdown-menu.infotip{border-top-width:1px!important;margin-top:10px}@media (max-width:767px){.navbar-pf .navbar-nav .open .dropdown-menu.infotip{background-color:#fff!important;margin-top:0}}.infotip{min-width:235px;padding:0}.infotip .list-group{border-top:0;margin:0;padding:8px 0}.infotip .list-group .list-group-item{border:none;margin:0 15px 0 34px;padding:5px 0}.infotip .list-group .list-group-item>.i{color:#4d5258;font-size:13px;left:-20px;position:absolute;top:8px}.infotip .list-group .list-group-item>a{color:#4d5258;line-height:13px}.infotip .list-group .list-group-item>.close{float:right}.infotip .footer{background-color:#f5f5f5;padding:6px 15px}.infotip .footer a:hover{color:#0088ce}.infotip .arrow,.infotip .arrow:after{border-color:transparent;border-style:solid;display:block;height:0;position:absolute;width:0}.infotip .arrow{border-width:11px}.infotip .arrow:after{border-width:10px;content:""}.infotip.bottom .arrow,.infotip.bottom-left .arrow,.infotip.bottom-right .arrow{border-bottom-color:#999;border-bottom-color:#bbb;border-top-width:0;left:50%;margin-left:-11px;top:-11px}.infotip.bottom .arrow:after,.infotip.bottom-left .arrow:after,.infotip.bottom-right .arrow:after{border-top-width:0;border-bottom-color:#fff;content:" ";margin-left:-10px;top:1px}.infotip.bottom-left .arrow{left:20%}.infotip.bottom-right .arrow{left:80%}.infotip.top .arrow{border-bottom-width:0;border-top-color:#999;border-top-color:#bbb;bottom:-11px;left:50%;margin-left:-11px}.infotip.top .arrow:after{border-bottom-width:0;border-top-color:#f5f5f5;bottom:1px;content:" ";margin-left:-10px}.infotip.right .arrow{border-left-width:0;border-right-color:#999;border-right-color:#bbb;left:-11px;margin-top:-11px;top:50%}.infotip.right .arrow:after{bottom:-10px;border-left-width:0;border-right-color:#fff;content:" ";left:1px}.infotip.left .arrow{border-left-color:#999;border-left-color:#bbb;border-right-width:0;margin-top:-11px;right:-11px;top:50%}.infotip.left .arrow:after{border-left-color:#fff;border-right-width:0;bottom:-10px;content:" ";right:1px}.label{border-radius:0;font-size:100%;font-weight:600}h1 .label,h2 .label,h3 .label,h4 .label,h5 .label,h6 .label{font-size:75%}.list-group{border-top:1px solid #ededed}.list-group .list-group-item:first-child{border-top:0}.list-group-item{border-top:0;border-left:0;border-right:0;margin-bottom:0}.list-group-item-heading{font-weight:600}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{border-top:solid 1px #39a5dc;margin-top:-1px;z-index:auto}.list-group-item.active:first-child{border-top:1px solid #39a5dc!important;margin-top:-1px}.login-pf{height:100%}.login-pf #brand{position:relative;top:-70px}.login-pf #brand img{display:block;height:18px;margin:0 auto;max-width:100%}@media (min-width:768px){.login-pf #brand img{margin:0;text-align:left}}.login-pf #badge{display:block;margin:20px auto 70px;position:relative;text-align:center}@media (min-width:768px){.login-pf #badge{float:right;margin-right:64px;margin-top:50px}}.login-pf body{background:#1a1a1a url(../img/bg-login.jpg) repeat-x 50% 0;background-size:auto}@media (min-width:768px){.login-pf body{background-size:100% auto}}.login-pf .container{background-color:transparent;clear:right;color:#fff;padding-bottom:40px;padding-top:20px;width:auto}@media (min-width:768px){.login-pf .container{bottom:13%;padding-left:80px;position:absolute;width:100%}}.login-pf .container [class^=alert]{background:0 0;color:#fff}.login-pf .container .details p:first-child{border-top:1px solid rgba(255,255,255,.3);padding-top:25px;margin-top:25px}@media (min-width:768px){.login-pf .container .details{border-left:1px solid rgba(255,255,255,.3);padding-left:40px}.login-pf .container .details p:first-child{border-top:0;padding-top:0;margin-top:0}}.login-pf .container .details p{margin-bottom:2px}.login-pf .container .form-horizontal .control-label{font-size:13px;font-weight:400;text-align:left}.login-pf .container .form-horizontal .form-group:last-child,.login-pf .container .form-horizontal .form-group:last-child .help-block:last-child{margin-bottom:0}.login-pf .container .help-block{color:#fff}@media (min-width:768px){.login-pf .container .login{padding-right:40px}}.login-pf .container .submit{text-align:right}.modal-header{background-color:#f5f5f5;border-bottom:none;padding:10px 18px}.modal-header .close{margin-top:2px}.modal-title{font-size:13px;font-weight:700}.modal-footer{border-top:none;margin-top:15px;padding:14px 15px 15px}.modal-footer>.btn{padding-left:10px;padding-right:10px}.modal-footer>.btn>.fa-angle-left{margin-right:5px}.modal-footer>.btn>.fa-angle-right{margin-left:5px}.navbar-pf{background:#393F45;border:0;border-radius:0;border-top:3px solid #c00;margin-bottom:0;min-height:0}.navbar-pf .navbar-brand{color:#fff;height:auto;padding:12px 0;margin:0 0 0 20px}.navbar-pf .navbar-brand img{display:block}.navbar-pf .navbar-collapse{border-top:0;-webkit-box-shadow:none;box-shadow:none;padding:0}.navbar-pf .navbar-header{border-bottom:1px solid #53565b;float:none}.navbar-pf .navbar-nav{margin:0}.navbar-pf .navbar-nav>.active>a,.navbar-pf .navbar-nav>.active>a:focus,.navbar-pf .navbar-nav>.active>a:hover{background-color:#454C53;color:#fff}.navbar-pf .navbar-nav>li>a{color:#dbdada;line-height:1;padding:10px 20px;text-shadow:none}.navbar-pf .navbar-nav>li>a:focus,.navbar-pf .navbar-nav>li>a:hover{color:#fff}.navbar-pf .navbar-nav>.open>a,.navbar-pf .navbar-nav>.open>a:focus,.navbar-pf .navbar-nav>.open>a:hover{background-color:#454C53;color:#fff}@media (max-width:767px){.navbar-pf .navbar-nav .active .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent,.navbar-pf .navbar-nav .open .dropdown-menu{background-color:#3c434a!important;margin-left:0;padding-bottom:0;padding-top:0}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:hover{background-color:#424950!important;color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent>li>a,.navbar-pf .navbar-nav .open .dropdown-menu>li>a{background-color:transparent;border:0;color:#dbdada;outline:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu>li>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>li>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>li>a:hover{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .divider,.navbar-pf .navbar-nav .active .navbar-persistent .divider,.navbar-pf .navbar-nav .open .dropdown-menu .divider{background-color:#53565b;margin:0 1px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-header{padding-bottom:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open .dropdown-toggle{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.pull-left{float:none!important}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu>a:after,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu>a:after{display:none}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-header{padding-left:45px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu{border:0;bottom:auto;-webkit-box-shadow:none;box-shadow:none;display:block;float:none;margin:0;min-width:0;padding:0;position:relative;left:auto;right:auto;top:auto}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu>li>a{padding:5px 15px 5px 45px;line-height:20px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a{padding-left:60px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-menu{display:block}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after{display:inline-block!important;position:relative;right:auto;top:1px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu{display:none}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-submenu>a:after{display:none!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu{background-color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active small{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.disabled>a{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li>a.opt{border-bottom:1px solid transparent;border-top:1px solid transparent;color:#363636;padding-left:10px;padding-right:10px}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:focus small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:hover small{color:#9c9c9c}.navbar-pf .navbar-nav .context-bootstrap-select>.open>.dropdown-menu{padding-bottom:5px;padding-top:5px}}.navbar-pf .navbar-persistent{display:none}.navbar-pf .active>.navbar-persistent{display:block}.navbar-pf .navbar-primary{float:none}.navbar-pf .navbar-primary .context{border-bottom:1px solid #53565b}.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group,.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group[class*=span]{margin:8px 20px 9px;width:auto}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a{position:relative}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{content:"\f107";display:inline-block;font-family:FontAwesome;font-weight:400}@media (max-width:767px){.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{height:10px;margin-left:4px;vertical-align:baseline}}.navbar-pf .navbar-toggle{border:0;margin:0;padding:10px 20px}.navbar-pf .navbar-toggle:focus,.navbar-pf .navbar-toggle:hover{background-color:transparent;outline:0}.navbar-pf .navbar-toggle:focus .icon-bar,.navbar-pf .navbar-toggle:hover .icon-bar{-webkit-box-shadow:0 0 3px #fff;box-shadow:0 0 3px #fff}.navbar-pf .navbar-toggle .icon-bar{background-color:#fff}.navbar-pf .navbar-utility{border-bottom:1px solid #53565b}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:36px;position:relative}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:20px;position:absolute;top:10px}@media (max-width:767px){.navbar-pf .navbar-utility>li+li{border-top:1px solid #53565b}}@media (min-width:768px){.navbar-pf .navbar-brand{padding:7px 0 8px}.navbar-pf .navbar-nav>li>a{padding-bottom:14px;padding-top:14px}.navbar-pf .navbar-persistent{font-size:14px}.navbar-pf .navbar-primary{font-size:14px;background-image:-webkit-linear-gradient(top,#474c50 0,#383f43 100%);background-image:-o-linear-gradient(top,#474c50 0,#383f43 100%);background-image:linear-gradient(to bottom,#474c50 0,#383f43 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff474c50', endColorstr='#ff383f43', GradientType=0)}.navbar-pf .navbar-primary.persistent-secondary .context .dropdown-menu{top:auto}.navbar-pf .navbar-primary.persistent-secondary .dropup .dropdown-menu{bottom:-5px;top:auto}.navbar-pf .navbar-primary.persistent-secondary>li{position:static}.navbar-pf .navbar-primary.persistent-secondary>li.active{margin-bottom:32px}.navbar-pf .navbar-primary.persistent-secondary>li.active>.navbar-persistent{display:block;left:0;position:absolute}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent{background:#f6f6f6;border-bottom:1px solid #cecdcd;padding:0;width:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent a{text-decoration:none!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a:hover{color:#0088ce!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active .active>a{color:#fff}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu:hover>.dropdown-menu{display:none}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-menu{display:block;left:20px;margin-top:1px;top:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle{padding-right:35px!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle:after{position:absolute;right:20px;top:10px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a:after,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a{background-color:transparent;display:block;line-height:1;padding:9px 20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle{padding-right:35px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle:after{font-size:15px;position:absolute;right:20px;top:9px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a:hover{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li a{color:#4d5258}.navbar-pf .navbar-primary>li>a{border-bottom:1px solid transparent;border-top:1px solid transparent;position:relative;margin:-1px 0 0}.navbar-pf .navbar-primary>li>a:hover{background-color:#4b5053;border-top-color:#949699;color:#dbdada;background-image:-webkit-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:-o-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:linear-gradient(to bottom,#5c6165 0,#4b5053 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5c6165', endColorstr='#ff4b5053', GradientType=0)}.navbar-pf .navbar-primary>.active>a,.navbar-pf .navbar-primary>.active>a:focus,.navbar-pf .navbar-primary>.active>a:hover,.navbar-pf .navbar-primary>.open>a,.navbar-pf .navbar-primary>.open>a:focus,.navbar-pf .navbar-primary>.open>a:hover{background-color:#64686c;border-bottom-color:#64686c;border-top-color:#949699;-webkit-box-shadow:none;box-shadow:none;color:#fff;background-image:-webkit-linear-gradient(top,#72757a 0,#64686c 100%);background-image:-o-linear-gradient(top,#72757a 0,#64686c 100%);background-image:linear-gradient(to bottom,#72757a 0,#64686c 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff72757a', endColorstr='#ff64686c', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select .filter-option{max-width:160px;text-overflow:ellipsis}.navbar-pf .navbar-primary li.context.dropdown{border-bottom:0}.navbar-pf .navbar-primary li.context.context-bootstrap-select,.navbar-pf .navbar-primary li.context>a{background-color:#505458;border-bottom-color:#65696d;border-right:1px solid #65696d;border-top-color:#64696d;font-weight:600;background-image:-webkit-linear-gradient(top,#585d61 0,#505458 100%);background-image:-o-linear-gradient(top,#585d61 0,#505458 100%);background-image:linear-gradient(to bottom,#585d61 0,#505458 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff585d61', endColorstr='#ff505458', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select:hover,.navbar-pf .navbar-primary li.context>a:hover{background-color:#5a5e62;border-bottom-color:#6e7276;border-right-color:#6e7276;border-top-color:#6c7276;background-image:-webkit-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:-o-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:linear-gradient(to bottom,#62676b 0,#5a5e62 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff62676b', endColorstr='#ff5a5e62', GradientType=0)}.navbar-pf .navbar-primary li.context.open>a{background-color:#65696d;border-bottom-color:#6e7276;border-right-color:#777a7e;border-top-color:#767a7e;background-image:-webkit-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:-o-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:linear-gradient(to bottom,#6b7175 0,#65696d 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6b7175', endColorstr='#ff65696d', GradientType=0)}.navbar-pf .navbar-utility{border-bottom:0;font-size:11px;position:absolute;right:0;top:0}.navbar-pf .navbar-utility>.active>a,.navbar-pf .navbar-utility>.active>a:focus,.navbar-pf .navbar-utility>.active>a:hover,.navbar-pf .navbar-utility>.open>a,.navbar-pf .navbar-utility>.open>a:focus,.navbar-pf .navbar-utility>.open>a:hover{background:#5b6165;color:#fff}.navbar-pf .navbar-utility>li>a{border-left:1px solid #53565b;color:#fff!important;padding:7px 10px}.navbar-pf .navbar-utility>li>a:hover{background:#4a5053;border-left-color:#636466}.navbar-pf .navbar-utility>li.open>a{border-left-color:#6c6e70;color:#fff!important}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:26px}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:10px;top:7px}.navbar-pf .navbar-utility .open .dropdown-menu{left:auto;right:0}.navbar-pf .navbar-utility .open .dropdown-menu .dropdown-menu{left:auto;right:100%}.navbar-pf .navbar-utility .open .dropdown-menu{border-top-width:0}.navbar-pf .open .dropdown-submenu>.dropdown-menu,.navbar-pf .open.bootstrap-select .dropdown-menu{border-top-width:1px!important}}@media (max-width:360px){.navbar-pf .navbar-brand{margin-left:10px;width:75%}.navbar-pf .navbar-brand img{height:auto;max-width:100%}.navbar-pf .navbar-toggle{padding-left:0}}.drawer-pf{background-color:#fafafa;border:1px solid #d1d1d1;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);overflow-y:auto;position:absolute;right:0;width:320px;z-index:2}.drawer-pf .panel{border-bottom:none;border-left:none;border-right:none}.drawer-pf .panel-group .panel-heading+.panel-collapse .panel-body{border-top:none;border-bottom:1px solid #d1d1d1;padding:0}.drawer-pf .panel-counter{display:block;font-style:italic;line-height:1.2;padding-left:18px;padding-top:5px}.drawer-pf .panel-heading{border-bottom:1px solid #d1d1d1}.drawer-pf .panel-group{bottom:0;margin-bottom:0;position:absolute;top:25px;width:100%}.drawer-pf .panel-title a{cursor:pointer;display:block}.drawer-pf.drawer-pf-expanded{left:270px;width:inherit}.drawer-pf.drawer-pf-expanded .drawer-pf-toggle-expand:before{content:"\f101"}.drawer-pf-toggle-expand{color:inherit;cursor:pointer;left:0;padding:2px 5px;position:absolute}.drawer-pf-toggle-expand:before{content:"\f100";font-family:FontAwesome}.drawer-pf-toggle-expand:focus,.drawer-pf-toggle-expand:hover{color:inherit;text-decoration:none}.drawer-pf-action .btn-link{color:#0088ce;padding:10px 0}.drawer-pf-action .btn-link:hover{color:#00659c}.drawer-pf-loading{color:#4d5258;font-size:14px;padding:20px 15px}.drawer-pf-notification{border-bottom:1px solid #d1d1d1;padding:15px}.drawer-pf-notification .date{border-right:1px solid #aaa;display:inline-block;line-height:1;margin-right:5px;padding-right:9px}.drawer-pf-notification .pficon{font-size:14px;margin-top:3px}.drawer-pf-notification:last-of-type{border-bottom:none}.drawer-pf-notification:hover{background-color:#def3ff}.drawer-pf-notification.unread .drawer-pf-notification-message{font-weight:700}.drawer-pf-notification.expanded-notification .date{border-right:none;padding-right:0}.drawer-pf-notification-info,.drawer-pf-notification-message{display:block;padding-left:27px;padding-right:19px}.expanded-notification .drawer-pf-notification-info,.expanded-notification .drawer-pf-notification-message{display:inline-block}.drawer-pf-notifications-non-clickable .drawer-pf-notification:hover{background-color:#fff}.drawer-pf-title{background-color:#fafafa;border-bottom:1px solid #d1d1d1;position:absolute;width:318px}.drawer-pf-title h3{font-size:12px;margin:0;padding:6px 15px}.navbar-pf-vertical .drawer-pf{height:calc(100vh - 80px);top:58px}.navbar-pf-vertical .nav .drawer-pf-trigger .drawer-pf-trigger-icon{border-left:1px solid #53565b;border-right:1px solid #53565b;padding-left:15px;padding-right:15px}.navbar-pf-vertical .nav .drawer-pf-trigger.open .drawer-pf-trigger-icon{background-color:#4a5053}.navbar-pf .drawer-pf{height:calc(100vh - 46px);top:26px}.navbar-pf .drawer-pf-trigger-icon{cursor:pointer}.pager li>a,.pager li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;font-weight:600;line-height:22px;padding:2px 14px}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>a:focus,.pager li>a:hover,.pager li>span.active,.pager li>span:active,.pager li>span:focus,.pager li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>span.active,.pager li>span:active{background-image:none}.open .dropdown-toggle.pager li>a.focus,.open .dropdown-toggle.pager li>a:focus,.open .dropdown-toggle.pager li>a:hover,.open .dropdown-toggle.pager li>span.focus,.open .dropdown-toggle.pager li>span:focus,.open .dropdown-toggle.pager li>span:hover,.pager li>a.active.focus,.pager li>a.active:focus,.pager li>a.active:hover,.pager li>a:active.focus,.pager li>a:active:focus,.pager li>a:active:hover,.pager li>span.active.focus,.pager li>span.active:focus,.pager li>span.active:hover,.pager li>span:active.focus,.pager li>span:active:focus,.pager li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pager li>a.disabled,.pager li>a.disabled.active,.pager li>a.disabled:active,.pager li>a.disabled:focus,.pager li>a.disabled:hover,.pager li>a[disabled],.pager li>a[disabled].active,.pager li>a[disabled]:active,.pager li>a[disabled]:focus,.pager li>a[disabled]:hover,.pager li>span.disabled,.pager li>span.disabled.active,.pager li>span.disabled:active,.pager li>span.disabled:focus,.pager li>span.disabled:hover,.pager li>span[disabled],.pager li>span[disabled].active,.pager li>span[disabled]:active,.pager li>span[disabled]:focus,.pager li>span[disabled]:hover,fieldset[disabled] .pager li>a,fieldset[disabled] .pager li>a.active,fieldset[disabled] .pager li>a:active,fieldset[disabled] .pager li>a:focus,fieldset[disabled] .pager li>a:hover,fieldset[disabled] .pager li>span,fieldset[disabled] .pager li>span.active,fieldset[disabled] .pager li>span:active,fieldset[disabled] .pager li>span:focus,fieldset[disabled] .pager li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pager li>a>.i,.pager li>span>.i{font-size:18px;vertical-align:top;margin:2px 0}.pager li>a:hover>a:focus{color:#4d5258}.pager li a:active{background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(3,3,3,.125);box-shadow:inset 0 3px 5px rgba(3,3,3,.125);outline:0}.pager .disabled>a,.pager .disabled>a:active,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{background:#f5f5f5;-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f;cursor:default}.pager .next>a>.i,.pager .next>span>.i{margin-left:5px}.pager .previous>a>.i,.pager .previous>span>.i{margin-right:5px}.pager-sm li>a,.pager-sm li>span{font-weight:400;line-height:16px;padding:1px 10px}.pager-sm li>a>.i,.pager-sm li>span>.i{font-size:12px}.pagination>li>a,.pagination>li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;cursor:default;font-weight:600;padding:2px 10px}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span.active,.pagination>li>span:active,.pagination>li>span:focus,.pagination>li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>span.active,.pagination>li>span:active{background-image:none}.open .dropdown-toggle.pagination>li>a.focus,.open .dropdown-toggle.pagination>li>a:focus,.open .dropdown-toggle.pagination>li>a:hover,.open .dropdown-toggle.pagination>li>span.focus,.open .dropdown-toggle.pagination>li>span:focus,.open .dropdown-toggle.pagination>li>span:hover,.pagination>li>a.active.focus,.pagination>li>a.active:focus,.pagination>li>a.active:hover,.pagination>li>a:active.focus,.pagination>li>a:active:focus,.pagination>li>a:active:hover,.pagination>li>span.active.focus,.pagination>li>span.active:focus,.pagination>li>span.active:hover,.pagination>li>span:active.focus,.pagination>li>span:active:focus,.pagination>li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pagination>li>a.disabled,.pagination>li>a.disabled.active,.pagination>li>a.disabled:active,.pagination>li>a.disabled:focus,.pagination>li>a.disabled:hover,.pagination>li>a[disabled],.pagination>li>a[disabled].active,.pagination>li>a[disabled]:active,.pagination>li>a[disabled]:focus,.pagination>li>a[disabled]:hover,.pagination>li>span.disabled,.pagination>li>span.disabled.active,.pagination>li>span.disabled:active,.pagination>li>span.disabled:focus,.pagination>li>span.disabled:hover,.pagination>li>span[disabled],.pagination>li>span[disabled].active,.pagination>li>span[disabled]:active,.pagination>li>span[disabled]:focus,.pagination>li>span[disabled]:hover,fieldset[disabled] .pagination>li>a,fieldset[disabled] .pagination>li>a.active,fieldset[disabled] .pagination>li>a:active,fieldset[disabled] .pagination>li>a:focus,fieldset[disabled] .pagination>li>a:hover,fieldset[disabled] .pagination>li>span,fieldset[disabled] .pagination>li>span.active,fieldset[disabled] .pagination>li>span:active,fieldset[disabled] .pagination>li>span:focus,fieldset[disabled] .pagination>li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pagination>li>a>.i,.pagination>li>span>.i{font-size:15px;vertical-align:top;margin:2px 0}.pagination>li>a:active,.pagination>li>span:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{background-color:#f1f1f1;border-color:#bbb;-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2);color:#4d5258;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{-webkit-box-shadow:none;box-shadow:none;cursor:default;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination-sm>li>a,.pagination-sm>li>span{padding:2px 6px;font-size:11px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:1px;border-top-left-radius:1px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:1px;border-top-right-radius:1px}.pagination-sm>li>a,.pagination-sm>li>span{font-weight:400}.pagination-sm>li>a>.i,.pagination-sm>li>span>.i{font-size:12px;margin-top:2px}.panel-title{font-weight:700}.panel-group .panel{color:#4d5258}.panel-group .panel+.panel{margin-top:-1px}.panel-group .panel-default{border-color:#bbb;border-top-color:#bbb}.panel-group .panel-heading{background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #d1d1d1}.panel-group .panel-title{font-weight:500;line-height:1}.panel-group .panel-title>a{color:#4d5258;font-weight:600}.panel-group .panel-title>a:before{content:"\f107";display:inline-block;font-family:FontAwesome;font-size:13px;margin-right:5px;text-align:center;vertical-align:0;width:8px}.panel-group .panel-title>a:focus{outline:0;text-decoration:none}.panel-group .panel-title>a:hover{text-decoration:none}.panel-group .panel-title>a.collapsed:before{content:"\f105"}.popover{-webkit-box-shadow:0 2px 2px rgba(3,3,3,.08);box-shadow:0 2px 2px rgba(3,3,3,.08);padding:0}.popover-content{color:#4d5258;line-height:18px;padding:10px 14px}.popover-title{border-bottom:none;border-radius:0;color:#4d5258;font-size:13px;font-weight:700;min-height:34px}.popover-title .close{height:22px;position:absolute;right:8px;top:6px}.popover-title.closable{padding-right:30px}@-webkit-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}.progress{-webkit-box-shadow:inset 0 0 1px rgba(3,3,3,.25);box-shadow:inset 0 0 1px rgba(3,3,3,.25)}.progress.progress-label-left,.progress.progress-label-top-right{overflow:visible;position:relative}.progress.progress-label-left{margin-left:40px}.progress.progress-sm{height:14px;margin-bottom:14px}.progress.progress-xs{height:6px;margin-bottom:6px}td>.progress:first-child:last-child{margin-bottom:0;margin-top:3px}.progress-bar{box-shadow:none}.progress-label-left .progress-bar span,.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{color:#363636;position:absolute;text-align:right}.progress-label-left .progress-bar span{font-size:14px;left:-40px;top:0;width:35px}.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{font-size:11px;overflow:hidden;right:0;text-overflow:ellipsis;white-space:nowrap}.progress-label-right .progress-bar span strong,.progress-label-top-right .progress-bar span strong{font-weight:600}.progress-label-right .progress-bar span{max-width:85px;top:0}.progress-label-top-right .progress-bar span{max-width:47%;top:-30px}.progress-label-left.progress-sm .progress-bar span,.progress-label-top-right.progress-sm .progress-bar span{font-size:12px}.progress-sm .progress-bar{line-height:14px}.progress-xs .progress-bar{line-height:6px}.progress-bar-remaining{background:0 0}.progress-container{position:relative}.progress-container.progress-description-left{padding-left:90px}.progress-container.progress-label-right{padding-right:90px}.progress-description{margin-bottom:10px;max-width:52%;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.progress-description .count{font-size:20px;font-weight:300;line-height:1;margin-right:5px}.progress-description .fa,.progress-description .pficon{font-size:14px;margin-right:3px}.progress-description-left .progress-description{left:0;margin-bottom:0;max-width:85px;position:absolute;top:0}.progress-description .tooltip{white-space:normal}.search-pf.has-button{border-collapse:separate;display:table}.search-pf.has-button .form-group{display:table-cell;width:100%}.search-pf.has-button .form-group .btn{-webkit-box-shadow:none;box-shadow:none;float:left;margin-left:-1px}.search-pf.has-button .form-group .btn.btn-lg{font-size:14.5px}.search-pf.has-button .form-group .btn.btn-sm{font-size:10.7px}.search-pf.has-button .form-group .form-control{float:left}.search-pf .has-clear .clear{background:0 0;background:rgba(255,255,255,0);border:0;height:25px;line-height:1;padding:0;position:absolute;right:1px;top:1px;width:28px}.search-pf .has-clear .clear:focus{outline:0}.search-pf .has-clear .form-control{padding-right:30px}.search-pf .has-clear .form-control::-ms-clear{display:none}.search-pf .has-clear .input-lg+.clear{height:31px;width:28px}.search-pf .has-clear .input-sm+.clear{height:20px;width:28px}.search-pf .has-clear .input-sm+.clear span{font-size:10px}.search-pf .has-clear .search-pf-input-group{position:relative}.sidebar-header{border-bottom:1px solid #ececec;padding-bottom:11px;margin:50px 0 20px}.sidebar-header .actions{margin-top:-2px}.sidebar-pf .sidebar-header+.list-group{border-top:0;margin-top:-10px}.sidebar-pf .sidebar-header+.list-group .list-group-item{background:0 0;border-color:#ececec;padding-left:0}.sidebar-pf .sidebar-header+.list-group .list-group-item-heading{font-size:12px}.sidebar-pf .nav-category h2{color:#9c9c9c;font-size:12px;font-weight:400;line-height:21px;margin:0;padding:8px 0}.sidebar-pf .nav-category+.nav-category{margin-top:10px}.sidebar-pf .nav-pills>li.active>a{background:#0088ce!important;border-color:#0088ce!important;color:#fff}@media (min-width:768px){.sidebar-pf .nav-pills>li.active>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}.sidebar-pf .nav-pills>li.active>a .fa{color:#fff}.sidebar-pf .nav-pills>li>a{border-bottom:1px solid transparent;border-radius:0;border-top:1px solid transparent;color:#363636;font-size:13px;line-height:21px;padding:1px 20px}.sidebar-pf .nav-pills>li>a:hover{background:#def3ff;border-color:#bee1f4}.sidebar-pf .nav-pills>li>a .fa{color:#6a7079;font-size:15px;margin-right:10px;text-align:center;vertical-align:middle;width:15px}.sidebar-pf .nav-stacked{margin-left:-20px;margin-right:-20px}.sidebar-pf .nav-stacked li+li{margin-top:0}.sidebar-pf .panel{background:0 0}.sidebar-pf .panel-body{padding:6px 20px}.sidebar-pf .panel-body .nav-pills>li>a{padding-left:37px}.sidebar-pf .panel-heading{padding:9px 20px}.sidebar-pf .panel-title{font-size:12px}.sidebar-pf .panel-title>a:before{display:inline-block;margin-left:1px;margin-right:4px;width:9px}.sidebar-pf .panel-title>a.collapsed:before{margin-left:3px;margin-right:2px}@media (min-width:767px){.sidebar-header-bleed-left{margin-left:-20px}.sidebar-header-bleed-left>h2{margin-left:20px}.sidebar-header-bleed-right{margin-right:-20px}.sidebar-header-bleed-right .actions{margin-right:20px}.sidebar-header-bleed-right>h2{margin-right:20px}.sidebar-header-bleed-right+.list-group{margin-right:-20px}.sidebar-pf .panel-group .panel-default,.sidebar-pf .treeview{border-left:0;border-right:0;margin-left:-20px;margin-right:-20px}.sidebar-pf .treeview{margin-top:5px}.sidebar-pf .treeview .list-group-item{padding-left:20px;padding-right:20px}.sidebar-pf .treeview .list-group-item.node-selected:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}@media (min-width:768px){.sidebar-pf{background:#fafafa}.sidebar-pf.sidebar-pf-left{border-right:1px solid #d1d1d1}.sidebar-pf.sidebar-pf-right{border-left:1px solid #d1d1d1}.sidebar-pf>.nav-category,.sidebar-pf>.nav-stacked{margin-top:5px}}@-webkit-keyframes rotation{from{-webkit-transform:rotate(0)}to{-webkit-transform:rotate(359deg)}}@keyframes rotation{from{transform:rotate(0)}to{transform:rotate(359deg)}}.spinner{-webkit-animation:rotation .6s infinite linear;animation:rotation .6s infinite linear;border-bottom:4px solid rgba(3,3,3,.25);border-left:4px solid rgba(3,3,3,.25);border-right:4px solid rgba(3,3,3,.25);border-radius:100%;border-top:4px solid rgba(3,3,3,.75);height:24px;margin:0 auto;position:relative;width:24px}.spinner.spinner-inline{display:inline-block;margin-right:3px}.spinner.spinner-lg{border-width:5px;height:30px;width:30px}.spinner.spinner-sm{border-width:3px;height:18px;width:18px}.spinner.spinner-xs{border-width:2px;height:12px;width:12px}.spinner.spinner-inverse{border-bottom-color:rgba(255,255,255,.25);border-left-color:rgba(255,255,255,.25);border-right-color:rgba(255,255,255,.25);border-top-color:rgba(255,255,255,.75)}.ie9 .spinner{background:url(../img/spinner.gif) no-repeat;border:0}.ie9 .spinner.spinner-inverse{background-image:url(../img/spinner-inverse.gif)}.ie9 .spinner.spinner-inverse-lg{background-image:url(../img/spinner-inverse-lg.gif)}.ie9 .spinner.spinner-inverse-sm{background-image:url(../img/spinner-inverse-sm.gif)}.ie9 .spinner.spinner-inverse-xs{background-image:url(../img/spinner-inverse-xs.gif)}.ie9 .spinner.spinner-lg{background-image:url(../img/spinner-lg.gif)}.ie9 .spinner.spinner-sm{background-image:url(../img/spinner-sm.gif)}.ie9 .spinner.spinner-xs{background-image:url(../img/spinner-xs.gif)}.prettyprint .atn,.prettyprint .com,.prettyprint .fun,.prettyprint .var{color:#3f9c35}.prettyprint .atv,.prettyprint .str{color:#a30000}.prettyprint .clo,.prettyprint .dec,.prettyprint .kwd,.prettyprint .opn,.prettyprint .pln,.prettyprint .pun{color:#363636}.prettyprint .lit,.prettyprint .tag,.prettyprint .typ{color:#00659c}.prettyprint ol.linenums{margin-bottom:0}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:2px 10px 3px}.table>tbody>tr>td>a:hover,.table>tbody>tr>th>a:hover,.table>tfoot>tr>td>a:hover,.table>tfoot>tr>th>a:hover,.table>thead>tr>td>a:hover,.table>thead>tr>th>a:hover{text-decoration:none}.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>th{font-family:'Open Sans';font-style:normal;font-weight:600}.table>thead{background-clip:padding-box;background-color:#f5f5f5;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.table-bordered{border:1px solid #d1d1d1}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #d1d1d1}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:1px}.table-striped>tbody>tr:nth-of-type(even){background-color:#f5f5f5}.table-striped>tbody>tr:nth-of-type(odd){background-color:transparent}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#def3ff;border-bottom-color:#7dc3e8}.table-treegrid span.indent{margin-left:10px;margin-right:10px}.table-treegrid span.icon{display:inline-block;font-size:13px;margin-right:5px;min-width:10px;text-align:center}.table-treegrid span.collapse-icon,.table-treegrid span.expand-icon{cursor:pointer}.table-treegrid>tbody>tr.odd{background-color:#f5f5f5}.nav-tabs{font-size:14px}.nav-tabs>li>a{color:#4d5258;margin-right:-1px;padding-bottom:5px;padding-top:5px}.nav-tabs>li>a:active,.nav-tabs>li>a:focus,.nav-tabs>li>a:hover{background:0 0;border-color:#ededed;color:#252525}.nav-tabs>li>.dropdown-menu{border-top:0;border-color:#ededed}.nav-tabs>li>.dropdown-menu.pull-right{right:-1px}.nav-tabs+.nav-tabs-pf{font-size:12px}.nav-tabs+.nav-tabs-pf>li:first-child>a{padding-left:15px}.nav-tabs+.nav-tabs-pf>li:first-child>a:before{left:15px!important}.nav-tabs .open>a,.nav-tabs .open>a:focus,.nav-tabs .open>a:hover{background-color:transparent;border-color:#ededed}@media (min-width:768px){.nav-tabs-pf.nav-justified{border-bottom:1px solid #ededed}}.nav-tabs-pf.nav-justified>li:first-child>a{padding-left:15px}.nav-tabs-pf.nav-justified>li>a{border-bottom:0}.nav-tabs-pf.nav-justified>li>a:before{left:0!important;right:0!important}.nav-tabs-pf>li{margin-bottom:0}.nav-tabs-pf>li.active>a:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li.active>a,.nav-tabs-pf>li.active>a:active,.nav-tabs-pf>li.active>a:focus,.nav-tabs-pf>li.active>a:hover{background-color:transparent;border:0!important;color:#0088ce}.nav-tabs-pf>li.active>a:active:before,.nav-tabs-pf>li.active>a:before,.nav-tabs-pf>li.active>a:focus:before,.nav-tabs-pf>li.active>a:hover:before{background:#0088ce}.nav-tabs-pf>li:first-child>a{padding-left:0}.nav-tabs-pf>li:first-child>a:before{left:0!important}.nav-tabs-pf>li>a{border:0;line-height:1;margin-right:0;padding-bottom:10px;padding-top:10px}.nav-tabs-pf>li>a:active:before,.nav-tabs-pf>li>a:focus:before,.nav-tabs-pf>li>a:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li>.dropdown-menu{left:15px;margin-top:1px}.nav-tabs-pf>li>.dropdown-menu.pull-right{left:auto;right:15px}.nav-tabs-pf .open>a,.nav-tabs-pf .open>a:focus,.nav-tabs-pf .open>a:hover{background-color:transparent}.tooltip{font-size:12px;line-height:1.4}.tooltip-inner{padding:7px 12px;text-align:left}.h1,.h2,h1,h2{font-weight:300}.page-header .actions{margin-top:8px}.page-header .actions a>.pficon{margin-right:4px}@media (min-width:767px){.page-header-bleed-left{margin-left:-20px}.page-header-bleed-right{margin-right:-20px}.page-header-bleed-right .actions{margin-right:20px}} +\ No newline at end of file +-- +2.26.2 + + +From bcc1a38148401ba766d98647a5aba69a0905214e Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:40 +0300 +Subject: [PATCH 2/3] install/ui/less/brand.less: Change branding to IPA and + Identity Management + +--- + install/ui/less/brand.less | 103 ++++++++++++++++++------------------- + 1 file changed, 50 insertions(+), 53 deletions(-) + +diff --git a/install/ui/less/brand.less b/install/ui/less/brand.less +index c9030bb..7488eaf 100644 +--- a/install/ui/less/brand.less ++++ b/install/ui/less/brand.less +@@ -20,58 +20,55 @@ + + // this file should be overridden with brand/platform specific content + +-@login-details-border: #777777; ++@img-badge-ie8-height: 44px; ++@img-badge-ie8-width: 137px; ++// @img-bg-login: "bg-login.png"; ++// @img-bg-login-2: "bg-login-2.png"; ++@login-bg-color: #1a1a1a; ++@login-container-bg-color: transparent; ++@login-container-bg-color-rgba: transparent; ++@navbar-pf-bg-color: #393F45; ++@navbar-pf-border-color: #cc0000; ++@navbar-pf-active-color: #fff; ++@navbar-pf-color: #dbdada; ++@navbar-pf-icon-bar-bg-color: #fff; ++@navbar-pf-navbar-header-border-color: #53565b; ++@navbar-pf-navbar-nav-active-bg-color: #454C53; ++@navbar-pf-navbar-nav-active-active-bg-color: #3c434a; ++@navbar-pf-navbar-nav-active-active-open-bg-color: #424950; ++@navbar-pf-navbar-navbar-brand-min-width: 300px; ++@navbar-pf-navbar-navbar-brand-padding: 7px 0 8px; ++@navbar-pf-navbar-navbar-persistent-bg-color: #f6f6f6; ++@navbar-pf-navbar-navbar-persistent-border-color: #cecdcd; ++@navbar-pf-navbar-primary-active-bg-color-start: #72757a; ++@navbar-pf-navbar-primary-active-bg-color-stop: #64686c; ++@navbar-pf-navbar-primary-active-border-color: #949699; ++@navbar-pf-navbar-primary-bg-color-start: #474c50; ++@navbar-pf-navbar-primary-bg-color-stop: #383f43; ++@navbar-pf-navbar-primary-hover-bg-color-start: #5c6165; ++@navbar-pf-navbar-primary-hover-bg-color-stop: #4b5053; ++@navbar-pf-navbar-primary-hover-border-color: #949699; ++@navbar-pf-navbar-primary-context-active-bg-color-start: #6b7175; ++@navbar-pf-navbar-primary-context-active-bg-color-stop: #65696d; ++@navbar-pf-navbar-primary-context-active-border-color: #6e7276; ++@navbar-pf-navbar-primary-context-active-border-right-color: #777a7e; ++@navbar-pf-navbar-primary-context-active-border-top-color: #767a7e; ++@navbar-pf-navbar-primary-context-bg-color-start: #585d61; ++@navbar-pf-navbar-primary-context-bg-color-stop: #505458; ++@navbar-pf-navbar-primary-context-border-color: #65696d; ++@navbar-pf-navbar-primary-context-border-top-color: #64696d; ++@navbar-pf-navbar-primary-context-hover-bg-color-start: #62676b; ++@navbar-pf-navbar-primary-context-hover-bg-color-stop: #5a5e62; ++@navbar-pf-navbar-primary-context-hover-border-color: #6e7276; ++@navbar-pf-navbar-primary-context-hover-border-top-color: #6c7276; ++@navbar-pf-navbar-utility-border-color: #53565b; ++@navbar-pf-navbar-utility-color: #fff; ++@navbar-pf-navbar-utility-hover-bg-color: #4a5053; ++@navbar-pf-navbar-utility-hover-border-color: #636466; ++@navbar-pf-navbar-utility-open-bg-color: #5b6165; ++@navbar-pf-navbar-utility-open-border-color: #6c6e70; + +-.login-pf { +- +- .login-pf-body { +- padding-top: 50px; +- } +- +- #badge img { +- display: none; +- } +- +- #brand { +- position: absolute; +- top: -135px; +- img { +- height: auto; +- } +- } +- +- .container { +- padding-top: 40px; +- +- .details p:first-child { +- border-top: 1px solid @login-details-border; +- } +- } +-} +- +-// 768px == @screen-sm-min +-@media (min-width: 768px) { +- .navbar-pf .navbar-brand { +- padding: 2px 0 3px; +- } +- +- .login-pf .container .details { +- p:first-child { +- border-top: 0; +- } +- border-left: 1px solid @login-details-border; +- } +-} +- +-@media (max-height: 520px) { +- .reset-login-pf-height; +- .login-pf { +- .login-pf-body { +- padding-top: 0; +- } +- #badge { +- margin-top: 0; +- height: 70px; +- } +- } ++.info-page .navbar-header { ++ line-height: inherit; ++ margin-left: 20px; + } +\ No newline at end of file +-- +2.26.2 + + +From b9506f826164e757c9b4a694c9ca1bfda921f931 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:40 +0300 +Subject: [PATCH 3/3] install/ui/less/patternfly.less: Change branding to IPA + and Identity Management + +--- + install/ui/less/patternfly.less | 48 +++++++++++++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/install/ui/less/patternfly.less b/install/ui/less/patternfly.less +index a2e30c8..97a8d5c 100644 +--- a/install/ui/less/patternfly.less ++++ b/install/ui/less/patternfly.less +@@ -129,3 +129,51 @@ + + // our overrides + @fa-font-path: "../fonts/fontawesome"; ++ ++@img-badge-ie8-height: 44px; ++@img-badge-ie8-width: 137px; ++// @img-bg-login: "bg-login.png"; ++// @img-bg-login-2: "bg-login-2.png"; ++@login-bg-color: #1a1a1a; ++@login-container-bg-color: transparent; ++@login-container-bg-color-rgba: transparent; ++@navbar-pf-bg-color: #393F45; ++@navbar-pf-border-color: #cc0000; ++@navbar-pf-active-color: #fff; ++@navbar-pf-color: #dbdada; ++@navbar-pf-icon-bar-bg-color: #fff; ++@navbar-pf-navbar-header-border-color: #53565b; ++@navbar-pf-navbar-nav-active-bg-color: #454C53; ++@navbar-pf-navbar-nav-active-active-bg-color: #3c434a; ++@navbar-pf-navbar-nav-active-active-open-bg-color: #424950; ++@navbar-pf-navbar-navbar-brand-min-width: 300px; ++@navbar-pf-navbar-navbar-brand-padding: 7px 0 8px; ++@navbar-pf-navbar-navbar-persistent-bg-color: #f6f6f6; ++@navbar-pf-navbar-navbar-persistent-border-color: #cecdcd; ++@navbar-pf-navbar-primary-active-bg-color-start: #72757a; ++@navbar-pf-navbar-primary-active-bg-color-stop: #64686c; ++@navbar-pf-navbar-primary-active-border-color: #949699; ++@navbar-pf-navbar-primary-bg-color-start: #474c50; ++@navbar-pf-navbar-primary-bg-color-stop: #383f43; ++@navbar-pf-navbar-primary-hover-bg-color-start: #5c6165; ++@navbar-pf-navbar-primary-hover-bg-color-stop: #4b5053; ++@navbar-pf-navbar-primary-hover-border-color: #949699; ++@navbar-pf-navbar-primary-context-active-bg-color-start: #6b7175; ++@navbar-pf-navbar-primary-context-active-bg-color-stop: #65696d; ++@navbar-pf-navbar-primary-context-active-border-color: #6e7276; ++@navbar-pf-navbar-primary-context-active-border-right-color: #777a7e; ++@navbar-pf-navbar-primary-context-active-border-top-color: #767a7e; ++@navbar-pf-navbar-primary-context-bg-color-start: #585d61; ++@navbar-pf-navbar-primary-context-bg-color-stop: #505458; ++@navbar-pf-navbar-primary-context-border-color: #65696d; ++@navbar-pf-navbar-primary-context-border-top-color: #64696d; ++@navbar-pf-navbar-primary-context-hover-bg-color-start: #62676b; ++@navbar-pf-navbar-primary-context-hover-bg-color-stop: #5a5e62; ++@navbar-pf-navbar-primary-context-hover-border-color: #6e7276; ++@navbar-pf-navbar-primary-context-hover-border-top-color: #6c7276; ++@navbar-pf-navbar-utility-border-color: #53565b; ++@navbar-pf-navbar-utility-color: #fff; ++@navbar-pf-navbar-utility-hover-bg-color: #4a5053; ++@navbar-pf-navbar-utility-hover-border-color: #636466; ++@navbar-pf-navbar-utility-open-bg-color: #5b6165; ++@navbar-pf-navbar-utility-open-border-color: #6c6e70; +-- +2.26.2 + diff --git a/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch b/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch new file mode 100644 index 0000000..48bb8e0 --- /dev/null +++ b/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch @@ -0,0 +1,122 @@ +From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 26 Nov 2021 11:13:51 +0200 +Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and + MS-SFU updates + +New versions of MS-KILE and MS-SFU after Windows Server November 2021 +security updates add PAC_REQUESTER_SID buffer check behavior: + + - PAC_REQUESTER_SID should only be added for TGT requests + + - if PAC_REQUESTER_SID is present, KDC must verify that the cname on + the ticket resolves to the account with the same SID as the + PAC_REQUESTER_SID. If it doesn't KDC must respond with + KDC_ERR_TKT_REVOKED + +Change requester SID check to skip exact check for non-local +PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains +we know about. + +If requester SID is the same as in PAC, we already do cname vs PAC SID +verification. + +With these changes FreeIPA works against Windows Server 2019 with +November 2021 security fixes in cross-realm S4U2Self operations. + +Fixes: https://pagure.io/freeipa/issue/9031 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++--------- + 1 file changed, 34 insertions(+), 13 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 538cfbba9..1b972c167 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, + "local [%s], PAC [%s]", + dom ? dom : "", + sid ? sid : ""); +- return KRB5KDC_ERR_POLICY; ++ return KRB5KDC_ERR_TGT_REVOKED; + } + } + +@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, + kerr = ipadb_get_principal(context, client_princ, flags, &client_actual); + if (kerr != 0) { + krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed."); +- return KRB5KDC_ERR_POLICY; ++ return KRB5KDC_ERR_TGT_REVOKED; + } + + ied = (struct ipadb_e_data *)client_actual->e_data; +@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, + "local [%s] vs PAC [%s]", + local_sid ? local_sid : "", + pac_sid ? pac_sid : ""); +- kerr = KRB5KDC_ERR_POLICY; ++ kerr = KRB5KDC_ERR_TGT_REVOKED; + goto done; + } + +@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context, + /* Check that requester SID is the same as in the PAC entry */ + if (requester_sid != NULL) { + struct dom_sid client_sid; ++ bool is_from_trusted_domain = false; + kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid); + if (kerr) { + goto done; + } + result = dom_sid_check(&client_sid, requester_sid, true); + if (!result) { +- /* memctx is freed by the caller */ +- char *pac_sid = dom_sid_string(tmpctx, &client_sid); +- char *req_sid = dom_sid_string(tmpctx, requester_sid); +- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID " +- "different from what PAC requester claims. " +- "PAC [%s] vs PAC requester [%s]", +- pac_sid ? pac_sid : "", +- req_sid ? req_sid : ""); +- kerr = KRB5KDC_ERR_POLICY; +- goto done; ++ struct ipadb_context *ipactx = ipadb_get_context(context); ++ if (!ipactx || !ipactx->mspac) { ++ return KRB5_KDB_DBNOTINITED; ++ } ++ /* In S4U case we might be dealing with the PAC issued by the trusted domain */ ++ if (is_s4u && (ipactx->mspac->trusts != NULL)) { ++ /* Iterate through list of trusts and check if this SID belongs to ++ * one of the domains we trust */ ++ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) { ++ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid, ++ requester_sid, false); ++ if (result) { ++ is_from_trusted_domain = true; ++ break; ++ } ++ } ++ } ++ ++ if (!is_from_trusted_domain) { ++ /* memctx is freed by the caller */ ++ char *pac_sid = dom_sid_string(tmpctx, &client_sid); ++ char *req_sid = dom_sid_string(tmpctx, requester_sid); ++ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID " ++ "different from what PAC requester claims. " ++ "PAC [%s] vs PAC requester [%s]", ++ pac_sid ? pac_sid : "", ++ req_sid ? req_sid : ""); ++ kerr = KRB5KDC_ERR_TGT_REVOKED; ++ goto done; ++ } + } + } + +-- +2.31.1 + diff --git a/freeipa-4.9.8.tar.gz.asc b/freeipa-4.9.8.tar.gz.asc new file mode 100644 index 0000000..c14420c --- /dev/null +++ b/freeipa-4.9.8.