From c837b107f7f6abbd113a199072c1a83b8dac22c9 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 18 May 2021 02:44:18 -0400
Subject: [PATCH] import ipa-4.9.2-3.module+el8.4.0+10412+5ecb5b37

---
 .gitignore                                    |    2 +-
 .ipa.metadata                                 |    2 +-
 ...irmentError-while-addin_rhbz#1757045.patch |  409 ---
 ...do_and_sudo_pagure#8530_rhbz#1932289.patch |  381 +++
 ...s-default-configuration_rhbz#1847999.patch |  601 ----
 ...in-uninstall-log-for-KR_rhbz#1932289.patch |   60 +
 ...-Use-256-bit-AJP-secret_rhbz#1849914.patch |  147 -
 ...ust-with-shared-secret-_rhbz#1932289.patch |  119 +
 ...ectorydrive-option-name_rhbz#1851411.patch |  167 -
 ...pa-cert-fix_pagure#8600_rhbz#1932289.patch |  347 +++
 ...ith-NTLM-authentication_rhbz#1932289.patch |  135 +
 ...fetching-trust-topology_rhbz#1845596.patch |   93 -
 ...ance-for-1-host-service_rhbz#1846352.patch |  180 --
 ...ore_zonemgr_pagure#8718_rhbz#1932289.patch |   79 +
 ...n-calling-PKIConnection_rhbz#1849155.patch |  118 -
 ...-fix_renews_pagure#7885_rhbz#1932289.patch |  318 ++
 ...e-for-ipa-custodia.sock_rhbz#1857157.patch |   34 -
 ...calling-journalctl-sinc_rhbz#1932289.patch |   37 +
 ...uthselect-backup-during_rhbz#1810179.patch |  189 --
 ...nctions-with-NULL-LDAP_rhbz#1932784.patch} |  573 ++--
 ...ror-with-CertificateErr_rhbz#1858318.patch |   32 -
 ...arning-if-sudo-is-not-p_rhbz#1939371.patch |   64 +
 ...st-install---add-agents_rhbz#1859213.patch |  103 -
 ...-perms-on-KDC-cert-file_rhbz#1863616.patch |   84 -
 ...eve-LDAP-attributes-fro_rhbz#1866938.patch |  145 -
 ...nhance-input-validation_rhbz#1866291.patch |  404 ---
 ...nnection-error-handling_rhbz#1863079.patch |  141 -
 ...-0644-in-CA-less-instal_rhbz#1870202.patch |  110 -
 ...custodia-replicate-keys_rhbz#1868432.patch |   62 -
 ...y-add-debug-to-pkispawn_rhbz#1879604.patch |  117 -
 ...TestSubCAkeyReplication_rhbz#1870202.patch |  549 ----
 ...node_t-and-pki_tomcat_c_rhbz#1870202.patch |   68 -
 ...k-tuning-of-BDB-backend_rhbz#1882472.patch |  215 --
 ...case-of-trusted-domains_rhbz#1914821.patch |  236 --
 ...-remove-unused-variable_rhbz#1914821.patch |   27 -
 ...mpty-plugin-directories_rhbz#1895910.patch |  121 -
 ...ubordinate-upn-suffixes_rhbz#1914823.patch |   76 -
 ...e-superior-UPN-suffixes_rhbz#1914823.patch |  114 -
 ...f-the-forest-trust-root_rhbz#1914823.patch |   57 -
 ...-fix-crash-in-MS-PAC-cache-init-code.patch |  127 -
 ...nding-to-IPA-and-Identity-Management.patch | 2713 +----------------
 SOURCES/1002-4.8.0-Remove-csrgen.patch        | 2051 -------------
 ...-python3-rjsmin-to-minify-JavaScript.patch |  134 -
 SOURCES/freeipa-4.8.7.tar.gz.asc              |   16 -
 SOURCES/freeipa-4.9.2.tar.gz.asc              |   16 +
 SPECS/ipa.spec                                |  614 ++--
 46 files changed, 2246 insertions(+), 10141 deletions(-)
 delete mode 100644 SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
 create mode 100644 SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
 delete mode 100644 SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch
 create mode 100644 SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
 delete mode 100644 SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
 create mode 100644 SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
 delete mode 100644 SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch
 create mode 100644 SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
 create mode 100644 SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
 delete mode 100644 SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch
 delete mode 100644 SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch
 create mode 100644 SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
 delete mode 100644 SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch
 create mode 100644 SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
 delete mode 100644 SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch
 create mode 100644 SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
 delete mode 100644 SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch
 rename SOURCES/{0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch => 0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch} (79%)
 delete mode 100644 SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch
 create mode 100644 SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
 delete mode 100644 SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch