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi +00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe +MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM +XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q +E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp +q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6 +BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA +CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C +UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi +q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy +urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo +w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg= +=t9up +-----END PGP SIGNATURE----- diff --git a/freeipa.spec b/freeipa.spec new file mode 100644 index 0000000..6de0f77 --- /dev/null +++ b/freeipa.spec @@ -0,0 +1,3184 @@ +%define ipa_requires_gt() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") + +# ipatests enabled by default, can be disabled with --without ipatests +%bcond_without ipatests +# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml +# On RHEL 8 we should use --with ipa_join_xml +%bcond_with ipa_join_xml + +# Linting is disabled by default, needed for upstream testing +%bcond_with lint + +# Build documentation with sphinx +%bcond_with doc + +# Build Python wheels +%bcond_with wheels + +# 389-ds-base 1.4 no longer supports i686 platform, build only client +# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386 +%ifarch %{ix86} + %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} +%endif + +# Define ONLY_CLIENT to only make the ipa-client and ipa-python +# subpackages +%{!?ONLY_CLIENT:%global ONLY_CLIENT 0} +%if %{ONLY_CLIENT} + %global enable_server_option --disable-server +%else + %global enable_server_option --enable-server +%endif + +%if %{ONLY_CLIENT} + %global with_ipatests 0 +%endif + +# Whether to build ipatests +%if %{with ipatests} + %global with_ipatests_option --with-ipatests +%else + %global with_ipatests_option --without-ipatests +%endif + +# Whether to use XML-RPC with ipa-join +%if %{with ipa_join_xml} + %global with_ipa_join_xml_option --with-ipa-join-xml +%else + %global with_ipa_join_xml_option --without-ipa-join-xml +%endif + +# lint is not executed during rpmbuild +# %%global with_lint 1 +%if %{with lint} + %global linter_options --enable-pylint --without-jslint --enable-rpmlint +%else + %global linter_options --disable-pylint --without-jslint --disable-rpmlint +%endif + +# Include SELinux subpackage +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8 + %global with_selinux 1 + %global selinuxtype targeted + %global modulename ipa +%endif + +%if 0%{?rhel} +%global package_name ipa +%global alt_name freeipa +%global krb5_version 1.19.1-15 +%global krb5_kdb_version 8.0 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.19 +# Require 4.7.0 which brings Python 3 bindings +%global samba_version 4.15.2-2 +%global selinux_policy_version 3.14.3-52 +%global slapi_nis_version 0.56.4 +%global python_ldap_version 3.1.0-1 +%if 0%{?rhel} < 9 +# Bug 1929067 - PKI instance creation failed with new 389-ds-base build +%global ds_version 1.4.3.16-12 +%else +# DNA interval enabled +%global ds_version 2.0.5-1 +%endif + +# Fix for TLS 1.3 PHA, RHBZ#1775158 +%global httpd_version 2.4.37-21 +%global bind_version 9.11.20-6 + +%else +# Fedora +%global package_name freeipa +%global alt_name ipa +# Fix for CVE-2020-28196 +%global krb5_version 1.18.2-29 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.16 +# Require 4.7.0 which brings Python 3 bindings +# Require 4.12 which has DsRGetForestTrustInformation access rights fixes +%global samba_version 2:4.12.10 + +# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface +%global selinux_policy_version 3.14.5-45 +%global slapi_nis_version 0.56.5 + +%global krb5_kdb_version 8.0 + +# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 +%global python_ldap_version 3.1.0-1 + +# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700 +# and has DNA interval enabled +%if 0%{?fedora} < 34 +%global ds_version 1.4.4.16-1 +%else +%global ds_version 2.0.7-1 +%endif + +# Fix for TLS 1.3 PHA, RHBZ#1775146 +%global httpd_version 2.4.41-9 + +%global bind_version 9.11.24-1 +# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. +# Some packages don't provide new dist aliases. +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ +%{?python_disable_dependency_generator} +# Fedora +%endif + +# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11 +# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9) +%if 0%{?fedora} || 0%{?rhel} >= 9 + %global openssl_pkcs11_version 0.4.10-6 + %global softhsm_version 2.5.0-4 +%else + %global with_bind_pkcs11 1 +%endif + +%if 0%{?rhel} == 8 +# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 +%global pki_version 10.10.5 +%else +# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 +%global pki_version 10.10.5 +%endif + +# RHEL 8.3+, F32+ has 0.79.13 +%global certmonger_version 0.79.7-3 + +# RHEL 8.2+, F32+ has 3.58 +%global nss_version 3.44.0-4 + +# RHEL 8.7+, F35+, adds IdP integration +%global sssd_version 2.7.0 + +%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) +%global kdcproxy_version 0.4-3 + +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 +# systemd with resolved enabled +# see https://pagure.io/freeipa/issue/8275 +%global systemd_version 246.6-3 +%else +%global systemd_version 239 +%endif + +# augeas support for new chrony options +# see https://pagure.io/freeipa/issue/8676 +# https://bugzilla.redhat.com/show_bug.cgi?id=1931787 +%if 0%{?fedora} >= 33 +%global augeas_version 1.12.0-6 +%else +%if 0%{?rhel} >= 9 +%global augeas_version 1.12.1-0 +%else +%global augeas_version 1.12.0-3 +%endif +%endif + +%global plugin_dir %{_libdir}/dirsrv/plugins +%global etc_systemd_dir %{_sysconfdir}/systemd/system +%global gettext_domain ipa + +%define _hardened_build 1 + +# Work-around fact that RPM SPEC parser does not accept +# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement +%define IPA_VERSION 4.10.0 +# Release candidate version -- uncomment with one percent for RC versions +#%%global rc_version %%nil +%define AT_SIGN @ +# redefine IPA_VERSION only if its value matches the Autoconf placeholder +%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" + %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser +%endif + +%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil") + +Name: %{package_name} +Version: %{IPA_VERSION} +Release: 5%{?rc_version:.%rc_version}%{?dist} +Summary: The Identity, Policy and Audit system + +License: GPLv3+ +URL: http://www.freeipa.org/ +Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz +# Only use detached signature for the distribution builds. If it is a developer build, skip it +%if %{NON_DEVELOPER_BUILD} +Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc +%endif + +# RHEL spec file only: START: Change branding to IPA and Identity Management +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +# RHEL spec file only: END: Change branding to IPA and Identity Management + +# RHEL spec file only: START +%if %{NON_DEVELOPER_BUILD} +%if 0%{?rhel} >= 8 +Patch0001: 0001-Only-calculate-LDAP-password-grace-when-the-password.patch +Patch0002: 0002-webui-Do-not-allow-empty-pagination-size.patch +Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch +%endif +%endif +# RHEL spec file only: END + +# For the timestamp trick in patch application +BuildRequires: diffstat + +BuildRequires: openldap-devel +# For KDB DAL version, make explicit dependency so that increase of version +# will cause the build to fail due to unsatisfied dependencies. +# DAL version change may cause code crash or memory leaks, it is better to fail early. +BuildRequires: krb5-kdb-version = %{krb5_kdb_version} +BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version} +BuildRequires: krb5-devel >= %{krb5_version} +BuildRequires: pkgconfig(krb5) +%if %{with ipa_join_xml} +# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation +BuildRequires: xmlrpc-c-devel >= 1.27.4 +%else +BuildRequires: libcurl-devel +BuildRequires: jansson-devel +%endif +BuildRequires: popt-devel +BuildRequires: gcc +BuildRequires: make +BuildRequires: pkgconfig +BuildRequires: pkgconf +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: make +BuildRequires: libtool +BuildRequires: gettext +BuildRequires: gettext-devel +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: systemd >= %{systemd_version} +# systemd-tmpfiles which is executed from make install requires apache user +BuildRequires: httpd +BuildRequires: nspr-devel +BuildRequires: openssl-devel +BuildRequires: libini_config-devel +BuildRequires: cyrus-sasl-devel +%if ! %{ONLY_CLIENT} +BuildRequires: 389-ds-base-devel >= %{ds_version} +BuildRequires: samba-devel >= %{samba_version} +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: libuuid-devel +BuildRequires: libpwquality-devel +BuildRequires: libsss_idmap-devel +BuildRequires: libsss_certmap-devel +BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} +BuildRequires: nodejs(abi) +# use old dependency on RHEL 8 for now +%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9 +BuildRequires: python3-rjsmin +%else +BuildRequires: uglify-js +%endif +BuildRequires: libverto-devel +BuildRequires: libunistring-devel +# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 +# 0.13.0-2: fix for missing dependency on python-six +BuildRequires: python3-lesscpy >= 0.13.0-2 +BuildRequires: cracklib-dicts +# ONLY_CLIENT +%endif + +# +# Build dependencies for makeapi/makeaci +# +BuildRequires: python3-cffi +BuildRequires: python3-dns +BuildRequires: python3-ldap >= %{python_ldap_version} +BuildRequires: python3-libsss_nss_idmap +BuildRequires: python3-netaddr >= %{python_netaddr_version} +BuildRequires: python3-pyasn1 +BuildRequires: python3-pyasn1-modules +BuildRequires: python3-six +BuildRequires: python3-psutil + +# +# Build dependencies for wheel packaging and PyPI upload +# +%if %{with wheels} +BuildRequires: dbus-glib-devel +BuildRequires: libffi-devel +BuildRequires: python3-tox +%if 0%{?fedora} <= 28 +BuildRequires: python3-twine +%else +BuildRequires: twine +%endif +BuildRequires: python3-wheel +# with_wheels +%endif + +%if %{with doc} +BuildRequires: python3-sphinx +BuildRequires: plantuml +BuildRequires: fontconfig +BuildRequires: google-noto-sans-vf-fonts +%endif + +# +# Build dependencies for lint and fastcheck +# +%if %{with lint} + +# python3-pexpect might not be available in RHEL9 +%if 0%{?fedora} || 0%{?rhel} < 9 +BuildRequires: python3-pexpect +%endif + +# jsl is orphaned in Fedora 34+ +%if 0%{?fedora} < 34 +BuildRequires: jsl +%endif + +BuildRequires: git +BuildRequires: nss-tools +BuildRequires: rpmlint +BuildRequires: softhsm + +BuildRequires: keyutils +BuildRequires: python3-augeas +BuildRequires: python3-cffi +BuildRequires: python3-cryptography >= 1.6 +BuildRequires: python3-dateutil +BuildRequires: python3-dbus +BuildRequires: python3-dns >= 1.15 +BuildRequires: python3-docker +BuildRequires: python3-gssapi >= 1.2.0 +BuildRequires: python3-jinja2 +BuildRequires: python3-jwcrypto >= 0.4.2 +BuildRequires: python3-ldap >= %{python_ldap_version} +BuildRequires: python3-ldap >= %{python_ldap_version} +BuildRequires: python3-lib389 >= %{ds_version} +BuildRequires: python3-libipa_hbac +BuildRequires: python3-libsss_nss_idmap +BuildRequires: python3-lxml +BuildRequires: python3-netaddr >= %{python_netaddr_version} +BuildRequires: python3-netifaces +BuildRequires: python3-paste +BuildRequires: python3-pki >= %{pki_version} +BuildRequires: python3-polib +BuildRequires: python3-pyasn1 +BuildRequires: python3-pyasn1-modules +BuildRequires: python3-pycodestyle +# .wheelconstraints.in limits pylint version in Azure and tox tests +BuildRequires: python3-pylint +BuildRequires: python3-pytest-multihost +BuildRequires: python3-pytest-sourceorder +BuildRequires: python3-qrcode-core >= 5.0.0 +BuildRequires: python3-samba +BuildRequires: python3-six +BuildRequires: python3-sss +BuildRequires: python3-sss-murmur +BuildRequires: python3-sssdconfig >= %{sssd_version} +BuildRequires: python3-systemd +BuildRequires: python3-yaml +BuildRequires: python3-yubico +# with_lint +%endif + +# +# Build dependencies for unit tests +# +%if ! %{ONLY_CLIENT} +BuildRequires: libcmocka-devel +# Required by ipa_kdb_tests +BuildRequires: krb5-server >= %{krb5_version} +# ONLY_CLIENT +%endif + +# Build dependencies for SELinux policy +%if %{with selinux} +BuildRequires: selinux-policy-devel >= %{selinux_policy_version} +%endif + +%description +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). + + +%if ! %{ONLY_CLIENT} + +%package server +Summary: The IPA authentication server +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-client = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipaserver = %{version}-%{release} +Requires: python3-ldap >= %{python_ldap_version} +Requires: 389-ds-base >= %{ds_version} +Requires: openldap-clients > 2.4.35-4 +Requires: nss-tools >= %{nss_version} +Requires(post): krb5-server >= %{krb5_version} +Requires(post): krb5-server >= %{krb5_base_version} +Requires: krb5-kdb-version = %{krb5_kdb_version} +Requires: krb5-pkinit-openssl >= %{krb5_version} +Requires: cyrus-sasl-gssapi%{?_isa} +Requires: chrony +Requires: httpd >= %{httpd_version} +Requires(preun): python3 +Requires(postun): python3 +Requires: python3-gssapi >= 1.2.0-5 +Requires: python3-systemd +Requires: python3-mod_wsgi +Requires: mod_auth_gssapi >= 1.5.0 +Requires: mod_ssl >= %{httpd_version} +Requires: mod_session >= %{httpd_version} +# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 +Requires: mod_lookup_identity >= 0.9.9 +Requires: acl +Requires: systemd-units >= %{systemd_version} +Requires(pre): systemd-units >= %{systemd_version} +Requires(post): systemd-units >= %{systemd_version} +Requires(preun): systemd-units >= %{systemd_version} +Requires(postun): systemd-units >= %{systemd_version} +Requires(pre): shadow-utils +Requires: selinux-policy >= %{selinux_policy_version} +Requires(post): selinux-policy-base >= %{selinux_policy_version} +Requires: slapi-nis >= %{slapi_nis_version} +Requires: pki-ca >= %{pki_version} +Requires: pki-kra >= %{pki_version} +# pki-acme package was split out in pki-10.10.0 +Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0) +Requires: policycoreutils >= 2.1.12-5 +Requires: tar +Requires(pre): certmonger >= %{certmonger_version} +Requires(pre): 389-ds-base >= %{ds_version} +Requires: fontawesome-fonts +Requires: open-sans-fonts +%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9 +# https://pagure.io/freeipa/issue/8632 +Requires: openssl > 1.1.1i +%else +Requires: openssl +%endif +Requires: softhsm >= 2.0.0rc1-1 +Requires: p11-kit +Requires: %{etc_systemd_dir} +Requires: gzip +Requires: oddjob +# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 +Requires: gssproxy >= 0.7.0-2 +Requires: sssd-dbus >= %{sssd_version} +Requires: libpwquality +Requires: cracklib-dicts +# NDR libraries are internal in Samba and change with version without changing SONAME +%ipa_requires_gt samba-client-libs + +Provides: %{alt_name}-server = %{version} +Conflicts: %{alt_name}-server +Obsoletes: %{alt_name}-server < %{version} + +# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the +# entire SELinux policy is stored in the system policy +Obsoletes: freeipa-server-selinux < 3.3.0 + +# upgrade path from monolithic -server to -server + -server-dns +Obsoletes: %{name}-server <= 4.2.0 + +# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to +# member. +Conflicts: nss-pam-ldapd < 0.8.4 + +# RHEL spec file only: START: Do not build tests +%if 0%{?rhel} == 8 +# ipa-tests subpackage was moved to separate srpm +Conflicts: ipa-tests < 3.3.3-9 +%endif +# RHEL spec file only: END: Do not build tests + +%description server +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + + +%package -n python3-ipaserver +Summary: Python libraries used by IPA server +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaserver} +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +# we need pre-requires since earlier versions may break upgrade +Requires(pre): python3-ldap >= %{python_ldap_version} +Requires: python3-augeas +Requires: augeas-libs >= %{augeas_version} +Requires: python3-dbus +Requires: python3-dns >= 1.15 +Requires: python3-gssapi >= 1.2.0 +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-kdcproxy >= %{kdcproxy_version} +Requires: python3-lxml +Requires: python3-pki >= %{pki_version} +Requires: python3-pyasn1 >= 0.3.2-2 +Requires: python3-sssdconfig >= %{sssd_version} +Requires: python3-psutil +Requires: rpm-libs +# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support +%if 0%{?rhel} +Requires: python3-urllib3 >= 1.24.2-3 +%else +Requires: python3-urllib3 >= 1.25.7 +%endif + +%description -n python3-ipaserver +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + + +%package server-common +Summary: Common files used by IPA server +BuildArch: noarch +Requires: %{name}-client-common = %{version}-%{release} +Requires: httpd >= %{httpd_version} +Requires: systemd-units >= %{systemd_version} +%if 0%{?rhel} >= 8 && ! 0%{?eln} +Requires: system-logos-ipa >= 80.4 +%endif + +Provides: %{alt_name}-server-common = %{version} +Conflicts: %{alt_name}-server-common +Obsoletes: %{alt_name}-server-common < %{version} + +%description server-common +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + + +%package server-dns +Summary: IPA integrated DNS server with support for automatic DNSSEC signing +BuildArch: noarch +Requires: %{name}-server = %{version}-%{release} +Requires: bind-dyndb-ldap >= 11.2-2 +Requires: bind >= %{bind_version} +Requires: bind-utils >= %{bind_version} +# bind-dnssec-utils is required by the OpenDNSSec integration +# https://pagure.io/freeipa/issue/9026 +Requires: bind-dnssec-utils >= %{bind_version} +%if %{with bind_pkcs11} +Requires: bind-pkcs11 >= %{bind_version} +%else +Requires: softhsm >= %{softhsm_version} +Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} +%endif +# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812 +# RHEL 8.3+ and Fedora 32+ have 2.1 +Requires: opendnssec >= 2.1.6-5 +%{?systemd_requires} + +Provides: %{alt_name}-server-dns = %{version} +Conflicts: %{alt_name}-server-dns +Obsoletes: %{alt_name}-server-dns < %{version} + +# upgrade path from monolithic -server to -server + -server-dns +Obsoletes: %{name}-server <= 4.2.0 + +%description server-dns +IPA integrated DNS server with support for automatic DNSSEC signing. +Integrated DNS server is BIND 9. OpenDNSSEC provides key management. + + +%package server-trust-ad +Summary: Virtual package to install packages required for Active Directory trusts +Requires: %{name}-server = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} + +Requires: samba >= %{samba_version} +Requires: samba-winbind +Requires: sssd-winbind-idmap +Requires: libsss_idmap +%if 0%{?rhel} +Obsoletes: ipa-idoverride-memberof-plugin <= 0.1 +%endif +Requires(post): python3 +Requires: python3-samba +Requires: python3-libsss_nss_idmap +Requires: python3-sss + +# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 +# on the installes where server-trust-ad subpackage is installed because +# IPA AD trusts cannot be used at the same time with the locator plugin +# since Winbindd will be configured in a different mode +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Requires(preun): %{_sbindir}/update-alternatives + +Provides: %{alt_name}-server-trust-ad = %{version} +Conflicts: %{alt_name}-server-trust-ad +Obsoletes: %{alt_name}-server-trust-ad < %{version} + +%description server-trust-ad +Cross-realm trusts with Active Directory in IPA require working Samba 4 +installation. This package is provided for convenience to install all required +dependencies at once. + +# ONLY_CLIENT +%endif + + +%package client +Summary: IPA authentication for use on clients +Requires: %{name}-client-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-gssapi >= 1.2.0-5 +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-ldap >= %{python_ldap_version} +Requires: python3-sssdconfig >= %{sssd_version} +Requires: cyrus-sasl-gssapi%{?_isa} +Requires: chrony +Requires: krb5-workstation >= %{krb5_version} +# authselect: sssd profile with-subid +%if 0%{?fedora} >= 36 +Requires: authselect >= 1.4.0 +%else +Requires: authselect >= 1.2.5 +%endif +Requires: curl +# NIS domain name config: /usr/lib/systemd/system/*-domainname.service +# All Fedora 28+ and RHEL8+ contain the service in hostname package +Requires: hostname +Requires: libcurl >= 7.21.7-2 +%if %{with ipa_join_xml} +Requires: xmlrpc-c >= 1.27.4 +%else +Requires: jansson +%endif +Requires: sssd-ipa >= %{sssd_version} +Requires: sssd-idp >= %{sssd_version} +Requires: certmonger >= %{certmonger_version} +Requires: nss-tools >= %{nss_version} +Requires: bind-utils +Requires: oddjob-mkhomedir +Requires: libsss_autofs +Requires: autofs +Requires: libnfsidmap +Requires: nfs-utils +Requires: sssd-tools >= %{sssd_version} +Requires(post): policycoreutils + +# https://pagure.io/freeipa/issue/8530 +Recommends: libsss_sudo +Recommends: sudo +Requires: (libsss_sudo if sudo) + +Provides: %{alt_name}-client = %{version} +Conflicts: %{alt_name}-client +Obsoletes: %{alt_name}-client < %{version} + +Provides: %{alt_name}-admintools = %{version} +Conflicts: %{alt_name}-admintools +Obsoletes: %{alt_name}-admintools < 4.4.1 + +Obsoletes: %{name}-admintools < 4.4.1 +Provides: %{name}-admintools = %{version}-%{release} + +%if 0%{?rhel} == 8 +# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module +Conflicts: crypto-policies < 20200629-1 +%endif + +%if 0%{?rhel} == 9 +# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and +# AD-SUPPORT-LEGACY policy modules +Conflicts: crypto-policies < 20220223-1 +%endif + +%description client +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If your network uses IPA for authentication, this package should be +installed on every client machine. +This package provides command-line tools for IPA administrators. + +%package client-samba +Summary: Tools to configure Samba on IPA client +Group: System Environment/Base +Requires: %{name}-client = %{version}-%{release} +Requires: python3-samba +Requires: samba-client +Requires: samba-winbind +Requires: samba-common-tools +Requires: samba +Requires: sssd-winbind-idmap +Requires: tdb-tools +Requires: cifs-utils + +%description client-samba +This package provides command-line tools to deploy Samba domain member +on the machine enrolled into a FreeIPA environment + +%package client-epn +Summary: Tools to configure Expiring Password Notification in IPA +Group: System Environment/Base +Requires: %{name}-client = %{version}-%{release} +Requires: systemd-units >= %{systemd_version} +Requires(post): systemd-units >= %{systemd_version} +Requires(preun): systemd-units >= %{systemd_version} +Requires(postun): systemd-units >= %{systemd_version} + +%description client-epn +This package provides a service to collect and send expiring password +notifications via email (SMTP). + +%package -n python3-ipaclient +Summary: Python libraries used by IPA client +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaclient} +Requires: %{name}-client-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipalib = %{version}-%{release} +Requires: python3-augeas +Requires: augeas-libs >= %{augeas_version} +Requires: python3-dns >= 1.15 +Requires: python3-jinja2 + +%description -n python3-ipaclient +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If your network uses IPA for authentication, this package should be +installed on every client machine. + +%package client-common +Summary: Common files used by IPA client +BuildArch: noarch + +Provides: %{alt_name}-client-common = %{version} +Conflicts: %{alt_name}-client-common +Obsoletes: %{alt_name}-client-common < %{version} +# python2-ipa* packages are no longer available in 4.8. +Obsoletes: python2-ipaclient < 4.8.0-1 +Obsoletes: python2-ipalib < 4.8.0-1 +Obsoletes: python2-ipaserver < 4.8.0-1 +Obsoletes: python2-ipatests < 4.8.0-1 + + +%description client-common +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If your network uses IPA for authentication, this package should be +installed on every client machine. + + +%package python-compat +Summary: Compatiblity package for Python libraries used by IPA +BuildArch: noarch +Obsoletes: %{name}-python < 4.2.91 +Provides: %{name}-python = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipalib = %{version}-%{release} + +Provides: %{alt_name}-python-compat = %{version} +Conflicts: %{alt_name}-python-compat +Obsoletes: %{alt_name}-python-compat < %{version} + +Obsoletes: %{alt_name}-python < 4.2.91 +Provides: %{alt_name}-python = %{version} + +%description python-compat +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +This is a compatibility package to accommodate %{name}-python split into +python3-ipalib and %{name}-common. Packages still depending on +%{name}-python should be fixed to depend on python2-ipaclient or +%{name}-common instead. + + +%package -n python3-ipalib +Summary: Python3 libraries used by IPA +BuildArch: noarch +%{?python_provide:%python_provide python3-ipalib} +Provides: python3-ipapython = %{version}-%{release} +%{?python_provide:%python_provide python3-ipapython} +Provides: python3-ipaplatform = %{version}-%{release} +%{?python_provide:%python_provide python3-ipaplatform} +Requires: %{name}-common = %{version}-%{release} +# we need pre-requires since earlier versions may break upgrade +Requires(pre): python3-ldap >= %{python_ldap_version} +Requires: gnupg2 +Requires: keyutils +Requires: python3-cffi +Requires: python3-cryptography >= 1.6 +Requires: python3-dateutil +Requires: python3-dbus +Requires: python3-dns >= 1.15 +Requires: python3-gssapi >= 1.2.0 +Requires: python3-jwcrypto >= 0.4.2 +Requires: python3-libipa_hbac +Requires: python3-netaddr >= %{python_netaddr_version} +Requires: python3-netifaces >= 0.10.4 +Requires: python3-pyasn1 >= 0.3.2-2 +Requires: python3-pyasn1-modules >= 0.3.2-2 +Requires: python3-pyusb +Requires: python3-qrcode-core >= 5.0.0 +Requires: python3-requests +Requires: python3-six +Requires: python3-sss-murmur +Requires: python3-yubico >= 1.3.2-7 +%if 0%{?rhel} && 0%{?rhel} == 8 +Requires: platform-python-setuptools +%else +Requires: python3-setuptools +%endif + +%description -n python3-ipalib +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are using IPA with Python 3, you need to install this package. + + +%package common +Summary: Common files used by IPA +BuildArch: noarch +Conflicts: %{name}-python < 4.2.91 + +Provides: %{alt_name}-common = %{version} +Conflicts: %{alt_name}-common +Obsoletes: %{alt_name}-common < %{version} + +Conflicts: %{alt_name}-python < %{version} + +%if %{with selinux} +# This ensures that the *-selinux package and all it’s dependencies are not +# pulled into containers and other systems that do not use SELinux. The +# policy defines types and file contexts for client and server. +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif + +%description common +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are using IPA, you need to install this package. + + +%if %{with ipatests} + +%package -n python3-ipatests +Summary: IPA tests and test tools +BuildArch: noarch +%{?python_provide:%python_provide python3-ipatests} +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-ipaserver = %{version}-%{release} +Requires: iptables +Requires: python3-cryptography >= 1.6 +%if 0%{?fedora} +# These packages do not exist on RHEL and for ipatests use +# they are installed on the controller through other means +Requires: ldns-utils +Requires: python3-pexpect +# update-crypto-policies +Requires: crypto-policies-scripts +Requires: python3-polib +Requires: python3-pytest >= 3.9.1 +Requires: python3-pytest-multihost >= 0.5 +Requires: python3-pytest-sourceorder +Requires: sshpass +%endif +Requires: python3-sssdconfig >= %{sssd_version} +Requires: tar +Requires: xz +Requires: openssh-clients +%if 0%{?rhel} +AutoReqProv: no +%endif + +%description -n python3-ipatests +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +This package contains tests that verify IPA functionality under Python 3. + +# with ipatests +%endif + + +%if %{with selinux} +# SELinux subpackage +%package selinux +Summary: FreeIPA SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +%{?selinux_requires} + +%description selinux +Custom SELinux policy module for FreeIPA +# with selinux +%endif + + +%prep +# Update timestamps on the files touched by a patch, to avoid non-equal +# .pyc/.pyo files across the multilib peers within a build, where "Level" +# is the patch prefix option (e.g. -p1) +# Taken from specfile for sssd and python-simplejson +UpdateTimestamps() { + Level=$1 + PatchFile=$2 + + # Locate the affected files: + for f in $(diffstat $Level -l $PatchFile); do + # Set the files to have the same timestamp as that of the patch: + touch -c -r $PatchFile $f + done +} + +%setup -n freeipa-%{version}%{?rc_version} -q + +# To allow proper application patches to the stripped po files, strip originals +pushd po +for i in *.po ; do + msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1 + mv $i.tmp $i || exit 1 +done +popd + +for p in %patches ; do + %__patch -p1 -i $p + UpdateTimestamps -p1 $p +done + +%build +# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 +export PATH=/usr/bin:/usr/sbin:$PATH + +export PYTHON=%{__python3} +autoreconf -ivf +%configure --with-vendor-suffix=-%{release} \ + %{enable_server_option} \ + %{with_ipatests_option} \ + %{with_ipa_join_xml_option} \ + %{linter_options} + +# run build in default dir +# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 +%make_build -Onone + + +%check +make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir} + + +%install +# Please put as much logic as possible into make install. It allows: +# - easier porting to other distributions +# - rapid devel & install cycle using make install +# (instead of full RPM build and installation each time) +# +# All files and directories created by spec install should be marked as ghost. +# (These are typically configuration files created by IPA installer.) +# All other artifacts should be created by make install. + +%make_install + +# don't package ipasphinx for now +rm -rf %{buildroot}%{python3_sitelib}/ipasphinx* + +%if %{with ipatests} +mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} +mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} +mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} +ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3 +ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3 +ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3 +ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests +ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config +ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task +# with_ipatests +%endif + +# remove files which are useful only for make uninstall +find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; + +%if 0%{?rhel} +# RHEL spec file only: START +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png +rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg +rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png +rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png +%endif +# RHEL spec file only: END + +%find_lang %{gettext_domain} + +%if ! %{ONLY_CLIENT} +# Remove .la files from libtool - we don't want to package +# these files +rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la +rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la +rm %{buildroot}/%{plugin_dir}/libipa_winsync.la +rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la +rm %{buildroot}/%{plugin_dir}/libipa_uuid.la +rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la +rm %{buildroot}/%{plugin_dir}/libipa_lockout.la +rm %{buildroot}/%{plugin_dir}/libipa_cldap.la +rm %{buildroot}/%{plugin_dir}/libipa_dns.la +rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la +rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la +rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la +rm %{buildroot}/%{plugin_dir}/libipa_range_check.la +rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la +rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la +rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la +rm %{buildroot}/%{plugin_dir}/libtopology.la +rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la +rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la + +# So we can own our Apache configuration +mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf +/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con + +mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 +touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so + +# ONLY_CLIENT +%endif + +/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf +/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt + +%if ! %{ONLY_CLIENT} +mkdir -p %{buildroot}%{_sysconfdir}/cron.d +# ONLY_CLIENT +%endif + +%if ! %{ONLY_CLIENT} + +%post server +# NOTE: systemd specific section + /bin/systemctl --system daemon-reload 2>&1 || : +# END +if [ $1 -gt 1 ] ; then + /bin/systemctl condrestart certmonger.service 2>&1 || : +fi +/bin/systemctl reload-or-try-restart dbus +/bin/systemctl reload-or-try-restart oddjobd + +%tmpfiles_create ipa.conf + +%posttrans server +# don't execute upgrade and restart of IPA when server is not installed +%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 + +if [ $? -eq 0 ]; then + # This is necessary for Fedora system upgrades which by default + # work with the network being offline + /bin/systemctl start network-online.target + + # Restart IPA processes. This must be also run in postrans so that plugins + # and software is in consistent state. This will also perform the + # system upgrade. + # NOTE: systemd specific section + + /bin/systemctl is-enabled ipa.service >/dev/null 2>&1 + if [ $? -eq 0 ]; then + /bin/systemctl restart ipa.service >/dev/null + fi + + /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1 + if [ $? -eq 1 ]; then + /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null + fi +fi +# END + + +%preun server +if [ $1 = 0 ]; then +# NOTE: systemd specific section + /bin/systemctl --quiet stop ipa.service || : + /bin/systemctl --quiet disable ipa.service || : + /bin/systemctl reload-or-try-restart dbus + /bin/systemctl reload-or-try-restart oddjobd +# END +fi + + +%pre server +# Stop ipa_kpasswd if it exists before upgrading so we don't have a +# zombie process when we're done. +if [ -e /usr/sbin/ipa_kpasswd ]; then +# NOTE: systemd specific section + /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || : +# END +fi + + +%pre server-common +# create users and groups +# create kdcproxy group and user +getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy +getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy +# create ipaapi group and user +getent group ipaapi >/dev/null || groupadd -f -r ipaapi +getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi + + +%post server-dns +%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + +%preun server-dns +%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + +%postun server-dns +%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + + +%postun server-trust-ad +if [ "$1" -ge "1" ]; then + if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then + %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null + fi +fi + + +%post server-trust-ad +%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ + winbind_krb5_locator.so /dev/null 90 +/bin/systemctl reload-or-try-restart dbus +/bin/systemctl reload-or-try-restart oddjobd + + +%posttrans server-trust-ad +%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 +if [ $? -eq 0 ]; then +# NOTE: systemd specific section + /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : +# END +fi + + +%preun server-trust-ad +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null + /bin/systemctl reload-or-try-restart dbus + /bin/systemctl reload-or-try-restart oddjobd +fi + +# ONLY_CLIENT +%endif + +%preun client-epn +%systemd_preun ipa-epn.service +%systemd_preun ipa-epn.timer + +%postun client-epn +%systemd_postun ipa-epn.service +%systemd_postun ipa-epn.timer + +%post client-epn +%systemd_post ipa-epn.service +%systemd_post ipa-epn.timer + +%post client +if [ $1 -gt 1 ] ; then + # Has the client been configured? + restore=0 + test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + + if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then + if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then + echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew + cat /etc/krb5.conf >> /etc/krb5.conf.ipanew + mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf + fi + fi + + if [ $restore -ge 2 ]; then + if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then + sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew + mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem + fi + + %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 + %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 + chmod 0600 /var/log/ipaupgrade.log + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" + if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" + fi + fi +fi + + +%if %{with selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +semodule -d ipa_custodia &> /dev/null || true; +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + semodule -e ipa_custodia &> /dev/null || true; +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} +# with_selinux +%endif + + +%triggerin client -- openssh-server < 8.2 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then + sed -r ' + /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d + ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew + + if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then + sed -ri ' + s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ + s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/ + ' /etc/ssh/sshd_config.ipanew + elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then + sed -ri ' + s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ + s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/ + ' /etc/ssh/sshd_config.ipanew + elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then + sed -ri ' + s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/ + s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/ + ' /etc/ssh/sshd_config.ipanew + fi + + mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config + chmod 600 /etc/ssh/sshd_config + + /bin/systemctl condrestart sshd.service 2>&1 || : + fi +fi + + +%triggerin client -- openssh-server >= 8.2 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + # If the snippet already exists, skip + if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then + # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf + grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf + # Remove the values from sshd_conf + sed -ri ' + /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d + ' /etc/ssh/sshd_config + + /bin/systemctl condrestart sshd.service 2>&1 || : + fi + # If the snippet has been created, ensure that it is included + # either by /etc/ssh/sshd_config.d/*.conf or directly + if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then + if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then + if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then + # Include the snippet + echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew + cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew + mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config + fi + fi + fi +fi + + +%if ! %{ONLY_CLIENT} + +%files server +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-backup +%{_sbindir}/ipa-restore +%{_sbindir}/ipa-ca-install +%{_sbindir}/ipa-kra-install +%{_sbindir}/ipa-server-install +%{_sbindir}/ipa-replica-conncheck +%{_sbindir}/ipa-replica-install +%{_sbindir}/ipa-replica-manage +%{_sbindir}/ipa-csreplica-manage +%{_sbindir}/ipa-server-certinstall +%{_sbindir}/ipa-server-upgrade +%{_sbindir}/ipa-ldap-updater +%{_sbindir}/ipa-otptoken-import +%{_sbindir}/ipa-compat-manage +%{_sbindir}/ipa-nis-manage +%{_sbindir}/ipa-managed-entries +%{_sbindir}/ipactl +%{_sbindir}/ipa-advise +%{_sbindir}/ipa-cacert-manage +%{_sbindir}/ipa-winsync-migrate +%{_sbindir}/ipa-pkinit-manage +%{_sbindir}/ipa-crlgen-manage +%{_sbindir}/ipa-cert-fix +%{_sbindir}/ipa-acme-manage +%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit +%{_libexecdir}/certmonger/ipa-server-guard +%dir %{_libexecdir}/ipa +%{_libexecdir}/ipa/ipa-ccache-sweeper +%{_libexecdir}/ipa/ipa-custodia +%{_libexecdir}/ipa/ipa-custodia-check +%{_libexecdir}/ipa/ipa-httpd-kdcproxy +%{_libexecdir}/ipa/ipa-httpd-pwdreader +%{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-pki-wait-running +%{_libexecdir}/ipa/ipa-otpd +%{_libexecdir}/ipa/ipa-print-pac +%{_libexecdir}/ipa/ipa-subids +%dir %{_libexecdir}/ipa/custodia +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent +%dir %{_libexecdir}/ipa/oddjob +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid +%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf +%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf +%dir %{_libexecdir}/ipa/certmonger +%attr(755,root,root) %{_libexecdir}/ipa/certmonger/* +# NOTE: systemd specific section +%attr(644,root,root) %{_unitdir}/ipa.service +%attr(644,root,root) %{_unitdir}/ipa-otpd.socket +%attr(644,root,root) %{_unitdir}/ipa-otpd@.service +%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service +%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer +# END +%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_winsync.so +%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so +%attr(755,root,root) %{plugin_dir}/libipa_uuid.so +%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so +%attr(755,root,root) %{plugin_dir}/libipa_lockout.so +%attr(755,root,root) %{plugin_dir}/libipa_dns.so +%attr(755,root,root) %{plugin_dir}/libipa_range_check.so +%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so +%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so +%attr(755,root,root) %{plugin_dir}/libtopology.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so +%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so +%{_mandir}/man1/ipa-replica-conncheck.1* +%{_mandir}/man1/ipa-replica-install.1* +%{_mandir}/man1/ipa-replica-manage.1* +%{_mandir}/man1/ipa-csreplica-manage.1* +%{_mandir}/man1/ipa-server-certinstall.1* +%{_mandir}/man1/ipa-server-install.1* +%{_mandir}/man1/ipa-server-upgrade.1* +%{_mandir}/man1/ipa-ca-install.1* +%{_mandir}/man1/ipa-kra-install.1* +%{_mandir}/man1/ipa-compat-manage.1* +%{_mandir}/man1/ipa-nis-manage.1* +%{_mandir}/man1/ipa-managed-entries.1* +%{_mandir}/man1/ipa-ldap-updater.1* +%{_mandir}/man8/ipactl.8* +%{_mandir}/man1/ipa-backup.1* +%{_mandir}/man1/ipa-restore.1* +%{_mandir}/man1/ipa-advise.1* +%{_mandir}/man1/ipa-otptoken-import.1* +%{_mandir}/man1/ipa-cacert-manage.1* +%{_mandir}/man1/ipa-winsync-migrate.1* +%{_mandir}/man1/ipa-pkinit-manage.1* +%{_mandir}/man1/ipa-crlgen-manage.1* +%{_mandir}/man1/ipa-cert-fix.1* +%{_mandir}/man1/ipa-acme-manage.1* + + +%files -n python3-ipaserver +%doc README.md Contributors.txt +%license COPYING +%{python3_sitelib}/ipaserver +%{python3_sitelib}/ipaserver-*.egg-info + + +%files server-common +%doc README.md Contributors.txt +%license COPYING +%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy +%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf +# NOTE: systemd specific section +%{_tmpfilesdir}/ipa.conf +%attr(644,root,root) %{_unitdir}/ipa-custodia.service +%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf +# END +%{_usr}/share/ipa/wsgi.py* +%{_usr}/share/ipa/kdcproxy.wsgi +%{_usr}/share/ipa/ipaca*.ini +%{_usr}/share/ipa/*.ldif +%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif +%{_usr}/share/ipa/*.uldif +%{_usr}/share/ipa/*.template +%dir %{_usr}/share/ipa/advise +%dir %{_usr}/share/ipa/advise/legacy +%{_usr}/share/ipa/advise/legacy/*.template +%dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/README +%{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/html +%{_usr}/share/ipa/html/ssbrowser.html +%{_usr}/share/ipa/html/unauthorized.html +%dir %{_usr}/share/ipa/migration +%{_usr}/share/ipa/migration/index.html +%{_usr}/share/ipa/migration/migration.py* +%dir %{_usr}/share/ipa/ui +%{_usr}/share/ipa/ui/index.html +%{_usr}/share/ipa/ui/reset_password.html +%{_usr}/share/ipa/ui/sync_otp.html +%{_usr}/share/ipa/ui/*.ico +%{_usr}/share/ipa/ui/*.css +%dir %{_usr}/share/ipa/ui/css +%{_usr}/share/ipa/ui/css/*.css +%dir %{_usr}/share/ipa/ui/js +%dir %{_usr}/share/ipa/ui/js/dojo +%{_usr}/share/ipa/ui/js/dojo/dojo.js +%dir %{_usr}/share/ipa/ui/js/libs +%{_usr}/share/ipa/ui/js/libs/*.js +%dir %{_usr}/share/ipa/ui/js/freeipa +%{_usr}/share/ipa/ui/js/freeipa/app.js +%{_usr}/share/ipa/ui/js/freeipa/core.js +%dir %{_usr}/share/ipa/ui/js/plugins +%dir %{_usr}/share/ipa/ui/images +%if 0%{?rhel} +%{_usr}/share/ipa/ui/images/facet-*.png +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +%else +%{_usr}/share/ipa/ui/images/*.jpg +%{_usr}/share/ipa/ui/images/*.png +%endif +%dir %{_usr}/share/ipa/wsgi +%{_usr}/share/ipa/wsgi/plugins.py* +%dir %{_sysconfdir}/ipa +%dir %{_sysconfdir}/ipa/html +%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html +%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf +%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt +%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf +%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con +%dir %{_usr}/share/ipa/updates/ +%{_usr}/share/ipa/updates/* +%dir %{_localstatedir}/lib/ipa +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy +%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds +%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish +%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa +%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia +%dir %{_usr}/share/ipa/schema.d +%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README +%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login +%{_usr}/share/ipa/ipakrb5.aug + +%files server-dns +%doc README.md Contributors.txt +%license COPYING +%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd +%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec +%{_libexecdir}/ipa/ipa-dnskeysyncd +%{_libexecdir}/ipa/ipa-dnskeysync-replica +%{_libexecdir}/ipa/ipa-ods-exporter +%{_sbindir}/ipa-dns-install +%{_mandir}/man1/ipa-dns-install.1* +%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service +%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket +%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service + +%files server-trust-ad +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-adtrust-install +%{_usr}/share/ipa/smb.conf.empty +%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so +%attr(755,root,root) %{plugin_dir}/libipa_cldap.so +%{_datadir}/ipa/ipa-cldap-conf.ldif +%{_mandir}/man1/ipa-adtrust-install.1* +%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so +%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf +%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf +%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains + +# ONLY_CLIENT +%endif + + +%files client +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-client-install +%{_sbindir}/ipa-client-automount +%{_sbindir}/ipa-certupdate +%{_sbindir}/ipa-getkeytab +%{_sbindir}/ipa-rmkeytab +%{_sbindir}/ipa-join +%{_bindir}/ipa +%config %{_sysconfdir}/bash_completion.d +%config %{_sysconfdir}/sysconfig/certmonger +%{_mandir}/man1/ipa.1* +%{_mandir}/man1/ipa-getkeytab.1* +%{_mandir}/man1/ipa-rmkeytab.1* +%{_mandir}/man1/ipa-client-install.1* +%{_mandir}/man1/ipa-client-automount.1* +%{_mandir}/man1/ipa-certupdate.1* +%{_mandir}/man1/ipa-join.1* +%dir %{_libexecdir}/ipa/acme +%{_libexecdir}/ipa/acme/certbot-dns-ipa + +%files client-samba +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-client-samba +%{_mandir}/man1/ipa-client-samba.1* + + +%files client-epn +%doc README.md Contributors.txt +%dir %{_sysconfdir}/ipa/epn +%license COPYING +%{_sbindir}/ipa-epn +%{_mandir}/man1/ipa-epn.1* +%{_mandir}/man5/epn.conf.5* +%attr(644,root,root) %{_unitdir}/ipa-epn.service +%attr(644,root,root) %{_unitdir}/ipa-epn.timer +%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf +%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template + +%files -n python3-ipaclient +%doc README.md Contributors.txt +%license COPYING +%dir %{python3_sitelib}/ipaclient +%{python3_sitelib}/ipaclient/*.py +%{python3_sitelib}/ipaclient/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/install +%{python3_sitelib}/ipaclient/install/*.py +%{python3_sitelib}/ipaclient/install/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/plugins +%{python3_sitelib}/ipaclient/plugins/*.py +%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/remote_plugins +%{python3_sitelib}/ipaclient/remote_plugins/*.py +%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/remote_plugins/2_* +%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py +%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* +%{python3_sitelib}/ipaclient-*.egg-info + + +%files client-common +%doc README.md Contributors.txt +%license COPYING +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/ +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb +# old dbm format +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db +# new sql format +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt +%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit +%dir %{_localstatedir}/lib/ipa-client +%dir %{_localstatedir}/lib/ipa-client/pki +%dir %{_localstatedir}/lib/ipa-client/sysrestore +%{_mandir}/man5/default.conf.5* +%dir %{_usr}/share/ipa/client +%{_usr}/share/ipa/client/*.template + + +%files python-compat +%doc README.md Contributors.txt +%license COPYING + + +%files common -f %{gettext_domain}.lang +%doc README.md Contributors.txt +%license COPYING +%dir %{_usr}/share/ipa +%dir %{_libexecdir}/ipa + +%files -n python3-ipalib +%doc README.md Contributors.txt +%license COPYING + +%{python3_sitelib}/ipapython/ +%{python3_sitelib}/ipalib/ +%{python3_sitelib}/ipaplatform/ +%{python3_sitelib}/ipapython-*.egg-info +%{python3_sitelib}/ipalib-*.egg-info +%{python3_sitelib}/ipaplatform-*.egg-info + + +%if %{with ipatests} + + +%files -n python3-ipatests +%doc README.md Contributors.txt +%license COPYING +%{python3_sitelib}/ipatests +%{python3_sitelib}/ipatests-*.egg-info +%{_bindir}/ipa-run-tests-3 +%{_bindir}/ipa-test-config-3 +%{_bindir}/ipa-test-task-3 +%{_bindir}/ipa-run-tests-%{python3_version} +%{_bindir}/ipa-test-config-%{python3_version} +%{_bindir}/ipa-test-task-%{python3_version} +%{_bindir}/ipa-run-tests +%{_bindir}/ipa-test-config +%{_bindir}/ipa-test-task +%{_mandir}/man1/ipa-run-tests.1* +%{_mandir}/man1/ipa-test-config.1* +%{_mandir}/man1/ipa-test-task.1* + +# with ipatests +%endif + + +%if %{with selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +# with selinux +%endif + +%changelog +* Thu Jul 28 2022 Francisco Trivino - 4.10.0-5 +- Resolves: rhbz#2109645 + - Rebuild for samba-4.16.3-101.el9 + +* Thu Jul 21 2022 Francisco Trivino - 4.10.0-4 +- Resolves: rhbz#2109645 + - Rebuild for samba-4.16.3-100.el9 + +* Fri Jul 15 2022 Florence Blanc-Renaud - 4.10.0-3 +- Resolves: rhbz#2105294 IdM WebUI Pagination Size should not allow empty value + +* Thu Jun 30 2022 Florence Blanc-Renaud - 4.10.0-2 +- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind + +* Thu Jun 30 2022 Florence Blanc-Renaud - 4.10.0-1 +- Resolves: rhbz#747959 [RFE] Support random serial numbers in IPA certificates +- Resolves: rhbz#2100227 [UX] Preserving a user account produces output saying it was deleted + +* Fri Jun 17 2022 Florence Blanc-Renaud - 4.9.10-1 +- Resolves: rhbz#2079469 [Rebase] Rebase ipa to latest 4.9.x release +- Resolves: rhbz#2012911 named journalctl logs shows 'zone testrealm.test/IN: serial (serialnumber) write back to LDAP failed.' +- Resolves: rhbz#2069202 [RFE] add support for authenticating against external IdP services using OAUTH2 preauthenticaiton mechanism provided by SSSD +- Resolves: rhbz#2083218 ipa-dnskeysyncd floods /var/log/messages with DEBUG messages +- Resolves: rhbz#2089750 RFE: Improve error message with more detail for ipa-replica-install command +- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind +- Resolves: rhbz#2094400 [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf +- Resolves: rhbz#2096922 secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml + +* Wed Apr 06 2022 Florence Blanc-Renaud - 4.9.8-8 +- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9 + - tests: ensure AD-SUPPORT subpolicy is active in more cases + - ipatests: fix check for AD topology being present + +* Thu Mar 24 2022 Florence Blanc-Renaud - 4.9.8-7 +- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9 + - KRB instance: make provision to work with crypto policy without SHA-1 HMAC types + - tests: ensure AD-SUPPORT subpolicy is active + - ipatests: extend AES keyset to SHA2-based ones + - freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream + - Kerberos instance: default to AES256-SHA2 for master key encryption + - test_otp: do not use paramiko unless it is really needed + - test_krbtpolicy: skip SPAKE-related tests in FIPS mode + - Support AES for KRA archival wrapping + - Set AES as default for KRA archival wrapping + +* Thu Feb 24 2022 Florence Blanc-Renaud - 4.9.8-6 +- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests + - ipatests: Tests for Autoprivate group. + - mark xfail for test_idoverride_with_auto_private_group[hybrid] + - Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid] + +* Mon Feb 14 2022 Alexander Bokovoy - 4.9.8-5 +- Resolves: rhbz#2053025 + - add IPA test suite fixes + +* Mon Feb 14 2022 Alexander Bokovoy - 4.9.8-4 +- Resolves: rhbz#2053586 IPA LDAP plugin ipa-cldap memory leak + - fix memory leak in CLDAP responder + +* Fri Feb 11 2022 Florence Blanc-Renaud - 4.9.8-3 +- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes + - Don't always override the port in import_included_profiles +- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation + - Test ipa-ccache-sweep.timer enabled by default during installation + - Enable the ccache sweep timer during installation +- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output + - Remove ipa-join errors from behind the debug option + +* Thu Feb 03 2022 Florence Blanc-Renaud - 4.9.8-2 +- Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed' + - Config plugin: return EmptyModlist when no change is applied + - config plugin: add a test ensuring EmptyModlist is returned +- Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests + - ipatests: webui: Tests for subordinate ids. + - ipatests: webui: Use safe-loader for loading YAML configuration file + - ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown + - Test cases for ipa-replica-conncheck command + - PEP8 Fixes + - ipatests: Test empty cert request doesn't force certmonger to segfault + - ipatests: Test default value of nsslapd-sizelimit. + - Extend test to see if replica is not shown when running `ipa-replica-manage list -v ` + - Added test automation for SHA384withRSA CSR support +- Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened + - ipa-kdb: do not remove keys for hardened auth-enabled users + - ipatests: add case for hardened-only ticket policy +- Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy + - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus + +* Thu Dec 02 2021 Florence Blanc-Renaud - 4.9.8-1 +- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9 +- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1' +- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade +- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump +- Resolves: rhbz#1986054 - fix automountlocation-tofiles output +- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec +- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets + - ipa-kdb: issue PAC_REQUESTER_SID only for TGTs + - ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates + +* Tue Oct 5 2021 Florence Blanc-Renaud - 4.9.6-9 +- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance' + - Parse getStatus as JSON not XML + - Parse cert chain as JSON not XML + - Specify PKI installation log paths + - Make Dogtag return XML for ipa cert-find + +* Fri Sep 17 2021 Florence Blanc-Renaud - 4.9.6-8 +- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding + - Don't store entries with a usercertificate in the LDAP cache + - ipatests: Test that a user can be issued multiple certificates + +* Fri Sep 10 2021 Florence Blanc-Renaud - 4.9.6-7 +- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server + - selinux policy: allow custodia to access /proc/cpuinfo +- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT + - extdom: return LDAP_NO_SUCH_OBJECT if domains differ +- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID. + - subid: subid-match: display the owner's ID not DN +- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled + - migrate-ds: workaround to detect compat tree + +* Thu Aug 26 2021 Florence Blanc-Renaud - 4.9.6-6 +- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests + - ipatests: Test unsecure nsupdate. + - ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser + - ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files + - ipatests: test to renew certs on replica using ipa-cert-fix + - ipatests: wait while http/ldap/pkinit cert get renew on replica + - ipatests: refactor test_ipa_cert_fix with tasks + - ipatests: use whole date for journalctl --since +* Tue Aug 17 2021 Florence Blanc-Renaud - 4.9.6-5 +- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided + - ipa-getkeytab: add option to discover servers using DNS SRV + - ipa-getkeytab: fix compiler warnings + - ipatests: test ipa-getkeytab server option +- Resolves: rhbz#1986329 ipa-server install failure without DNS + - Fix ldapupdate.get_sub_dict() for missing named user +- Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg + - freeipa.spec.in: remove python3-pexpect from Requires +- Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests + - ipatests: use whole date when calling journalctl --since + - ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab + - ipatests: test_ipahealthcheck: print a message if a system is healthy + - ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency + - webui tests: close notification when revoking cert + - ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg + - webui tests: fix algo for finding available idrange + - ipatests: smbclient "-k" => "--use-kerberos=desired" + - test_acme: refactor with tasks + - test_acme: make password renewal more robust + - tasks.py: fix flake8-reported issues + - ipatests: Test for OTP when the LDAP connection timed out. + - ipatests: verify that getcert output includes the issued date + - ipatests: Look for warning into stderr instead of stdout + - ipatests: use krb5_trace in TestIpaAdTrustInstall + - ipatests: Test ldapsearch with base scope works with compat tree. + - ipatests: skip test_basesearch_compat_tree on fedora. + - ipatests: Refactor test_check_otpd_after_idle_timeout + +* Mon Aug 09 2021 Mohan Boddu - 4.9.6-4.1 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Jul 23 2021 Rob Crittenden - 4.9.6-4 +- Use new method in check to prevent removal of last KRA (#1985072) +- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952) +- Fix index definition for memberOf (#1952028) + +* Thu Jul 15 2021 Florence Blanc-Renaud - 4.9.6-3 +- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services +- Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota" +- Resolves: rhbz#1952028 [RFE] Add support for managing subuids and subgids in FreeIPA +- Resolves: rhbz#1981789 [man page] contradiction in ipa-server-upgrade command's man page and usage + +* Fri Jul 9 2021 Florence Blanc-Renaud - 4.9.6-2 +- Resolves: rhbz#1955440 ipa installation fails to configure chrony +- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage +- Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add +- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services + +* Wed Jun 30 2021 Florence Blanc-Renaud - 4.9.6-1 +- Resolves: rhbz#1969351 Rebase IPA to latest 4.9.x version +- Resolves: rhbz#1976288 ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache +- Resolves: rhbz#1975139 Upgrade error: Add failure missing required attribute "objectclass" +- Resolves: rhbz#1973024 CA_less ipa-server-install fails if CA cert subject contains non ascii chars +- Resolves: rhbz#1966101 [RFE] - IDM - Allow specifying permanent logging settings for BIND +- Resolves: rhbz#1962570 IPA in c9s should not require redhat-logos-ipa as a runtime package +- Resolves: rhbz#1957736 [RFE] IPA to allow configuring auto-private-groups at idrange level + +* Wed Jun 16 2021 Mohan Boddu - 4.9.3-2.1 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Tue Apr 20 2021 Florence Blanc-Renaud - 4.9.3-2 +- RHEL 9 Beta mass rebuild. Resolves: rhbz#1951304 + +* Wed Mar 31 2021 Alexander Bokovoy - 4.9.3-1 +- Upstream release FreeIPA 4.9.3 + +* Fri Feb 26 2021 Alexander Bokovoy - 4.9.2-4 +- Rebuild against 389-ds and PKI to fix https://github.com/389ds/389-ds-base/issues/4609 + +* Tue Feb 23 2021 Alexander Bokovoy - 4.9.2-3 +- Only use python-platform on RHEL 8 + +* Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-2 +- Fix ipatests dependency to python3-pexpect + +* Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-1 +- Upstream release FreeIPA 4.9.2 + +* Wed Jan 27 2021 Alexander Bokovoy - 4.9.1-1 +- Upstream release FreeIPA 4.9.1 + +* Tue Jan 26 2021 Fedora Release Engineering - 4.9.0-2.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 20 2021 Rob Crittenden - 4.9.0-2 +- Set client keytab location for 389ds (RHBZ#1918075) + +* Wed Dec 23 17:05:00 EET 2020 Alexander Bokovoy - 4.9.0-1 +- FreeIPA 4.9.0 final release + +* Wed Dec 16 07:52:00 EET 2020 Alexander Bokovoy - 4.9.0-0.6.rc3 +- Refactor DNSSEC paths creation code (upstream PR#5340) + +* Thu Dec 10 20:06:03 EET 2020 Alexander Bokovoy - 4.9.0-0.5.rc3 +- FreeIPA 4.9.0 release candidate 3 +- Enforce C.UTF-8 locale in systemd service units +- Fold up fixes from Rawhide and RHEL 8.4 testing + +* Wed Dec 9 20:06:03 EET 2020 Alexander Bokovoy - 4.9.0-0.4.rc2 +- Fix upgrade script for CA rule rewrites +- Fix permissions for /run/ipa/ccaches + +* Fri Dec 4 22:17:00 EET 2020 Alexander Bokovoy - 4.9.0-0.3.rc2 +- Correct SELinux policy requirements + +* Fri Dec 4 13:41:28 EET 2020 Alexander Bokovoy - 4.9.0-0.2.rc2 +- FreeIPA 4.9.0 release candidate 2 + +* Thu Nov 19 2020 Alexander Bokovoy - 4.9.0-0.1.rc1 +- Use correct bind PKCS11 engine dependencies +- Fix SELinux build requirement +- Fix linting requirements + +* Wed Nov 18 2020 Alexander Bokovoy - 4.9.0-0.rc1 +- FreeIPA 4.9.0 release candidate 1 +- Synchronize spec file with upstream and RHEL + +* Wed Oct 28 2020 Adam Williamson - 4.8.10-7 +- Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+ + +* Tue Oct 13 2020 Alexander Bokovoy - 4.8.10-6 +- Handle sshd_config upgrade properly + Fixes: rhbz#1887928 + +* Tue Sep 29 2020 Alexander Bokovoy - 4.8.10-5 +- Properly handle upgrade case when systemd-resolved is enabled + +* Mon Sep 28 2020 Alexander Bokovoy - 4.8.10-4 +- Fix permissions for /etc/systemd/resolved.conf.d/zzz-ipa.conf +- Add NetworkManager and systemd-resolved configuration files to backup + +* Sun Sep 27 2020 Alexander Bokovoy - 4.8.10-3 +- Fix dependency between freeipa-selinux and freeipa-common +- Resolves: rhbz#1883005 + +* Sat Sep 26 2020 Alexander Bokovoy - 4.8.10-2 +- Support upgrade F32 -> F33 with systemd-resolved + +* Sat Sep 26 2020 Alexander Bokovoy - 4.8.10-1 +- Upstream release FreeIPA 4.8.10 + +* Fri Aug 21 2020 Alexander Bokovoy - 4.8.9-2 +- Backport fix for detecting older installations on upgrade + +* Thu Aug 20 2020 François Cami - 4.8.9-1 +- Upstream release FreeIPA 4.8.9 + +* Mon Aug 03 2020 Alexander Bokovoy - 4.8.7-5 +- Make use of unshare+chroot in ipa-extdom-extop unittests to work against glibc 2.32 + +* Sat Aug 01 2020 Fedora Release Engineering - 4.8.7-4 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jul 30 2020 Merlin Mathesius - 4.8.7-3 +- Conditional fixes for ELN to set krb5-kdb version appropriately + +* Mon Jul 27 2020 Fedora Release Engineering - 4.8.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jun 10 2020 Alexander Bokovoy - 4.8.7-1 +- Upstream release FreeIPA 4.8.7 + +* Tue May 26 2020 Miro Hrončok - 4.8.6-2 +- Rebuilt for Python 3.9 + +* Fri Mar 27 2020 Alexander Bokovoy - 4.8.6-1 +- Upstream release FreeIPA 4.8.6 + +* Sat Mar 21 2020 Alexander Bokovoy - 4.8.5-2 +- Roll up post-release fixes from upstream +- Move freeipa-selinux to be a dependency of freeipa-common + +* Wed Mar 18 2020 Alexander Bokovoy - 4.8.5-1 +- Upstream release FreeIPA 4.8.5 +- Depend on selinux-policy-devel 3.14.6-9 for build due to a makefile issue in + SELinux external policy support + +* Tue Mar 03 2020 Alexander Bokovoy - 4.8.4-8 +- Support opendnssec 2.1 +- Resolves: #1809492 + +* Mon Feb 17 2020 François Cami - 4.8.4-7 +- Fix audit_as_req() callback usage +- Resolves: #1803786 + +* Sat Feb 01 2020 Alexander Bokovoy - 4.8.4-6 +- Fix constraint delegation for krb5 1.18 update +- Resolves: #1797096 + +* Tue Jan 28 2020 Fedora Release Engineering - 4.8.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Jan 28 2020 Alexander Bokovoy - 4.8.4-4 +- Rebuild against krb5 1.18 beta + +* Sun Jan 26 2020 Alexander Bokovoy - 4.8.4-3 +- Rebuild against Samba 4.12RC1 + +* Mon Dec 16 2019 Adam Williamson - 4.8.4-2 +- Backport PR #4045 to fix overlapping DNS zone check bugs + +* Sat Dec 14 2019 Alexander Bokovoy - 4.8.4-1 +- New upstream release 4.8.4 + +* Tue Nov 26 2019 Alexander Bokovoy - 4.8.3-1 +- New upstream release 4.8.3 +- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() +- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch + +* Tue Nov 12 2019 Rob Crittenden - 4.8.2-1 +- New upstream release 4.8.2 +- Replace %%{_libdir} macro in BuildRequires (#1746882) +- Restore user-nsswitch.conf before calling authselect (#1746557) +- ipa service-find does not list cifs service created by + ipa-client-samba (#1731433) +- Occasional 'whoami.data is undefined' error in FreeIPA web UI + (#1699109) +- ipa-kra-install fails due to fs.protected_regular=1 (#1698384) + +* Sun Oct 20 2019 Alexander Bokovoy - 4.8.1-5 +- Don't create log files from helper scripts +- Fixes: rhbz#1754189 + +* Tue Oct 08 2019 Christian Heimes - 4.8.1-4 +- Fix compatibility issue with preexec_fn in Python 3.8 +- Fixes: rhbz#1759290 + +* Tue Oct 1 2019 Alexander Bokovoy - 4.8.1-3 +- Fix ipasam for compatibility with Samba 4.11 +- Fixes: rhbz#1757089 + +* Mon Aug 19 2019 Miro Hrončok - 4.8.1-2 +- Rebuilt for Python 3.8 + +* Wed Aug 14 2019 Alexander Bokovoy - 4.8.1-1 +- New upstream release 4.8.1 +- Fixes: rhbz#1732528 +- Fixes: rhbz#1732524 + +* Thu Jul 25 2019 Fedora Release Engineering - 4.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Jul 03 2019 Alexander Bokovoy - 4.8.0-1 +- New upstream release 4.8.0 +- New subpackage: freeipa-client-samba + +* Sat May 11 2019 Alexander Bokovoy - 4.7.90.pre1-6 +- Upgrade: handle situation when trusts were configured but not established yet + Fixed: rhbz#1708808 + +* Fri May 3 2019 Alexander Bokovoy - 4.7.90.pre1-5 +- Add krb5-kdb-server dependency provided by krb5-server >= 1.17-17 + +* Fri May 3 2019 Alexander Bokovoy - 4.7.90.pre1-4 +- Rebuild to drop upper limit for Kerberos package + After krb5-server will provide krb5-kdb-version, we'll switch to it + +* Wed May 1 2019 Adam Williamson - 4.7.90.pre1-3 +- Backport PR #3104 to fix a font path error + +* Wed May 1 2019 Alexander Bokovoy - 4.7.90.pre1-2 +- Revert MINSSF defaults because realmd cannot join FreeIPA right now + as it uses anonymous LDAP connection for the discovery and validation + +* Mon Apr 29 2019 Alexander Bokovoy - 4.7.90.pre1-1 +- First release candidate for FreeIPA 4.8.0 + +* Sat Apr 06 2019 Alexander Bokovoy - 4.7.2-8 +- Fixed: rhbz#1696963 (Failed to install replica) + +* Sat Apr 06 2019 Alexander Bokovoy - 4.7.2-7 +- Support Samba 4.10 +- Support 389-ds 1.4.1.2-2.fc30 or later + +* Thu Feb 28 2019 Alexander Bokovoy - 4.7.2-6 +- Support new nfs-utils behavior (#1668836) +- ipa-client-automount now works without /etc/sysconfig/nfs + +* Tue Feb 19 2019 François Cami - 4.7.2-5 +- Fix FTBS due to Samba having removed talloc_strackframe.h + and memory.h (#1678670) +- Fix CA setup when fs.protected_regular=1 (#1677027) + +* Mon Feb 11 2019 Alexander Bokovoy - 4.7.2-4 +- Disable python dependency generator in Rawhide as not all required packages support it yet +- Require python-kdcproxy 0.4.1 or later on Rawhide + +* Fri Feb 8 2019 Alexander Bokovoy - 4.7.2-3 +- Fix compile issues after a mass rebuild using upstream patches + +* Thu Jan 31 2019 Fedora Release Engineering - 4.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Dec 03 2018 Alexander Bokovoy - 4.7.2-1 +- Upstream release FreeIPA 4.7.2 + +* Wed Nov 28 2018 Adam Williamson - 4.7.1-4 +- Update PR #2610 patch to tiran's modified version + +* Tue Nov 27 2018 Adam Williamson - 4.7.1-3 +- Backport PR #2610 to fix for authselect 1.0.2+ (see #1645708) + +* Sun Nov 11 2018 Alexander Bokovoy - 4.7.1-2 +- Rebuild for krb5-1.17 (#1648673) +- Bump required SSSD version to 2.0.0-4 to get back pysss.getgrouplist() API + +* Fri Oct 5 2018 Rob Crittenden - 4.7.1-1 +- Update to upstream 4.7.1 + +* Tue Sep 25 2018 Christian Heimes - 4.7.0-5 +- Remove Python 2 support from Fedora 30 +- https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal + +* Tue Sep 4 2018 Thomas Woerner - 4.7.0-4 +- Enable python2 client packages for f30 for now again + +* Tue Sep 4 2018 Thomas Woerner - 4.7.0-3 +- Force generation of aclocal.m4 and configuration scripts +- Fix only client build for Fedora>=28 and RHEL>7 +- Bring back special patch handling for Fedora + +* Mon Sep 3 2018 Thomas Woerner - 4.7.0-2 +- Restore SELinux context of session_dir /etc/httpd/alias (pagure#7662) +- Restore SELinux context of template_dir /var/log/dirsrv/slapd-X (pagure#7662) +- Add "389-ds-base-legacy-tools" to requires +- Refactor os-release and platform information (#1609475) +- Don't check for systemd service (#1609475) +- Switched to upstream spec file with small adaptions + +* Thu Jul 26 2018 Thomas Woerner - 4.7.0-1 +- Update to upstream 4.7.0 +- New BuildRequires for nodejs and uglify-js +- New Requires for 389-ds-base-legacy-tools in server (RHBZ#1606541) +- Do not build python2-ipaserver and python2-ipatests for Fedora 29 and up +- Do not build any python2 packages for Fedora 30 +- Added ipatest man pages to python3-ipatests packages also +- Added ipatest bindir links to python3-ipatests for Fedora up to 28 +- Dropped explicit copy of freeipa.template, install is doing this now +- Added upstream fix: (f3faecb) Fix $-style format string in ipa_ldap_init +- Added upstream fix: (4b592fe,1a7baa2) Added reason to raise of errors.NotFound + +* Mon Jul 16 2018 Alexander Bokovoy - 4.6.90.pre2-11 +- Use version-aware macros for Python + +* Fri Jul 13 2018 Fedora Release Engineering - 4.6.90.pre2-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 02 2018 Miro Hrončok - 4.6.90.pre2-9 +- Rebuilt for Python 3.7 + +* Wed Jun 27 2018 Rob Crittenden - 4.6.90.pre2-8 +- Build UI using py3-lesscpy + +* Tue Jun 19 2018 Rob Crittenden - 4.6.90.pre2-7 +- *-domainname.service moved to the hostname package in F29 (#1592355) + +* Tue Jun 19 2018 Miro Hrončok - 4.6.90.pre2-6 +- Rebuilt for Python 3.7 + +* Fri Jun 15 2018 Rob Crittenden - 4.6.90.pre2-5 +- Change BuildRequires from python-lesscpy to python3-lesscpy + +* Fri Jun 15 2018 Rob Crittenden - 4.6.90.pre2-4.1 +- Rename service fedora-domainname.service to nis-domainname.service + (#1588192) +- Fix bad date in changelog + +* Wed May 16 2018 Alexander Bokovoy - 4.6.90.pre2-3 +- Fine tune packaging of server templates so that it doesn't include + freeipa.template which always go to freeipa-client-common + +* Tue May 15 2018 Rob Crittenden - 4.6.90.pre2-2 +- Exclude /usr/share from client-only builds + +* Tue May 15 2018 Rob Crittenden - 4.6.90.pre2-1 +- Update to upstream 4.6.90.pre2 + +* Wed May 02 2018 Alexander Bokovoy - 4.6.90.pre1-7 +- Fix upgrade when named.conf does not exist +- Resolves rhbz#1573671 +- Requires newer slapi-nis to avoid hitting rhbz#1573636 + +* Wed Mar 21 2018 Alexander Bokovoy - 4.6.90.pre1-6.1 +- Change upgrade code to use DIR-based ccache and no kinit (#1558818) +- Require pki-symkey until pki-core has proper dependencies + +* Wed Mar 21 2018 Alexander Bokovoy - 4.6.90.pre1-6 +- Change upgrade code to use DIR-based ccache and no kinit (#1558818) + +* Tue Mar 20 2018 Alexander Bokovoy - 4.6.90.pre1-5 +- Apply upstream fix for #1558354 +- Run upgrade under file-based ccache (#1558818) +- Fix OTP token issuance due to regression in https://pagure.io/389-ds-base/issue/49617 + +* Tue Mar 20 2018 Adam Williamson - 4.6.90.pre1-4 +- Fix upgrades harder (extension of -3 patch) (#1558354) + +* Tue Mar 20 2018 Alexander Bokovoy - 4.6.90.pre1-3 +- Fix upgrade from F27 to F28 (#1558354) + +* Mon Mar 19 2018 Rob Crittenden - 4.6.90.pre1-2 +- Patch to fix GUI login for non-admin users (#1557609) + +* Fri Mar 16 2018 Rob Crittenden - 4.6.90.pre1-1 +- Update to upstream 4.6.90.pre1 + +* Tue Feb 20 2018 Rob Crittenden - 4.6.3-5 +- Disable i686 server builds because 389-ds no longer provides + builds on that arch. (#1544386) + +* Fri Feb 09 2018 Igor Gnatenko - 4.6.3-4 +- Escape macros in %%changelog + +* Thu Feb 8 2018 Rob Crittenden - 4.6.3-3 +- Don't fail on upgrades if KRA is not installed +- Remove Conflicts between mod_wsgi and python3-mod_wsgi + +* Wed Feb 07 2018 Fedora Release Engineering - 4.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 31 2018 Rob Crittenden - 4.6.3-1 +- Update to upstream 4.6.3 + +* Wed Jan 03 2018 Lumír Balhar - 4.6.1-5 +- Fix directory ownership in python3 subpackage + +* Tue Oct 17 2017 Rob Crittenden - 4.6.1-4 +- Update workaround patch to prevent SELinux execmem AVC (#1491508) + +* Mon Oct 16 2017 Alexander Bokovoy - 4.6.1-3 +- Another attempt at fix for bug #1491053 + +* Fri Oct 06 2017 Tomas Krizek - 4.6.1-2 +- Rebuild against krb5-1.16 + +* Fri Sep 22 2017 Tomas Krizek - 4.6.1-1 +- Fixes #1491053 Firefox reports insecure TLS configuration when visiting + FreeIPA web UI after standard server deployment + +* Wed Sep 13 2017 Adam Williamson - 4.6.0-3 +- Fixes #1490762 Ipa-server-install update dse.ldif with wrong SELinux context +- Fixes #1491056 FreeIPA enrolment via kickstart fails + +* Wed Sep 06 2017 Adam Williamson - 4.6.0-2 +- Fixes #1488640 "unknown command 'undefined'" error when changing password in web UI +- BuildRequires diffstat (for the use in patch application) + +* Mon Sep 04 2017 Tomas Krizek - 4.6.0-1 +- Rebase to upstream 4.6.0 + +* Wed Aug 02 2017 Fedora Release Engineering - 4.5.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 4.5.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jul 21 2017 Tomas Krizek - 4.5.3-1 +- Update to upstream 4.5.3 - see https://www.freeipa.org/page/Releases/4.5.3 + +* Thu Jul 13 2017 Alexander Bokovoy - 4.5.2-4 +- Make sure tmpfiles.d snippet for replica is in place after install + +* Mon Jul 10 2017 Alexander Bokovoy - 4.5.2-3 +- Fix build with Samba 4.7.0-RC1 +- Increase java stack for rhino calls to get around crashes on ppc64-le + +* Tue Jun 20 2017 Tomas Krizek - 4.5.2-2 +- Patch: Fix IP address checks +- Patch: python-netifaces fix + +* Sun Jun 18 2017 Tomas Krizek - 4.5.2-1 +- Update to upstream 4.5.2 - see https://www.freeipa.org/page/Releases/4.5.2 + +* Thu May 25 2017 Tomas Krizek - 4.5.1-1 +- Update to upstream 4.5.1 - see https://www.freeipa.org/page/Releases/4.5.1 +- Fixes #1168266 UI drops "Enknown Error" when the ipa record in /etc/hosts changes + +* Tue May 23 2017 Tomas Krizek - 4.4.4-2 +- Fixes #1448049 Subpackage freeipa-server-common has unmet dependencies on Rawhide +- Fixes #1430247 FreeIPA server deployment runs ipa-custodia on Python 3, should use Python 2 +- Fixes #1446744 python2-ipaclient subpackage does not own %%{python_sitelib}/ipaclient/plugins +- Fixes #1440525 surplus 'the' in output of `ipa-adtrust-install` +- Fixes #1411810 ipa-replica-install fails with 406 Client Error +- Fixes #1405814 ipa plugins: ERROR an internal error occured + +* Fri Mar 24 2017 Tomas Krizek - 4.4.4-1 +- Update to upstream 4.4.4 - see https://www.freeipa.org/page/Releases/4.4.4 +- Add upstream signature file for tarball + +* Wed Mar 1 2017 Alexander Bokovoy - 4.4.3-8 +- Use different method to keep /usr/bin/ipa on Python 2 +- Fixes #1426847 + +* Mon Feb 27 2017 Tomas Krizek - 4.4.3-7 +- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for + ca-del, ca-disable and ca-enable commands + +* Mon Feb 27 2017 Alexander Bokovoy - 4.4.3-6 +- Rebuild to pick up system-python dependency change +- Fixes #1426847 - Cannot upgrade freeipa-client on rawhide + +* Wed Feb 15 2017 Tomas Krizek - 4.4.3-5 +- Fixes #1403352 - bind-dyndb-ldap: support new named.conf API in BIND 9.11 +- Fixes #1412739 - ipa-kdb: support DAL version 6.1 + +* Fri Feb 10 2017 Fedora Release Engineering - 4.4.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sat Jan 21 2017 Igor Gnatenko - 4.4.3-3 +- Rebuild for xmlrpc-c + +* Thu Dec 22 2016 Miro Hrončok - 4.4.3-2 +- Rebuild for Python 3.6 + +* Fri Dec 16 2016 Pavel Vomacka - 4.4.3-1 +- Update to upstream 4.4.3 - see http://www.freeipa.org/page/Releases/4.4.3 + +* Wed Dec 14 2016 Pavel Vomacka - 4.4.2-4 +- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod +- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services + by abusing password policy + +* Tue Nov 29 2016 Petr Vobornik - 4.4.2-3 +- Fixes 1389866 krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV + +* Fri Oct 21 2016 Petr Vobornik - 4.4.2-2 +- Rebuild against krb5-1.15 + +* Thu Oct 13 2016 Petr Vobornik - 4.4.2-1 +- Update to upstream 4.4.2 - see http://www.freeipa.org/page/Releases/4.4.2 + +* Thu Sep 01 2016 Alexander Bokovoy - 4.4.1-1 +- Update to upstream 4.4.1 - see http://www.freeipa.org/page/Releases/4.4.1 + +* Fri Aug 19 2016 Petr Vobornik - 4.3.2-2 +- Fixes 1365669 - The ipa-server-upgrade command failed when named-pkcs11 does + not happen to run during dnf upgrade +- Fixes 1367883 - CVE-2016-5404 freeipa: ipa: Insufficient privileges check + in certificate revocation +- Fixes 1364338 - Freeipa cannot be build on fedora 25 + +* Fri Jul 22 2016 Petr Vobornik - 4.3.2-1 +- Update to upstream 4.3.2 - see http://www.freeipa.org/page/Releases/4.3.2 + +* Tue Jul 19 2016 Fedora Release Engineering - 4.3.1-2 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Mar 24 2016 Petr Vobornik - 4.3.1-1 +- Update to upstream 4.3.1 - see http://www.freeipa.org/page/Releases/4.3.1 + +* Thu Feb 04 2016 Petr Vobornik - 4.3.0-3 +- Fix build with Samba 4.4 +- Update SELinux requires to fix connection check during installation + +* Wed Feb 03 2016 Fedora Release Engineering - 4.3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Dec 18 2015 Petr Vobornik - 4.3.0-1 +- Update to upstream 4.3.0 - see http://www.freeipa.org/page/Releases/4.3.0 + +* Mon Dec 07 2015 Petr Vobornik - 4.2.3-2 +- Workarounds for SELinux execmem violations in cryptography + +* Mon Nov 02 2015 Petr Vobornik - 4.2.3-1 +- Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3 +- fix #1274905 + +* Wed Oct 21 2015 Alexander Bokovoy - 4.2.2-2 +- Depend on samba-common-tools for the trust-ad subpackage after + samba package split +- Rebuild against krb5 1.14 to fix bug #1273957 + +* Thu Oct 8 2015 Petr Vobornik - 4.2.2-1 +- Update to upstream 4.2.2 - see http://www.freeipa.org/page/Releases/4.2.2 + +* Mon Sep 7 2015 Petr Vobornik - 4.2.1-1 +- Update to upstream 4.2.1 - see http://www.freeipa.org/page/Releases/4.2.1 + +* Wed Jun 17 2015 Fedora Release Engineering - 4.1.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 12 2015 Alexander Bokovoy - 4.1.4-4 +- Fix typo in the patch to fix bug #1219834 + +* Mon May 11 2015 Alexander Bokovoy - 4.1.4-3 +- Fix FreeIPA trusts to AD feature with Samba 4.2 (#1219834) + +* Mon Mar 30 2015 Petr Vobornik - 4.1.4-2 +- Replace mod_auth_kerb usage with mod_auth_gssapi + +* Thu Mar 26 2015 Alexander Bokovoy - 4.1.4-1 +- Update to upstream 4.1.4 - see http://www.freeipa.org/page/Releases/4.1.4 +- fix CVE-2015-1827 (#1206047) +- Require slapi-nis 0.54.2 and newer for CVE-2015-0283 fixes + +* Tue Mar 17 2015 Petr Vobornik - 4.1.3-3 +- Timeout ipa-client install if ntp server is unreachable #4842 +- Skip time sync during client install when using --no-ntp #4842 + +* Wed Mar 04 2015 Petr Vobornik - 4.1.3-2 +- Add missing sssd python dependencies +- https://bugzilla.redhat.com/show_bug.cgi?id=1197218 + +* Wed Feb 18 2015 Petr Vobornik - 4.1.3-1 +- Update to upstream 4.1.3 - see http://www.freeipa.org/page/Releases/4.1.3 + +* Mon Jan 19 2015 Alexander Bokovoy - 4.1.2-2 +- Fix broken build after Samba ABI change and rename of libpdb to libsamba-passdb +- Use python-dateutil15 until we validate python-dateutil 2.x + +* Tue Nov 25 2014 Petr Vobornik - 4.1.2-1 +- Update to upstream 4.1.2 - see http://www.freeipa.org/page/Releases/4.1.2 +- fix CVE-2014-7850 + +* Thu Nov 20 2014 Simo Sorce - 4.1.1-2 +- Patch blokers and feature freze exceptions +- Resolves: bz1165674 +- Resolves: bz1165856 (CVE-2014-7850) +- Fixes DNS install issue that prevents the server from working + +* Thu Nov 06 2014 Petr Vobornik - 4.1.1-1 +- Update to upstream 4.1.1 - see http://www.freeipa.org/page/Releases/4.1.1 +- fix CVE-2014-7828 + +* Wed Oct 22 2014 Petr Vobornik - 4.1.0-2 +- fix armv7hl stack oversize build failure +- fix https://fedorahosted.org/freeipa/ticket/4660 + +* Tue Oct 21 2014 Petr Vobornik - 4.1.0-1 +- Update to upstream 4.1.0 - see http://www.freeipa.org/page/Releases/4.1.0 + +* Fri Sep 12 2014 Petr Viktorin - 4.0.3-1 +- Update to upstream 4.0.3 - see http://www.freeipa.org/page/Releases/4.0.3 + +* Fri Sep 05 2014 Petr Viktorin - 4.0.2-1 +- Update to upstream 4.0.1 - see http://www.freeipa.org/page/Releases/4.0.2 + +* Tue Sep 02 2014 Pádraig Brady - 4.0.1-3 +- rebuild for libunistring soname bump + +* Sat Aug 16 2014 Fedora Release Engineering - 4.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 25 2014 Martin Kosek 4.0.1-1 +- Update to upstream 4.0.1 + +* Mon Jul 07 2014 Petr Viktorin 4.0.0-1 +- Update to upstream 4.0.0 +- Remove the server-strict package + +* Sat Jun 07 2014 Fedora Release Engineering - 3.3.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 21 2014 Petr Vobornik 3.3.5-3 +- Increase Java stack size for Web UI build on aarch64 + +* Wed Apr 16 2014 Peter Robinson 3.3.5-2 +- Add rhino as dependency to fix FTBFS + +* Fri Mar 28 2014 Martin Kosek - 3.3.5-1 +- Update to upstream 3.3.5 + +* Tue Feb 11 2014 Martin Kosek - 3.3.4-3 +- Move ipa-otpd socket directory to /var/run/krb5kdc +- Require krb5-server 1.11.5-3 supporting the new directory +- ipa_lockout plugin did not work with users's without krbPwdPolicyReference + +* Wed Jan 29 2014 Martin Kosek - 3.3.4-2 +- Fix hardened build + +* Tue Jan 28 2014 Martin Kosek - 3.3.4-1 +- Update to upstream 3.3.4 +- Install CA anchor into standard location (#928478) +- ipa-client-install part of ipa-server-install fails on reinstall (#1044994) +- Remove mod_ssl workaround (RHEL bug #1029046) +- Enable syncrepl plugin to support bind-dyndb-ldap 4.0 + +* Fri Jan 3 2014 Martin Kosek - 3.3.3-5 +- Build crashed with rhino exception on s390 architectures (#1040576) + +* Thu Dec 12 2013 Martin Kosek - 3.3.3-4 +- Build crashed with rhino exception on PPC architectures (#1040576) + +* Tue Dec 3 2013 Martin Kosek - 3.3.3-3 +- Fix -Werror=format-security errors (#1037070) + +* Mon Nov 4 2013 Martin Kosek - 3.3.3-2 +- ipa-server-install crashed when freeipa-server-trust-ad subpackage was not + installed + +* Fri Nov 1 2013 Martin Kosek - 3.3.3-1 +- Update to upstream 3.3.3 + +* Fri Oct 4 2013 Martin Kosek - 3.3.2-1 +- Update to upstream 3.3.2 + +* Thu Aug 29 2013 Petr Viktorin - 3.3.1-1 +- Bring back Fedora-only changes + +* Thu Aug 29 2013 Petr Viktorin - 3.3.1-0 +- Update to upstream 3.3.1 + +* Wed Aug 14 2013 Alexander Bokovoy - 3.3.0-2 +- Remove freeipa-systemd-upgrade as non-systemd installs are not supported + anymore by Fedora project + +* Wed Aug 7 2013 Martin Kosek - 3.3.0-1 +- Update to upstream 3.3.0 + +* Sat Aug 03 2013 Fedora Release Engineering - 3.2.