 delete mode 100644 SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch
 delete mode 100644 SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch
 delete mode 100644 SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
 delete mode 100644 SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch
 delete mode 100644 SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
 delete mode 100644 SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
 delete mode 100644 SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
 delete mode 100644 SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
 delete mode 100644 SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
 delete mode 100644 SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch
 delete mode 100644 SOURCES/0022-rpcserver-fallback-to-non-armored-kinit-in-case-of-trusted-domains_rhbz#1914821.patch
 delete mode 100644 SOURCES/0023-pylint-remove-unused-variable_rhbz#1914821.patch
 delete mode 100644 SOURCES/0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910.patch
 delete mode 100644 SOURCES/0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch
 delete mode 100644 SOURCES/0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch
 delete mode 100644 SOURCES/0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch
 delete mode 100644 SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
 delete mode 100644 SOURCES/1002-4.8.0-Remove-csrgen.patch
 delete mode 100644 SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
 delete mode 100644 SOURCES/freeipa-4.8.7.tar.gz.asc
 create mode 100644 SOURCES/freeipa-4.9.2.tar.gz.asc

diff --git a/.gitignore b/.gitignore
index eb27ffd..01d0ddf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.8.7.tar.gz
+SOURCES/freeipa-4.9.2.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index f2e66c8..13b7ab7 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-0099d799a77a757eeb4a95a69a38bdec24e45026 SOURCES/freeipa-4.8.7.tar.gz
+c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz
diff --git a/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch b/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
deleted file mode 100644
index 34580fe..0000000
--- a/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
+++ /dev/null
@@ -1,409 +0,0 @@
-From c2ba333b9681d008d9c528a79dbdd76ce11a3ecd Mon Sep 17 00:00:00 2001
-From: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Date: Thu, 28 May 2020 08:47:49 +0200
-Subject: [PATCH 01/22] WebUI: Fix "IPA Error 3007: RequirmentError" while
- adding idoverrideuser association
-
-Add builder for association adder dialog which allows to override behavior of the component.
-Replace default implementation with a custom one for idoverrideuser.
-Replace text filter with 'ID view' select box in the idoverrideuser dialog.
-
-Ticket: https://pagure.io/freeipa/issue/8335
-
-Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- install/ui/src/freeipa/association.js | 13 ++++-
- install/ui/src/freeipa/dialog.js      | 73 ++++++++++++++++-----------
- install/ui/src/freeipa/group.js       | 14 +++++
- install/ui/src/freeipa/idviews.js     | 58 +++++++++++++++++++++
- ipaserver/plugins/internal.py         |  6 +++
- 5 files changed, 133 insertions(+), 31 deletions(-)
-
-diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
-index f10ccb2a5..b083a79f9 100644
---- a/install/ui/src/freeipa/association.js
-+++ b/install/ui/src/freeipa/association.js
-@@ -25,6 +25,7 @@
- define([
-     'dojo/_base/lang',
-     'dojo/Deferred',
-+    './builder',
-     './metadata',
-     './ipa',
-     './jquery',
-@@ -38,7 +39,7 @@ define([
-     './facet',
-     './search',
-     './dialog'],
--        function(lang, Deferred, metadata_provider, IPA, $, metadata,
-+        function(lang, Deferred, builder, metadata_provider, IPA, $, metadata,
-                  navigation, phases, reg, rpc, su, text) {
- 
- /**
-@@ -1209,7 +1210,8 @@ exp.association_facet = IPA.association_facet = function (spec, no_init) {
- 
-         var pkeys = that.data.result.result[that.get_attribute_name()];
- 
--        var dialog = IPA.association_adder_dialog({
-+        var dialog = builder.build('association_adder_dialog', {
-+            $type: that.other_entity.name,
-             title: title,
-             entity: that.entity,
-             pkey: pkey,
-@@ -1675,6 +1677,13 @@ IPA.attr_read_only_evaluator = function(spec) {
-     return that;
- };
- 
-+// Create a registry for adder dialogs where key is name of 'other entity'.