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 17 2013 Martin Kosek - 3.2.2-1 +- Update to upstream 3.2.2 +- Drop freeipa-server-selinux subpackage +- Drop redundant directory /var/cache/ipa/sessions +- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost +- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency + issues when there are still old parts of software (like entitlements plugin) + +* Fri Jun 7 2013 Martin Kosek - 3.2.1-1 +- Update to upstream 3.2.1 + +* Tue May 14 2013 Rob Crittenden - 3.2.0-2 +- Add OTP patches +- Add patch to set KRB5CCNAME for 389-ds-base + +* Fri May 10 2013 Rob Crittenden - 3.2.0-1 +- Update to upstream 3.2.0 GA +- ipa-client-install fails if /etc/ipa does not exist (#961483) +- Certificate status is not visible in Service and Host page (#956718) +- ipa-client-install removes needed options from ldap.conf (#953991) +- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) +- Add triggerin scriptlet to support OpenSSH 6.2 (#953617) +- Require nss 3.14.3-12.0 to address certutil certificate import + errors (#953485) +- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 + environments. (#953464) +- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) +- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) +- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for + socket based connections (#960222) +- Require libsss_nss_idmap-python +- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to + member is now done automatically and having it in the config file raises + an error. +- Add backup and restore tools, directory. +- require at least systemd 38 which provides the journal (we no longer + need to require syslog.target) +- Update Requires on policycoreutils to 2.1.14-37 +- Update Requires on selinux-policy to 3.12.1-42 +- Update Requires on 389-ds-base to 1.3.1.0 +- Remove a Requires for java-atk-wrapper + +* Tue Apr 23 2013 Rob Crittenden - 3.2.0-0.4.beta1 +- Remove release from krb5-server in strict sub-package to allow for rebuilds. + +* Mon Apr 22 2013 Rob Crittenden - 3.2.0-0.3.beta1 +- Add a Requires for java-atk-wrapper until we can determine which package + should be pulling it in, dogtag or tomcat. + +* Tue Apr 16 2013 Rob Crittenden - 3.2.0-0.2.beta1 +- Update to upstream 3.2.0 Beta 1 + +* Tue Apr 2 2013 Martin Kosek - 3.2.0-0.1.pre1 +- Update to upstream 3.2.0 Prerelease 1 +- Use upstream reference spec file as a base for Fedora spec file + +* Sat Mar 30 2013 Kevin Fenzi 3.1.2-4 +- Rebuild for broken deps +- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 + +* Sat Feb 23 2013 Kevin Fenzi - 3.1.2-3 +- Rebuild for broken deps in rawhide +- Fix 389-ds-base strict dep to be 1.3.0.3 + +* Wed Feb 13 2013 Fedora Release Engineering - 3.1.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 23 2013 Rob Crittenden - 3.1.2-1 +- Update to upstream 3.1.2 +- CVE-2012-4546: Incorrect CRLs publishing +- CVE-2012-5484: MITM Attack during Join process +- CVE-2013-0199: Cross-Realm Trust key leak +- Updated strict dependencies to 389-ds-base = 1.3.0.2 and + pki-ca = 10.0.1 + +* Thu Dec 20 2012 Martin Kosek - 3.1.0-2 +- Remove redundat Requires versions that are already in Fedora 17 +- Replace python-crypto Requires with m2crypto +- Add missing Requires(post) for client and server-trust-ad subpackages +- Restart httpd service when server-trust-ad subpackage is installed +- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes + +* Mon Dec 10 2012 Rob Crittenden - 3.1.0-1 +- Updated to upstream 3.1.0 GA +- Set minimum for sssd to 1.9.2 +- Set minimum for pki-ca to 10.0.0-1 +- Set minimum for 389-ds-base to 1.3.0 +- Set minimum for selinux-policy to 3.11.1-60 +- Remove unneeded dogtag package requires + +* Tue Oct 23 2012 Martin Kosek - 3.0.0-3 +- Update Requires on krb5-server to 1.11 + +* Fri Oct 12 2012 Rob Crittenden - 3.0.0-2 +- Configure CA replication to use TLS instead of SSL + +* Fri Oct 12 2012 Rob Crittenden - 3.0.0-1 +- Updated to upstream 3.0.0 GA +- Set minimum for samba to 4.0.0-153. +- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so + plugin to /dev/null since they cannot be used when trusts are configured +- Restrict krb5-server to 1.10. +- Update BR for 389-ds-base to 1.3.0 +- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca +- Add Requires on zip for generating FF browser extension + +* Fri Oct 5 2012 Rob Crittenden - 3.0.0-0.10 +- Updated to upstream 3.0.0 rc 2 +- Include new FF configuration extension +- Set minimum Requires of selinux-policy to 3.11.1-33 +- Set minimum Requires dogtag to 10.0.0-0.43.b1 +- Add new optional strict sub-package to allow users to limit other + package upgrades. + +* Tue Oct 2 2012 Martin Kosek - 3.0.0-0.9 +- Require samba packages instead of obsoleted samba4 packages + +* Fri Sep 21 2012 Rob Crittenden - 3.0.0-0.8 +- Updated to upstream 3.0.0 rc 1 +- Update BR for 389-ds-base to 1.2.11.14 +- Update BR for krb5 to 1.10 +- Update BR for samba4-devel to 4.0.0-139 (rc1) +- Add BR for python-polib +- Update BR and Requires on sssd to 1.9.0 +- Update Requires on policycoreutils to 2.1.12-5 +- Update Requires on 389-ds-base to 1.2.11.14 +- Update Requires on selinux-policy to 3.11.1-21 +- Update Requires on dogtag to 10.0.0-0.33.a1 +- Update Requires on certmonger to 0.60 +- Update Requires on tomcat to 7.0.29 +- Update minimum version of bind to 9.9.1-10.P3 +- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 +- Remove Requires on authconfig from python sub-package + +* Wed Sep 5 2012 Rob Crittenden - 3.0.0-0.7 +- Rebuild against samba4 beta8 + +* Fri Aug 31 2012 Rob Crittenden - 3.0.0-0.6 +- Rebuild against samba4 beta7 + +* Wed Aug 22 2012 Alexander Bokovoy - 3.0.0-0.5 +- Adopt to samba4 beta6 (libsecurity -> libsamba-security) +- Add dependency to samba4-winbind + +* Fri Aug 17 2012 Rob Crittenden - 3.0.0-0.4 +- Updated to upstream 3.0.0 beta 2 + +* Mon Aug 6 2012 Martin Kosek - 3.0.0-0.3 +- Updated to current upstream state of 3.0.0 beta 2 development + +* Mon Jul 23 2012 Alexander Bokovoy - 3.0.0-0.2 +- Rebuild against samba4 beta4 + +* Mon Jul 2 2012 Rob Crittenden - 3.0.0-0.1 +- Updated to upstream 3.0.0 beta 1 + +* Thu May 3 2012 Rob Crittenden - 2.2.0-1 +- Updated to upstream 2.2.0 GA +- Update minimum n-v-r of certmonger to 0.53 +- Update minimum n-v-r of slapi-nis to 0.40 +- Add Requires in client to oddjob-mkhomedir and python-krbV +- Update minimum selinux-policy to 3.10.0-110 + +* Mon Mar 19 2012 Rob Crittenden - 2.1.90-0.2 +- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) +- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. +- Add Conflicts on mod_ssl +- Update minimum n-v-r of 389-ds-base to 1.2.10.4 +- Update minimum n-v-r of sssd to 1.8.0 +- Update minimum n-v-r of slapi-nis to 0.38 +- Update minimum n-v-r of pki-* to 9.0.18 +- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 +- Update conflicts on bind to < 9.9.0-1 +- Drop requires on krb5-server-ldap +- Add patch to remove escaping arguments to pkisilent + +* Mon Feb 06 2012 Rob Crittenden - 2.1.90-0.1 +- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) + +* Wed Feb 01 2012 Alexander Bokovoy - 2.1.4-5 +- Force to use 389-ds 1.2.10-0.8.a7 or above +- Improve upgrade script to handle systemd 389-ds change +- Fix freeipa to work with python-ldap 2.4.6 + +* Wed Jan 11 2012 Martin Kosek - 2.1.4-4 +- Fix ipa-replica-install crashes +- Fix ipa-server-install and ipa-dns-install logging +- Set minimum version of pki-ca to 9.0.17 to fix sslget problem + caused by FEDORA-2011-17400 update (#771357) + +* Wed Dec 21 2011 Alexander Bokovoy - 2.1.4-3 +- Allow Web-based migration to work with tightened SE Linux policy (#769440) +- Rebuild slapi plugins against re-enterant version of libldap + +* Sun Dec 11 2011 Alexander Bokovoy - 2.1.4-2 +- Allow longer dirsrv startup with systemd: + - IPAdmin class will wait until dirsrv instance is available up to 10 seconds + - Helps with restarts during upgrade for ipa-ldap-updater +- Fix pylint warnings from F16 and Rawhide + +* Tue Dec 6 2011 Rob Crittenden - 2.1.4-1 +- Update to upstream 2.1.4 (CVE-2011-3636) + +* Mon Dec 5 2011 Rob Crittenden - 2.1.3-8 +- Update SELinux policy to allow ipa_kpasswd to connect ldap and + read /dev/urandom. (#759679) + +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-7 +- Fix wrong path in packaging freeipa-systemd-upgrade + +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-6 +- Introduce upgrade script to recover existing configuration after systemd migration + as user has no means to recover FreeIPA from systemd migration +- Upgrade script: + - recovers symlinks in Dogtag instance install + - recovers systemd configuration for FreeIPA's directory server instances + - recovers freeipa.service + - migrates directory server and KDC configs to use proper keytabs for systemd services + +* Wed Oct 26 2011 Fedora Release Engineering - 2.1.3-5 +- Rebuilt for glibc bug#747377 + +* Wed Oct 19 2011 Alexander Bokovoy - 2.1.3-4 +- clean up spec +- Depend on sssd >= 1.6.2 for better user experience + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-3 +- Fix Fedora package changelog after merging systemd changes + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-2 +- Fix postin scriplet for F-15/F-16 + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-1 +- 2.1.3 + +* Mon Oct 17 2011 Alexander Bokovoy - 2.1.2-1 +- Default to systemd for Fedora 16 and onwards + +* Tue Aug 16 2011 Rob Crittenden - 2.1.0-1 +- Update to upstream 2.1.0 + +* Fri May 6 2011 Simo Sorce - 2.0.1-2 +- Fix bug #702633 + +* Mon May 2 2011 Rob Crittenden - 2.0.1-1 +- Update minimum selinux-policy to 3.9.16-18 +- Update minimum pki-ca and pki-selinux to 9.0.7 +- Update minimum 389-ds-base to 1.2.8.0-1 +- Update to upstream 2.0.1 + +* Thu Mar 24 2011 Rob Crittenden - 2.0.0-1 +- Update to upstream GA release +- Automatically apply updates when the package is upgraded + +* Fri Feb 25 2011 Rob Crittenden - 2.0.0-0.4.rc2 +- Update to upstream freeipa-2.0.0.rc2 +- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in +- Set minimum version of sssd to 1.5.1 +- Patch to include SuiteSpotGroup when setting up 389-ds instances +- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled + +* Tue Feb 15 2011 Rob Crittenden - 2.0.0-0.3.rc1 +- Set the N-V-R so rc1 is an update to beta2. + +* Mon Feb 14 2011 Rob Crittenden - 2.0.0-0.1.rc1 +- Set minimum version of sssd to 1.5.1 +- Update to upstream freeipa-2.0.0.rc1 +- Move server-only binaries from admintools subpackage to server + +* Tue Feb 08 2011 Fedora Release Engineering - 2.0.0-0.2.beta2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Feb 3 2011 Rob Crittenden - 2.0.0-0.1.beta2 +- Set min version of 389-ds-base to 1.2.8 +- Set min version of mod_nss 1.0.8-10 +- Set min version of selinux-policy to 3.9.7-27 +- Add dogtag themes to Requires +- Update to upstream freeipa-2.0.0.pre2 + +* Thu Jan 27 2011 Rob Crittenden - 2.0.0-0.2.beta.git80e87e7 +- Remove unnecessary moving of v1 CA serial number file in post script +- Add Obsoletes for server-selinxu subpackage +- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da + +* Wed Jan 26 2011 Rob Crittenden - 2.0.0-0.1.beta.git80e87e7 +- Prepare spec file for release +- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 + +* Tue Jan 25 2011 Rob Crittenden - 1.99-41 +- Re-arrange doc and defattr to clean up rpmlint warnings +- Remove conditionals on older releases +- Move some man pages into admintools subpackage +- Remove some explicit Requires in client that aren't needed +- Consistent use of buildroot vs RPM_BUILD_ROOT + +* Wed Jan 19 2011 Adam Young - 1.99-40 +- Moved directory install/static to install/ui + +* Thu Jan 13 2011 Simo Sorce - 1.99-39 +- Remove dependency on nss_ldap/nss-pam-ldapd +- The official client is sssd and that's what we use by default. + +* Thu Jan 13 2011 Simo Sorce - 1.99-38 +- Remove radius subpackages + +* Thu Jan 13 2011 Rob Crittenden - 1.99-37 +- Set minimum pki-ca and pki-silent versions to 9.0.0 + +* Wed Jan 12 2011 Rob Crittenden - 1.99-36 +- Drop BuildRequires on mozldap-devel + +* Mon Dec 13 2010 Rob Crittenden - 1.99-35 +- Add Requires on krb5-pkinit-openssl + +* Fri Dec 10 2010 Jr Aquino - 1.99-34 +- Add ipa-host-net-manage script + +* Tue Dec 7 2010 Simo Sorce - 1.99-33 +- Add ipa init script + +* Fri Nov 19 2010 Rob Crittenden - 1.99-32 +- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin + +* Wed Nov 3 2010 Rob Crittenden - 1.99-31 +- remove ipa-fix-CVE-2008-3274 + +* Wed Oct 6 2010 Rob Crittenden - 1.99-30 +- Remove duplicate %%files entries on share/ipa/static +- Add python default encoding shared library + +* Mon Sep 20 2010 Rob Crittenden - 1.99-29 +- Drop requires on python-configobj (not used any more) +- Drop ipa-ldap-updater message, upgrades are done differently now + +* Wed Sep 8 2010 Rob Crittenden - 1.99-28 +- Drop conflicts on mod_nss +- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) +- Drop a slew of conditionals on older Fedora releases (< 12) +- Add a few conditionals against RHEL 6 +- Add Requires of nss-tools on ipa-client + +* Fri Aug 13 2010 Rob Crittenden - 1.99-27 +- Set minimum version of certmonger to 0.26 (to pck up #621670) +- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) +- Set minimum version of pki-ca to 1.3.6 +- Set minimum version of sssd to 1.2.1 + +* Tue Aug 10 2010 Rob Crittenden - 1.99-26 +- Add BuildRequires for authconfig + +* Mon Jul 19 2010 Rob Crittenden - 1.99-25 +- Bump up minimum version of python-nss to pick up nss_is_initialize() API + +* Thu Jun 24 2010 Adam Young - 1.99-24 +- Removed python-asset based webui + +* Thu Jun 24 2010 Rob Crittenden - 1.99-23 +- Change Requires from fedora-ds-base to 389-ds-base +- Set minimum level of 389-ds-base to 1.2.6 for the replication + version plugin. + +* Tue Jun 1 2010 Rob Crittenden - 1.99-22 +- Drop Requires of python-krbV on ipa-client + +* Mon May 17 2010 Rob Crittenden - 1.99-21 +- Load ipa_dogtag.pp in post install + +* Mon Apr 26 2010 Rob Crittenden - 1.99-20 +- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. + +* Thu Mar 4 2010 Rob Crittenden - 1.99-19 +- No need to create /var/log/ipa_error.log since we aren't using + TurboGears any more. + +* Mon Mar 1 2010 Jason Gerard DeRose - 1.99-18 +- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included + +* Wed Feb 24 2010 Jason Gerard DeRose - 1.99-17 +- Added Require mod_wsgi, added share/ipa/wsgi.py + +* Thu Feb 11 2010 Jason Gerard DeRose - 1.99-16 +- Require python-wehjit >= 0.2.2 + +* Wed Feb 3 2010 Rob Crittenden - 1.99-15 +- Add sssd and certmonger as a Requires on ipa-client + +* Wed Jan 27 2010 Jason Gerard DeRose - 1.99-14 +- Require python-wehjit >= 0.2.0 + +* Fri Dec 4 2009 Rob Crittenden - 1.99-13 +- Add ipa-rmkeytab tool + +* Tue Dec 1 2009 Rob Crittenden - 1.99-12 +- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 + Any type + +* Wed Nov 25 2009 Rob Crittenden - 1.99-11 +- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf + +* Fri Nov 13 2009 Rob Crittenden - 1.99-10 +- Add bash completion script and own /etc/bash_completion.d in case it + doesn't already exist + +* Tue Nov 3 2009 Rob Crittenden - 1.99-9 +- Remove ipa_webgui, its functions rolled into ipa_httpd + +* Mon Oct 12 2009 Jason Gerard DeRose - 1.99-8 +- Removed python-cherrypy from BuildRequires and Requires +- Added Requires python-assets, python-wehjit + +* Mon Aug 24 2009 Rob Crittenden - 1.99-7 +- Added httpd SELinux policy so CRLs can be read + +* Thu May 21 2009 Rob Crittenden - 1.99-6 +- Move ipalib to ipa-python subpackage +- Bump minimum version of slapi-nis to 0.15 + +* Wed May 6 2009 Rob Crittenden - 1.99-5 +- Set 0.14 as minimum version for slapi-nis + +* Wed Apr 22 2009 Rob Crittenden - 1.99-4 +- Add Requires: python-nss to ipa-python sub-package + +* Thu Mar 5 2009 Rob Crittenden - 1.99-3 +- Remove the IPA DNA plugin, use the DS one + +* Wed Mar 4 2009 Rob Crittenden - 1.99-2 +- Build radius separately +- Fix a few minor issues + +* Tue Feb 3 2009 Rob Crittenden - 1.99-1 +- Replace TurboGears requirement with python-cherrypy + +* Sat Jan 17 2009 Tomas Mraz - 1.2.1-3 +- rebuild with new openssl + +* Fri Dec 19 2008 Dan Walsh - 1.2.1-2 +- Fix SELinux code + +* Mon Dec 15 2008 Simo Sorce - 1.2.1-1 +- Fix breakage caused by python-kerberos update to 1.1 + +* Fri Dec 5 2008 Simo Sorce - 1.2.1-0 +- New upstream release 1.2.1 + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1.2.0-4 +- Rebuild for Python 2.6 + +* Fri Nov 14 2008 Simo Sorce - 1.2.0-3 +- Respin after the tarball has been re-released upstream + New hash is 506c9c92dcaf9f227cba5030e999f177 + +* Thu Nov 13 2008 Simo Sorce - 1.2.0-2 +- Conditionally restart also dirsrv and httpd when upgrading + +* Wed Oct 29 2008 Rob Crittenden - 1.2.0-1 +- Update to upstream version 1.2.0 +- Set fedora-ds-base minimum version to 1.1.3 for winsync header +- Set the minimum version for SELinux policy +- Remove references to Fedora 7 + +* Wed Jul 23 2008 Simo Sorce - 1.1.0-3 +- Fix for CVE-2008-3274 +- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface +- Add fix for bug #453185 +- Rebuild against openldap libraries, mozldap ones do not work properly +- TurboGears is currently broken in rawhide. Added patch to not build + the UI locales and removed them from the ipa-server files section. + +* Wed Jun 18 2008 Rob Crittenden - 1.1.0-2 +- Add call to /usr/sbin/upgradeconfig to post install + +* Wed Jun 11 2008 Rob Crittenden - 1.1.0-1 +- Update to upstream version 1.1.0 +- Patch for indexing memberof attribute +- Patch for indexing uidnumber and gidnumber +- Patch to change DNA default values for replicas +- Patch to fix uninitialized variable in ipa-getkeytab + +* Fri May 16 2008 Rob Crittenden - 1.0.0-5 +- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum + version to 1.0.7-4 so we pick up the NSS fixes. +- Add selinux-policy-base(post) to Requires (446496) + +* Tue Apr 29 2008 Rob Crittenden - 1.0.0-4 +- Add missing entry for /var/cache/ipa/kpasswd (444624) +- Added patch to fix permissions problems with the Apache NSS database. +- Added patch to fix problem with DNS querying where the query could be + returned as the answer. +- Fix spec error where patch1 was in the wrong section + +* Fri Apr 25 2008 Rob Crittenden - 1.0.0-3 +- Added patch to fix problem reported by ldapmodify + +* Fri Apr 25 2008 Rob Crittenden - 1.0.0-2 +- Fix Requires for krb5-server that was missing for Fedora versions > 9 +- Remove quotes around test for fedora version to package egg-info + +* Fri Apr 18 2008 Rob Crittenden - 1.0.0-1 +- Update to upstream version 1.0.0 + +* Tue Mar 18 2008 Rob Crittenden 0.99-12 +- Pull upstream changelog 722 +- Add Conflicts mod_ssl (435360) + +* Fri Feb 29 2008 Rob Crittenden 0.99-11 +- Pull upstream changelog 698 +- Fix ownership of /var/log/ipa_error.log during install (435119) +- Add pwpolicy command and man page + +* Thu Feb 21 2008 Rob Crittenden 0.99-10 +- Pull upstream changelog 678 +- Add new subpackage, ipa-server-selinux +- Add Requires: authconfig to ipa-python (bz #433747) +- Package i18n files + +* Mon Feb 18 2008 Rob Crittenden 0.99-9 +- Pull upstream changelog 641 +- Require minimum version of krb5-server on F-7 and F-8 +- Package some new files + +* Thu Jan 31 2008 Rob Crittenden 0.99-8 +- Marked with wrong license. IPA is GPLv2. + +* Tue Jan 29 2008 Rob Crittenden 0.99-7 +- Ensure that /etc/ipa exists before moving user-modifiable html files there +- Put html files into /etc/ipa/html instead of /etc/ipa + +* Tue Jan 29 2008 Rob Crittenden 0.99-6 +- Pull upstream changelog 608 which renamed several files + +* Thu Jan 24 2008 Rob Crittenden 0.99-5 +- package the sessions dir /var/cache/ipa/sessions +- Pull upstream changelog 597 + +* Thu Jan 24 2008 Rob Crittenden 0.99-4 +- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the + UI to not start. + +* Thu Jan 24 2008 Rob Crittenden 0.99-3 +- Included LICENSE and README in all packages for documentation +- Move user-modifiable content to /etc/ipa and linked back to + /usr/share/ipa/html +- Changed some references to /usr to the {_usr} macro and /etc + to {_sysconfdir} +- Added popt-devel to BuildRequires for Fedora 8 and higher and + popt for Fedora 7 +- Package the egg-info for Fedora 9 and higher for ipa-python + +* Tue Jan 22 2008 Rob Crittenden 0.99-2 +- Added auto* BuildRequires + +* Mon Jan 21 2008 Rob Crittenden 0.99-1 +- Unified spec file + +* Thu Jan 17 2008 Rob Crittenden - 0.6.0-2 +- Fixed License in specfile +- Include files from /usr/lib/python*/site-packages/ipaserver + +* Fri Dec 21 2007 Karl MacMillan - 0.6.0-1 +- Version bump for release + +* Wed Nov 21 2007 Karl MacMillan - 0.5.0-1 +- Preverse mode on ipa-keytab-util +- Version bump for relase and rpm name change + +* Thu Nov 15 2007 Rob Crittenden - 0.4.1-2 +- Broke invididual Requires and BuildRequires onto separate lines and + reordered them +- Added python-tgexpandingformwidget as a dependency +- Require at least fedora-ds-base 1.1 + +* Thu Nov 1 2007 Karl MacMillan - 0.4.1-1 +- Version bump for release + +* Wed Oct 31 2007 Karl MacMillan - 0.4.0-6 +- Add dep for freeipa-admintools and acl + +* Wed Oct 24 2007 Rob Crittenden - 0.4.0-5 +- Add dependency for python-krbV + +* Fri Oct 19 2007 Rob Crittenden - 0.4.0-4 +- Require mod_nss-1.0.7-2 for mod_proxy fixes + +* Thu Oct 18 2007 Karl MacMillan - 0.4.0-3 +- Convert to autotools-based build + +* Tue Sep 25 2007 Karl MacMillan - 0.4.0-2 + +* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 +- Added support for libipa-dna-plugin + +* Fri Aug 10 2007 Karl MacMillan - 0.2.0-1 +- Added support for ipa_kpasswd and ipa_pwd_extop + +* Sun Aug 5 2007 Rob Crittenden - 0.1.0-3 +- Abstracted client class to work directly or over RPC + +* Wed Aug 1 2007 Rob Crittenden - 0.1.0-2 +- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires +- Remove references to admin server in ipa-server-setupssl +- Generate a client certificate for the XML-RPC server to connect to LDAP with +- Create a keytab for Apache +- Create an ldif with a test user +- Provide a certmap.conf for doing SSL client authentication + +* Fri Jul 27 2007 Karl MacMillan - 0.1.0-1 +- Initial rpm version diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..6ab516d --- /dev/null +++ b/gating.yaml @@ -0,0 +1,7 @@ +# recipients: abokovoy, frenaud, kaleem, ftrivino +--- !Policy +product_versions: + - rhel-9 +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional} diff --git a/ipa.spec b/ipa.spec new file mode 100644 index 0000000..ec2a8c3 --- /dev/null +++ b/ipa.spec @@ -0,0 +1,5107 @@ +# ipatests enabled by default, can be disabled with --without ipatests +%bcond_without ipatests +# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml +# On RHEL 8 we should use --with ipa_join_xml +%bcond_with ipa_join_xml + +# Linting is disabled by default, needed for upstream testing +%bcond_with lint + +# Build documentation with sphinx +%bcond_with doc + +# Build Python wheels +%bcond_with wheels + +# 389-ds-base 1.4 no longer supports i686 platform, build only client +# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386 +%ifarch %{ix86} + %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} +%endif + +# Define ONLY_CLIENT to only make the ipa-client and ipa-python +# subpackages +%{!?ONLY_CLIENT:%global ONLY_CLIENT 0} +%if %{ONLY_CLIENT} + %global enable_server_option --disable-server +%else + %global enable_server_option --enable-server +%endif + +%if %{ONLY_CLIENT} + %global with_ipatests 0 +%endif + +# Whether to build ipatests +%if %{with ipatests} + %global with_ipatests_option --with-ipatests +%else + %global with_ipatests_option --without-ipatests +%endif + +# Whether to use XML-RPC with ipa-join +%if %{with ipa_join_xml} + %global with_ipa_join_xml_option --with-ipa-join-xml +%else + %global with_ipa_join_xml_option --without-ipa-join-xml +%endif + +# lint is not executed during rpmbuild +# %%global with_lint 1 +%if %{with lint} + %global linter_options --enable-pylint --without-jslint --enable-rpmlint +%else + %global linter_options --disable-pylint --without-jslint --disable-rpmlint +%endif + +# Include SELinux subpackage +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8 + %global with_selinux 1 + %global selinuxtype targeted + %global modulename ipa +%endif + +%if 0%{?rhel} +%global package_name ipa +%global alt_name freeipa +%global krb5_version 1.18.2-2 +%global krb5_kdb_version 8.0 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.19 +# Require 4.14.5-13 which brings CVE-2020-25717 fixes +%global samba_version 4.14.5-13 +%global selinux_policy_version 3.14.3-52 +%global slapi_nis_version 0.56.4 +%global python_ldap_version 3.1.0-1 +%if 0%{?rhel} < 9 +# Bug 1929067 - PKI instance creation failed with new 389-ds-base build +%global ds_version 1.4.3.16-12 +%else +%global ds_version 2.0.3-3 +%endif + +# Fix for TLS 1.3 PHA, RHBZ#1775158 +%global httpd_version 2.4.37-21 +%global bind_version 9.11.20-6 + +%else +# Fedora +%global package_name freeipa +%global alt_name ipa +# Fix for CVE-2020-28196 +%global krb5_version 1.18.2-29 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.16 + +# Require 4.14.6 which brings CVE-2020-25717 fixes +%global samba_version 2:4.14.6 + +# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface +%global selinux_policy_version 3.14.5-45 +%global slapi_nis_version 0.56.5 + +%global krb5_kdb_version 8.0 + +# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 +%global python_ldap_version 3.1.0-1 + +# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609 +%if 0%{?fedora} < 34 +%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])} +%else +%global ds_version 2.0.4-1 +%endif + +# Fix for TLS 1.3 PHA, RHBZ#1775146 +%global httpd_version 2.4.41-9 + +%global bind_version 9.11.24-1 +# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. +# Some packages don't provide new dist aliases. +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ +%{?python_disable_dependency_generator} +# Fedora +%endif + +# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11 +# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9) +%if 0%{?fedora} || 0%{?rhel} >= 9 + %global openssl_pkcs11_version 0.4.10-6 + %global softhsm_version 2.5.0-4 +%else + %global with_bind_pkcs11 1 +%endif + +%if 0%{?rhel} == 8 +# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 +%global pki_version 10.10.5 +%else +# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 +%global pki_version 10.10.5 +%endif + +# RHEL 8.3+, F32+ has 0.79.13 +%global certmonger_version 0.79.7-3 + +# RHEL 8.2+, F32+ has 3.58 +%global nss_version 3.44.0-4 + +# RHEL 8.3+, F32+ +%global sssd_version 2.4.0 + +%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) +%global kdcproxy_version 0.4-3 + +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 +# systemd with resolved enabled +# see https://pagure.io/freeipa/issue/8275 +%global systemd_version 246.6-3 +%else +%global systemd_version 239 +%endif + +# augeas support for new chrony options +# see https://pagure.io/freeipa/issue/8676 +# Note: will need to be updated for RHEL9 when a fix is available for +# https://bugzilla.redhat.com/show_bug.cgi?id=1931787 +%if 0%{?fedora} >= 33 +%global augeas_version 1.12.0-6 +%else +%global augeas_version 1.12.0-3 +%endif + +%global plugin_dir %{_libdir}/dirsrv/plugins +%global etc_systemd_dir %{_sysconfdir}/systemd/system +%global gettext_domain ipa + +%define _hardened_build 1 + +# Work-around fact that RPM SPEC parser does not accept +# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement +%define IPA_VERSION 4.9.8 +# Release candidate version -- uncomment with one percent for RC versions +#%%global rc_version %%nil +%define AT_SIGN @ +# redefine IPA_VERSION only if its value matches the Autoconf placeholder +%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" + %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser +%endif + +%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil") + +Name: %{package_name} +Version: %{IPA_VERSION} +Release: 7%{?rc_version:.%rc_version}%{?dist} +Summary: The Identity, Policy and Audit system + +License: GPLv3+ +URL: http://www.freeipa.org/ +Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz +# Only use detached signature for the distribution builds. If it is a developer build, skip it +%if %{NON_DEVELOPER_BUILD} +Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc +%endif + +# RHEL spec file only: START: Change branding to IPA and Identity Management +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +# RHEL spec file only: END: Change branding to IPA and Identity Management + +# RHEL spec file only: START +%if %{NON_DEVELOPER_BUILD} +%if 0%{?rhel} >= 8 +Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch +Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch +Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch +Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch +Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch +Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch +Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch +Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch +Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch +Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch +Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch +Patch0013: 0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch +Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch +%endif +%endif +# RHEL spec file only: END +Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch + +# For the timestamp trick in patch application +BuildRequires: diffstat + +BuildRequires: openldap-devel +# For KDB DAL version, make explicit dependency so that increase of version +# will cause the build to fail due to unsatisfied dependencies. +# DAL version change may cause code crash or memory leaks, it is better to fail early. +BuildRequires: krb5-kdb-version = %{krb5_kdb_version} +BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version} +BuildRequires: krb5-devel >= %{krb5_version} +BuildRequires: pkgconfig(krb5) +%if %{with ipa_join_xml} +# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation +BuildRequires: xmlrpc-c-devel >= 1.27.4 +%else +BuildRequires: libcurl-devel +BuildRequires: jansson-devel +%endif +BuildRequires: popt-devel +BuildRequires: gcc +BuildRequires: make +BuildRequires: pkgconfig +BuildRequires: pkgconf +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: make +BuildRequires: libtool +BuildRequires: gettext +BuildRequires: gettext-devel +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: systemd >= %{systemd_version} +# systemd-tmpfiles which is executed from make install requires apache user +BuildRequires: httpd +BuildRequires: nspr-devel +BuildRequires: openssl-devel +BuildRequires: libini_config-devel +BuildRequires: cyrus-sasl-devel +%if ! %{ONLY_CLIENT} +BuildRequires: 389-ds-base-devel >= %{ds_version} +BuildRequires: samba-devel >= %{samba_version} +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: libuuid-devel +BuildRequires: libpwquality-devel +BuildRequires: libsss_idmap-devel +BuildRequires: libsss_certmap-devel +BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} +BuildRequires: nodejs(abi) +# use old dependency on RHEL 8 for now +%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9 +BuildRequires: python3-rjsmin +%else +BuildRequires: uglify-js +%endif +BuildRequires: libverto-devel +BuildRequires: libunistring-devel +# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 +# 0.13.0-2: fix for missing dependency on python-six +BuildRequires: python3-lesscpy >= 0.13.0-2 +BuildRequires: cracklib-dicts +# ONLY_CLIENT +%endif + +# +# Build dependencies for makeapi/makeaci +# +BuildRequires: python3-cffi +BuildRequires: python3-dns +BuildRequires: python3-ldap >= %{python_ldap_version} +BuildRequires: python3-libsss_nss_idmap +BuildRequires: python3-netaddr >= %{python_netaddr_version} +BuildRequires: python3-pyasn1 +BuildRequires: python3-pyasn1-modules +BuildRequires: python3-six +BuildRequires: python3-psutil + +# +# Build dependencies for wheel packaging and PyPI upload +# +%if %{with wheels} +BuildRequires: dbus-glib-devel +BuildRequires: libffi-devel +BuildRequires: python3-tox +%if 0%{?fedora} <= 28 +BuildRequires: python3-twine +%else +BuildRequires: twine +%endif +BuildRequires: python3-wheel +# with_wheels +%endif + +%if %{with doc} +BuildRequires: python3-sphinx +BuildRequires: python3-m2r +%endif + +# +# Build dependencies for lint and fastcheck +# +%if %{with lint} +BuildRequires: git +%if 0%{?fedora} < 34 +# jsl is orphaned in Fedora 34+ +BuildRequires: jsl +%endif +BuildRequires: nss-tools +BuildRequires: rpmlint +BuildRequires: softhsm + +BuildRequires: keyutils +BuildRequires: python3-augeas +BuildRequires: python3-cffi +BuildRequires: python3-cryptography >= 1.6 +BuildRequires: python3-custodia >= 0.3.1 +BuildRequires: python3-dateutil +BuildRequires: python3-dbus +BuildRequires: python3-dns >= 1.15 +BuildRequires: python3-docker +BuildRequires: python3-gssapi >= 1.2.0 +BuildRequires: python3-jinja2 +BuildRequires: python3-jwcrypto >= 0.4.2 +BuildRequires: python3-ldap >= %{python_ldap_version} +BuildRequires: python3-ldap >= %{python_ldap_version} +BuildRequires: python3-lib389 >= %{ds_version} +BuildRequires: python3-libipa_hbac +BuildRequires: python3-libsss_nss_idmap +BuildRequires: python3-lxml +BuildRequires: python3-netaddr >= %{python_netaddr_version} +BuildRequires: python3-netifaces +BuildRequires: python3-paste +BuildRequires: python3-pexpect +BuildRequires: python3-pki >= %{pki_version} +BuildRequires: python3-polib +BuildRequires: python3-pyasn1 +BuildRequires: python3-pyasn1-modules +BuildRequires: python3-pycodestyle +# .wheelconstraints.in limits pylint version in Azure and tox tests +BuildRequires: python3-pylint +BuildRequires: python3-pytest-multihost +BuildRequires: python3-pytest-sourceorder +BuildRequires: python3-qrcode-core >= 5.0.0 +BuildRequires: python3-samba +BuildRequires: python3-six +BuildRequires: python3-sss +BuildRequires: python3-sss-murmur +BuildRequires: python3-sssdconfig >= %{sssd_version} +BuildRequires: python3-systemd +BuildRequires: python3-yaml +BuildRequires: python3-yubico +# with_lint +%endif + +# +# Build dependencies for unit tests +# +%if ! %{ONLY_CLIENT} +BuildRequires: libcmocka-devel +# Required by ipa_kdb_tests +BuildRequires: krb5-server >= %{krb5_version} +# ONLY_CLIENT +%endif + +# Build dependencies for SELinux policy +%if %{with selinux} +BuildRequires: selinux-policy-devel >= %{selinux_policy_version} +%endif + +%description +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). + + +%if ! %{ONLY_CLIENT} + +%package server +Summary: The IPA authentication server +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-client = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipaserver = %{version}-%{release} +Requires: python3-ldap >= %{python_ldap_version} +Requires: 389-ds-base >= %{ds_version} +Requires: openldap-clients > 2.4.35-4 +Requires: nss-tools >= %{nss_version} +Requires(post): krb5-server >= %{krb5_version} +Requires(post): krb5-server >= %{krb5_base_version} +Requires: krb5-kdb-version = %{krb5_kdb_version} +Requires: krb5-pkinit-openssl >= %{krb5_version} +Requires: cyrus-sasl-gssapi%{?_isa} +Requires: chrony +Requires: httpd >= %{httpd_version} +Requires(preun): python3 +Requires(postun): python3 +Requires: python3-gssapi >= 1.2.0-5 +Requires: python3-systemd +Requires: python3-mod_wsgi +Requires: mod_auth_gssapi >= 1.5.0 +Requires: mod_ssl >= %{httpd_version} +Requires: mod_session >= %{httpd_version} +# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 +Requires: mod_lookup_identity >= 0.9.9 +Requires: acl +Requires: systemd-units >= %{systemd_version} +Requires(pre): systemd-units >= %{systemd_version} +Requires(post): systemd-units >= %{systemd_version} +Requires(preun): systemd-units >= %{systemd_version} +Requires(postun): systemd-units >= %{systemd_version} +Requires(pre): shadow-utils +Requires: selinux-policy >= %{selinux_policy_version} +Requires(post): selinux-policy-base >= %{selinux_policy_version} +Requires: slapi-nis >= %{slapi_nis_version} +Requires: pki-ca >= %{pki_version} +Requires: pki-kra >= %{pki_version} +# pki-acme package was split out in pki-10.10.0 +Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0) +Requires: policycoreutils >= 2.1.12-5 +Requires: tar +Requires(pre): certmonger >= %{certmonger_version} +Requires(pre): 389-ds-base >= %{ds_version} +Requires: fontawesome-fonts +Requires: open-sans-fonts +%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9 +# https://pagure.io/freeipa/issue/8632 +Requires: openssl > 1.1.1i +%else +Requires: openssl +%endif +Requires: softhsm >= 2.0.0rc1-1 +Requires: p11-kit +Requires: %{etc_systemd_dir} +Requires: gzip +Requires: oddjob +# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 +Requires: gssproxy >= 0.7.0-2 +Requires: sssd-dbus >= %{sssd_version} +Requires: libpwquality +Requires: cracklib-dicts +# NDR libraries are internal in Samba and change with version without changing SONAME +Requires: samba-client-libs >= %{samba_version} + +Provides: %{alt_name}-server = %{version} +Conflicts: %{alt_name}-server +Obsoletes: %{alt_name}-server < %{version} + +# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the +# entire SELinux policy is stored in the system policy +Obsoletes: freeipa-server-selinux < 3.3.0 + +# upgrade path from monolithic -server to -server + -server-dns +Obsoletes: %{name}-server <= 4.2.0 + +# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to +# member. +Conflicts: nss-pam-ldapd < 0.8.4 + +# RHEL spec file only: START: Do not build tests +%if 0%{?rhel} == 8 +# ipa-tests subpackage was moved to separate srpm +Conflicts: ipa-tests < 3.3.3-9 +%endif +# RHEL spec file only: END: Do not build tests + +%description server +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + + +%package -n python3-ipaserver +Summary: Python libraries used by IPA server +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaserver} +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +# we need pre-requires since earlier versions may break upgrade +Requires(pre): python3-ldap >= %{python_ldap_version} +Requires: python3-augeas +Requires: augeas-libs >= %{augeas_version} +Requires: python3-custodia >= 0.3.1 +Requires: python3-dbus +Requires: python3-dns >= 1.15 +Requires: python3-gssapi >= 1.2.0 +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-kdcproxy >= %{kdcproxy_version} +Requires: python3-lxml +Requires: python3-pki >= %{pki_version} +Requires: python3-pyasn1 >= 0.3.2-2 +Requires: python3-sssdconfig >= %{sssd_version} +Requires: python3-psutil +Requires: rpm-libs +# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support +%if 0%{?rhel} +Requires: python3-urllib3 >= 1.24.2-3 +%else +Requires: python3-urllib3 >= 1.25.7 +%endif + +%description -n python3-ipaserver +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + + +%package server-common +Summary: Common files used by IPA server +BuildArch: noarch +Requires: %{name}-client-common = %{version}-%{release} +Requires: httpd >= %{httpd_version} +Requires: systemd-units >= %{systemd_version} +Requires: custodia >= 0.3.1 +%if 0%{?rhel} >= 8 && ! 0%{?eln} +Requires: system-logos-ipa >= 80.4 +%endif + +Provides: %{alt_name}-server-common = %{version} +Conflicts: %{alt_name}-server-common +Obsoletes: %{alt_name}-server-common < %{version} + +%description server-common +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + + +%package server-dns +Summary: IPA integrated DNS server with support for automatic DNSSEC signing +BuildArch: noarch +Requires: %{name}-server = %{version}-%{release} +Requires: bind-dyndb-ldap >= 11.2-2 +Requires: bind >= %{bind_version} +Requires: bind-utils >= %{bind_version} +%if %{with bind_pkcs11} +Requires: bind-pkcs11 >= %{bind_version} +Requires: bind-pkcs11-utils >= %{bind_version} +%else +Requires: softhsm >= %{softhsm_version} +Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} +%endif +# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812 +# RHEL 8.3+ and Fedora 32+ have 2.1 +Requires: opendnssec >= 2.1.6-5 +%{?systemd_requires} + +Provides: %{alt_name}-server-dns = %{version} +Conflicts: %{alt_name}-server-dns +Obsoletes: %{alt_name}-server-dns < %{version} + +# upgrade path from monolithic -server to -server + -server-dns +Obsoletes: %{name}-server <= 4.2.0 + +%description server-dns +IPA integrated DNS server with support for automatic DNSSEC signing. +Integrated DNS server is BIND 9. OpenDNSSEC provides key management. + + +%package server-trust-ad +Summary: Virtual package to install packages required for Active Directory trusts +Requires: %{name}-server = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} + +Requires: samba >= %{samba_version} +Requires: samba-winbind +Requires: sssd-winbind-idmap +Requires: libsss_idmap +%if 0%{?rhel} +Obsoletes: ipa-idoverride-memberof-plugin <= 0.1 +%endif +Requires(post): python3 +Requires: python3-samba +Requires: python3-libsss_nss_idmap +Requires: python3-sss + +# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 +# on the installes where server-trust-ad subpackage is installed because +# IPA AD trusts cannot be used at the same time with the locator plugin +# since Winbindd will be configured in a different mode +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Requires(preun): %{_sbindir}/update-alternatives + +Provides: %{alt_name}-server-trust-ad = %{version} +Conflicts: %{alt_name}-server-trust-ad +Obsoletes: %{alt_name}-server-trust-ad < %{version} + +%description server-trust-ad +Cross-realm trusts with Active Directory in IPA require working Samba 4 +installation. This package is provided for convenience to install all required +dependencies at once. + +# ONLY_CLIENT +%endif + + +%package client +Summary: IPA authentication for use on clients +Requires: %{name}-client-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-gssapi >= 1.2.0-5 +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-ldap >= %{python_ldap_version} +Requires: python3-sssdconfig >= %{sssd_version} +Requires: cyrus-sasl-gssapi%{?