-+// It allows to override dialogs for some specific cases of association
-+// creation.
-+var dialog_builder = builder.get('association_adder_dialog');
-+dialog_builder.factory = IPA.association_adder_dialog;
-+reg.set('association_adder_dialog', dialog_builder.registry);
-+
- phases.on('registration', function() {
-     var w = reg.widget;
-     var f = reg.field;
-diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js
-index c153120df..d67d63b6d 100644
---- a/install/ui/src/freeipa/dialog.js
-+++ b/install/ui/src/freeipa/dialog.js
-@@ -919,35 +919,7 @@ IPA.adder_dialog = function(spec) {
-             'class': 'input-group col-md-12 adder-dialog-top'
-         }).appendTo(container);
- 
--        var filter_placeholder = text.get('@i18n:association.filter_placeholder');
--        filter_placeholder = filter_placeholder.replace('${other_entity}',
--            that.other_entity.metadata.label);
--
--        that.filter_field = $('<input/>', {
--            type: 'text',
--            name: 'filter',
--            'class': 'form-control',
--            'placeholder': filter_placeholder,
--            keyup: function(event) {
--                if (event.keyCode === keys.ENTER) {
--                    that.search();
--                    return false;
--                }
--            }
--        }).appendTo(input_group);
--
--        var input_group_btn = $('<div/>', {
--            'class': 'input-group-btn'
--        }).appendTo(input_group);
--
--        that.find_button = IPA.button({
--            name: 'find',
--            label: '@i18n:buttons.filter',
--            click: function() {
--                that.search();
--                return false;
--            }
--        }).appendTo(input_group_btn);
-+        that.filter_field = that.get_filter_field(input_group);
- 
-         var row = $('<div/>', { 'class': 'row adder-dialog-main'}).appendTo(container);
-         //
-@@ -1132,6 +1104,49 @@ IPA.adder_dialog = function(spec) {
-         return that.filter_field.val();
-     };
- 
-+    /**
-+     * Return field for filtering available items
-+     *
-+     * Default implementation returns text input + "Filter" button.
-+     * It can be overridden.
-+     *
-+     * @param {HTMLElement} input_group - container for a filter field
-+     * @return {HTMLElement}
-+     */
-+    that.get_filter_field = function(input_group) {
-+        var filter_placeholder = text.get(
-+            '@i18n:association.filter_placeholder'
-+        ).replace('${other_entity}', that.other_entity.metadata.label);
-+
-+        var filter_field = $('<input/>', {
-+            type: 'text',
-+            name: 'filter',
-+            'class': 'form-control',
-+            'placeholder': filter_placeholder,
-+            keyup: function(event) {
-+                if (event.keyCode === keys.ENTER) {
-+                    that.search();
-+                    return false;
-+                }
-+            }
-+        }).appendTo(input_group);
-+
-+        var input_group_btn = $('<div/>', {
-+            'class': 'input-group-btn'
-+        }).appendTo(input_group);
-+
-+        that.find_button = IPA.button({
-+            name: 'find',
-+            label: '@i18n:buttons.filter',
-+            click: function() {
-+                that.search();
-+                return false;
-+            }
-+        }).appendTo(input_group_btn);
-+
-+        return filter_field;
-+    };
-+
-     /**
-      * Clear rows in available table
-      */
-diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
-index e46d8c7e3..2984bd4b2 100644
---- a/install/ui/src/freeipa/group.js
-+++ b/install/ui/src/freeipa/group.js
-@@ -205,6 +205,20 @@ return {
-             add_title: '@i18n:objects.group.add_into_sudo',
-             remove_method: 'remove_user',
-             remove_title: '@i18n:objects.group.remove_from_sudo'
-+        },
-+        {
-+            $type: 'association',
-+            name: 'member_idoverrideuser',
-+            associator: IPA.serial_associator,
-+            add_title: '@i18n:objects.group.add_idoverride_user',
-+            remove_title: '@i18n:objects.group.remove_idoverride_users',
-+            columns: [
-+                {
-+                    name: 'ipaanchoruuid',
-+                    label: '@i18n:objects.idoverrideuser.anchor_label',
-+                    link: false
-+                }
-+            ]
-         }
-     ],
-     standard_association_facets: true,
-diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
-index 35dc998c8..a4fca6205 100644
---- a/install/ui/src/freeipa/idviews.js
-+++ b/install/ui/src/freeipa/idviews.js
-@@ -966,6 +966,58 @@ idviews.unapply_action = function(spec) {
-     return that;
- };
- 
-+idviews.idoverrideuser_adder_dialog = function(spec) {
-+
-+    spec = spec || {};
-+
-+    var that = IPA.association_adder_dialog(spec);
-+
-+    that.base_search = that.search;
-+
-+    that.search = function() {
-+        // Search for users only in case a ID view is selected
-+        if (that.get_filter()) {
-+            that.base_search();
-+        }
-+    };
-+
-+    /**
-+     * Replace default text filter with a select box for filtering by ID view
-+     */
-+    that.get_filter_field = function(input_group) {
-+
-+        var filter_field = $('<select/>', {
-+            name: 'filter',
-+            'class': 'form-control',
-+            change: function(event) {
-+                that.search();
-+            }
-+        }).appendTo(input_group);
-+
-+        rpc.command({
-+            entity: 'idview',
-+            method: 'find',
-+            on_success: function(data) {
-+                var results = data.result;
-+
-+                for (var i=0; i<results.count; i++) {
-+                    var result = results.result[i];
-+                    $('<option/>', {
-+                        text: result.cn[0],
-+                        value: result.cn[0]
-+                    }).appendTo(filter_field);
-+                }
-+
-+                that.search();
-+            }
-+        }).execute();
-+
-+        return filter_field;
-+    };
-+
-+    return that;
-+};
-+
- /**
-  * ID View entity specification object
-  * @member idviews
-@@ -993,6 +1045,7 @@ idviews.register = function() {
-     var f = reg.facet;
-     var a = reg.action;
-     var w = reg.widget;
-+    var ad = reg.association_adder_dialog;
- 
-     e.register({type: 'idview', spec: idviews.spec});
-     e.register({
-@@ -1012,6 +1065,11 @@ idviews.register = function() {
- 
-     w.register('idviews_certs', idviews.idviews_certs_widget);
-     w.register('cert_textarea', idviews.cert_textarea_widget);
-+
-+    ad.register({
-+        type: 'idoverrideuser',
-+        factory: idviews.idoverrideuser_adder_dialog
-+    });
- };
- 
- phases.on('registration', idviews.register);
-diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
-index 5f2b1fdc2..7622e65dc 100644
---- a/ipaserver/plugins/internal.py
-+++ b/ipaserver/plugins/internal.py
-@@ -835,6 +835,9 @@ class i18n_messages(Command):
-                     "Remove users from member managers for user group "
-                     "'${primary_key}'"
-                 ),
-+                "add_idoverride_user": _(
-+                    "Add user ID override into user group '${primary_key}'"
-+                ),
-                 "details": _("Group Settings"),
-                 "external": _("External"),
-                 "groups": _("Groups"),
-@@ -868,6 +871,9 @@ class i18n_messages(Command):
-                 "remove_users": _(
-                     "Remove users from user group '${primary_key}'"
-                 ),
-+                "remove_idoverride_users": _(
-+                    "Remove user ID overrides from user group '${primary_key}'"
-+                ),
-                 "type": _("Group Type"),
-                 "user_groups": _("User Groups"),
-             },
--- 
-2.26.2
-
-From f6c460aee8542d4d81cd9970d71051c240156973 Mon Sep 17 00:00:00 2001
-From: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Date: Thu, 16 Jul 2020 18:52:24 +0200
-Subject: [PATCH] WebUI: Fix error "unknown command
- 'idoverrideuser_add_member'"
-
-There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association,
-as a result a wrong command was sent to the server.
-
-Ticket: https://pagure.io/freeipa/issue/8416
-
-Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- install/ui/src/freeipa/group.js | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
-index 2984bd4b2..61c19a82f 100644
---- a/install/ui/src/freeipa/group.js
-+++ b/install/ui/src/freeipa/group.js
-@@ -209,7 +209,6 @@ return {
-         {
-             $type: 'association',
-             name: 'member_idoverrideuser',
--            associator: IPA.serial_associator,
-             add_title: '@i18n:objects.group.add_idoverride_user',
-             remove_title: '@i18n:objects.group.remove_idoverride_users',
-             columns: [
--- 
-2.26.2
-
-From e35739b7e9f6bb016b37abbd92bdaee71a59a288 Mon Sep 17 00:00:00 2001
-From: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Date: Wed, 29 Jul 2020 09:41:36 +0200
-Subject: [PATCH] WebUI tests: Add test case to cover user ID override feature
-
-The test case includes adding an user ID override to Default Trust View
-and adding the ID override to some IPA group.