_isa} +Requires: chrony +Requires: krb5-workstation >= %{krb5_version} +Requires: authselect >= 0.4-2 +Requires: curl +# NIS domain name config: /usr/lib/systemd/system/*-domainname.service +# All Fedora 28+ and RHEL8+ contain the service in hostname package +Requires: hostname +Requires: libcurl >= 7.21.7-2 +%if %{with ipa_join_xml} +Requires: xmlrpc-c >= 1.27.4 +%else +Requires: jansson +%endif +Requires: sssd-ipa >= %{sssd_version} +Requires: certmonger >= %{certmonger_version} +Requires: nss-tools >= %{nss_version} +Requires: bind-utils +Requires: oddjob-mkhomedir +Requires: libsss_autofs +Requires: autofs +Requires: libnfsidmap +Requires: nfs-utils +Requires: sssd-tools >= %{sssd_version} +Requires(post): policycoreutils + +# https://pagure.io/freeipa/issue/8530 +Recommends: libsss_sudo +Recommends: sudo +Requires: (libsss_sudo if sudo) + +Provides: %{alt_name}-client = %{version} +Conflicts: %{alt_name}-client +Obsoletes: %{alt_name}-client < %{version} + +Provides: %{alt_name}-admintools = %{version} +Conflicts: %{alt_name}-admintools +Obsoletes: %{alt_name}-admintools < 4.4.1 + +Obsoletes: %{name}-admintools < 4.4.1 +Provides: %{name}-admintools = %{version}-%{release} + +%if 0%{?rhel} == 8 +# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module +Conflicts: crypto-policies < 20200629-1 +%endif + +%description client +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If your network uses IPA for authentication, this package should be +installed on every client machine. +This package provides command-line tools for IPA administrators. + +%package client-samba +Summary: Tools to configure Samba on IPA client +Group: System Environment/Base +Requires: %{name}-client = %{version}-%{release} +Requires: python3-samba +Requires: samba-client +Requires: samba-winbind +Requires: samba-common-tools +Requires: samba +Requires: sssd-winbind-idmap +Requires: tdb-tools +Requires: cifs-utils + +%description client-samba +This package provides command-line tools to deploy Samba domain member +on the machine enrolled into a FreeIPA environment + +%package client-epn +Summary: Tools to configure Expiring Password Notification in IPA +Group: System Environment/Base +Requires: %{name}-client = %{version}-%{release} +Requires: systemd-units >= %{systemd_version} +Requires(post): systemd-units >= %{systemd_version} +Requires(preun): systemd-units >= %{systemd_version} +Requires(postun): systemd-units >= %{systemd_version} + +%description client-epn +This package provides a service to collect and send expiring password +notifications via email (SMTP). + +%package -n python3-ipaclient +Summary: Python libraries used by IPA client +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaclient} +Requires: %{name}-client-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipalib = %{version}-%{release} +Requires: python3-augeas +Requires: augeas-libs >= %{augeas_version} +Requires: python3-dns >= 1.15 +Requires: python3-jinja2 + +%description -n python3-ipaclient +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If your network uses IPA for authentication, this package should be +installed on every client machine. + +%package client-common +Summary: Common files used by IPA client +BuildArch: noarch + +Provides: %{alt_name}-client-common = %{version} +Conflicts: %{alt_name}-client-common +Obsoletes: %{alt_name}-client-common < %{version} +# python2-ipa* packages are no longer available in 4.8. +Obsoletes: python2-ipaclient < 4.8.0-1 +Obsoletes: python2-ipalib < 4.8.0-1 +Obsoletes: python2-ipaserver < 4.8.0-1 +Obsoletes: python2-ipatests < 4.8.0-1 + + +%description client-common +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If your network uses IPA for authentication, this package should be +installed on every client machine. + + +%package python-compat +Summary: Compatiblity package for Python libraries used by IPA +BuildArch: noarch +Obsoletes: %{name}-python < 4.2.91 +Provides: %{name}-python = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipalib = %{version}-%{release} + +Provides: %{alt_name}-python-compat = %{version} +Conflicts: %{alt_name}-python-compat +Obsoletes: %{alt_name}-python-compat < %{version} + +Obsoletes: %{alt_name}-python < 4.2.91 +Provides: %{alt_name}-python = %{version} + +%description python-compat +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +This is a compatibility package to accommodate %{name}-python split into +python3-ipalib and %{name}-common. Packages still depending on +%{name}-python should be fixed to depend on python2-ipaclient or +%{name}-common instead. + + +%package -n python3-ipalib +Summary: Python3 libraries used by IPA +BuildArch: noarch +%{?python_provide:%python_provide python3-ipalib} +Provides: python3-ipapython = %{version}-%{release} +%{?python_provide:%python_provide python3-ipapython} +Provides: python3-ipaplatform = %{version}-%{release} +%{?python_provide:%python_provide python3-ipaplatform} +Requires: %{name}-common = %{version}-%{release} +# we need pre-requires since earlier versions may break upgrade +Requires(pre): python3-ldap >= %{python_ldap_version} +Requires: gnupg2 +Requires: keyutils +Requires: python3-cffi +Requires: python3-cryptography >= 1.6 +Requires: python3-dateutil +Requires: python3-dbus +Requires: python3-dns >= 1.15 +Requires: python3-gssapi >= 1.2.0 +Requires: python3-jwcrypto >= 0.4.2 +Requires: python3-libipa_hbac +Requires: python3-netaddr >= %{python_netaddr_version} +Requires: python3-netifaces >= 0.10.4 +Requires: python3-pyasn1 >= 0.3.2-2 +Requires: python3-pyasn1-modules >= 0.3.2-2 +Requires: python3-pyusb +Requires: python3-qrcode-core >= 5.0.0 +Requires: python3-requests +Requires: python3-six +Requires: python3-sss-murmur +Requires: python3-yubico >= 1.3.2-7 +%if 0%{?rhel} && 0%{?rhel} == 8 +Requires: platform-python-setuptools +%else +Requires: python3-setuptools +%endif + +%description -n python3-ipalib +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are using IPA with Python 3, you need to install this package. + + +%package common +Summary: Common files used by IPA +BuildArch: noarch +Conflicts: %{name}-python < 4.2.91 + +Provides: %{alt_name}-common = %{version} +Conflicts: %{alt_name}-common +Obsoletes: %{alt_name}-common < %{version} + +Conflicts: %{alt_name}-python < %{version} + +%if %{with selinux} +# This ensures that the *-selinux package and all it’s dependencies are not +# pulled into containers and other systems that do not use SELinux. The +# policy defines types and file contexts for client and server. +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif + +%description common +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are using IPA, you need to install this package. + + +%if %{with ipatests} + +%package -n python3-ipatests +Summary: IPA tests and test tools +BuildArch: noarch +%{?python_provide:%python_provide python3-ipatests} +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-ipaserver = %{version}-%{release} +Requires: iptables +Requires: python3-coverage +Requires: python3-cryptography >= 1.6 +Requires: python3-pexpect +%if 0%{?fedora} +# These packages do not exist on RHEL and for ipatests use +# they are installed on the controller through other means +Requires: ldns-utils +# update-crypto-policies +Requires: crypto-policies-scripts +Requires: python3-polib +Requires: python3-pytest >= 3.9.1 +Requires: python3-pytest-multihost >= 0.5 +Requires: python3-pytest-sourceorder +Requires: sshpass +%endif +Requires: python3-sssdconfig >= %{sssd_version} +Requires: tar +Requires: xz +Requires: openssh-clients +%if 0%{?rhel} +AutoReqProv: no +%endif + +%description -n python3-ipatests +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +This package contains tests that verify IPA functionality under Python 3. + +# with ipatests +%endif + + +%if %{with selinux} +# SELinux subpackage +%package selinux +Summary: FreeIPA SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +%{?selinux_requires} + +%description selinux +Custom SELinux policy module for FreeIPA +# with selinux +%endif + + +%prep +# Update timestamps on the files touched by a patch, to avoid non-equal +# .pyc/.pyo files across the multilib peers within a build, where "Level" +# is the patch prefix option (e.g. -p1) +# Taken from specfile for sssd and python-simplejson +UpdateTimestamps() { + Level=$1 + PatchFile=$2 + + # Locate the affected files: + for f in $(diffstat $Level -l $PatchFile); do + # Set the files to have the same timestamp as that of the patch: + touch -c -r $PatchFile $f + done +} + +%setup -n freeipa-%{version}%{?rc_version} -q + +# To allow proper application patches to the stripped po files, strip originals +pushd po +for i in *.po ; do + msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1 + mv $i.tmp $i || exit 1 +done +popd + +for p in %patches ; do + %__patch -p1 -i $p + UpdateTimestamps -p1 $p +done + +%build +# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 +export PATH=/usr/bin:/usr/sbin:$PATH + +export PYTHON=%{__python3} +autoreconf -ivf +%configure --with-vendor-suffix=-%{release} \ + %{enable_server_option} \ + %{with_ipatests_option} \ + %{with_ipa_join_xml_option} \ + %{linter_options} + +# run build in default dir +# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 +%make_build -Onone + + +%check +make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir} + + +%install +# Please put as much logic as possible into make install. It allows: +# - easier porting to other distributions +# - rapid devel & install cycle using make install +# (instead of full RPM build and installation each time) +# +# All files and directories created by spec install should be marked as ghost. +# (These are typically configuration files created by IPA installer.) +# All other artifacts should be created by make install. + +%make_install + +# don't package ipasphinx for now +rm -rf %{buildroot}%{python3_sitelib}/ipasphinx* + +%if %{with ipatests} +mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} +mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} +mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} +ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3 +ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3 +ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3 +ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests +ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config +ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task +# with_ipatests +%endif + +# remove files which are useful only for make uninstall +find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; + +%if 0%{?rhel} +# RHEL spec file only: START +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png +rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg +rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png +rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png +%endif +# RHEL spec file only: END + +%find_lang %{gettext_domain} + +%if ! %{ONLY_CLIENT} +# Remove .la files from libtool - we don't want to package +# these files +rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la +rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la +rm %{buildroot}/%{plugin_dir}/libipa_winsync.la +rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la +rm %{buildroot}/%{plugin_dir}/libipa_uuid.la +rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la +rm %{buildroot}/%{plugin_dir}/libipa_lockout.la +rm %{buildroot}/%{plugin_dir}/libipa_cldap.la +rm %{buildroot}/%{plugin_dir}/libipa_dns.la +rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la +rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la +rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la +rm %{buildroot}/%{plugin_dir}/libipa_range_check.la +rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la +rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la +rm %{buildroot}/%{plugin_dir}/libtopology.la +rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la +rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la + +# So we can own our Apache configuration +mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf +/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con + +mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 +touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so + +# ONLY_CLIENT +%endif + +/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf +/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt + +%if ! %{ONLY_CLIENT} +mkdir -p %{buildroot}%{_sysconfdir}/cron.d +# ONLY_CLIENT +%endif + +%if ! %{ONLY_CLIENT} + +%post server +# NOTE: systemd specific section + /bin/systemctl --system daemon-reload 2>&1 || : +# END +if [ $1 -gt 1 ] ; then + /bin/systemctl condrestart certmonger.service 2>&1 || : +fi +/bin/systemctl reload-or-try-restart dbus +/bin/systemctl reload-or-try-restart oddjobd + +%tmpfiles_create ipa.conf + +%posttrans server +# don't execute upgrade and restart of IPA when server is not installed +%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 + +if [ $? -eq 0 ]; then + # This is necessary for Fedora system upgrades which by default + # work with the network being offline + /bin/systemctl start network-online.target + + # Restart IPA processes. This must be also run in postrans so that plugins + # and software is in consistent state. This will also perform the + # system upgrade. + # NOTE: systemd specific section + + /bin/systemctl is-enabled ipa.service >/dev/null 2>&1 + if [ $? -eq 0 ]; then + /bin/systemctl restart ipa.service >/dev/null + fi + + /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1 + if [ $? -eq 1 ]; then + /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null + fi +fi +# END + + +%preun server +if [ $1 = 0 ]; then +# NOTE: systemd specific section + /bin/systemctl --quiet stop ipa.service || : + /bin/systemctl --quiet disable ipa.service || : + /bin/systemctl reload-or-try-restart dbus + /bin/systemctl reload-or-try-restart oddjobd +# END +fi + + +%pre server +# Stop ipa_kpasswd if it exists before upgrading so we don't have a +# zombie process when we're done. +if [ -e /usr/sbin/ipa_kpasswd ]; then +# NOTE: systemd specific section + /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || : +# END +fi + + +%pre server-common +# create users and groups +# create kdcproxy group and user +getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy +getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy +# create ipaapi group and user +getent group ipaapi >/dev/null || groupadd -f -r ipaapi +getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi + + +%post server-dns +%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + +%preun server-dns +%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + +%postun server-dns +%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + + +%postun server-trust-ad +if [ "$1" -ge "1" ]; then + if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then + %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null + fi +fi + + +%post server-trust-ad +%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ + winbind_krb5_locator.so /dev/null 90 +/bin/systemctl reload-or-try-restart dbus +/bin/systemctl reload-or-try-restart oddjobd + + +%posttrans server-trust-ad +%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 +if [ $? -eq 0 ]; then +# NOTE: systemd specific section + /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : +# END +fi + + +%preun server-trust-ad +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null + /bin/systemctl reload-or-try-restart dbus + /bin/systemctl reload-or-try-restart oddjobd +fi + +# ONLY_CLIENT +%endif + +%preun client-epn +%systemd_preun ipa-epn.service +%systemd_preun ipa-epn.timer + +%postun client-epn +%systemd_postun ipa-epn.service +%systemd_postun ipa-epn.timer + +%post client-epn +%systemd_post ipa-epn.service +%systemd_post ipa-epn.timer + +%post client +if [ $1 -gt 1 ] ; then + # Has the client been configured? + restore=0 + test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + + if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then + if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then + echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew + cat /etc/krb5.conf >> /etc/krb5.conf.ipanew + mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf + fi + fi + + if [ $restore -ge 2 ]; then + if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then + sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew + mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem + fi + + %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 + %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" + if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" + fi + fi +fi + + +%if %{with selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +semodule -d ipa_custodia &> /dev/null || true; +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + semodule -e ipa_custodia &> /dev/null || true; +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} +# with_selinux +%endif + + +%triggerin client -- openssh-server < 8.2 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then + sed -r ' + /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d + ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew + + if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then + sed -ri ' + s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ + s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/ + ' /etc/ssh/sshd_config.ipanew + elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then + sed -ri ' + s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ + s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/ + ' /etc/ssh/sshd_config.ipanew + elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then + sed -ri ' + s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/ + s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/ + ' /etc/ssh/sshd_config.ipanew + fi + + mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config + chmod 600 /etc/ssh/sshd_config + + /bin/systemctl condrestart sshd.service 2>&1 || : + fi +fi + + +%triggerin client -- openssh-server >= 8.2 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + # If the snippet already exists, skip + if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then + # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf + grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf + # Remove the values from sshd_conf + sed -ri ' + /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d + ' /etc/ssh/sshd_config + + /bin/systemctl condrestart sshd.service 2>&1 || : + fi + # If the snippet has been created, ensure that it is included + # either by /etc/ssh/sshd_config.d/*.conf or directly + if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then + if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then + if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then + # Include the snippet + echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew + cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew + mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config + fi + fi + fi +fi + + +%if ! %{ONLY_CLIENT} + +%files server +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-backup +%{_sbindir}/ipa-restore +%{_sbindir}/ipa-ca-install +%{_sbindir}/ipa-kra-install +%{_sbindir}/ipa-server-install +%{_sbindir}/ipa-replica-conncheck +%{_sbindir}/ipa-replica-install +%{_sbindir}/ipa-replica-manage +%{_sbindir}/ipa-csreplica-manage +%{_sbindir}/ipa-server-certinstall +%{_sbindir}/ipa-server-upgrade +%{_sbindir}/ipa-ldap-updater +%{_sbindir}/ipa-otptoken-import +%{_sbindir}/ipa-compat-manage +%{_sbindir}/ipa-nis-manage +%{_sbindir}/ipa-managed-entries +%{_sbindir}/ipactl +%{_sbindir}/ipa-advise +%{_sbindir}/ipa-cacert-manage +%{_sbindir}/ipa-winsync-migrate +%{_sbindir}/ipa-pkinit-manage +%{_sbindir}/ipa-crlgen-manage +%{_sbindir}/ipa-cert-fix +%{_sbindir}/ipa-acme-manage +%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit +%{_libexecdir}/certmonger/ipa-server-guard +%dir %{_libexecdir}/ipa +%{_libexecdir}/ipa/ipa-ccache-sweeper +%{_libexecdir}/ipa/ipa-custodia +%{_libexecdir}/ipa/ipa-custodia-check +%{_libexecdir}/ipa/ipa-httpd-kdcproxy +%{_libexecdir}/ipa/ipa-httpd-pwdreader +%{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-pki-wait-running +%{_libexecdir}/ipa/ipa-otpd +%{_libexecdir}/ipa/ipa-print-pac +%{_libexecdir}/ipa/ipa-subids +%dir %{_libexecdir}/ipa/custodia +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent +%dir %{_libexecdir}/ipa/oddjob +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent +%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf +%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf +%dir %{_libexecdir}/ipa/certmonger +%attr(755,root,root) %{_libexecdir}/ipa/certmonger/* +# NOTE: systemd specific section +%attr(644,root,root) %{_unitdir}/ipa.service +%attr(644,root,root) %{_unitdir}/ipa-otpd.socket +%attr(644,root,root) %{_unitdir}/ipa-otpd@.service +%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service +%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer +# END +%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_winsync.so +%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so +%attr(755,root,root) %{plugin_dir}/libipa_uuid.so +%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so +%attr(755,root,root) %{plugin_dir}/libipa_lockout.so +%attr(755,root,root) %{plugin_dir}/libipa_dns.so +%attr(755,root,root) %{plugin_dir}/libipa_range_check.so +%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so +%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so +%attr(755,root,root) %{plugin_dir}/libtopology.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so +%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so +%{_mandir}/man1/ipa-replica-conncheck.1* +%{_mandir}/man1/ipa-replica-install.1* +%{_mandir}/man1/ipa-replica-manage.1* +%{_mandir}/man1/ipa-csreplica-manage.1* +%{_mandir}/man1/ipa-server-certinstall.1* +%{_mandir}/man1/ipa-server-install.1* +%{_mandir}/man1/ipa-server-upgrade.1* +%{_mandir}/man1/ipa-ca-install.1* +%{_mandir}/man1/ipa-kra-install.1* +%{_mandir}/man1/ipa-compat-manage.1* +%{_mandir}/man1/ipa-nis-manage.1* +%{_mandir}/man1/ipa-managed-entries.1* +%{_mandir}/man1/ipa-ldap-updater.1* +%{_mandir}/man8/ipactl.8* +%{_mandir}/man1/ipa-backup.1* +%{_mandir}/man1/ipa-restore.1* +%{_mandir}/man1/ipa-advise.1* +%{_mandir}/man1/ipa-otptoken-import.1* +%{_mandir}/man1/ipa-cacert-manage.1* +%{_mandir}/man1/ipa-winsync-migrate.1* +%{_mandir}/man1/ipa-pkinit-manage.1* +%{_mandir}/man1/ipa-crlgen-manage.1* +%{_mandir}/man1/ipa-cert-fix.1* +%{_mandir}/man1/ipa-acme-manage.1* + + +%files -n python3-ipaserver +%doc README.md Contributors.txt +%license COPYING +%{python3_sitelib}/ipaserver +%{python3_sitelib}/ipaserver-*.egg-info + + +%files server-common +%doc README.md Contributors.txt +%license COPYING +%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy +%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf +# NOTE: systemd specific section +%{_tmpfilesdir}/ipa.conf +%attr(644,root,root) %{_unitdir}/ipa-custodia.service +%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf +# END +%{_usr}/share/ipa/wsgi.py* +%{_usr}/share/ipa/kdcproxy.wsgi +%{_usr}/share/ipa/ipaca*.ini +%{_usr}/share/ipa/*.ldif +%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif +%{_usr}/share/ipa/*.uldif +%{_usr}/share/ipa/*.template +%dir %{_usr}/share/ipa/advise +%dir %{_usr}/share/ipa/advise/legacy +%{_usr}/share/ipa/advise/legacy/*.template +%dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/README +%{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/html +%{_usr}/share/ipa/html/ssbrowser.html +%{_usr}/share/ipa/html/unauthorized.html +%dir %{_usr}/share/ipa/migration +%{_usr}/share/ipa/migration/index.html +%{_usr}/share/ipa/migration/migration.py* +%dir %{_usr}/share/ipa/ui +%{_usr}/share/ipa/ui/index.html +%{_usr}/share/ipa/ui/reset_password.html +%{_usr}/share/ipa/ui/sync_otp.html +%{_usr}/share/ipa/ui/*.ico +%{_usr}/share/ipa/ui/*.css +%dir %{_usr}/share/ipa/ui/css +%{_usr}/share/ipa/ui/css/*.css +%dir %{_usr}/share/ipa/ui/js +%dir %{_usr}/share/ipa/ui/js/dojo +%{_usr}/share/ipa/ui/js/dojo/dojo.js +%dir %{_usr}/share/ipa/ui/js/libs +%{_usr}/share/ipa/ui/js/libs/*.js +%dir %{_usr}/share/ipa/ui/js/freeipa +%{_usr}/share/ipa/ui/js/freeipa/app.js +%{_usr}/share/ipa/ui/js/freeipa/core.js +%dir %{_usr}/share/ipa/ui/js/plugins +%dir %{_usr}/share/ipa/ui/images +%if 0%{?rhel} +%{_usr}/share/ipa/ui/images/facet-*.png +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +%else +%{_usr}/share/ipa/ui/images/*.jpg +%{_usr}/share/ipa/ui/images/*.png +%endif +%dir %{_usr}/share/ipa/wsgi +%{_usr}/share/ipa/wsgi/plugins.py* +%dir %{_sysconfdir}/ipa +%dir %{_sysconfdir}/ipa/html +%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html +%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf +%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt +%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf +%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con +%dir %{_usr}/share/ipa/updates/ +%{_usr}/share/ipa/updates/* +%dir %{_localstatedir}/lib/ipa +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy +%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds +%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish +%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa +%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia +%dir %{_usr}/share/ipa/schema.d +%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README +%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login +%{_usr}/share/ipa/ipakrb5.aug + +%files server-dns +%doc README.md Contributors.txt +%license COPYING +%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd +%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec +%{_libexecdir}/ipa/ipa-dnskeysyncd +%{_libexecdir}/ipa/ipa-dnskeysync-replica +%{_libexecdir}/ipa/ipa-ods-exporter +%{_sbindir}/ipa-dns-install +%{_mandir}/man1/ipa-dns-install.1* +%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service +%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket +%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service + +%files server-trust-ad +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-adtrust-install +%{_usr}/share/ipa/smb.conf.empty +%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so +%attr(755,root,root) %{plugin_dir}/libipa_cldap.so +%{_datadir}/ipa/ipa-cldap-conf.ldif +%{_mandir}/man1/ipa-adtrust-install.1* +%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so +%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf +%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf +%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains + +# ONLY_CLIENT +%endif + + +%files client +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-client-install +%{_sbindir}/ipa-client-automount +%{_sbindir}/ipa-certupdate +%{_sbindir}/ipa-getkeytab +%{_sbindir}/ipa-rmkeytab +%{_sbindir}/ipa-join +%{_bindir}/ipa +%config %{_sysconfdir}/bash_completion.d +%config %{_sysconfdir}/sysconfig/certmonger +%{_mandir}/man1/ipa.1* +%{_mandir}/man1/ipa-getkeytab.1* +%{_mandir}/man1/ipa-rmkeytab.1* +%{_mandir}/man1/ipa-client-install.1* +%{_mandir}/man1/ipa-client-automount.1* +%{_mandir}/man1/ipa-certupdate.1* +%{_mandir}/man1/ipa-join.1* +%dir %{_libexecdir}/ipa/acme +%{_libexecdir}/ipa/acme/certbot-dns-ipa + +%files client-samba +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-client-samba +%{_mandir}/man1/ipa-client-samba.1* + + +%files client-epn +%doc README.md Contributors.txt +%dir %{_sysconfdir}/ipa/epn +%license COPYING +%{_sbindir}/ipa-epn +%{_mandir}/man1/ipa-epn.1* +%{_mandir}/man5/epn.conf.5* +%attr(644,root,root) %{_unitdir}/ipa-epn.service +%attr(644,root,root) %{_unitdir}/ipa-epn.timer +%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf +%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template + + +%files -n python3-ipaclient +%doc README.md Contributors.txt +%license COPYING +%dir %{python3_sitelib}/ipaclient +%{python3_sitelib}/ipaclient/*.py +%{python3_sitelib}/ipaclient/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/install +%{python3_sitelib}/ipaclient/install/*.py +%{python3_sitelib}/ipaclient/install/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/plugins +%{python3_sitelib}/ipaclient/plugins/*.py +%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/remote_plugins +%{python3_sitelib}/ipaclient/remote_plugins/*.py +%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/remote_plugins/2_* +%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py +%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* +%{python3_sitelib}/ipaclient-*.egg-info + + +%files client-common +%doc README.md Contributors.txt +%license COPYING +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/ +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb +# old dbm format +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db +# new sql format +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt +%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit +%dir %{_localstatedir}/lib/ipa-client +%dir %{_localstatedir}/lib/ipa-client/pki +%dir %{_localstatedir}/lib/ipa-client/sysrestore +%{_mandir}/man5/default.conf.5* +%dir %{_usr}/share/ipa/client +%{_usr}/share/ipa/client/*.template + + +%files python-compat +%doc README.md Contributors.txt +%license COPYING + + +%files common -f %{gettext_domain}.lang +%doc README.md Contributors.txt +%license COPYING +%dir %{_usr}/share/ipa +%dir %{_libexecdir}/ipa + +%files -n python3-ipalib +%doc README.md Contributors.txt +%license COPYING + +%{python3_sitelib}/ipapython/ +%{python3_sitelib}/ipalib/ +%{python3_sitelib}/ipaplatform/ +%{python3_sitelib}/ipapython-*.egg-info +%{python3_sitelib}/ipalib-*.egg-info +%{python3_sitelib}/ipaplatform-*.egg-info + + +%if %{with ipatests} + + +%files -n python3-ipatests +%doc README.md Contributors.txt +%license COPYING +%{python3_sitelib}/ipatests +%{python3_sitelib}/ipatests-*.egg-info +%{_bindir}/ipa-run-tests-3 +%{_bindir}/ipa-test-config-3 +%{_bindir}/ipa-test-task-3 +%{_bindir}/ipa-run-tests-%{python3_version} +%{_bindir}/ipa-test-config-%{python3_version} +%{_bindir}/ipa-test-task-%{python3_version} +%{_bindir}/ipa-run-tests +%{_bindir}/ipa-test-config +%{_bindir}/ipa-test-task +%{_mandir}/man1/ipa-run-tests.1* +%{_mandir}/man1/ipa-test-config.1* +%{_mandir}/man1/ipa-test-task.1* + +# with ipatests +%endif + + +%if %{with selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +# with selinux +%endif + + +%changelog +* Thu Feb 24 2022 Rafael Jeffman - 4.9.8-7 +- ipatests: Backport test fixes in python3-ipatests. + Resolves: RHBZ#2057505 + +* Mon Feb 14 2022 Rafael Jeffman - 4.9.8-6 +- ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout + Related: RHBZ#2053024 + +* Mon Feb 14 2022 Rafael Jeffman - 4.9.8-5 +- ipatests: remove additional check for failed units. + Resolves: RHBZ#2053024 +- ipa-cldap: fix memory leak. + Resolves: RHBZ#2032738 + +* Thu Feb 10 2022 Rafael Jeffman - 4.9.8-4 +- Don't always override the port in import_included_profiles + Fixes: RHBZ#2022483 +- Remove ipa-join errors from behind the debug option + Fixes: RHBZ#2048558 +- Enable the ccache sweep timer during installation + Fixes: RHBZ#2051575 + +* Thu Feb 3 2022 Rafael Jeffman - 4.9.8-3 +- Config plugin: return EmptyModlist when no change is applied. + Resolves: RHBZ#2031825 +- Custodia: use a stronger encryption algo when exporting keys. + Resolves: RHBZ#2032806 +- ipa-kdb: do not remove keys for hardened auth-enabled users. + Resolves: RHBZ#2033342 +- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus + Resolves: RHBZ#2049167 +- Backport latest test fxes in python3 ipatests. + Resolves: RHBZ#2048509 +- Removed unused patch files that were part of 4.9.8 rebase. + +* Fri Dec 10 2021 Rafael Jeffman - 4.9.8-2 +- Revert bind-pkcs11-utils configuration in freeipa.spec. + Resolves: RHBZ#2026732 + +* Tue Nov 30 2021 Rafael Jeffman - 4.9.8-1 +- Upstream release FreeIPA 4.9.8 + Related: RHBZ#2015607 +- Hardening for CVE-2020-25717 + +* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-9.1 +- Fix S4U2Self regression for cross-realm requester SID buffer +- Related: RHBZ#2021443 + +* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-9 +- Require samba 4.14.5-13 with IPA DC server role fixes +- Related: RHBZ#2021443 + +* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-8 +- Add versioned dependency of samba-client-libs to ipa-server +- Related: RHBZ#2021443 + +* Thu Nov 11 2021 Alexander Bokovoy - 4.9.6-7 +- Hardening for CVE-2020-25717 +- Harden processing of trusted domains' users in S4U operations +- Resolves: RHBZ#2021443 + +* Wed Nov 10 2021 Alexander Bokovoy - 4.9.6-6 +- Hardening for CVE-2020-25717 +- Rebuild against samba-4.14.5-11.el8 +- Resolves: RHBZ#2021443 + +* Sun Nov 07 2021 Alexander Bokovoy - 4.9.6-5 +- Hardening for CVE-2020-25717 +- Related: RHBZ#2019668 + +* Thu Jul 22 2021 Thomas Woerner - 4.9.6-4 +- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL + Resolves: RHBZ#1982956 + +* Thu Jul 15 2021 Thomas Woerner - 4.9.6-3 +- man page: update ipa-server-upgrade.1 + Resolves: RHBZ#1973273 +- Fall back to krbprincipalname when validating host auth indicators + Resolves: RHBZ#1979625 +- Add dependency for sssd-winbind-idmap to server-trust-ad + Resolves: RHBZ#1982211 + +* Thu Jul 8 2021 Thomas Woerner - 4.9.6-2 +- IPA server in debug mode fails to run because time.perf_counter_ns is + Python 3.7+ + Resolves: RHBZ#1974822 +- Add checks to prevent assigning authentication indicators to internal IPA + services + Resolves: RHBZ#1979625 +- Unable to set ipaUserAuthType with stageuser-add + Resolves: RHBZ#1979605 + +* Thu Jul 1 2021 Thomas Woerner - 4.9.6-1 +- Upstream release FreeIPA 4.9.6 + Related: RHBZ#1945038 +- Revise PKINIT upgrade code + Resolves: RHBZ#1886837 +- ipa-cert-fix man page: add note about certmonger renewal + Resolves: RHBZ#1780317 +- Certificate Serial Number issue + Resolves: RHBZ#1919384 + +* Mon Jun 14 2021 Thomas Woerner - 4.9.5-1 +- Upstream release FreeIPA 4.9.5 + Related: RHBZ#1945038 +- IPA to allow setting a new range type + Resolves: RHBZ#1688267 +- ipa-server-install displays debug output when --debug output is not + specified. + Resolves: RHBZ#1943151 +- ACME fails to generate a cert on migrated RHEL8.4 server + Resolves: RHBZ#1934991 +- Switch ipa-client to use the JSON API + Resolves: RHBZ#1937856 +- IDM - Allow specifying permanent logging settings for BIND + Resolves: RHBZ#1951511 +- Cache LDAP data within a request + Resolves: RHBZ#1953656 +- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 + Resolves: RHBZ#1957768 + +* Wed Mar 31 2021 Thomas Woerner - 4.9.3-1 +- Upstream release FreeIPA 4.9.3 + Resolves: RHBZ#1945038 + +* Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-1 +- Upstream release FreeIPA 4.9.2 + Related: RHBZ#1891832 + +* Wed Jan 27 2021 Alexander Bokovoy - 4.9.1-1 +- Upstream release FreeIPA 4.9.1 + Related: RHBZ#1891832 + +* Mon Jan 4 2021 Thomas Woerner - 4.9.0-1 +- Upstream final release FreeIPA 4.9.0 + Related: RHBZ#1891832 + +* Fri Dec 11 2020 Thomas Woerner - 4.9.0-0.5.rc3 +- Upstream pre release FreeIPA 4.9.0rc3 + Related: RHBZ#1891832 + +* Fri Dec 4 2020 Alexander Bokovoy - 4.9.0-0.3.rc2 +- Remove ipa-server dependency from ipa-selinux subpackage +- Related: RHBZ#1891832 + +* Fri Dec 4 2020 Thomas Woerner - 4.9.0-0.2.rc2 +- Upstream pre release FreeIPA 4.9.0rc2 + Related: RHBZ#1891832 +- Synchronize spec file with upstream and Fedora + Related: RHBZ#1891832 +- Traceback while doing ipa-backup + Resolves: RHBZ#1901068 +- ipa-client-install changes system wide ssh configuration + Resolves: RRBZ#1544379 +- ipa-kdb: support subordinate/superior UPN suffixes + Resolves: RHBZ#1891056 +- KRA Transport and Storage Certificates do not renew + Resolves: RHBZ#1872603 +- Move where the restore state is marked during IPA server upgrade + Resolves: RHBZ#1569011 +- Intermittent IdM Client Registration Failures + Resolves: RHBZ#1812871 +- Nightly test failure in test_acme.py::TestACME::test_third_party_certs + (updates-testing) + Resolves: RHBZ#1903025 +- Add IPA RA Agent to ACME group on the CA + Resolves: RHBZ#1902727 + +* Mon Nov 23 2020 Thomas Woerner - 4.9.0-0.1.rc1 +- Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub + package + Related: RHBZ#1891832 + +* Mon Nov 23 2020 Thomas Woerner - 4.9.0-0.rc1 +- Upstream pre release FreeIPA 4.9.0rc1 + Resolves: RHBZ#1891832 +- Requirements and design for libpwquality integration + Resolves: RHBZ#1340463 +- When parsing options require name/value pairs + Resolves: RHBZ#1357495 +- WebUI: Fix issue with opening links in new tab/window + Resolves: RHBZ#1484088 +- Use a state to determine if a 389-ds upgrade is in progress + Resolves: RHBZ#1569011 +- Unlock user accounts after a password reset and replicate that unlock to + all IdM servers + Resolves: RHBZ#1784657 +- Set the certmonger subject with a string, not an object + Resolves: RHBZ#1810148 +- Implement ACME certificate enrolment + Resolves: RHBZ#1851835 +- [WebUI] Backport jQuery patches from newer versions of the library (e.g. + 3.5.0) + Resolves: RHBZ#1859249 +- It is not possible to edit KDC database when the FreeIPA server is running + Resolves: RHBZ#1875001 +- Fix nsslapd-db-lock tuning of BDB backend + Resolves: RHBZ#1882340 +- ipa-kdb: support subordinate/superior UPN suffixes + Resolves: RHBZ#1891056 +- wgi/plugins.py: ignore empty plugin directories + Resolves: RHBZ#1894800 + +* Thu Sep 10 2020 Thomas Woerner - 4.8.7-11 +- SELinux Policy: let custodia replicate keys + Resolves: RHBZ#1868432 + +* Wed Aug 19 2020 Thomas Woerner - 4.8.7-10 +- Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations + Resolves: RHBZ#1870202 + +* Mon Aug 17 2020 Thomas Woerner - 4.8.7-9 +- CAless installation: set the perms on KDC cert file + Resolves: RHBZ#1863616 +- EPN: handle empty attributes + Resolves: RHBZ#1866938 +- IPA-EPN: enhance input validation + Resolves: RHBZ#1866291 +- EPN: enhance input validation + Resolves: RHBZ#1863079 +- Require new samba build 4.12.3-52 + Related: RHBZ#1868558 +- Require new selinux-policy build 3.14.3-52 + Related: RHBZ#1869311 + +* Fri Jul 31 2020 Thomas Woerner - 4.8.7-8 +- [WebUI] IPA Error 3007: RequirmentError" while adding members in + "User ID overrides" tab (updated) + Resolves: RHBZ#1757045 +- ipa-client-install: use the authselect backup during uninstall + Resolves: RHBZ#1810179 +- Replace SSLCertVerificationError with CertificateError for py36 + Resolves: RHBZ#1858318 +- Fix AVC denial during ipa-adtrust-install --add-agents + Resolves: RHBZ#1859213 + +* Wed Jul 15 2020 Thomas Woerner - 4.8.7-7 +- replica install failing with avc denial for custodia component + Resolves: RHBZ#1857157 + +* Tue Jul 14 2020 Thomas Woerner - 4.8.7-6 +- selinux don't audit rules deny fetching trust topology + Resolves: RHBZ#1845596 +- fix iPAddress cert issuance for >1 host/service + Resolves: RHBZ#1846352 +- Specify cert_paths when calling PKIConnection + Resolves: RHBZ#1849155 +- Update crypto policy to allow AD-SUPPORT when installing IPA + Resolves: RHBZ#1851139 +- Add version to ipa-idoverride-memberof obsoletes + Related: RHBZ#1846434 + +* Thu Jul 02 2020 Thomas Woerner - 4.8.7-5 +- Add missing ipa-selinux package + Resolves: RHBZ#1853263 + +* Mon Jun 29 2020 Thomas Woerner - 4.8.7-4 +- Remove client-epn left over files for ONLY_CLIENT + Related: RHBZ#1847999 + +* Mon Jun 29 2020 Thomas Woerner - 4.8.7-3 +- [WebUI] IPA Error 3007: RequirmentError" while adding members in + "User ID overrides" tab + Resolves: RHBZ#1757045 +- EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in + freeipa-client-epn + Resolves: RHBZ#1847999 +- FreeIPA - Utilize 256-bit AJP connector passwords + Resolves: RHBZ#1849914 +- ipa: typo issue in ipanthomedirectoryrive deffinition + Resolves: RHBZ#1851411 + +* Thu Jun 11 2020 Thomas Woerner - 4.8.7-2 +- Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7 + Resolves: RHBZ#1846434 + +* Thu Jun 11 2020 Thomas Woerner - 4.8.7-1 +- Upstream release FreeIPA 4.8.7 +- Require new samba build 4.12.3-0 + Related: RHBZ#1818765 +- New client-epn sub package + Resolves: RHBZ#913799 + +* Tue Jun 02 2020 Thomas Woerner - 4.8.6-2 +- Support krb5 1.18 + Resolves: RHBZ#1817579 + +* Tue Apr 28 2020 Thomas Woerner - 4.8.6-1 +- Upstream release FreeIPA 4.8.6 +- New SELinux sub package to provide own module +- Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in + SELinux external policy support + Related: RHBZ#1818765 + +* Mon Feb 17 2020 Thomas Woerner - 4.8.4-6 +- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit + Resolves: RHBZ#1790663 + +* Mon Feb 17 2020 Thomas Woerner - 4.8.4-5 +- Fixed weekday in 4.8.4-2 changelog date + Related: RHBZ#1784003 +- adtrust: print DNS records for external DNS case after role is enabled + Resolves: RHBZ#1665051 +- AD user without override receive InternalServerError with API + Resolves: RHBZ#1782572 +- ipa-client-automount fails after repeated installation/uninstallation + Resolves: RHBZ#1790886 +- install/updates: move external members past schema compat update + Resolves: RHBZ#1803165 +- kdb: make sure audit_as_req callback signature change is preserved + Resolves: RHBZ#1803786 + +* Wed Jan 29 2020 Thomas Woerner - 4.8.4-4 +- Update dependencies for samba, 389-ds and sssd + Resolves: RHBZ#1792848 + +* Fri Jan 17 2020 Alexander Bokovoy - 4.8.4-3 +- Depend on krb5-kdb-version-devel for BuildRequires +- Update nss dependency to 3.44.0-4 +- Reset per-indicator Kebreros policy + Resolves: RHBZ#1784761 + +* Sat Dec 14 2019 Thomas Woerner - 4.8.4-2 +- DNS install check: Fix overlapping DNS zone from the master itself + Resolves: RHBZ#1784003 + +* Sat Dec 14 2019 Thomas Woerner - 4.8.4-1 +- Rebase to upstream release 4.8.4 + - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 + Resolves: RHBZ#1782658 + Resolves: RHBZ#1782169 + Resolves: RHBZ#1783046 + Related: RHBZ#1748987 + +* Mon Dec 2 2019 Thomas Woerner - 4.8.3-3 +- Fix otptoken_sync plugin + Resolves: RHBZ#1777811 + +* Mon Dec 2 2019 Thomas Woerner - 4.8.3-2 +- Use default crypto policy for TLS and enable TLS 1.3 support + Resolves: RHBZ#1777809 +- Covscan fixes + Resolves: RHBZ#1777920 +- Change pki_version to 10.8.0 + Related: RHBZ#1748987 + +* Thu Nov 28 2019 Alexander Bokovoy - 4.8.3-1 +- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) + Resolves: RHBZ#1767304 + Resolves: RHBZ#1776939 +- Support KDC ticket policies for authentication indicators + Resolves: RHBZ#1777564 + +* Tue Nov 26 2019 Alexander Bokovoy - 4.8.2-4 +- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() + Resolves: RHBZ#1767304 +- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch + Resolves: RHBZ#1776939 + +* Fri Nov 22 2019 Thomas Woerner - 4.8.2-3 +- Use default ssh host key algorithms + Resolves: RHBZ#1756432 +- Do not run trust upgrade code if master lacks Samba bindings + Resolves: RHBZ#1757064 +- Finish group membership management UI + Resolves: RHBZ#1773528 + +* Mon Nov 18 2019 Thomas Woerner - 4.8.2-2 +- Update dependency for bind-dndb-ldap to 11.2-2 + Related: RHBZ#1762813 + +* Thu Nov 14 2019 Thomas Woerner - 4.8.2-1 +- Rebase to upstream release 4.8.2 + - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 + - Updated branding patch + Resolves: RHBZ#1748987 + +* Thu Aug 29 2019 Thomas Woerner - 4.8.0-10 +- Fix automount behavior with authselect + Resolves: RHBZ#1740167 + +* Mon Aug 19 2019 Thomas Woerner - 4.8.0-9 +- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT + Resolves: RHBZ#1741530 + +* Thu Aug 15 2019 Thomas Woerner - 4.8.0-8 +- FreeIPA 4.8.0 tarball lacks two update files that are in git + Resolves: RHBZ#1741170 + +* Tue Aug 13 2019 Thomas Woerner - 4.8.0-7 +- Allow insecure binds for migration + Resolves: RHBZ#1731963 + +* Fri Aug 2 2019 Thomas Woerner - 4.8.0-6 +- Fix --external-ca-profile not passed to CSR + Resolves: RHBZ#1731813 + +* Tue Jul 30 2019 Thomas Woerner - 4.8.0-5 +- Remove posixAccount from service_find search filter + Resolves: RHBZ#1731437 +- Fix repeated uninstallation of ipa-client-samba crashes + Resolves: RHBZ#1732529 +- WebUI: Add PKINIT status field to 'Configuration' page + Resolves: RHBZ#1518153 + +* Tue Jul 16 2019 Alexander Bokovoy - 4.8.0-4 +- Fix krb5-kdb-server -> krb5-kdb-version + Related: RHBZ#1700121 + +* Mon Jul 15 2019 Alexander Bokovoy - 4.8.0-3 +- Make sure ipa-server depends on krb5-kdb-version to pick up + right MIT Kerberos KDB ABI + Related: RHBZ#1700121 +- User field separator uses '$$' within ipaSELInuxUserMapOrder + Fixes: RHBZ#1729099 + +* Wed Jul 3 2019 Thomas Woerner - 4.8.0-2 +- Fixed kdcproxy_version to 0.4-3 +- Fixed krb5_version to 1.17-7 + Related: RHBZ#1684528 + +* Wed Jul 3 2019 Thomas Woerner - 4.8.0-1 +- New upstream release 4.8.0 + - New subpackage: freeipa-client-samba + - Added command ipa-cert-fix with man page + - New sysconfdir sysconfig/certmonger +- Updated pki_version, certmonger_version, sssd_version and kdcproxy_version + Related: RHBZ#1684528 + +* Tue May 21 2019 Alexander Bokovoy - 4.7.90-3 +- Fix upgrade issue with AD trust when no trust yet established + Fixes: RHBZ#1708874 + Related: RHBZ#1684528 + +* Thu May 9 2019 Alexander Bokovoy - 4.7.90-2 +- Require certmonger 0.79.7-1 + Related: RHBZ#1708095 + +* Mon May 6 2019 Thomas Woerner - 4.7.90-1 +- Update to 4.7.90-pre1 + Related: RHBZ#1684528 +- Removed patches 0002 to 0031 as these are upsteram and part of 4.7.90-pre1 +- Added new patches 0001-revert-minssf-defaults.patch and + 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch + +* Tue Apr 16 2019 Alexander Bokovoy - 4.7.1-12 +- Remove strict dependencies to krb5-server version in order to allow + update of krb5 to 1.17 and change dependency to KDB DAL version. + Resolves: RHBZ#1700121 + +* Wed Feb 27 2019 Rob Crittenden - 4.7.1-11 +- Handle NFS configuration file changes. nfs-utils moved the + configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. + Resolves: RHBZ#1676981 + +* Tue Jan 15 2019 Christian Heimes - 4.7.1-10 +- Fix systemd-user HBAC rule + Resolves: RHBZ#1664974 + +* Mon Jan 14 2019 Thomas Woerner - 4.7.1-9 +- Resolve user/group names in idoverride*-find + Resolves: RHBZ#1657745 + +* Mon Jan 14 2019 Christian Heimes - 4.7.1-8 +- Create systemd-user HBAC service and rule + Resolves: RHBZ#1664974 +- ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned + Resolves: RHBZ#1664023 + +* Fri Dec 14 2018 Thomas Woerner - 4.7.1-7.el8 +- Fix misleading errors during client install rollback + Resolves: RHBZ#1658283 +- ipa-advise: update url of cacerdir_rehash tool + Resolves: RHBZ#1658287 +- Handle NTP configuration in a replica server installation + Resolves: RHBZ#1651679 +- Fix defects found by static analysis + Resolves: RHBZ#1658182 +- ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad + Resolves: RHBZ#1658294 +- ipaldap: invalid modlist when attribute encoding can vary + Resolves: RHBZ#1658302 +- Allow ipaapi and Apache user to access SSSD IFP + Resolves: RHBZ#1639910 +- Add sysadm_r to default SELinux user map order + Resolves: RHBZ#1658303 +- certdb: ensure non-empty Subject Key Identifier and validate server cert sig + Resolves: RHBZ#1641988 +- ipa-replica-install: password and admin-password options mutually exclusive + Resolves: RHBZ#1658309 +- ipa upgrade: handle double-encoded certificates + Resolves: RHBZ#1658310 +- PKINIT: fix ipa-pkinit-manage enable|disable + Resolves: RHBZ#1658313 +- Enable LDAP debug output in client to display TLS errors in join + Resolves: RHBZ#1658316 +- rpc: always read response + Resolves: RHBZ#1639890 +- ipa vault-retrieve: fix internal error + Resolves: RHBZ#1658485 +- Move ipa's systemd tmpfiles from /var/run to /run + Resolves: RHBZ#1658487 +- Fix authselect