-
-Ticket: https://pagure.io/freeipa/issue/8416
-
-Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_webui/test_trust.py | 41 +++++++++++++++++++++++++++++++
- 1 file changed, 41 insertions(+)
-
-diff --git a/ipatests/test_webui/test_trust.py b/ipatests/test_webui/test_trust.py
-index c04c2fcd8..605f8a2a7 100644
---- a/ipatests/test_webui/test_trust.py
-+++ b/ipatests/test_webui/test_trust.py
-@@ -21,6 +21,8 @@
- Trust tests
- """
- 
-+import ipatests.test_webui.data_group as group
-+import ipatests.test_webui.data_idviews as idview
- from ipatests.test_webui.ui_driver import UI_driver
- from ipatests.test_webui.ui_driver import screenshot
- from ipatests.test_webui.task_range import range_tasks
-@@ -29,6 +31,8 @@ import pytest
- ENTITY = 'trust'
- CONFIG_ENTITY = 'trustconfig'
- 
-+DEFAULT_TRUST_VIEW = 'Default Trust View'
-+
- CONFIG_DATA = {
-     'mod': [
-         ['combobox', 'ipantfallbackprimarygroup', 'admins'],
-@@ -164,3 +168,40 @@ class test_trust(trust_tasks):
- 
-         self.mod_record(CONFIG_ENTITY, CONFIG_DATA)
-         self.mod_record(CONFIG_ENTITY, CONFIG_DATA2)
-+
-+    @screenshot
-+    def test_group_member_idoverrideuser(self):
-+
-+        self.init_app()
-+
-+        # Create new trust
-+        data = self.get_data()
-+        self.add_record(ENTITY, data)
-+
-+        # Create an user ID override
-+        ad_domain = self.config.get('ad_domain')
-+        ad_admin = self.config.get('ad_admin')
-+        idoverrideuser_pkey = '{}@{}'.format(ad_admin, ad_domain).lower()
-+
-+        self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
-+        self.add_record(idview.ENTITY, {
-+            'pkey': idoverrideuser_pkey,
-+            'add': [
-+                ('textbox', 'ipaanchoruuid_default', idoverrideuser_pkey),
-+            ],
-+        }, facet='idoverrideuser')
-+
-+        # Create new group and add the user ID override there
-+        self.navigate_to_entity(group.ENTITY)
-+        self.add_record(group.ENTITY, group.DATA)
-+        self.navigate_to_record(group.PKEY)
-+        self.add_associations([idoverrideuser_pkey],
-+                              facet='member_idoverrideuser', delete=True)
-+
-+        # Clean up data
-+        self.navigate_to_entity(group.ENTITY)
-+        self.delete_record(group.PKEY)
-+        self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
-+        self.delete_record(idoverrideuser_pkey)
-+        self.navigate_to_entity(ENTITY)
-+        self.delete_record(ad_domain)
--- 
-2.26.2
-
diff --git a/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch b/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
new file mode 100644
index 0000000..5935601
--- /dev/null
+++ b/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
@@ -0,0 +1,381 @@
+From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Fri, 11 Dec 2020 07:35:59 +0200
+Subject: [PATCH] ipatests: add TestInstallWithoutSudo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Test IPA servers and clients behavior when sudo is not installed.