invocations to work with 1.0.2 + Resolves: RHBZ#1654291 +- ipa-client-automount and NFS unit name changes + Resolves: RHBZ#1645501 +- Fix compile issue with new 389-ds + Resolves: RHBZ#1659448 + +* Thu Nov 15 2018 Lumír Balhar - 4.7.1-6.el8 +- Require platform-python-setuptools instead of python3-setuptools +- Resolves: rhbz#1650139 + +* Mon Oct 29 2018 Alexander Bokovoy - 4.7.1-5.el8 +- Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing +- Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter + +* Tue Oct 16 2018 Alexander Bokovoy - 4.7.1-4.el8 +- Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade + to not use generated Samba config at this point +- Related: rhbz#1623895 + +* Mon Oct 15 2018 Thomas Woerner - 4.7.1-3.el8 +- New command automember-find-orphans to find and remove orphan automemeber + rules has been added + Resolves: RHBZ#1638373 +- Moved ipa/idm logos and background to redhat-logos-ipa-80.4: + header-logo.png, login-screen-background.jpg, login-screen-logo.png, + product-name.png + New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common + Resolves: RHBZ#1626507 + +* Wed Oct 10 2018 Alexander Bokovoy - 4.7.1-2.el8 +- Move initialization of Guests mapping after cifs/ principal is created +- Related: rhbz#1623895 + +* Sun Oct 07 2018 Alexander Bokovoy - 4.7.1-1.el8 +- 4.7.1 +- Fixes: rhbz#1633105 - rebase to 4.7.1 + +* Tue Sep 25 2018 Tomas Orsava - 4.7.0-6.el8 +- Require the Python interpreter directly instead of using the package name +- Related: rhbz#1619153 + +* Thu Sep 13 2018 Rob Crittenden - 4.7.0-5.el8 +- sudo rule for "admins" members should be created by default (#1609873) + +* Thu Sep 6 2018 Rob Crittenden - 4.7.0-4.el8 +- ipaclient-install: chmod needs octal permissions (#1609880) + +* Thu Aug 16 2018 Thomas Woerner - 4.7.0-3.1.el8 +- Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of + errors.NotFound +- Resolves: #1615765 do-not-use-RC4-in-FIPS-mode + - Move fips_enabled to a common library to share across different plugins + - ipasam: do not use RC4 in FIPS mode + +* Mon Aug 13 2018 Thomas Woerner - 4.7.0-3.el8 +- Resolves: #1614301 Remove --no-sssd and --noac options +- Resolves: #1613879 Disable Domain Level 0 + - New patch sets to disable domain level 0 + - New adapted patch to disable DL0 specific tests (pytest_ipa vs. + pytest_plugins) + - Adapted branding patch in ipa-replica-install.1 due to DL0 removal + +* Wed Jul 25 2018 Alexander Bokovoy - 4.7.0-2.el8 +- Require 389-ds-base-legacy-tools for setup tools + +* Thu Jul 19 2018 Rob Crittenden - 4.7.0-1.el8 +- Update to upstream 4.7.0 GA + +* Mon May 21 2018 Rob Crittenden - 4.6.90.pre1-2.el8 +- Set krb5 DAL version to 7.0 (#1580711) +- Rebuild aclocal and configure during build + +* Mon Mar 26 2018 Rob Crittenden - 4.6.90.pre1-1.el8 +- Update to upstream 4.6.90.pre1 + +* Mon Jan 29 2018 Troy Dawson - 4.5.4-5.el8.1 +- Use java-1.8.0-openjdk-devel + +* Thu Nov 30 2017 Alexander Bokovoy - 4.5.4-5.el7 +- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads + +* Fri Nov 3 2017 Pavel Vomacka - 4.5.4-4.el7 +- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. + - ldap: limit the retro changelog to dns subtree +- Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead + of "CA:FALSE" IPA CA CSR + - Include the CA basic constraint in CSRs when renewing a CA +- Resolves: #1493145 ipa-replica-install might fail because of an already + existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX + - Checks if replica-s4u2proxy.ldif should be applied +- Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default + - ds: ignore time skew during initial replication step + - ipa-replica-manage: implicitly ignore initial time skew in force-sync +- Resolves: #1500218 Replica installation at domain-level 0 fails against + upgraded ipa-server + - Fix ipa-replica-conncheck when called with --principal +- Resolves: #1506188 server-del doesn't remove dns-server configuration + from ldap + +* Thu Oct 26 2017 Rob Crittenden - 4.5.4-3.el7 +- Drop workaround for building on AArch64 (#1482244) +- Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) + +* Tue Oct 24 2017 Felipe Barreto - 4.5.4-2.el7 +- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 + parameters! +- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during + search in cn=ad, cn=trusts,dc=example,dc=com +- Resolves: #1467887 iommu platform support for ipxe +- Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to + validate message: Incorrect number of results (0) searching forpublic key for + host +- Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to + 4.5 +- Resolves: #1480102 ipa-server-upgrade failes with "This entry already + exists" +- Resolves: #1482802 Unable to set ca renewal master on replica +- Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found + (ipa-server-upgrade) +- Resolves: #1484826 FreeIPA/IdM installations which were upgraded from + versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and + thus startup of Web UI fails +- Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back + to self-signed CA +- Resolves: #1469246 Replica install fails to configure IPA-specific + temporary files/directories +- Resolves: #1469480 bind package is not automatically updated during + ipa-server upgrade process +- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new + installs only) +- Resolves: #1477703 IPA upgrade fails for latest ipa package + +* Fri Oct 20 2017 Pavel Vomacka - 4.5.4-1.el7 +- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in + buildroot +- Resolves: #1470177 - Rebase IPA to latest 4.5.x version +- Resolves: #1398594 ipa topologysuffix-verify should only warn about + maximum number of replication agreements. +- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" + to "Host-Based" and "Role-Based" +- Resolves: #1409786 Second phase of --external-ca ipa-server-install + setup fails when dirsrv is not running +- Resolves: #1451576 ipa cert-request failed to generate certificate from csr +- Resolves: #1452086 Pagination Size under Customization in IPA WebUI + accepts negative values +- Resolves: #1458169 --force-join option is not mentioned in + ipa-replica-install man page +- Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case +- Resolves: #1478322 user-show command fails when sizelimit is configured + to number <= number of entity which is user member of +- Resolves: #1496775 Enterprise principals should be able to trigger + a refresh of the trusted domain data in the KDC +- Resolves: #1502533 Changing cert-find to go through the proxy + instead of using the port 8080 +- Resolves: #1502663 pkinit-status command fails after an upgrade from + a pre-4.5 IPA +- Resolves: #1498168 Error when trying to modify a PTR record +- Resolves: #1457876 ipa-backup fails silently +- Resolves: #1493531 In case full PKINIT configuration is failing during + server/replica install the error message should be more meaningful. +- Resolves: #1449985 Suggest CA installation command in KRA installation + warning + +* Wed Sep 20 2017 Felipe Barreto - 4.5.0-21.el7.2.2 +- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports + expecting IPA services listening on IPv6 ports + - Make sure upgrade also checks for IPv6 stack + - control logging of host_port_open from caller + - log progress of wait_for_open_ports +- Resolves: #1477243 ipa help command returns traceback when no cache + is present + - Store help in Schema before writing to disk + - Disable pylint in get_help function because of type confusion. + +* Tue Sep 19 2017 Felipe Barreto - 4.5.0-21.el7.2 +- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to + validate message: Incorrect number of results (0) searching forpublic + key for host + - Always check peer has keys before connecting +- Resolves: #1482802 - Unable to set ca renewal master on replica + - Fix ipa config-mod --ca-renewal-master +- Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching + back to self-signed CA + - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) +- Resolves: #1480102 - ipa-server-upgrade failes with "This entry already exists" + - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists +- Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from + versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and + thus startup of Web UI fails + - Adds whoami DS plugin in case that plugin is missing +- Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 + - Fixing how sssd.conf is updated when promoting a client to replica +- Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 + parameters! + - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace +- Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found + (ipa-server-upgrade) + - Backport 4-5: Fix ipa-server-upgrade with server cert tracking + +* Thu Aug 17 2017 Pavel Vomacka - 4.5.0-21.el7.1.2 +- Resolves: #1477703 IPA upgrade fails for latest ipa package + - Restore old version of caIPAserviceCert for upgrade only + +* Tue Aug 15 2017 Pavel Vomacka - 4.5.0-21.el7.1.1 +- Resolves: #1475238 Use CommonNameToSANDefault in default profile + (new installs only) + - Restore old version of caIPAserviceCert for upgrade only + +* Fri Jul 28 2017 Pavel Vomacka - 4.5.0-21.el7.1 +- Resolves: #1455946 Provide a tooling automating the configuration + of Smart Card authentication on a FreeIPA master + - smart-card advises: configure systemwide NSS DB also on master + - smart-card advises: add steps to store smart card signing CA cert + - Allow to pass in multiple CA cert paths to the smart card advises + - add a class that tracks the indentation in the generated advises + - delegate the indentation handling in advises to dedicated class + - advise: add an infrastructure for formatting Bash compound statements + - delegate formatting of compound Bash statements to dedicated classes + - Fix indentation of statements in Smart card advises + - Use the compound statement formatting API for configuring PKINIT + - smart card advises: use a wrapper around Bash `for` loops + - smart card advise: use password when changing trust flags on HTTP cert + - smart-card-advises: ensure that krb5-pkinit is installed on client +- Resolves: #1475238 Use CommonNameToSANDefault in default profile + (new installs only) + - Add CommonNameToSANDefault to default cert profile +- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s + during search in cn=ad,cn=trusts,dc=example,dc=com + - NULL LDAP context in call to ldap_search_ext_s during search + +* Wed Jul 12 2017 Pavel Vomacka - 4.5.0-21.el7 +- Resolves: #1469246 Replica install fails to configure IPA-specific + temporary files/directories + - replica install: drop-in IPA specific config to tmpfiles.d +- Resolves: #1469480 bind package is not automatically updated during + ipa-server upgrade process + - Bumped Required version of bind-dyndb-ldap and bind package + +* Tue Jun 27 2017 Pavel Vomacka - 4.5.0-20.el7 +- Resolves: #1452216 Replica installation grants HTTP principal + access in WebUI + - Make sure we check ccaches in all rpcserver paths + +* Wed Jun 21 2017 Pavel Vomacka - 4.5.0-19.el7 +- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL + internal error, assertion failed: Digest MD4 forbidden in FIPS mode! + - ipa-sam: replace encode_nt_key() with E_md4hash() + - ipa_pwd_extop: do not generate NT hashes in FIPS mode +- Resolves: #1377973 ipa-server-install fails when the provided or resolved + IP address is not found on local interfaces + - Fix local IP address validation + - ipa-dns-install: remove check for local ip address + - refactor CheckedIPAddress class + - CheckedIPAddress: remove match_local param + - Remove ip_netmask from option parser + - replica install: add missing check for non-local IP address + - Remove network and broadcast address warnings + +* Thu Jun 15 2017 Pavel Vomacka - 4.5.0-18.el7 +- Resolves: #1449189 ipa-kra-install timeouts on replica + - kra: promote: Get ticket before calling custodia + +* Wed Jun 14 2017 Pavel Vomacka - 4.5.0-17.el7 +- Resolve: #1455946 Provide a tooling automating the configuration + of Smart Card authentication on a FreeIPA master + - server certinstall: update KDC master entry + - pkinit manage: introduce ipa-pkinit-manage + - server upgrade: do not enable PKINIT by default + - Extend the advice printing code by some useful abstractions + - Prepare advise plugin for smart card auth configuration +- Resolve: #1461053 allow to modify list of UPNs of a trusted forest + - trust-mod: allow modifying list of UPNs of a trusted forest + - WebUI: add support for changing trust UPN suffixes + +* Wed Jun 7 2017 Pavel Vomacka - 4.5.0-16.el7 +- Resolves: #1377973 ipa-server-install fails when the provided or resolved + IP address is not found on local interfaces + - Only warn when specified server IP addresses don't match intf +- Resolves: #1438016 gssapi errors after IPA server upgrade + - Bump version of python-gssapi +- Resolves: #1457942 certauth: use canonical principal for lookups + - ipa-kdb: use canonical principal in certauth plugin +- Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid + breaking older clients + - Add code to be able to set default kinit lifetime + - Revert setting sessionMaxAge for old clients + +* Wed Jun 7 2017 Pavel Vomacka - 4.5.0-15.el7 +- Resolves: #1442233 IPA client commands fail when pointing to replica + - httpinstance: wait until the service entry is replicated +- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then + not indexed + - Fix index definition for ipaAnchorUUID +- Resolves: #1438016 gssapi errors after IPA server upgrade + - Avoid possible endless recursion in RPC call + - rpc: preparations for recursion fix + - rpc: avoid possible recursion in create_connection +- Resolves: #1446087 services entries missing krbCanonicalName attribute. + - Changing cert-find to do not use only primary key to search in LDAP. +- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers + - ipa-kdb: reload certificate mapping rules periodically +- Resolves: #1455541 after upgrade login from web ui breaks + - kdc.key should not be visible to all +- Resolves: #1435606 Add pkinit_indicator option to KDC configuration + - ipa-kdb: add pkinit authentication indicator in case of a successful + certauth +- Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate + issuance when ipa-ca records are not resolvable + - Turn off OCSP check +- Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - + server_del - TypeError: 'NoneType' object is not iterable + - fix incorrect suffix handling in topology checks + +* Wed May 24 2017 Pavel Vomacka - 4.5.0-14.el7 +- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to + handle PKINIT certificates/anchors + - certdb: add named trust flag constants + - certdb, certs: make trust flags argument mandatory + - certdb: use custom object for trust flags + - install: trust IPA CA for PKINIT + - client install: fix client PKINIT configuration + - install: introduce generic Kerberos Augeas lens + - server install: fix KDC PKINIT configuration + - ipapython.ipautil.run: Add option to set umask before executing command + - certs: do not export keys world-readable in install_key_from_p12 + - certs: do not export CA certs in install_pem_from_p12 + - server install: fix KDC certificate validation in CA-less + - replica install: respect --pkinit-cert-file + - cacert manage: support PKINIT + - server certinstall: support PKINIT +- Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file + option + - certs: do not export CA certs in install_pem_from_p12 + - server install: fix KDC certificate validation in CA-less +- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been + decommissioned + - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname +- Resolves: #1451712 KRA installation fails on server that was originally + installed as CA-less + - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt +- Resolves: #1441499 ipa cert-show does not raise error if no file name + specified + - ca/cert-show: check certificate_out in options +- Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ + - Remove pkinit-anonymous command +- Resolves: #1449523 Provide an API command to retrieve PKINIT status + in the FreeIPA topology + - Allow for multivalued server attributes + - Refactor the role/attribute member reporting code + - Add an attribute reporting client PKINIT-capable servers + - Add the list of PKINIT servers as a virtual attribute to global config + - Add `pkinit-status` command + - test_serverroles: Get rid of MockLDAP and use ldap2 instead +- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI + - Fix rare race condition with missing ccache file +- Resolves: #1455045 Simple service uninstallers must be able to handle + missing service files gracefully + - only stop/disable simple service if it is installed +- Resolves: #1455541 after upgrade login from web ui breaks + - krb5: make sure KDC certificate is readable +- Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing + command "ipa cert-request --add" after upgrade + - Change python-cryptography to python2-cryptography + +* Thu May 18 2017 Pavel Vomacka - 4.5.0-13.el7 +- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" + error observed during ipa upgrade with latest package. + - ipa-server-install: fix uninstall +- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break + replica + - ca install: merge duplicated code for DM password + - installutils: add DM password validator + - ca, kra install: validate DM password + +* Tue May 16 2017 Pavel Vomacka - 4.5.0-12.el7 +- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy + - python2-ipalib: add missing python dependency + - installer service: fix typo in service entry + - upgrade: add missing suffix to http instance +- Resolves: #1444791 Update man page of ipa-kra-install + - ipa-kra-install manpage: document domain-level 1 +- Resolves: #1441493 ipa cert-show raises stack traces when + --certificate-out=/tmp + - cert-show: writable files does not mean dirs +- Resolves: #1441192 Add the name of URL parameter which will be check for + username during cert login + - Bump version of ipa.conf file +- Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login + - Turn on NSSOCSP check in mod_nss conf +- Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting + template on + - renew agent: respect CA renewal master setting + - server upgrade: always fix certmonger tracking request + - cainstance: use correct profile for lightweight CA certificates + - renew agent: allow reusing existing certs + - renew agent: always export CSR on IPA CA certificate renewal + - renew agent: get rid of virtual profiles + - ipa-cacert-manage: add --external-ca-type +- Resolves: #1441593 error adding authenticator indicators to host + - Fixing adding authenticator indicators to host +- Resolves: #1449525 Set directory ownership in spec file + - Added plugins directory to ipaclient subpackages + - ipaclient: fix missing RPM ownership +- Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' + - otptoken-add-yubikey: When --digits not provided use default value + +* Wed May 10 2017 Jan Cholasta - 4.5.0-11.el7 +- Resolves: #1449189 ipa-kra-install timeouts on replica + - ipa-kra-install: fix check_host_keys + +* Wed May 3 2017 Jan Cholasta - 4.5.0-10.el7 +- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to + validate message: Incorrect number of results (0) searching forpublic key for + host + - Make sure remote hosts have our keys +- Resolves: #1442815 Replica install fails during migration from older IPA + master + - Refresh Dogtag RestClient.ca_host property + - Remove the cachedproperty class +- Resolves: #1444787 Update warning message when KRA installation fails + - kra install: update installation failure message +- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode + - ipa-server-install with external CA: fix pkinit cert issuance +- Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() + must use FreeIPA CA + - kerberos session: use CA cert with full cert chain for obtaining cookie +- Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors + definition + - ipa-client-install: remove extra space in pkinit_anchors definition +- Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade + - Use proper SELinux context with http.keytab + +* Fri Apr 28 2017 Jan Cholasta - 4.5.0-9.el7 +- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with + certificates on smart cards (pkinit) + - spec file: bump krb5 Requires for certauth fixes +- Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option + is used + - separate function to set ipaConfigString values on service entry + - Allow for configuration of all three PKINIT variants when deploying KDC + - API for retrieval of master's PKINIT status and publishing it in LDAP + - Use only anonymous PKINIT to fetch armor ccache + - Stop requesting anonymous keytab and purge all references of it + - Use local anchor when armoring password requests + - Upgrade: configure local/full PKINIT depending on the master status + - Do not test anonymous PKINIT after install/upgrade +- Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. + update_tdo_gidnumber: ERROR Default SMB Group not found + - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is + installed +- Resolves: #1442932 ipa restore fails to restore IPA user + - restore: restart/reload gssproxy after restore +- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode + - Fix CA/server cert validation in FIPS +- Resolves: #1444947 Deadlock between topology and schema-compat plugins + - compat-manage: behave the same for all users + - Move the compat plugin setup at the end of install + - compat: ignore cn=topology,cn=ipa,cn=etc subtree +- Resolves: #1445358 ipa vault-add raises TypeError + - vault: piped input for ipa vault-add fails +- Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault + - Vault: Explicitly default to 3DES CBC +- Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning + - automount install: fix checking of SSSD functionality on uninstall +- Resolves: #1446137 pki_client_database_password is shown in + ipaserver-install.log + - Hide PKI Client database password in log file + +* Thu Apr 20 2017 Jan Cholasta - 4.5.0-8.el7 +- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade + - Fix CAInstance.import_ra_cert for empty passwords + +* Wed Apr 19 2017 Jan Cholasta - 4.5.0-7.el7 +- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA + WebUI is slow to display user details page + - cert: defer cert-find result post-processing +- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit + helper when installing replica + - server-install: No double Kerberos install +- Resolves: #1437502 ipa-replica-install fails with requirement to + use --force-join that is a client install option. + - Add the force-join option to replica install + - replicainstall: better client install exception handling +- Resolves: #1437953 Server CA-less impossible option check + - server-install: remove broken no-pkinit check +- Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies + - Add debug log in case cookie retrieval went wrong +- Resolves: #1441548 ipa server install fails with --external-ca option + - ext. CA: correctly write the cert chain +- Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance + spawn + - Fix CA-less to CA-full upgrade +- Resolves: #1442133 Do not link libkrad, liblber, libldap_r and + libsss_nss_idmap to every binary in IPA + - configure: fix AC_CHECK_LIB usage +- Resolves: #1442815 Replica install fails during migration from older IPA + master + - Fix RA cert import during DL0 replication +- Related: #1442004 Building IdM/FreeIPA internally on all architectures - + filtering unsupported packages + - Build all subpackages on all architectures + +* Wed Apr 12 2017 Pavel Vomacka - 4.5.0-6.el7 +- Resolves: #1382053 Need to have validation for idrange names + - idrange-add: properly handle empty --dom-name option +- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit + helper when installing replica + - dsinstance: reconnect ldap2 after DS is restarted by certmonger + - httpinstance: avoid httpd restart during certificate request + - dsinstance, httpinstance: consolidate certificate request code + - install: request service certs after host keytab is set up + - renew agent: revert to host keytab authentication + - renew agent, restart scripts: connect to LDAP after kinit +- Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted + domain entry + - ipa-sam: create the gidNumber attribute in the trusted domain entry + - Upgrade: add gidnumber to trusted domain entry +- Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: + Incorrect client security database password + - Add pki_pin only when needed +- Resolves: #1438348 Console output message while adding trust should be + mapped with texts changed in Samba. + - ipaserver/dcerpc: unify error processing +- Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid + 'Credentials': Missing credentials for cross-forest communication + - trust: always use oddjobd helper for fetching trust information +- Resolves: #1441192 Add the name of URL parameter which will be check for + username during cert login + - WebUI: cert login: Configure name of parameter used to pass username +- Resolves: #1437879 [copr] Replica install failing + - Create system users for FreeIPA services during package installation +- Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install + - Fix s4u2self with adtrust + +* Wed Apr 5 2017 Jan Cholasta - 4.5.0-5.el7 +- Resolves: #1318186 Misleading error message during external-ca IPA master + install + - httpinstance: make sure NSS database is backed up +- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR + CA certificate chain in ... incomplete" + - httpinstance: make sure NSS database is backed up +- Resolves: #1393726 Enumerate all available request type options in ipa + cert-request help + - Hide request_type doc string in cert-request help +- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping + - spec file: bump libsss_nss_idmap-devel BuildRequires + - server: make sure we test for sss_nss_getlistbycert +- Resolves: #1437378 ipa-adtrust-install produced an error and failed on + starting smb when hostname is not FQDN + - adtrust: make sure that runtime hostname result is consistent with the + configuration +- Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous + keytab + - Always check and create anonymous principal during KDC install + - Remove duplicate functionality in upgrade +- Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous + principal for PKINIT + - Upgrade: configure PKINIT after adding anonymous principal + - Remove unused variable from failed anonymous PKINIT handling + - Split out anonymous PKINIT test to a separate method + - Ensure KDC is propery configured after upgrade +- Resolves: #1437951 Remove pkinit-related options from server/replica-install + on DL0 + - Fix the order of cert-files check + - Don't allow setting pkinit-related options on DL0 + - replica-prepare man: remove pkinit option refs + - Remove redundant option check for cert files +- Resolves: #1438490 CA-less installation fails on publishing CA certificate + - Get correct CA cert nickname in CA-less + - Remove publish_ca_cert() method from NSSDatabase +- Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap + - IPA-KDB: use relative path in ipa-certmap config snippet +- Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute + - Allow erasing ipaDomainResolutionOrder attribute + +* Wed Mar 29 2017 Jan Cholasta - 4.5.0-4.el7 +- Resolves: #1434032 Run ipa-custodia with custom SELinux context + - Require correct custodia version + +* Tue Mar 28 2017 Jan Cholasta - 4.5.0-3.el7 +- Resolves: #800545 [RFE] Support SUDO command rename + - Reworked the renaming mechanism + - Allow renaming of the sudorule objects +- Resolves: #872671 IPA WebUI login for AD Trusted User fails + - WebUI: check principals in lowercase + - WebUI: add method for disabling item in user dropdown menu + - WebUI: Add support for login for AD users +- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with + certificates on smart cards (pkinit) + - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() + - IPA certauth plugin + - ipa-kdb: do not depend on certauth_plugin.h + - spec file: bump krb5-devel BuildRequires for certauth +- Resolves: #1264370 RFE: disable last successful authentication by default in + ipa. + - Set "KDC:Disable Last Success" by default +- Resolves: #1318186 Misleading error message during external-ca IPA master + install + - certs: do not implicitly create DS pin.txt + - httpinstance: clean up /etc/httpd/alias on uninstall +- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR + CA certificate chain in ... incomplete" + - certs: do not implicitly create DS pin.txt + - httpinstance: clean up /etc/httpd/alias on uninstall +- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication + - configure: fix --disable-server with certauth plugin + - rpcserver.login_x509: Actually return reply from __call__ method + - spec file: Bump requires to make Certificate Login in WebUI work +- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping + - extdom: do reverse search for domain separator + - extdom: improve cert request +- Resolves: #1430363 [RFE] HBAC rule names command rename + - Reworked the renaming mechanism + - Allow renaming of the HBAC rule objects +- Resolves: #1433082 systemctl daemon-reload needs to be called after + httpd.service.d/ipa.conf is manipulated + - tasks: run `systemctl daemon-reload` after httpd.service.d updates +- Resolves: #1434032 Run ipa-custodia with custom SELinux context + - Use Custodia 0.3.1 features +- Resolves: #1434384 RPC client should use HTTP persistent connection + - Use connection keep-alive + - Add debug logging for keep-alive + - Increase Apache HTTPD's default keep alive timeout +- Resolves: #1434729 man ipa-cacert-manage install needs clarification + - man ipa-cacert-manage install needs clarification +- Resolves: #1434910 replica install against IPA v3 master fails with ACIError + - Fixing replica install: fix ldap connection in domlvl 0 +- Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is + used during typing Directory Manager password + - ipapython.ipautil.nolog_replace: Do not replace empty value +- Resolves: #1435397 ipa-replica-install can't install replica file produced by + ipa-replica-prepare on 4.5 + - replica prepare: fix wrong IPA CA nickname in replica file +- Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if + KRA is not installed + - WebUI: Fix showing vault in selfservice view +- Resolves: #1435718 As a ID user I cannot call a command with --rights option + - ldap2: use LDAP whoami operation to retrieve bind DN for current connection +- Resolves: #1436319 "Truncated search results" pop-up appears in user details + in WebUI + - WebUI: Add support for suppressing warnings + - WebUI: suppress truncation warning in select widget +- Resolves: #1436333 Uninstall fails with No such file or directory: + '/var/run/ipa/services.list' + - Create temporaty directories at the begining of uninstall +- Resolves: #1436334 WebUI: Adding certificate mapping data using certificate + fails + - WebUI: Allow to add certs to certmapping with CERT LINES around +- Resolves: #1436338 CLI doesn't work after ipa-restore + - Backup ipa-specific httpd unit-file + - Backup CA cert from kerberos folder +- Resolves: #1436342 Bump samba version, required for FIPS mode and privilege + separation + - Bump samba version for FIPS and priv. separation +- Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with + ipa vault commands + - Avoid growing FILE ccaches unnecessarily + - Handle failed authentication via cookie + - Work around issues fetching session data + - Prevent churn on ccaches +- Resolves: #1436657 Add workaround for pki_pin for FIPS + - Generate PIN for PKI to help Dogtag in FIPS +- Resolves: #1436714 [vault] cache KRA transport cert + - Simplify KRA transport cert cache +- Resolves: #1436723 cert-find does not find all certificates without + sizelimit=0 + - cert: do not limit internal searches in cert-find +- Resolves: #1436724 Renewal of IPA RA fails on replica + - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function +- Resolves: #1436753 Master tree fails to install + - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not + available + +* Tue Mar 21 2017 Jan Cholasta - 4.5.0-2.el7 +- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient + - Remove csrgen +- Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets + - Add options to allow ticket caching + +* Wed Mar 15 2017 Jan Cholasta - 4.5.0-1.el7 +- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install +- Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in + hostname +- Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' + attribute +- Resolves: #1321652 ipa-server-install fails when using external certificates + that encapsulate RDN components in double quotes +- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on + revocation reasons +- Resolves: #1340880 ipa-server-install: improve prompt on interactive + installation +- Resolves: #1353841 ipa-replica-install fails to install when resolv.conf + incomplete entries +- Resolves: #1356104 cert-show command does not display Subject Alternative + Names +- Resolves: #1357511 Traceback message seen when ipa is provided with invalid + configuration file name +- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is + converted from CA-less to CA-full +- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication +- Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa + config-mod --enable-migration=TRUE +- Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain +- Resolves: #1371927 Implement ca-enable/disable commands. +- Resolves: #1372202 Add Users into User Group editors fails to show Full names +- Resolves: #1373091 Adding an auth indicator from the CLI creates an extra + check box in the UI +- Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error + message +- Resolves: #1375905 "Normal" group type in the UI is confusing +- Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback +- Resolves: #1376630 IDM admin password gets written to + /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf +- Resolves: #1376729 ipa-server-install script option --no_hbac_allow should + match other options +- Resolves: #1378461 IPA Allows Password Reuse with History value defined when + admin resets the password. +- Resolves: #1379029 conncheck failing intermittently during single step + replica installs +- Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck +- Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace +- Resolves: #1392778 Update man page for ipa-adtrust-install by + removing --no-msdcs option +- Resolves: #1392858 Rebase to FreeIPA 4.5+ + - Rebase to 4.5.0 +- Resolves: #1399133 Delete option shouldn't be available for hosts applied to + view. +- Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA + should contain full trust chain +- Resolves: #1400416 RFE: Provide option to take backup of IPA server before + uninstalling IPA server +- Resolves: #1400529 cert-request is not aware of Kerberos principal aliases +- Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but + not on details page +- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping +- Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when + non-FQDN name of IPA server is first in /etc/hosts +- Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using + nsupdate +- Resolves: #1413742 Backport request for bug/issue Change IP address + validation errors to warnings +- Resolves: #1415652 IPA replica install log shows password in plain text +- Resolves: #1427897 different behavior regarding system wide certs in master + and replica. +- Resolves: #1430314 The ipa-managed-entries command failed, exception: + AttributeError: ldap2 + +* Tue Mar 14 2017 Jan Cholasta - 4.4.0-14.7 +- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica + with cert errors (untrusted) + - added ssl verification using IPA trust anchor +- Resolves: #1428472 batch param compatibility is incorrect + - compat: fix `Any` params in `batch` and `dnsrecord` +- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream + +* Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.6 +- Resolves: #1416454 replication race condition prevents IPA to install + - wait_for_entry: use only DN as parameter + - Wait until HTTPS principal entry is replicated to replica + - Use proper logging for error messages + +* Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.5 +- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is + installed without CA + - Set up DS TLS on replica in CA-less topology +- Resolves: #1398600 IPA replica install fails with dirsrv errors. + - Do not configure PKI ajp redirection to use "::1" +- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for + ca-del, ca-disable and ca-enable commands + - ca: correctly authorise ca-del, ca-enable and ca-disable + +* Fri Dec 16 2016 Jan Cholasta - 4.4.0-14.4 +- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services + by abusing password policy + - ipa-kdb: search for password policies globally +- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream + +* Tue Dec 13 2016 Jan Cholasta - 4.4.0-14.3 +- Resolves: #1398670 Check IdM Topology for broken record caused by replication + conflict before upgrading it + - Check for conflict entries before raising domain level + +* Tue Dec 13 2016 Jan Cholasta - 4.4.0-14.2 +- Resolves: #1382812 Creation of replica for disconnected environment is + failing with CA issuance errors; Need good steps. + - gracefully handle setting replica bind dn group on old masters +- Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a + temporary CA admin + - replication: ensure bind DN group check interval is set on replica config + - add missing attribute to ipaca replica during CA topology update +- Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of + named-pkcs11 + - bindinstance: use data in named.conf to determine configuration status + +* Mon Dec 12 2016 Jan Cholasta - 4.4.0-14.1 +- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services + by abusing password policy + - password policy: Add explicit default password policy for hosts and + services +- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in + certprofile-mod + - certprofile-mod: correctly authorise config update + +* Tue Nov 1 2016 Jan Cholasta - 4.4.0-14 +- Resolves: #1378353 Replica install fails with old IPA master sometimes during + replication process + - spec file: bump minimal required version of 389-ds-base +- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 + - Fix missing file that fails DL1 replica installation +- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade + - WebUI: services without canonical name are shown correctly +- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run + - trustdomain-del: fix the way how subdomain is searched + +* Mon Oct 31 2016 Jan Cholasta - 4.4.0-13 +- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca + - Keep NSS trust flags of existing certificates +- Resolves: #1360813 ipa-server-certinstall does not update all certificate + stores and doesn't set proper trust permissions + - Add cert checks in ipa-server-certinstall +- Resolves: #1371479 cert-find --all does not show information about revocation + - cert: add revocation reason back to cert-find output +- Resolves: #1375133 WinSync users who have First.Last casing creates users who + can have their password set + - ipa passwd: use correct normalizer for user principals +- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers + - Properly handle LDAP socket closures in ipa-otpd +- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 + - Make httpd publish its CA certificate on DL1 + +* Fri Sep 16 2016 Petr Vobornik - 4.4.0-12 +- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. +- Resolves: #1375269 ipa trust-fetch-domains throws internal error + +* Tue Sep 13 2016 Jan Cholasta - 4.4.0-11 +- Resolves: #1373359 ipa-certupdate fails with "CA is not configured" + - Fix regression introduced in ipa-certupdate + +* Wed Sep 7 2016 Jan Cholasta - 4.4.0-10 +- Resolves: #1355753 adding two way non transitive(external) trust displays + internal error on the console + - Always fetch forest info from root DCs when establishing two-way trust + - factor out `populate_remote_domain` method into module-level function + - Always fetch forest info from root DCs when establishing one-way trust +- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger + after `ipa-replica-install` + - Track lightweight CAs on replica installation +- Resolves: #1357488 ipa command stuck forever on higher versioned client with + lower versioned server + - compat: Save server's API version in for pre-schema servers + - compat: Fix ping command call + - schema cache: Store and check info for pre-schema servers +- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag + - Fix man page ipa-replica-manage: remove duplicate -c option + from --no-lookup +- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA + when revoking certificate + - cert: include CA name in cert command output + - WebUI add support for sub-CAs while revoking certificates +- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI + - Add support for additional options taken from table facet + - WebUI: Fix showing certificates issued by sub-CA +- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts + internactively + - dns: normalize record type read interactively in dnsrecord_add + - dns: prompt for missing record parts in CLI + - dns: fix crash in interactive mode against old servers +- Resolves: #1370519 Certificate revocation in service-del and host-del isn't + aware of Sub CAs + - cert: fix cert-find --certificate when the cert is not in LDAP + - Make host/service cert revocation aware of lightweight CAs +- Resolves: #1371901 Use OAEP padding with custodia + - Use RSA-OAEP instead of RSA PKCS#1 v1.5 +- Resolves: #1371915 When establishing external two-way trust, forest root + Administrator account is used to fetch domain info + - do not use trusted forest name to construct domain admin principal +- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in + certificate request + - Fix CA ACL Check on SubjectAltNames +- Resolves: #1373272 CLI always sends default command version + - cli: use full name when executing a command +- Resolves: #1373359 ipa-certupdate fails with "CA is not configured" + - Fix ipa-certupdate for CA-less installation +- Resolves: #1373540 client-install with IPv6 address fails on link-local + address (always) + - Fix parse errors with link-local addresses + +* Fri Sep 2 2016 Jan Cholasta - 4.4.0-9 +- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env + - Fix ipa-server-install in pure IPv6 environment +- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as + reachable via the forest root + - trust: make sure ID range is created for the child domain even if it exists + - ipa-kdb: simplify trusted domain parent search +- Resolves: #1335567 Update Warning in IdM Web UI API browser + - WebUI: add API browser is tech preview warning +- Resolves: #1348560 Mulitple domain Active Directory Trust conflict + - ipaserver/dcerpc: reformat to make the code closer to pep8 + - trust: automatically resolve DNS trust conflicts for triangle trusts +- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in + certificate revocation + - cert-revoke: fix permission check bypass (CVE-2016-5404) +- Resolves: #1353936 custodia.conf and server.keys file is world-readable. + - Remove Custodia server keys from LDAP + - Secure permissions of Custodia server.keys +- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is + converted from CA-less to CA-full + - custodia: include known CA certs in the PKCS#12 file for Dogtag + - custodia: force reconnect before retrieving CA certs from LDAP +- Resolves: #1362333 ipa vault container owner cannot add vault + - Fix: container owner should be able to add vault +- Resolves: #1365546 External trust with root domain is transitive + - trust: make sure external trust topology is correctly rendered +- Resolves: #1365572 IPA server broken after upgrade + - Require pki-core-10.3.3-7 +- Resolves: #1367864 Server assumes latest version of command instead of + version 1 for old / 3rd party clients + - rpcserver: assume version 1 for unversioned command calls + - rpcserver: fix crash in XML-RPC system commands +- Resolves: #1367773 thin client ignores locale change + - schema cache: Fallback to 'en_us' when locale is not available +- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" + - Fail on topology disconnect/last role removal +- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP + - otptoken, permission: Convert custom type parameters on server +- Resolves: #1369414 ipa server-del fails with Python stack trace + - Handled empty hostname in server-del command +- Resolves: #1369761 ipa-server must depend on a version of httpd that support + mod_proxy with UDS + - Require httpd 2.4.6-31 with mod_proxy Unix socket support +- Resolves: #1370512 Received ACIError instead of DuplicatedError in + stageuser_tests + - Raise DuplicatedEnrty error when user exists in delete_container +- Resolves: #1371479 cert-find --all does not show information about revocation + - cert: add missing param values to cert-find output +- Renamed patch 1011 to 0100, as it was merged upstream + +* Wed Aug 17 2016 Jan Cholasta - 4.4.0-8 +- Resolves: #1298288 [RFE] Improve performance in large environments. + - cert: speed up cert-find +- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card + authentication + - service: add flag to allow S4U2Self + - Add 'trusted to auth as user' checkbox + - Added new authentication method +- Resolves: #1353881 ipa-replica-install suggests about + non-existent --force-ntpd option + - Don't show --force-ntpd option in replica install +- Resolves: #1354441 DNS forwarder check is too strict: unable to add + sub-domain to already-broken domain + - DNS: allow to add forward zone to already broken sub-domain +- Resolves: #1356146 performance regression in CLI help + - schema: Speed up schema cache + - frontend: Change doc, summary, topic and NO_CLI to class properties + - schema: Introduce schema cache format + - schema: Generate bits for help load them on request + - help: Do not create instances to get information about commands and topics + - schema cache: Do not reset ServerInfo dirty flag + - schema cache: Do not read fingerprint and format from cache + - Access data for help separately + - frontent: Add summary class property to CommandOverride + - schema cache: Read server info only once + - schema cache: Store API schema cache in memory + - client: Do not create instance just to check isinstance + - schema cache: Read schema instead of rewriting it when SchemaUpToDate +- Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file + - server install: do not prompt for cert file PIN repeatedly +- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create + cache directory: [Errno 13] Permission denied: '/home/test_user' + - schema: Speed up schema cache +- Resolves: #1366604 `cert-find` crashes on invalid certificate data + - cert: do not crash on invalid data in cert-find +- Resolves: #1366612 Middle replica uninstallation in line topology works + without '--ignore-topology-disconnect' + - Fail on topology disconnect/last role removal +- Resolves: #1366626 caacl-add-service: incorrect error message when service + does not exists + - Fix ipa-caalc-add-service error message +- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 + does not happen to run during dnf upgrade + - DNS server upgrade: do not fail when DNS server did not respond +- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server + with CA + - Add warning about only one existing CA server + - Set servers list as default facet in topology facet group +- Resolves: #1367773 thin client ignores locale change + - schema check: Check current client language against cached one + +* Wed Aug 10 2016 Jan Cholasta - 4.4.0-7 +- Resolves: #1361119 UPN-based search for AD users does not match an entry in + slapi-nis map cache + - support multiple uid values in schema compatibility tree + +* Wed Aug 10 2016 Jan Cholasta - 4.4.0-6 +- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 + - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" +- Resolves: #1341249 Subsequent external CA installation fails + - install: fix external CA cert validation +- Resolves: #1353831 ipa-server-install fails in container because of + hostnamectl set-hostname + - server-install: Fix --hostname option to always override api.env values + - install: Call hostnamectl set-hostname only if --hostname option is used +- Resolves: #1356091 ipa-cacert-manage --help and man differ + - Improvements for the ipa-cacert-manage man and help +- Resolves: #1360631 ipa-backup is not keeping the + /etc/tmpfiles.d/dirsrv-.conf + - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf +- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica + file is needed + - Update ipa-replica-install documentation +- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does + not rpm-require it + - client: RPM require initscripts to get *-domainname.service +- Resolves: #1364197 caacl: error when instantiating rules with service + principals + - caacl: fix regression in rule instantiation +- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm + - parameters: move the `confirm` kwarg to Param +- Resolves: #1364464 Topology graph: ca and domain adders shows question marks + instead of plus icon + - Fix unicode characters in ca and domain adders +- Resolves: #1365083 Incomplete output returned for command ipa vault-add + - client: add missing output params to client-side commands +- Resolves: #1365526 build fails during "make check" + - ipa-kdb: Fix unit test after packaging changes in krb5 + +* Fri Aug 5 2016 Jan Cholasta - 4.4.0-5 +- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. + - Do not initialize API in ipa-client-automount uninstall +- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin + client changes + - idrange: fix unassigned global variable +- Resolves: #1360792 Migrating users doesn't update krbCanonicalName + - re-set canonical principal name on migrated users +- Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' + and 'bool' objects + - Fix ipa hbactest output +- Resolves: #1362260 ipa vault-mod no longer allows defining salt + - vault: add missing salt option to vault_mod +- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong + public key + - vault: Catch correct exception in decrypt +- Resolves: #1362537 ipa-server-install fails to create symlink from + /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ + - Correct path to HTTPD's systemd service directory +- Resolves: #1363756 Increase length of passwords generated by installer + - Increase default length of auto generated passwords + +* Fri Jul 29 2016 Jan Cholasta - 4.4.0-4 +- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos + aliases) + - harden the check for trust namespace overlap in new principals +- Resolves: #1351142 CLI is not using session cookies for communication with + IPA API + - Fix session cookies +- Resolves: #1353888 Fix the help for ipa otp and other topics + - help: Add dnsserver commands to help topic 'dns' +- Resolves: #1354406 host-del updatedns options complains about missing ptr + record for host + - Host-del: fix behavior of --updatedns and PTR records +- Resolves: #1355718 ipa-replica-manage man page example output differs actual + command output + - Minor fix in ipa-replica-manage MAN page +- Resolves: #1358229 Traceback message should be fixed, seen while editing + winsync migrated user information in Default trust view. + - baseldap: Fix MidairCollision instantiation during entry modification +- Resolves: #1358849 CA replica install logs to wrong log file + - unite log file name of ipa-ca-install +- Resolves: #1359130 ipa-server-install command fails to install IPA server. + - DNS Locations: fix update-system-records unpacking error +- Resolves: #1359237 AVC on dirsrv config caused by IPA installer + - Use copy when replacing files to keep SELinux context +- Resolves: #1359692 ipa-client-install join fail with traceback against + RHEL-6.8 ipa-server + - compat: fix ping call +- Resolves: #1359738 ipa-replica-install --domain= option + does not work + - replica-install: Fix --domain +- Resolves: #1360778 Vault commands are available in CLI even when the server + does not support them + - Revert "Enable vault-* commands on client" + - client: fix hiding of commands which lack server support +- Related: #1281704 Rebase to softhsm 2.1.0 + - Remove the workaround for softhsm bug #1293340 +- Related: #1298288 [RFE] Improve performance in large environments. + - Create indexes for krbCanonicalName attribute + +* Fri Jul 22 2016 Jan Cholasta - 4.4.0-3 +- Resolves: #1296140 Remove redhat-access-plugin-ipa support + - Obsolete and conflict redhat-access-plugin-ipa +- Resolves: #1351119 Multiple issues while uninstalling ipa-server + - server uninstall fails to remove krb principals +- Resolves: #1351758 ipa commands not showing expected error messages + - frontend: copy command arguments to output params on client + - Show full error message for selinuxusermap-add-hostgroup +- Resolves: #1352883 Traceback on adding default automember group and hostgroup + set + - allow 'value' output param in commands without primary key +- Resolves: #1353888 Fix the help for ipa otp and other topics + - schema: Fix subtopic -> topic mapping +- Resolves: #1354348 ipa trustconfig-show throws internal error. + - allow 'value' output param in commands without primary key +- Resolves: #1354381 ipa trust-add with raw option gives internal error. + - trust-add: handle `--all/--raw` options properly +- Resolves: #1354493 Replica install fails with old IPA master + - DNS install: Ensure that DNS servers container exists +- Resolves: #1354628 ipa hostgroup-add-member does not return error message + when adding itself as member + - frontend: copy command arguments to output params on client +- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error + - messages: specify message type for ResultFormattingError +- Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter + secret key + - expose `--secret` option in radiusproxy-* commands + - prevent search for RADIUS proxy servers by secret +- Resolves: #1356099 Bug in the ipapwd plugin + - Heap corruption in ipapwd plugin +- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin + client changes + - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper +- Resolves: #1356964 Renaming a user removes all of his principal aliases + - Preserve user principal aliases during rename operation + +* Fri Jul 15 2016 Petr Vobornik - 4.4.0-2.1 +- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas +- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD +- Related: #1356134 'kinit -E' does not work for IPA user + +* Thu Jul 14 2016 Petr Vobornik - 4.4.0-2 +- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA + with certmonger + - uninstall: untrack lightweight CA certs +- Resolves: #1351807 ipa-nis-manage config.get_dn missing + - ipa-nis-manage: Use server API to retrieve plugin status +- Resolves: #1353452 ipa-compat-manage command failed, + exception: NotImplementedError: config.get_dn() + - ipa-compat-manage: use server API to retrieve plugin status +- Resolves: #1353899 ipa-advise: object of type 'type' has no len() + - ipa-advise: correct handling of plugin namespace iteration +- Resolves: #1356134 'kinit -E' does not work for IPA user + - kdb: check for local realm in enterprise principals +- Resolves: #1353072 ipa unknown command vault-add + - Enable vault-* commands on client + - vault-add: set the default vault type on the client side if none was given +- Resolves: #1353995 Default CA can be used without a CA ACL + - caacl: expand plugin documentation +- Resolves: #1356144 host-find should not print SSH keys by default, only + SSH fingerprints + - host-find: do not show SSH key by default +- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 + - Removed unused method parameter from migrate-ds + +* Fri Jul 1 2016 Jan Cholasta - 4.4.0-1 +- Resolves: #747612 [RFE] IPA should support and manage DNS sites +- Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) + in the default global_policy in IPA sets user's password expiration + (krbPasswordExpiration) to be 90 days +- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records +- Resolves: #1084018 [RFE] Add IdM user password change support for legacy + client compat tree +- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos + aliases) + - Fix incorrect check for principal type when evaluating CA ACLs +- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI +- Resolves: #1238190 ipasam unable to lookup group in directory yet manual + search works +- Resolves: #1250110 search by users which don't have read rights for all attrs + in search_attributes fails +- Resolves: #1263764 Show Certificate displays in useless format +- Resolves: #1272491 [WebUI] Certificate action dropdown does not display all + the options after adding new certificate +- Resolves: #1292141 Rebase to FreeIPA 4.4+ + - Rebase to 4.4.0 +- Resolves: #1294503 IPA fails to issue 3rd party certs +- Resolves: #1298242 [RFE] API compatibility - compatibility of clients +- Resolves: #1298848 [RFE] Centralized topology management +- Resolves: #1298966 [RFE] Extend Smart Card support +- Resolves: #1315146 Multiple clients cannot join domain simultaneously: + /var/run/httpd/ipa/clientcaches race condition? +- Resolves: #1318903 ipa server install failing when SUBCA signs the cert +- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper + console output +- Resolves: #1324055 IPA always qualify requests for admin +- Resolves: #1328552 [RFE] Allow users to authenticate with alternative names +- Resolves: #1334582 Inconsistent UI and CLI options for removing certificate + hold +- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) +- Resolves: #1349281 Fix `Conflicts` with ipa-python +- Resolves: #1350695 execution of copy-schema script fails +- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z +- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test + execution to 7.3 +- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to + create ipa-ca entry +- Related: #1343422 [RFE] Add GssapiImpersonate option + +* Wed Jun 22 2016 Jan Cholasta - 4.4.0-0.2.alpha1 +- Resolves: #1348948 IPA server install fails with build + ipa-server-4.4.0-0.el7.1.alpha1 + - Revert "Increased mod_wsgi socket-timeout" + +* Wed Jun 22 2016 Jan Cholasta - 4.4.0-0.1.alpha1 +- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while + setting password for default sudo binddn. +- Resolves: #747612 [RFE] IPA should support and manage DNS sites +- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name +- Resolves: #825391 [RFE] Replica installation should provide a means for + inheriting nssldap security access settings +- Resolves: #921497 Incorrect *.py[co] files placement +- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support +- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas +- Resolves: #1196958 IPA replica installation failing with high number of users + (160000). +- Resolves: #1219402 IPA suggests to uninstall a client when the user needs to + uninstall a replica +- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on + Authentication Indicator +- Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos + principal expiration" +- Resolves: #1234223 [WebUI] General invalid password error message appearing + for "Locked user" +- Resolves: #1254267 ipa-server-install failure applying ldap updates with + limits exceeded +- Resolves: #1258626 realmdomains-mod --add-domain command throwing error when + doamin already is in forwardzone. +- Resolves: #1259020 ipa-server-adtrust-install doesn't allow + NetBIOS-name=EXAMPLE-TEST.COM (dash character) +- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error + message when DNSSEC master not installed +- Resolves: #1262747 dnssec options missing in ipa-dns-install man page +- Resolves: #1265900 Fail installation immediately after dirsrv fails to + install using ipa-server-install +- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not + resolvable anymore +- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - + LimitsExceeded: limits exceeded for this query +- Resolves: #1269089 Certificate of managed-by host/service fails to resubmit +- Resolves: #1269200 ipa-server crashing while trying to preserve admin user +- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults +- Resolves: #1271579 Automember rule expressions disappear from tables on + single expression delete +- Resolves: #1275816 Incomplete ports for IPA ad-trust +- Resolves: #1276351 [RFE] Remove + /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases +- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in + the IPA UI +- Resolves: #1278426 Better error message needed for invalid ca-signing-algo + option +- Resolves: #1279932 ipa-client-install --request-cert needs workaround in + anaconda chroot +- Resolves: #1282521 Creating a user w/o private group fails when doing so in + WebUI +- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced + by "IPA is not configured on this system" +- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert + file +- Resolves: #1287194 [RFE] Support of UPN for trusted domains +- Resolves: #1288967 Normalize Manager entry in ipa user-add +- Resolves: #1289487 Priority field missing in Password Policy detail tab +- Resolves: #1291140 ipa client should configure kpasswd_server directive in + krb5.conf +- Resolves: #1292141 Rebase to FreeIPA 4.4+ + - Rebase to 4.4.0.alpha1 +- Resolves: #1298848 [RFE] Centralized topology management +- Resolves: #1300576 Browser setup page includes instructions for Internet + Explorer +- Resolves: #1301586 ipa host-del --updatedns should remove related dns + entries. +- Resolves: #1304618 Residual Files After IPA Server Uninstall +- Resolves: #1305144 ipa-python does not require its dependencies +- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 +- Resolves: #1313798 Console output post ipa-winsync-migrate command should be + corrected. +- Resolves: #1314786 [RFE] External Trust with Active Directory domain +- Resolves: #1319023 Include description for 'status' option in man page for + ipactl command. +- Resolves: #1319912 ipa-server-install does not completely change hostname and + named-pkcs11 fails +- Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': + Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given +- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on + revocation reasons +- Resolves: #1328549 "ipa-kra-install" command reports incorrect message when + it is executed on server already installed with KRA. +- Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' + to 'rpcbind' +- Resolves: #1329275 ipa-nis-manage command should include status option +- Resolves: #1330843 'man ipa' should be updated with latest commands +- Resolves: #1333755 ipa cert-request causes internal server error while + requesting certificate +- Resolves: #1337484 EOF is not handled for ipa-client-install command +- Resolves: #1338031 Insufficient 'write' privilege on some attributes for the + members of the role which has "User Administrators" privilege. +- Resolves: #1343142 IPA DNS should do better verification of DNS zones +- Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in + browser + +* Wed May 25 2016 Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1 +- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files + - Fix incorrect rebase of patch 1001 + +* Tue May 24 2016 Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3 +- Resolves: #1339233 CA installed on replica is always marked as renewal master +- Related: #1292141 Rebase to FreeIPA 4.4+ + - Rebase to 4.3.1.201605241723GIT1b427d3 + +* Tue May 24 2016 Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1 +- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install + because of missing dependencies + - Rebuild with krb5-1.14.1 + +* Fri May 20 2016 Jan Cholasta - 4.3.1-0.201605191449GITf8edf37 +- Resolves: #837369 [RFE] Switch to client promotion to replica model +- Resolves: #1199516 [RFE] Move replication topology to the shared tree +- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology +- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) +- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also + list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend +- Resolves: #1267206 ipa-server-install uninstall should warn if no + installation found +- Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when + ipa-client-automount is executed. +- Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly + displayed when certificate generated using IPA on RHEL 7.2up2. +- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install + because of missing dependencies +- Related: #1292141 Rebase to FreeIPA 4.4+ + - Rebase to 4.3.1.201605191449GITf8edf37 + +* Mon Apr 18 2016 Jan Cholasta - 4.2.0-16 +- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid + Credential" + - cert renewal: make renewal of ipaCert atomic +- Resolves: #1278330 installer options are not validated at the beginning of + installation + - install: fix command line option validation +- Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd + from starting up + - client install: do not corrupt OpenSSH config with Match sections +- Resolves: #1282935 ipa upgrade causes vault internal error + - install: export KRA agent PEM file in ipa-kra-install +- Resolves: #1283429 Default CA ACL rule is not created during + ipa-replica-install + - TLS and Dogtag HTTPS request logging improvements + - Avoid race condition caused by profile delete and recreate + - Do not erroneously reinit NSS in Dogtag interface + - Add profiles and default CA ACL on migration + - disconnect ldap2 backend after adding default CA ACL profiles + - do not disconnect when using existing connection to check default CA ACLs +- Resolves: #1283430 ipa-kra-install: fails to apply updates + - suppress errors arising from adding existing LDAP entries during KRA + install +- Resolves: #1283748 Caching of ipaconfig does not work in framework + - fix caching in get_ipa_config +- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after + upgrade from RHEL 7.0 to RHEL 7.2 + - upgrade: fix migration of old dns forward zones + - Fix upgrade of forwardzones when zone is in realmdomains +- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap + connection + - ipa-cacert-renew: Fix connection to ldap. +- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection + - ipa-otptoken-import: Fix connection to ldap. +- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using + "yum update ipa* sssd" + - Set minimal required version for openssl +- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps + - Upgrade: Fix upgrade of NIS Server configuration +- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory + permissions on /var/lib/ipa/dnssec + - DNS: fix file permissions + - Explicitly call chmod on newly created directories + - Fix: replace mkdir with chmod +- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison + - Fix version comparison + - use FFI call to rpmvercmp function for version comparison +- Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix + groups are missing + - ipa-kdb: map_groups() consider all results +- Resolves: #1293870 User should be notified for wrong password in password + reset page + - Fixed login error message box in LoginScreen page +- Resolves: #1296196 Sysrestore did not restore state if a key is specified in + mixed case + - Allow to used mixed case for sysrestore +- Resolves: #1296214 DNSSEC key purging is not handled properly + - DNSSEC: Improve error reporting from ipa-ods-exporter + - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in + LDAP + - DNSSEC: Make sure that current key state in LDAP matches key state in BIND + - DNSSEC: remove obsolete TODO note + - DNSSEC: add debug mode to ldapkeydb.py + - DNSSEC: logging improvements in ipa-ods-exporter + - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP + - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP + - DNSSEC: ipa-ods-exporter: add ldap-cleanup command + - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal + - DNSSEC: Log debug messages at log level DEBUG +- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running + - prevent crash of CA-less server upgrade due to absent certmonger + - always start certmonger during IPA server configuration upgrade +- Resolves: #1297811 The ipa -e skip_version_check=1 still issues + incompatibility error when called against RHEL 6 server + - ipalib: assume version 2.0 when skip_version_check is enabled +- Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" + - Do not decode HTTP reason phrase from Dogtag +- Resolves: #1300252 shared certificateProfiles container is missing on a + freshly installed RHEL7.2 system + - upgrade: unconditional import of certificate profiles into LDAP +- Resolves: #1301674 --setup-dns and other options is forgotten for using an + external PKI + - installer: Propagate option values from components instead of copying them. + - installer: Fix logic of reading option values from cache. +- Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA + IPA setup + - ipa-ca-install: print more specific errors when CA is already installed + - cert renewal: import all external CA certs on IPA CA cert renewal + - CA install: explicitly set dogtag_version to 10 + - fix standalone installation of externally signed CA on IPA master + - replica install: validate DS and HTTP server certificates + - replica install: improvements in the handling of CA-related IPA config + entries +- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups + - slapi-nis: update configuration to allow external members of IPA groups +- Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find + returns "0 trusts matched" + - upgrade: fix config of sidgen and extdom plugins + - trusts: use ipaNTTrustPartner attribute to detect trust entries + - Warn user if trust is broken + - fix upgrade: wait for proper DS socket after DS restart + - Insure the admin_conn is disconnected on stop + - Fix connections to DS during installation + - Fix broken trust warnings +- Resolves: #1321092 Installers fail when there are multiple versions of the + same certificate + - certdb: never use the -r option of certutil +- Related: #1317381 Crash during IPA upgrade due to slapd + - spec file: update minimum required version of slapi-nis +- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 + CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws + [rhel-7.3] + - Rebuild against newer Samba version + +* Tue Oct 13 2015 Jan Cholasta - 4.2.0-15 +- Resolves: #1252556 Missing CLI param and ACL for vault service operations + - vault: fix private service vault creation + +* Mon Oct 12 2015 Jan Cholasta - 4.2.0-14 +- Resolves: #1262996 ipa vault internal error on replica without KRA + - upgrade: make sure ldap2 is connected in export_kra_agent_pem +- Resolves: #1270608 IPA upgrade fails for server with CA cert signed by + external CA + - schema: do not derive ipaVaultPublicKey from ipaPublicKey + +* Thu Oct 8 2015 Jan Cholasta - 4.2.0-13 +- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens + - Fix an integer underflow bug in libotp +- Resolves: #1262996 ipa vault internal error on replica without KRA + - install: always export KRA agent PEM file + - vault: select a server with KRA for vault operations +- Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files + - do not overwrite files with local users/groups when restoring authconfig +- Renamed patch 1011 to 0138, as it was merged upstream + +* Wed Sep 23 2015 Jan Cholasta - 4.2.0-12 +- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to + Trusts + - winsync-migrate: Convert entity names to posix friendly strings + - winsync-migrate: Properly handle collisions in the names of external groups +- Resolves: #1261074 Adjust Firefox configuration to new extension signing + policy + - webui: use manual Firefox configuration for Firefox >= 40 +- Resolves: #1263337 IPA Restore failed with installed KRA + - ipa-backup: Add mechanism to store empty directory structure +- Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate + and private key in world readable file [rhel-7.2] + - install: fix KRA agent PEM file permissions +- Resolves: #1265086 Mark IdM API Browser as experimental + - WebUI: add API browser is experimental warning +- Resolves: #1265277 Fix kdcproxy user creation + - install: create kdcproxy user during server install + - platform: add option to create home directory when adding user + - install: fix kdcproxy user home directory +- Resolves: #1265559 GSS failure after ipa-restore + - destroy httpd ccache after stopping the service + +* Thu Sep 17 2015 Jan Cholasta - 4.2.0-11 +- Resolves: #1258965 ipa vault: set owner of vault container + - baseldap: make subtree deletion optional in LDAPDelete + - vault: add vault container commands + - vault: set owner to current user on container creation + - vault: update access control + - vault: add permissions and administrator privilege + - install: support KRA update +- Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses + - config: allow user/host attributes with tagging options +- Resolves: #1262315 Unable to establish winsync replication + - winsync: Add inetUser objectclass to the passsync sysaccount + +* Wed Sep 16 2015 Jan Cholasta - 4.2.0-10 +- Resolves: #1260663 crash of ipa-dnskeysync-replica component during + ipa-restore + - IPA Restore: allows to specify files that should be removed +- Resolves: #1261806 Installing ipa-server package breaks httpd + - Handle timeout error in ipa-httpd-kdcproxy +- Resolves: #1262322 Failed to backup CS.cfg message in upgrade. + - Server Upgrade: backup CS.cfg when dogtag is turned off + +* Wed Sep 9 2015 Jan Cholasta - 4.2.0-9 +- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not + tracked + - cert renewal: Include KRA users in Dogtag LDAP update + - cert renewal: Automatically update KRA agent PEM file +- Resolves: #1257163 renaming certificatte profile with --rename option leads + to integrity issues + - certprofile: remove 'rename' option +- Resolves: #1257968 kinit stop working after ipa-restore + - Backup: back up the hosts file +- Resolves: #1258926 Remove 'DNSSEC is experimental' warnings + - DNSSEC: remove "DNSSEC is experimental" warnings +- Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts + - Installer: do not modify /etc/hosts before user agreement +- Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 + zone + - DNSSEC: backup and restore opendnssec zone list file + - DNSSEC: remove ccache and keytab of ipa-ods-exporter + - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart + - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction + - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC + key master + - DNSSEC: Fix key metadata export + - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. +- Resolves: #1258964 revert to use ldapi to add kra agent in KRA install + - Using LDAPI to setup CA and KRA agents. +- Resolves: #1259848 server closes connection and refuses commands after + deleting user that is still logged in + - ldap: Make ldap2 connection management thread-safe again +- Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute + 'ra_certprofile' while ipa-ca-install + - load RA backend plugins during standalone CA install on CA-less IPA master + +* Wed Aug 26 2015 Jan Cholasta - 4.2.0-8 +- Resolves: #1254689 Storing big file as a secret in vault raises traceback + - vault: Limit size of data stored in vault +- Resolves: #1255880 ipactl status should distinguish between different + pki-tomcat services + - ipactl: Do not start/stop/restart single service multiple times + +* Wed Aug 26 2015 Jan Cholasta - 4.2.0-7 +- Resolves: #1256840 [webui] majority of required fields is no longer marked as + required + - fix missing information in object metadata +- Resolves: #1256842 [webui] no option to choose trust type when creating a + trust + - webui: add option to establish bidirectional trust +- Resolves: #1256853 Clear text passwords in KRA install log + - Removed clear text passwords from KRA install log. +- Resolves: #1257072 The "Standard Vault" MUST not be the default and must be + discouraged + - vault: change default vault type to symmetric +- Resolves: #1257163 renaming certificatte profile with --rename option leads + to integrity issues + - certprofile: prevent rename (modrdn) + +* Wed Aug 26 2015 Jan Cholasta - 4.2.0-6 +- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone + - DNSSEC: fix forward zone forwarders checks +- Resolves: #1250190 idrange is not added for sub domain + - trusts: format Kerberos principal properly when fetching trust topology +- Resolves: #1252334 User life cycle: missing ability to provision a stage user + from a preserved user + - Add user-stage command +- Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to + start. + - spec file: Add Requires(post) on selinux-policy +- Resolves: #1254304 Changing vault encryption attributes + - Change internal rsa_(public|private)_key variable names + - Added support for changing vault encryption. +- Resolves: #1256715 Executing user-del --preserve twice removes the user + pernamently + - improve the usability of `ipa user-del --preserve` command + +* Wed Aug 19 2015 Jan Cholasta - 4.2.0-5 +- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities + - user-undel: Fix error messages. +- Resolves: #1200694 [RFE] Support for multiple cert profiles + - Prohibit deletion of predefined profiles +- Resolves: #1232819 testing ipa-restore on fresh system install fails + - Backup/resore authentication control configuration +- Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 + server + - Require Dogtag PKI >= 10.2.6 +- Resolves: #1245225 Asymmetric vault drops traceback when the key is not + proper + - Asymmetric vault: validate public key in client +- Resolves: #1248399 Missing DNSSEC related files in backup + - fix typo in BasePathNamespace member pointing to ods exporter config + - ipa-backup: archive DNSSEC zone file and kasp.db +- Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is + finished + - winsync-migrate: Add warning about passsync + - winsync-migrate: Expand the man page +- Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" + - adjust search so that it works for non-admin users +- Resolves: #1250093 ipa certprofile-import accepts invalid config + - Require Dogtag PKI >= 10.2.6 +- Resolves: #1250107 IPA framework should not allow modifying trust on AD trust + agents + - trusts: Detect missing Samba instance +- Resolves: #1250111 User lifecycle - preserved users can be assigned + membership + - ULC: Prevent preserved users from being assigned membership +- Resolves: #1250145 Add permission for user to bypass caacl enforcement + - Add permission for bypassing CA ACL enforcement +- Resolves: #1250190 idrange is not added for sub domain + - idranges: raise an error when local IPA ID range is being modified + - trusts: harden trust-fetch-domains oddjobd-based script +- Resolves: #1250928 Man page for ipa-server-install is out of sync + - install: Fix server and replica install options +- Resolves: #1251225 IPA default CAACL does not allow cert-request for services + after upgrade + - Fix default CA ACL added during upgrade +- Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey + - validate mutually exclusive options in vault-add +- Resolves: #1251579 ipa vault-add --user should set container owner equal to + user on first run + - Fixed vault container ownership. +- Resolves: #1252517 cert-request rejects request with correct + krb5PrincipalName SAN + - Fix KRB5PrincipalName / UPN SAN comparison +- Resolves: #1252555 ipa vault-find doesn't work for services + - vault: Add container information to vault command results + - Add flag to list all service and user vaults +- Resolves: #1252556 Missing CLI param and ACL for vault service operations + - Added CLI param and ACL for vault service operations. +- Resolves: #1252557 certprofile: improve profile format documentation + - certprofile-import: improve profile format documentation + - certprofile: add profile format explanation +- Resolves: #1253443 ipa vault-add creates vault with invalid type + - vault: validate vault type +- Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing + owner + - baseldap: Allow overriding member param label in LDAPModMember + - vault: Fix param labels in output of vault owner commands +- Resolves: #1253511 ipa vault-find does not use criteria + - vault: Fix vault-find with criteria +- Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 + - install: Fix replica install with custom certificates +- Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc + - improve the handling of krb5-related errors in dnssec daemons +- Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with + starting CA and named-pkcs11.service + - Server Upgrade: Start DS before CA is started. +- Resolves: #1254637 Add ACI and permission for managing user userCertificate + attribute + - add permission: System: Manage User Certificates +- Resolves: #1254641 Remove CSR allowed-extensions restriction + - cert-request: remove allowed extensions check +- Resolves: #1254693 vault --service does not normalize service principal + - vault: normalize service principal in service vault operations +- Resolves: #1254785 ipa-client-install does not properly handle dual stacked + hosts + - client: Add support for multiple IP addresses during installation. + - Add dependency to SSSD 1.13.1 + - client: Add description of --ip-address and --all-ip-addresses to man page + +* Tue Aug 11 2015 Jan Cholasta - 4.2.0-4 +- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to + users in IdM + - store certificates issued for user entries as + - user-show: add --out option to save certificates to file +- Resolves: #1145748 [RFE] IPA running with One Way Trust + - Fix upgrade of sidgen and extdom plugins +- Resolves: #1195339 ipa-client-install changes the label on various files + which causes SELinux denials + - Use 'mv -Z' in specfile to restore SELinux context +- Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior + for combinations of "User authentication types" + - webui: add LDAP vs Kerberos behavior description to user auth +- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities + - ULC: Fix stageused-add --from-delete command +- Resolves: #1200694 [RFE] Support for multiple cert profiles + - certprofile-import: do not require profileId in profile data + - Give more info on virtual command access denial + - Allow SAN extension for cert-request self-service + - Add profile for DNP3 / IEC 62351-8 certificates + - Work around python-nss bug on unrecognised OIDs +- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality + - Validate vault's file parameters + - Fixed missing KRA agent cert on replica. +- Resolves: #1225866 display browser config options that apply to the browser. + - webui: add Kerberos configuration instructions for Chrome + - Remove ico files from Makefile +- Resolves: #1246342 Unapply idview raises internal error + - idviews: Check for the Default Trust View only if applying the view +- Resolves: #1248102 [webui] regression - incorrect/no failed auth messages + - webui: fix regressions failed auth messages +- Resolves: #1248396 Internal error in DomainValidator.__search_in_dc + - dcerpc: Fix UnboundLocalError for ccache_name +- Resolves: #1249455 ipa trust-add failed CIFS server configuration does not + allow access to \\pipe\lsarpc + - Fix selector of protocol for LSA RPC binding string + - dcerpc: Simplify generation of LSA-RPC binding strings +- Resolves: #1250192 Error in ipa trust-fecth-domains + - Fix incorrect type comparison in trust-fetch-domains +- Resolves: #1251553 Winsync setup fails with unexpected error + - replication: Fix incorrect exception invocation +- Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. + - ACI plugin: correctly parse bind rules enclosed in +- Resolves: #1252414 Trust agent install does not detect available replicas to + add to master + - adtrust-install: Correctly determine 4.2 FreeIPA servers + +* Fri Jul 24 2015 Jan Cholasta - 4.2.0-3 +- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains + that conflicts with AD DC + - trusts: Check for AD root domain among our trusted domains +- Resolves: #1195339 ipa-client-install changes the label on various files + which causes SELinux denials + - sysrestore: copy files instead of moving them to avoind SELinux issues +- Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned + commands / ntpd -qgc $tmpfile hangs + - enable debugging of ntpd during client installation +- Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled + - migration: Use api.env variables. +- Resolves: #1212719 abort-clean-ruv subcommand should allow + replica-certifyall: no + - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand +- Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has + occurred + - dcerpc: Expand explanation for WERR_ACCESS_DENIED + - dcerpc: Fix UnboundLocalError for ccache_name +- Resolves: #1222778 idoverride group-del can delete user and user-del can + delete group + - dcerpc: Add get_trusted_domain_object_type method + - idviews: Restrict anchor to name and name to anchor conversions + - idviews: Enforce objectclass check in idoverride*-del +- Resolves: #1234919 Be able to request certificates without certmonger service + running + - cermonger: Use private unix socket when DBus SystemBus is not available. + - ipa-client-install: Do not (re)start certmonger and DBus daemons. +- Resolves: #1240939 Please add dependency on bind-pkcs11 + - Create server-dns sub-package. + - ipaplatform: Add constants submodule + - DNS: check if DNS package is installed +- Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow + calling out oddjobd-activated services + - selinux: enable httpd_run_ipa to allow communicating with oddjobd services +- Resolves: #1243261 non-admin users cannot search hbac rules + - fix hbac rule search for non-admin users + - fix selinuxusermap search for non-admin users +- Resolves: #1243652 Client has missing dependency on memcache + - do not import memcache on client +- Resolves: #1243835 [webui] user change password dialog does not work + - webui: fix user reset password dialog +- Resolves: #1244802 spec: selinux denial during kdcproxy user creation + - Fix selinux denial during kdcproxy user creation +- Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user + - oddjob: avoid chown keytab to sssd if sssd user does not exist +- Resolves: #1246136 Adding a privilege to a permission avoids validation + - Validate adding privilege to a permission +- Resolves: #1246141 DNS Administrators cannot search in zones + - DNS: Consolidate DNS RR types in API and schema +- Resolves: #1246143 User plugin - user-find doesn't work properly with manager + option + - fix broken search for users by their manager + +* Wed Jul 15 2015 Jan Cholasta - 4.2.0-2 +- Resolves: #1131907 [ipa-client-install] cannot write certificate file + '/etc/ipa/ca.crt.new': must be string or buffer, not None +- Resolves: #1195775 unsaved changes dialog internally inconsistent +- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities + - Stageusedr-activate: show username instead of DN +- Resolves: #1200694 [RFE] Support for multiple cert profiles + - Prevent to rename certprofile profile id +- Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error +- Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files + - copy-schema-to-ca: allow to overwrite schema files +- Resolves: #1241941 kdc component installation of IPA failed + - spec file: Update minimum required version of krb5 +- Resolves: #1242036 Replica install fails to update DNS records + - Fix DNS records installation for replicas +- Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy + - Start dirsrv for kdcproxy upgrade + +* Thu Jul 9 2015 Jan Cholasta - 4.2.0-1 +- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API +- Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP + client +- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to + users in IdM +- Resolves: #1115294 [RFE] Add support for DNSSEC +- Resolves: #1145748 [RFE] IPA running with One Way Trust +- Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade +- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities +- Resolves: #1200694 [RFE] Support for multiple cert profiles +- Resolves: #1200728 [RFE] Replicate PKI Profile information +- Resolves: #1200735 [RFE] Allow issuing certificates for user accounts +- Resolves: #1204054 SSSD database is not cleared between installs and + uninstalls of ipa +- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to + Trusts +- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality +- Resolves: #1204504 [RFE] Add access control so hosts can create their own + services +- Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default +- Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default +- Resolves: #1209476 package ipa-client does not require package dbus-python +- Resolves: #1211589 [RFE] Add option to skip the verify_client_version +- Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) +- Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone +- Resolves: #1217010 OTP Manager field is not exposed in the UI +- Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp + 00007fffd68b2340 error 6 in libc-2.17.so +- Related: #1204809 Rebase ipa to 4.2 + - Update to upstream 4.2.0 + - Move /etc/ipa/kdcproxy to the server subpackage + +* Tue Jun 23 2015 Jan Cholasta - 4.2.0-0.2.alpha1 +- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install +- Related: #1204809 Rebase ipa to 4.2 + - Fix minimum version of slapi-nis + - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) + +* Mon Jun 22 2015 Jan Cholasta - 4.2.0-0.1.alpha1 +- Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 +- Resolves: #1019272 With 20000+ users, adding a user to a group intermittently + throws Internal server error +- Resolves: #1035494 Unable to add Kerberos principal via kadmin.local +- Resolves: #1045153 ipa-managed-entries --list -p still requires + DM password +- Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 + from ldap_port_t +- Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI +- Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not + matching uidgid +- Resolves: #1176036 IDM client registration failure in a high load environment +- Resolves: #1183116 Remove Requires: subscription-manager +- Resolves: #1186054 permission-add does not prompt to enter --right option in + interactive mode +- Resolves: #1187524 Replication agreement with replica not disabled when + ipa-restore done without IPA installed +- Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as + normal user. +- Resolves: #1189034 "an internal error has occurred" during ipa host-del + --updatedns +- Resolves: #1193554 ipa-client-automount: failing with error LDAP server + returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. +- Resolves: #1193759 IPA extdom plugin fails when encountering large groups +- Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode + certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. +- Resolves: #1194633 Default trust view can be deleted in lower case +- Resolves: #1196455 ipa-server-install step [8/27]: starting certificate + server instance - confusing CA staus message on TLS error +- Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis +- Resolves: #1199527 [RFE] Use datepicker component for datetime fields +- Resolves: #1200867 [RFE] Make OTP validation window configurable +- Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi +- Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using + get_user_grouplist() [rhel-7.2] +- Resolves: #1204637 slow group operations +- Resolves: #1204642 migrate-ds: slow add o users to default group +- Resolves: #1208461 IPA CA master server update stuck on checking getStatus + via https +- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) +- Resolves: #1211708 ipa-client-install gets stuck during NTP sync +- Resolves: #1215197 ipa-client-install ignores --ntp-server option during time + sync +- Resolves: #1215200 ipa-client-install configures IPA server as NTP source + even if IPA server has not ntpd configured +- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens +- Related: #1204809 Rebase ipa to 4.2 + - Update to upstream 4.2.0.alpha1 + +* Thu Mar 19 2015 Jan Cholasta - 4.1.0-18.3 +- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: + (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) + +* Wed Mar 18 2015 Alexander Bokovoy - 4.1.0-18.2 +- IPA extdom plugin fails when encountering large groups (#1193759) +- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() + (#1202998) + +* Thu Mar 5 2015 Jan Cholasta - 4.1.0-18.1 +- "an internal error has occurred" during ipa host-del --updatedns (#1198431) +- Renamed patch 1013 to 0114, as it was merged upstream +- Fax number not displayed for user-show when kinit'ed as normal user. + (#1198430) +- Replication agreement with replica not disabled when ipa-restore done without + IPA installed (#1199060) +- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) + +* Thu Jan 29 2015 Martin Kosek - 4.1.0-18 +- Fix ipa-pwd-extop global configuration caching (#1187342) +- group-detach does not add correct objectclasses (#1187540) + +* Tue Jan 27 2015 Jan Cholasta - 4.1.0-17 +- Wrong directories created on full restore (#1186398) +- ipa-restore crashes if replica is unreachable (#1186396) +- idoverrideuser-add option --sshpubkey does not work (#1185410) + +* Wed Jan 21 2015 Jan Cholasta - 4.1.0-16 +- PassSync does not sync passwords due to missing ACIs (#1181093) +- ipa-replica-manage list does not list synced domain (#1181010) +- Do not assume certmonger is running in httpinstance (#1181767) +- ipa-replica-manage disconnect fails without password (#1183279) +- Put LDIF files to their original location in ipa-restore (#1175277) +- DUA profile not available anonymously (#1184149) +- IPA replica missing data after master upgraded (#1176995) + +* Wed Jan 14 2015 Jan Cholasta - 4.1.0-15 +- Re-add accidentally removed patches for #1170695 and #1164896 + +* Wed Jan 14 2015 Jan Cholasta - 4.1.0-14 +- IPA Replicate creation fails with error "Update failed! Status: [10 Total + update abortedLDAP error: Referral]" (#1166265) +- running ipa-server-install --setup-dns results in a crash (#1072502) +- DNS zones are not migrated into forward zones if 4.0+ replica is added + (#1175384) +- gid is overridden by uid in default trust view (#1168904) +- When migrating warn user if compat is enabled (#1177133) +- Clean up debug log for trust-add (#1168376) +- No error message thrown on restore(full kind) on replica from full backup + taken on master (#1175287) +- ipa-restore proceed even IPA not configured (#1175326) +- Data replication not working as expected after data restore from full backup + (#1175277) +- IPA externally signed CA cert expiration warning missing from log (#1178128) +- ipa-upgradeconfig fails in CA-less installs (#1181767) +- IPA certs fail to autorenew simultaneouly (#1173207) +- More validation required on ipa-restore's options (#1176034) + +* Wed Dec 17 2014 Jan Cholasta - 4.1.0-13 +- Expand the token auth/sync windows (#919228) +- Access is not rejected for disabled domain (#1172598) +- krb5kdc crash in ldap_pvt_search (#1170695) +- RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) + +* Wed Dec 10 2014 Jan Cholasta - 4.1.0-12 +- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible + (#1169591) +- CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) + (#1172578) + +* Tue Dec 9 2014 Jan Cholasta - 4.1.0-11 +- Throw zonemgr error message before installation proceeds (#1163849) +- Winsync: Setup is broken due to incorrect import of certificate (#1169867) +- Enable last token deletion when password auth type is configured (#919228) +- ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) +- add --hosts and --hostgroup options to allow/retrieve keytab methods + (#1007367) +- Extend host-show to add the view attribute in set of default attributes + (#1168916) +- Prefer TCP connections to UDP in krb5 clients (#919228) +- [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) +- webui: increase notification duration (#1171089) +- RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) +- RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert + (#1170003) +- Improve validation of --instance and --backend options in ipa-restore + (#951581) +- RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) +- Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) + +* Wed Nov 26 2014 Jan Cholasta - 4.1.0-10 +- Use NSS protocol range API to set available TLS protocols (#1156466) + +* Tue Nov 25 2014 Jan Cholasta - 4.1.0-9 +- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 + build fails (#1167196) +- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) +- "ipa trust-add ... " cmd says : (Trust status: Established and verified) + while in the logs we see "WERR_ACCESS_DENIED" during verification step. + (#1144121) +- POODLE: force using safe ciphers (non-SSLv3) in IPA client and server + (#1156466) +- Add support/hooks for a one-time password system like SecureID in IPA + (#919228) +- Tracebacks with latest build for --zonemgr cli option (#1167270) +- ID Views: Support migration from the sync solution to the trust solution + (#891984) + +* Mon Nov 24 2014 Jan Cholasta - 4.1.0-8 +- Improve otptoken help messages (#919228) +- Ensure users exist when assigning tokens to them (#919228) +- Enable QR code display by default in otptoken-add (#919228) +- Show warning instead of error if CA did not start (#1158410) +- CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) +- Traceback when adding zone with long name (#1164859) +- Backup & Restore mechanism (#951581) +- ignoring user attributes in migrate-ds does not work if uppercase characters + are returned by ldap (#1159816) +- Allow ipa-getkeytab to optionally fetch existing keys (#1007367) +- Failure when installing on dual stacked system with external ca (#1128380) +- ipa-server should keep backup of CS.cfg (#1059135) +- Tracebacks with latest build for --zonemgr cli option (#1167270) +- webui: use domain name instead of domain SID in idrange adder dialog + (#891984) +- webui: normalize idview tab labels (#891984) + +* Wed Nov 19 2014 Jan Cholasta - 4.1.0-7 +- ipa-csreplica-manage connect fails (#1157735) +- error message which is not understandable when IDNA2003 characters are + present in --zonemgr (#1163849) +- Fix warning message should not contain CLI commands (#1114013) +- Renewing the CA signing certificate does not extend its validity period end + (#1163498) +- RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for + httpd (#1159330) + +* Thu Nov 13 2014 Jan Cholasta - 4.1.0-6 +- Fix: DNS installer adds invalid zonemgr email (#1056202) +- ipaplatform: Use the dirsrv service, not target (#951581) +- Fix: DNS policy upgrade raises asertion error (#1161128) +- Fix upgrade referint plugin (#1161128) +- Upgrade: fix trusts objectclass violationi (#1161128) +- group-add doesn't accept gid parameter (#1149124) + +* Tue Nov 11 2014 Jan Cholasta - 4.1.0-5 +- Update slapi-nis dependency to pull 0.54-2 (#891984) +- ipa-restore: Don't crash if AD trust is not installed (#951581) +- Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) +- Trust setting not restored for CA cert with ipa-restore command (#1159011) +- ipa-server-install fails when restarting named (#1162340) + +* Thu Nov 06 2014 Jan Cholasta - 4.1.0-4 +- Update Requires on pki-ca to 10.1.2-4 (#1129558) +- build: increase java stack size for all arches +- Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) +- Fix dns zonemgr validation regression (#1056202) +- Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) +- Do not wait for new CA certificate to appear in LDAP in ipa-certupdate + (#886645) +- Add bind-dyndb-ldap working dir to IPA specfile +- Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage + (#886645) +- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) +- Deadlock in schema compat plugin (#1161131) +- ipactl stop should stop dirsrv last (#1161129) +- Upgrade 3.3.5 to 4.1 failed (#1161128) +- CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) + +* Wed Oct 22 2014 Jan Cholasta - 4.1.0-3 +- Do not check if port 8443 is available in step 2 of external CA install + (#1129481) + +* Wed Oct 22 2014 Jan Cholasta - 4.1.0-2 +- Update Requires on selinux-policy to 3.13.1-4 + +* Tue Oct 21 2014 Jan Cholasta - 4.1.0-1 +- Update to upstream 4.1.0 (#1109726) + +* Mon Sep 29 2014 Jan Cholasta - 4.1.0-0.1.alpha1 +- Update to upstream 4.1.0 Alpha 1 (#1109726) + +* Fri Sep 26 2014 Petr Vobornik - 4.0.3-3 +- Add redhat-access-plugin-ipa dependency + +* Thu Sep 25 2014 Jan Cholasta - 4.0.3-2 +- Re-enable otptoken_yubikey plugin + +* Mon Sep 15 2014 Jan Cholasta - 4.0.3-1 +- Update to upstream 4.0.3 (#1109726) + +* Thu Aug 14 2014 Martin Kosek - 3.3.3-29 +- Server installation fails using external signed certificates with + "IndexError: list index out of range" (#1111320) +- Add rhino to BuildRequires to fix Web UI build error + +* Tue Apr 1 2014 Martin Kosek - 3.3.3-28 +- ipa-client-automount fails with incompatibility error when installed against + older IPA server (#1083108) + +* Wed Mar 26 2014 Martin Kosek - 3.3.3-27 +- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future + PKI versions (#1080865) + +* Tue Mar 25 2014 Martin Kosek - 3.3.3-26 +- When IdM server trusts multiple AD forests, IPA client returns invalid group + membership info (#1079498) + +* Thu Mar 13 2014 Martin Kosek - 3.3.3-25 +- Deletion of active subdomain range should not be allowed (#1075615) + +* Thu Mar 13 2014 Martin Kosek - 3.3.3-24 +- PKI database is ugraded during replica installation (#1075118) + +* Wed Mar 12 2014 Martin Kosek - 3.3.3-23 +- Unable to add trust successfully with --trust-secret (#1075704) + +* Wed Mar 12 2014 Martin Kosek - 3.3.3-22 +- ipa-replica-install never checks for 7389 port (#1075165) +- Non-terminated string may be passed to LDAP search (#1075091) +- ipa-sam may fail to translate group SID into GID (#1073829) +- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) + +* Thu Mar 6 2014 Martin Kosek - 3.3.3-21 +- Do not fetch a principal two times, remove potential memory leak (#1070924) + +* Wed Mar 5 2014 Martin Kosek - 3.3.3-20 +- trustdomain-find with pkey-only fails (#1068611) +- Invalid credential cache in trust-add (#1069182) +- ipa-replica-install prints unexpected error (#1069722) +- Too big font in input fields in details facet in Firefox (#1069720) +- trust-add for POSIX AD does not fetch trustdomains (#1070925) +- Misleading trust-add error message in some cases (#1070926) +- Access is not rejected for disabled domain (#1070924) + +* Wed Feb 26 2014 Martin Kosek - 3.3.3-19 +- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) + +* Wed Feb 12 2014 Martin Kosek - 3.3.3-18 +- Display server name in ipa command's verbose mode (#1061703) +- Remove sourcehostcategory from default HBAC rule (#1061187) +- dnszone-add cannot add classless PTR zones (#1058688) +- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) + +* Tue Feb 4 2014 Martin Kosek - 3.3.3-17 +- Lockout plugin crashed during ipa-server-install (#912725) + +* Fri Jan 31 2014 Martin Kosek - 3.3.3-16 +- Fallback to global policy in ipa lockout plugin (#912725) +- Migration does not add users to default group (#903232) + +* Fri Jan 24 2014 Daniel Mach - 3.3.3-15 +- Mass rebuild 2014-01-24 + +* Thu Jan 23 2014 Martin Kosek - 3.3.3-14 +- Fix NetBIOS name generation in CLDAP plugin (#1030517) + +* Mon Jan 20 2014 Martin Kosek - 3.3.3-13 +- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) +- Increase default timeout for IPA services (#1033273) +- Error while running trustdomain-find (#1054376) +- group-show lists SID instead of name for external groups (#1054391) +- Fix IPA server NetBIOS name in samba configuration (#1030517) +- dnsrecord-mod produces missing API version warning (#1054869) +- Hide trust-resolve command as internal (#1052860) +- Add Trust domain Web UI (#1054870) +- ipasam cannot delete multiple child trusted domains (#1056120) + +* Wed Jan 15 2014 Martin Kosek - 3.3.3-12 +- Missing objectclasses when empty password passed to host-add (#1052979) +- sudoOrder missing in sudoers (#1052983) +- Missing examples in sudorule help (#1049464) +- Client automount does not uninstall when fstore is empty (#910899) +- Error not clear for invalid realm given to trust-fetch-domains (#1052981) +- trust-fetch-domains does not add idrange for subdomains found (#1049926) +- Add option to show if an AD subdomain is enabled/disabled (#1052973) +- ipa-adtrust-install still failed with long NetBIOS names (#1030517) +- Error not clear for invalid relam given to trustdomain-find (#1049455) +- renewed client cert not recognized during IPA CA renewal (#1033273) + +* Fri Jan 10 2014 Martin Kosek - 3.3.3-11 +- hbactest does not work for external users (#848531) + +* Wed Jan 08 2014 Martin Kosek - 3.3.3-10 +- PKI service restart after CA renewal failed (#1040018) + +* Mon Jan 06 2014 Martin Kosek - 3.3.3-9 +- Move ipa-tests package to separate srpm (#1032668) + +* Fri Jan 3 2014 Martin Kosek - 3.3.3-8 +- Fix status trust-add command status message (#910453) +- NetBIOS was not trimmed at 15 characters (#1030517) +- Harden CA subsystem certificate renewal on CA clones (#1040018) + +* Fri Dec 27 2013 Daniel Mach - 3.3.3-7 +- Mass rebuild 2013-12-27 + +* Mon Dec 2 2013 Martin Kosek - 3.3.3-6 +- Remove "Listen 443 http" hack from deployed nss.conf (#1029046) +- Re-adding existing trust fails (#1033216) +- IPA uninstall exits with a samba error (#1033075) +- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) +- Fixed ownership of /usr/share/ipa/ui/js (#1026260) +- ipa-tests: support external names for hosts (#1032668) +- ipa-client-install fail due fail to obtain host TGT (#1029354) + +* Fri Nov 22 2013 Martin Kosek - 3.3.3-5 +- Trust add tries to add same value of --base-id for sub domain, + causing an error (#1033068) +- Improved error reporting for adding trust case (#1029856) + +* Wed Nov 13 2013 Martin Kosek - 3.3.3-4 +- Winsync agreement cannot be created (#1023085) + +* Wed Nov 6 2013 Martin Kosek - 3.3.3-3 +- Installer did not detect different server and IPA domain (#1026845) +- Allow kernel keyring CCACHE when supported (#1026861) + +* Tue Nov 5 2013 Martin Kosek - 3.3.3-2 +- ipa-server-install crashes when AD subpackage is not installed (#1026434) + +* Fri Nov 1 2013 Martin Kosek - 3.3.3-1 +- Update to upstream 3.3.3 (#991064) + +* Tue Oct 29 2013 Martin Kosek - 3.3.2-5 +- Temporarily move ipa-backup and ipa-restore functionality + back to make them available in public Beta (#1003933) + +* Tue Oct 29 2013 Martin Kosek - 3.3.2-4 +- Server install failure during client enrollment shouldn't + roll back (#1023086) +- nsds5ReplicaStripAttrs are not set on agreements (#1023085) +- ipa-server conflicts with mod_ssl (#1018172) + +* Wed Oct 16 2013 Martin Kosek - 3.3.2-3 +- Reinstalling ipa server hangs when configuring certificate + server (#1018804) + +* Fri Oct 11 2013 Martin Kosek - 3.3.2-2 +- Deprecate --serial-autoincrement option (#1016645) +- CA installation always failed on replica (#1005446) +- Re-initializing a winsync connection exited with error (#994980) + +* Fri Oct 4 2013 Martin Kosek - 3.3.2-1 +- Update to upstream 3.3.2 (#991064) +- Add delegation info to MS-PAC (#915799) +- Warn about incompatibility with AD when IPA realm and domain + differs (#1009044) +- Allow PKCS#12 files with empty password in install tools (#1002639) +- Privilege "SELinux User Map Administrators" did not list + permissions (#997085) +- SSH key upload broken when client joins an older server (#1009024) + +* Mon Sep 23 2013 Martin Kosek - 3.3.1-5 +- Remove dependency on python-paramiko (#1002884) +- Broken redirection when deleting last entry of DNS resource + record (#1006360) + +* Tue Sep 10 2013 Martin Kosek - 3.3.1-4 +- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) + +* Mon Sep 9 2013 Martin Kosek - 3.3.1-3 +- Replica installation fails for RHEL 6.4 master (#1004680) +- Server uninstallation crashes if DS is not available (#998069) + +* Thu Sep 5 2013 Martin Kosek - 3.3.1-2 +- Unable to remove replica by ipa-replica-manage (#1001662) +- Before uninstalling a server, warn about active replicas (#998069) + +* Thu Aug 29 2013 Rob Crittenden - 3.3.1-1 +- Update to upstream 3.3.1 (#991064) +- Update minimum version of bind-dyndb-ldap to 3.5 + +* Tue Aug 20 2013 Rob Crittenden - 3.3.0-7 +- Fix replica installation failing on certificate subject (#983075) + +* Tue Aug 13 2013 Martin Kosek - 3.3.0-6 +- Allow ipa-tests to work with older version (1.7.7) of python-paramiko + +* Tue Aug 13 2013 Martin Kosek - 3.3.0-5 +- Prevent multilib failures in *.pyo and *.pyc files + +* Mon Aug 12 2013 Martin Kosek - 3.3.0-4 +- ipa-server-install fails if --subject parameter is other than default + realm (#983075) +- do not allow configuring bind-dyndb-ldap without persistent search (#967876) + +* Mon Aug 12 2013 Martin Kosek - 3.3.0-3 +- diffstat was missing as a build dependency causing multilib problems + +* Thu Aug 8 2013 Martin Kosek - 3.3.0-2 +- Remove ipa-server-selinux obsoletes as upgrades from version prior to + 3.3.0 are not allowed +- Wrap server-trust-ad subpackage description better +- Add (noreplace) flag for %%{_sysconfdir}/tmpfiles.d/ipa.conf +- Change permissions on default_encoding_utf8.so to fix ipa-python Provides + +* Thu Aug 8 2013 Martin Kosek - 3.3.0-1 +- Update to upstream 3.3.0 (#991064) + +* Thu Aug 8 2013 Martin Kosek - 3.3.0-0.2.beta2 +- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release + +* Wed Aug 7 2013 Martin Kosek - 3.3.0-0.1.beta2 +- Update to upstream 3.3.0 Beta 2 (#991064) + +* Thu Jul 18 2013 Martin Kosek - 3.2.2-1 +- Update to upstream 3.2.2 +- Drop ipa-server-selinux subpackage +- Drop redundant directory /var/cache/ipa/sessions +- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost +- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency + issues when there are still old parts of software (like entitlements plugin) + +* Fri Jun 14 2013 Martin Kosek - 3.2.1-1 +- Update to upstream 3.2.1 +- Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0 + +* Tue May 14 2013 Rob Crittenden - 3.2.0-2 +- Add OTP patches +- Add patch to set KRB5CCNAME for 389-ds-base + +* Fri May 10 2013 Rob Crittenden - 3.2.0-1 +- Update to upstream 3.2.0 GA +- ipa-client-install fails if /etc/ipa does not exist (#961483) +- Certificate status is not visible in Service and Host page (#956718) +- ipa-client-install removes needed options from ldap.conf (#953991) +- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) +- Add triggerin scriptlet to support OpenSSH 6.2 (#953617) +- Require nss 3.14.3-12.0 to address certutil certificate import + errors (#953485) +- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 + environments. (#953464) +- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) +- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) +- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for + socket based connections (#960222) +- Require libsss_nss_idmap-python +- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to + member is now done automatically and having it in the config file raises + an error. +- Add backup and restore tools, directory. +- require at least systemd 38 which provides the journal (we no longer + need to require syslog.target) +- Update Requires on policycoreutils to 2.1.14-37 +- Update Requires on selinux-policy to 3.12.1-42 +- Update Requires on 389-ds-base to 1.3.1.0 +- Remove a Requires for java-atk-wrapper + +* Tue Apr 23 2013 Rob Crittenden - 3.2.0-0.4.beta1 +- Remove release from krb5-server in strict sub-package to allow for rebuilds. + +* Mon Apr 22 2013 Rob Crittenden - 3.2.0-0.3.beta1 +- Add a Requires for java-atk-wrapper until we can determine which package + should be pulling it in, dogtag or tomcat. + +* Tue Apr 16 2013 Rob Crittenden - 3.2.0-0.2.beta1 +- Update to upstream 3.2.0 Beta 1 + +* Tue Apr 2 2013 Martin Kosek - 3.2.0-0.1.pre1 +- Update to upstream 3.2.0 Prerelease 1 +- Use upstream reference spec file as a base for Fedora spec file + +* Sat Mar 30 2013 Kevin Fenzi 3.1.2-4 +- Rebuild for broken deps +- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 + +* Sat Feb 23 2013 Kevin Fenzi - 3.1.2-3 +- Rebuild for broken deps in rawhide +- Fix 389-ds-base strict dep to be 1.3.0.3 + +* Wed Feb 13 2013 Fedora Release Engineering - 3.1.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 23 2013 Rob Crittenden - 3.1.2-1 +- Update to upstream 3.1.2 +- CVE-2012-4546: Incorrect CRLs publishing +- CVE-2012-5484: MITM Attack during Join process +- CVE-2013-0199: Cross-Realm Trust key leak +- Updated strict dependencies to 389-ds-base = 1.3.0.2 and + pki-ca = 10.0.1 + +* Thu Dec 20 2012 Martin Kosek - 3.1.0-2 +- Remove redundat Requires versions that are already in Fedora 17 +- Replace python-crypto Requires with m2crypto +- Add missing Requires(post) for client and server-trust-ad subpackages +- Restart httpd service when server-trust-ad subpackage is installed +- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes + +* Mon Dec 10 2012 Rob Crittenden - 3.1.0-1 +- Updated to upstream 3.1.0 GA +- Set minimum for sssd to 1.9.2 +- Set minimum for pki-ca to 10.0.0-1 +- Set minimum for 389-ds-base to 1.3.0 +- Set minimum for selinux-policy to 3.11.1-60 +- Remove unneeded dogtag package requires + +* Tue Oct 23 2012 Martin Kosek - 3.0.0-3 +- Update Requires on krb5-server to 1.11 + +* Fri Oct 12 2012 Rob Crittenden - 3.0.0-2 +- Configure CA replication to use TLS instead of SSL + +* Fri Oct 12 2012 Rob Crittenden - 3.0.0-1 +- Updated to upstream 3.0.0 GA +- Set minimum for samba to 4.0.0-153. +- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so + plugin to /dev/null since they cannot be used when trusts are configured +- Restrict krb5-server to 1.10. +- Update BR for 389-ds-base to 1.3.0 +- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca +- Add Requires on zip for generating FF browser extension + +* Fri Oct 5 2012 Rob Crittenden - 3.0.0-0.10 +- Updated to upstream 3.0.0 rc 2 +- Include new FF configuration extension +- Set minimum Requires of selinux-policy to 3.11.1-33 +- Set minimum Requires dogtag to 10.0.0-0.43.b1 +- Add new optional strict sub-package to allow users to limit other + package upgrades. + +* Tue Oct 2 2012 Martin Kosek - 3.0.0-0.9 +- Require samba packages instead of obsoleted samba4 packages + +* Fri Sep 21 2012 Rob Crittenden - 3.0.0-0.8 +- Updated to upstream 3.0.0 rc 1 +- Update BR for 389-ds-base to 1.2.11.14 +- Update BR for krb5 to 1.10 +- Update BR for samba4-devel to 4.0.0-139 (rc1) +- Add BR for python-polib +- Update BR and Requires on sssd to 1.9.0 +- Update Requires on policycoreutils to 2.1.12-5 +- Update Requires on 389-ds-base to 1.2.11.14 +- Update Requires on selinux-policy to 3.11.1-21 +- Update Requires on dogtag to 10.0.0-0.33.a1 +- Update Requires on certmonger to 0.60 +- Update Requires on tomcat to 7.0.29 +- Update minimum version of bind to 9.9.1-10.P3 +- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 +- Remove Requires on authconfig from python sub-package + +* Wed Sep 5 2012 Rob Crittenden - 3.0.0-0.7 +- Rebuild against samba4 beta8 + +* Fri Aug 31 2012 Rob Crittenden - 3.0.0-0.6 +- Rebuild against samba4 beta7 + +* Wed Aug 22 2012 Alexander Bokovoy - 3.0.0-0.5 +- Adopt to samba4 beta6 (libsecurity -> libsamba-security) +- Add dependency to samba4-winbind + +* Fri Aug 17 2012 Rob Crittenden - 3.0.0-0.4 +- Updated to upstream 3.0.0 beta 2 + +* Mon Aug 6 2012 Martin Kosek - 3.0.0-0.3 +- Updated to current upstream state of 3.0.0 beta 2 development + +* Mon Jul 23 2012 Alexander Bokovoy - 3.0.0-0.2 +- Rebuild against samba4 beta4 + +* Mon Jul 2 2012 Rob Crittenden - 3.0.0-0.1 +- Updated to upstream 3.0.0 beta 1 + +* Thu May 3 2012 Rob Crittenden - 2.2.0-1 +- Updated to upstream 2.2.0 GA +- Update minimum n-v-r of certmonger to 0.53 +- Update minimum n-v-r of slapi-nis to 0.40 +- Add Requires in client to oddjob-mkhomedir and python-krbV +- Update minimum selinux-policy to 3.10.0-110 + +* Mon Mar 19 2012 Rob Crittenden - 2.1.90-0.2 +- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) +- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. +- Add Conflicts on mod_ssl +- Update minimum n-v-r of 389-ds-base to 1.2.10.4 +- Update minimum n-v-r of sssd to 1.8.0 +- Update minimum n-v-r of slapi-nis to 0.38 +- Update minimum n-v-r of pki-* to 9.0.18 +- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 +- Update conflicts on bind to < 9.9.0-1 +- Drop requires on krb5-server-ldap +- Add patch to remove escaping arguments to pkisilent + +* Mon Feb 06 2012 Rob Crittenden - 2.1.90-0.1 +- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) + +* Wed Feb 01 2012 Alexander Bokovoy - 2.1.4-5 +- Force to use 389-ds 1.2.10-0.8.a7 or above +- Improve upgrade script to handle systemd 389-ds change +- Fix freeipa to work with python-ldap 2.4.6 + +* Wed Jan 11 2012 Martin Kosek - 2.1.4-4 +- Fix ipa-replica-install crashes +- Fix ipa-server-install and ipa-dns-install logging +- Set minimum version of pki-ca to 9.0.17 to fix sslget problem + caused by FEDORA-2011-17400 update (#771357) + +* Wed Dec 21 2011 Alexander Bokovoy - 2.1.4-3 +- Allow Web-based migration to work with tightened SE Linux policy (#769440) +- Rebuild slapi plugins against re-enterant version of libldap + +* Sun Dec 11 2011 Alexander Bokovoy - 2.1.4-2 +- Allow longer dirsrv startup with systemd: + - IPAdmin class will wait until dirsrv instance is available up to 10 seconds + - Helps with restarts during upgrade for ipa-ldap-updater +- Fix pylint warnings from F16 and Rawhide + +* Tue Dec 6 2011 Rob Crittenden - 2.1.4-1 +- Update to upstream 2.1.4 (CVE-2011-3636) + +* Mon Dec 5 2011 Rob Crittenden - 2.1.3-8 +- Update SELinux policy to allow ipa_kpasswd to connect ldap and + read /dev/urandom. (#759679) + +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-7 +- Fix wrong path in packaging freeipa-systemd-upgrade + +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-6 +- Introduce upgrade script to recover existing configuration after systemd migration + as user has no means to recover FreeIPA from systemd migration +- Upgrade script: + - recovers symlinks in Dogtag instance install + - recovers systemd configuration for FreeIPA's directory server instances + - recovers freeipa.service + - migrates directory server and KDC configs to use proper keytabs for systemd services + +* Wed Oct 26 2011 Fedora Release Engineering - 2.1.3-5 +- Rebuilt for glibc bug#747377 + +* Wed Oct 19 2011 Alexander Bokovoy - 2.1.3-4 +- clean up spec +- Depend on sssd >= 1.6.2 for better user experience + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-3 +- Fix Fedora package changelog after merging systemd changes + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-2 +- Fix postin scriplet for F-15/F-16 + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-1 +- 2.1.3 + +* Mon Oct 17 2011 Alexander Bokovoy - 2.1.2-1 +- Default to systemd for Fedora 16 and onwards + +* Tue Aug 16 2011 Rob Crittenden - 2.1.0-1 +- Update to upstream 2.1.0 + +* Fri May 6 2011 Simo Sorce - 2.0.1-2 +- Fix bug #702633 + +* Mon May 2 2011 Rob Crittenden - 2.0.1-1 +- Update minimum selinux-policy to 3.9.16-18 +- Update minimum pki-ca and pki-selinux to 9.0.7 +- Update minimum 389-ds-base to 1.2.8.0-1 +- Update to upstream 2.0.1 + +* Thu Mar 24 2011 Rob Crittenden - 2.0.0-1 +- Update to upstream GA release +- Automatically apply updates when the package is upgraded + +* Fri Feb 25 2011 Rob Crittenden - 2.0.0-0.4.rc2 +- Update to upstream freeipa-2.0.0.rc2 +- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in +- Set minimum version of sssd to 1.5.1 +- Patch to include SuiteSpotGroup when setting up 389-ds instances +- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled + +* Tue Feb 15 2011 Rob Crittenden - 2.0.0-0.3.rc1 +- Set the N-V-R so rc1 is an update to beta2. + +* Mon Feb 14 2011 Rob Crittenden - 2.0.0-0.1.rc1 +- Set minimum version of sssd to 1.5.1 +- Update to upstream freeipa-2.0.0.rc1 +- Move server-only binaries from admintools subpackage to server + +* Tue Feb 08 2011 Fedora Release Engineering - 2.0.0-0.2.beta2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Feb 3 2011 Rob Crittenden - 2.0.0-0.1.beta2 +- Set min version of 389-ds-base to 1.2.8 +- Set min version of mod_nss 1.0.8-10 +- Set min version of selinux-policy to 3.9.7-27 +- Add dogtag themes to Requires +- Update to upstream freeipa-2.0.0.pre2 + +* Thu Jan 27 2011 Rob Crittenden - 2.0.0-0.2.beta.git80e87e7 +- Remove unnecessary moving of v1 CA serial number file in post script +- Add Obsoletes for server-selinxu subpackage +- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da + +* Wed Jan 26 2011 Rob Crittenden - 2.0.0-0.1.beta.git80e87e7 +- Prepare spec file for release +- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 + +* Tue Jan 25 2011 Rob Crittenden - 1.99-41 +- Re-arrange doc and defattr to clean up rpmlint warnings +- Remove conditionals on older releases +- Move some man pages into admintools subpackage +- Remove some explicit Requires in client that aren't needed +- Consistent use of buildroot vs RPM_BUILD_ROOT + +* Wed Jan 19 2011 Adam Young - 1.99-40 +- Moved directory install/static to install/ui + +* Thu Jan 13 2011 Simo Sorce - 1.99-39 +- Remove dependency on nss_ldap/nss-pam-ldapd +- The official client is sssd and that's what we use by default. + +* Thu Jan 13 2011 Simo Sorce - 1.99-38 +- Remove radius subpackages + +* Thu Jan 13 2011 Rob Crittenden - 1.99-37 +- Set minimum pki-ca and pki-silent versions to 9.0.0 + +* Wed Jan 12 2011 Rob Crittenden - 1.99-36 +- Drop BuildRequires on mozldap-devel + +* Mon Dec 13 2010 Rob Crittenden - 1.99-35 +- Add Requires on krb5-pkinit-openssl + +* Fri Dec 10 2010 Jr Aquino - 1.99-34 +- Add ipa-host-net-manage script + +* Tue Dec 7 2010 Simo Sorce - 1.99-33 +- Add ipa init script + +* Fri Nov 19 2010 Rob Crittenden - 1.99-32 +- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin + +* Wed Nov 3 2010 Rob Crittenden - 1.99-31 +- remove ipa-fix-CVE-2008-3274 + +* Wed Oct 6 2010 Rob Crittenden - 1.99-30 +- Remove duplicate %%files entries on share/ipa/static +- Add python default encoding shared library + +* Mon Sep 20 2010 Rob Crittenden - 1.99-29 +- Drop requires on python-configobj (not used any more) +- Drop ipa-ldap-updater message, upgrades are done differently now + +* Wed Sep 8 2010 Rob Crittenden - 1.99-28 +- Drop conflicts on mod_nss +- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) +- Drop a slew of conditionals on older Fedora releases (< 12) +- Add a few conditionals against RHEL 6 +- Add Requires of nss-tools on ipa-client + +* Fri Aug 13 2010 Rob Crittenden - 1.99-27 +- Set minimum version of certmonger to 0.26 (to pck up #621670) +- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) +- Set minimum version of pki-ca to 1.3.6 +- Set minimum version of sssd to 1.2.1 + +* Tue Aug 10 2010 Rob Crittenden - 1.99-26 +- Add BuildRequires for authconfig + +* Mon Jul 19 2010 Rob Crittenden - 1.99-25 +- Bump up minimum version of python-nss to pick up nss_is_initialize() API + +* Thu Jun 24 2010 Adam Young - 1.99-24 +- Removed python-asset based webui + +* Thu Jun 24 2010 Rob Crittenden - 1.99-23 +- Change Requires from fedora-ds-base to 389-ds-base +- Set minimum level of 389-ds-base to 1.2.6 for the replication + version plugin. + +* Tue Jun 1 2010 Rob Crittenden - 1.99-22 +- Drop Requires of python-krbV on ipa-client + +* Mon May 17 2010 Rob Crittenden - 1.99-21 +- Load ipa_dogtag.pp in post install + +* Mon Apr 26 2010 Rob Crittenden - 1.99-20 +- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. + +* Thu Mar 4 2010 Rob Crittenden - 1.99-19 +- No need to create /var/log/ipa_error.log since we aren't using + TurboGears any more. + +* Mon Mar 1 2010 Jason Gerard DeRose - 1.99-18 +- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included + +* Wed Feb 24 2010 Jason Gerard DeRose - 1.99-17 +- Added Require mod_wsgi, added share/ipa/wsgi.py + +* Thu Feb 11 2010 Jason Gerard DeRose - 1.99-16 +- Require python-wehjit >= 0.2.2 + +* Wed Feb 3 2010 Rob Crittenden - 1.99-15 +- Add sssd and certmonger as a Requires on ipa-client + +* Wed Jan 27 2010 Jason Gerard DeRose - 1.99-14 +- Require python-wehjit >= 0.2.0 + +* Fri Dec 4 2009 Rob Crittenden - 1.99-13 +- Add ipa-rmkeytab tool + +* Tue Dec 1 2009 Rob Crittenden - 1.99-12 +- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 + Any type + +* Wed Nov 25 2009 Rob Crittenden - 1.99-11 +- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf + +* Fri Nov 13 2009 Rob Crittenden - 1.99-10 +- Add bash completion script and own /etc/bash_completion.d in case it + doesn't already exist + +* Tue Nov 3 2009 Rob Crittenden - 1.99-9 +- Remove ipa_webgui, its functions rolled into ipa_httpd + +* Mon Oct 12 2009 Jason Gerard DeRose - 1.99-8 +- Removed python-cherrypy from BuildRequires and Requires +- Added Requires python-assets, python-wehjit + +* Mon Aug 24 2009 Rob Crittenden - 1.99-7 +- Added httpd SELinux policy so CRLs can be read + +* Thu May 21 2009 Rob Crittenden - 1.99-6 +- Move ipalib to ipa-python subpackage +- Bump minimum version of slapi-nis to 0.15 + +* Wed May 6 2009 Rob Crittenden - 1.99-5 +- Set 0.14 as minimum version for slapi-nis + +* Wed Apr 22 2009 Rob Crittenden - 1.99-4 +- Add Requires: python-nss to ipa-python sub-package + +* Thu Mar 5 2009 Rob Crittenden - 1.99-3 +- Remove the IPA DNA plugin, use the DS one + +* Wed Mar 4 2009 Rob Crittenden - 1.99-2 +- Build radius separately +- Fix a few minor issues + +* Tue Feb 3 2009 Rob Crittenden - 1.99-1 +- Replace TurboGears requirement with python-cherrypy + +* Sat Jan 17 2009 Tomas Mraz - 1.2.1-3 +- rebuild with new openssl + +* Fri Dec 19 2008 Dan Walsh - 1.2.1-2 +- Fix SELinux code + +* Mon Dec 15 2008 Simo Sorce - 1.2.1-1 +- Fix breakage caused by python-kerberos update to 1.1 + +* Fri Dec 5 2008 Simo Sorce - 1.2.1-0 +- New upstream release 1.2.1 + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1.2.0-4 +- Rebuild for Python 2.6 + +* Fri Nov 14 2008 Simo Sorce - 1.2.0-3 +- Respin after the tarball has been re-released upstream + New hash is 506c9c92dcaf9f227cba5030e999f177 + +* Thu Nov 13 2008 Simo Sorce - 1.2.0-2 +- Conditionally restart also dirsrv and httpd when upgrading + +* Wed Oct 29 2008 Rob Crittenden - 1.2.0-1 +- Update to upstream version 1.2.0 +- Set fedora-ds-base minimum version to 1.1.3 for winsync header +- Set the minimum version for SELinux policy +- Remove references to Fedora 7 + +* Wed Jul 23 2008 Simo Sorce - 1.1.0-3 +- Fix for CVE-2008-3274 +- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface +- Add fix for bug #453185 +- Rebuild against openldap libraries, mozldap ones do not work properly +- TurboGears is currently broken in rawhide. Added patch to not build + the UI locales and removed them from the ipa-server files section. + +* Wed Jun 18 2008 Rob Crittenden - 1.1.0-2 +- Add call to /usr/sbin/upgradeconfig to post install + +* Wed Jun 11 2008 Rob Crittenden - 1.1.0-1 +- Update to upstream version 1.1.0 +- Patch for indexing memberof attribute +- Patch for indexing uidnumber and gidnumber +- Patch to change DNA default values for replicas +- Patch to fix uninitialized variable in ipa-getkeytab + +* Fri May 16 2008 Rob Crittenden - 1.0.0-5 +- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum + version to 1.0.7-4 so we pick up the NSS fixes. +- Add selinux-policy-base(post) to Requires (446496) + +* Tue Apr 29 2008 Rob Crittenden - 1.0.0-4 +- Add missing entry for /var/cache/ipa/kpasswd (444624) +- Added patch to fix permissions problems with the Apache NSS database. +- Added patch to fix problem with DNS querying where the query could be + returned as the answer. +- Fix spec error where patch1 was in the wrong section + +* Fri Apr 25 2008 Rob Crittenden - 1.0.0-3 +- Added patch to fix problem reported by ldapmodify + +* Fri Apr 25 2008 Rob Crittenden - 1.0.0-2 +- Fix Requires for krb5-server that was missing for Fedora versions > 9 +- Remove quotes around test for fedora version to package egg-info + +* Fri Apr 18 2008 Rob Crittenden - 1.0.0-1 +- Update to upstream version 1.0.0 + +* Tue Mar 18 2008 Rob Crittenden 0.99-12 +- Pull upstream changelog 722 +- Add Conflicts mod_ssl (435360) + +* Fri Feb 29 2008 Rob Crittenden 0.99-11 +- Pull upstream changelog 698 +- Fix ownership of /var/log/ipa_error.log during install (435119) +- Add pwpolicy command and man page + +* Thu Feb 21 2008 Rob Crittenden 0.99-10 +- Pull upstream changelog 678 +- Add new subpackage, ipa-server-selinux +- Add Requires: authconfig to ipa-python (bz #433747) +- Package i18n files + +* Mon Feb 18 2008 Rob Crittenden 0.99-9 +- Pull upstream changelog 641 +- Require minimum version of krb5-server on F-7 and F-8 +- Package some new files + +* Thu Jan 31 2008 Rob Crittenden 0.99-8 +- Marked with wrong license. IPA is GPLv2. + +* Tue Jan 29 2008 Rob Crittenden 0.99-7 +- Ensure that /etc/ipa exists before moving user-modifiable html files there +- Put html files into /etc/ipa/html instead of /etc/ipa + +* Tue Jan 29 2008 Rob Crittenden 0.99-6 +- Pull upstream changelog 608 which renamed several files + +* Thu Jan 24 2008 Rob Crittenden 0.99-5 +- package the sessions dir /var/cache/ipa/sessions +- Pull upstream changelog 597 + +* Thu Jan 24 2008 Rob Crittenden 0.99-4 +- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the + UI to not start. + +* Thu Jan 24 2008 Rob Crittenden 0.99-3 +- Included LICENSE and README in all packages for documentation +- Move user-modifiable content to /etc/ipa and linked back to + /usr/share/ipa/html +- Changed some references to /usr to the {_usr} macro and /etc + to {_sysconfdir} +- Added popt-devel to BuildRequires for Fedora 8 and higher and + popt for Fedora 7 +- Package the egg-info for Fedora 9 and higher for ipa-python + +* Tue Jan 22 2008 Rob Crittenden 0.99-2 +- Added auto* BuildRequires + +* Mon Jan 21 2008 Rob Crittenden 0.99-1 +- Unified spec file + +* Thu Jan 17 2008 Rob Crittenden - 0.6.0-2 +- Fixed License in specfile +- Include files from /usr/lib/python*/site-packages/ipaserver + +* Fri Dec 21 2007 Karl MacMillan - 0.6.0-1 +- Version bump for release + +* Wed Nov 21 2007 Karl MacMillan - 0.5.0-1 +- Preverse mode on ipa-keytab-util +- Version bump for relase and rpm name change + +* Thu Nov 15 2007 Rob Crittenden - 0.4.1-2 +- Broke invididual Requires and BuildRequires onto separate lines and + reordered them +- Added python-tgexpandingformwidget as a dependency +- Require at least fedora-ds-base 1.1 + +* Thu Nov 1 2007 Karl MacMillan - 0.4.1-1 +- Version bump for release + +* Wed Oct 31 2007 Karl MacMillan - 0.4.0-6 +- Add dep for freeipa-admintools and acl + +* Wed Oct 24 2007 Rob Crittenden - 0.4.0-5 +- Add dependency for python-krbV + +* Fri Oct 19 2007 Rob Crittenden - 0.4.0-4 +- Require mod_nss-1.0.7-2 for mod_proxy fixes + +* Thu Oct 18 2007 Karl MacMillan - 0.4.0-3 +- Convert to autotools-based build + +* Tue Sep 25 2007 Karl MacMillan - 0.4.0-2 + +* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 +- Added support for libipa-dna-plugin + +* Fri Aug 10 2007 Karl MacMillan - 0.2.0-1 +- Added support for ipa_kpasswd and ipa_pwd_extop + +* Sun Aug 5 2007 Rob Crittenden - 0.1.0-3 +- Abstracted client class to work directly or over RPC + +* Wed Aug 1 2007 Rob Crittenden - 0.1.0-2 +- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires +- Remove references to admin server in ipa-server-setupssl +- Generate a client certificate for the XML-RPC server to connect to LDAP with +- Create a keytab for Apache +- Create an ldif with a test user +- Provide a certmap.conf for doing SSL client authentication + +* Fri Jul 27 2007 Karl MacMillan - 0.1.0-1 +- Initial rpm version diff --git a/rpminspect.yaml b/rpminspect.yaml new file mode 100644 index 0000000..fd6cadb --- /dev/null +++ b/rpminspect.yaml @@ -0,0 +1,9 @@ +--- +specname: + match: suffix +runpath: + allowed_paths: + - /usr/lib64/samba +annocheck: + - hardened: --ignore-unknown --verbose --skip-run-path + diff --git a/sources b/sources new file mode 100644 index 0000000..2b1317f --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA1 (freeipa-4.9.8.tar.gz) = 38641a7f95779ba35089fcc10e25ec82a9b0248e