+
+Fixes: https://pagure.io/freeipa/issue/8530
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ .../nightly_ipa-4-9_latest.yaml               | 12 ++++
+ .../nightly_ipa-4-9_latest_selinux.yaml       | 13 ++++
+ .../nightly_ipa-4-9_previous.yaml             | 12 ++++
+ .../test_integration/test_installation.py     | 66 +++++++++++++++++++
+ 4 files changed, 103 insertions(+)
+
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+index 3acd6a13c..d91b16cab 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+@@ -535,6 +535,18 @@ jobs:
+         timeout: 10800
+         topology: *master_1repl
+ 
++  fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
++    requires: [fedora-latest-ipa-4-9/build]
++    priority: 50
++    job:
++      class: RunPytest
++      args:
++        build_url: '{fedora-latest-ipa-4-9/build_url}'
++        test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
++        template: *ci-ipa-4-9-latest
++        timeout: 4800
++        topology: *master_1repl_1client
++
+   fedora-latest-ipa-4-9/test_idviews:
+     requires: [fedora-latest-ipa-4-9/build]
+     priority: 50
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+index c01192cf5..8adb06d0c 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+@@ -575,6 +575,19 @@ jobs:
+         timeout: 10800
+         topology: *master_1repl
+ 
++  fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
++    requires: [fedora-latest-ipa-4-9/build]
++    priority: 50
++    job:
++      class: RunPytest
++      args:
++        build_url: '{fedora-latest-ipa-4-9/build_url}'
++        selinux_enforcing: True
++        test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
++        template: *ci-ipa-4-9-latest
++        timeout: 4800
++        topology: *master_1repl_1client
++
+   fedora-latest-ipa-4-9/test_idviews:
+     requires: [fedora-latest-ipa-4-9/build]
+     priority: 50
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+index a6ea24f6a..2b5d4fd5e 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+@@ -535,6 +535,18 @@ jobs:
+         timeout: 10800
+         topology: *master_1repl
+ 
++  fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
++    requires: [fedora-previous-ipa-4-9/build]
++    priority: 50
++    job:
++      class: RunPytest
++      args:
++        build_url: '{fedora-previous-ipa-4-9/build_url}'
++        test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
++        template: *ci-ipa-4-9-previous
++        timeout: 4800
++        topology: *master_1repl_1client
++
+   fedora-previous-ipa-4-9/test_idviews:
+     requires: [fedora-previous-ipa-4-9/build]
+     priority: 50
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index eb6f7d78e..6e8af024c 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest):
+                                             self.replicas[0].hostname],
+                                            stdin_text=dirman_password)
+         assert self.replicas[0].hostname not in cmd.stdout_text
++
++
++class TestInstallWithoutSudo(IntegrationTest):
++
++    num_clients = 1
++    num_replicas = 1
++    no_sudo_str = "The sudo binary does not seem to be present on this"
++
++    @classmethod
++    def install(cls, mh):
++        pass
++
++    def test_sudo_removal(self):
++        # ipa-client makes sudo depend on libsss_sudo.
++
++        # --nodeps is mandatory because dogtag uses sudo at install
++        # time until commit 49585867207922479644a03078c29548de02cd03
++        # which is scheduled to land in 10.10.
++
++        # This also means sudo+libsss_sudo cannot be uninstalled on
++        # IPA servers with a CA.
++        assert tasks.is_package_installed(self.clients[0], 'sudo')
++        assert tasks.is_package_installed(self.clients[0], 'libsss_sudo')
++        tasks.uninstall_packages(
++            self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True
++        )
++
++    def test_ipa_installation_without_sudo(self):
++        # FixMe: When Dogtag 10.10 is out, test installation without sudo
++        tasks.install_master(self.master, setup_dns=True)
++
++    def test_replica_installation_without_sudo(self):
++        # FixMe: When Dogtag 10.10 is out, test replica installation
++        # without sudo and with CA
++        tasks.uninstall_packages(
++            self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True
++        )
++        # One-step install is needed.
++        # With promote=True, two-step install is done and that only captures
++        # the ipa-replica-install stdout/stderr, not ipa-client-install's.
++        result = tasks.install_replica(
++            self.master, self.replicas[0], promote=False,
++            setup_dns=True, setup_ca=False
++        )
++        assert self.no_sudo_str in result.stderr_text
++
++    def test_client_installation_without_sudo(self):
++        result = tasks.install_client(self.master, self.clients[0])
++        assert self.no_sudo_str in result.stderr_text
++
++    def test_remove_sudo_on_ipa(self):
++        tasks.uninstall_packages(
++            self.master, ['sudo', 'libsss_sudo'], nodeps=True
++        )
++        self.master.run_command(
++            ['ipactl', 'restart']
++        )
++
++    def test_install_sudo_on_client(self):
++        """ Check that installing sudo pulls libsss_sudo in"""
++        for pkg in ('sudo', 'libsss_sudo'):
++            assert tasks.is_package_installed(self.clients[0], pkg) is False
++        tasks.uninstall_client(self.clients[0])
++        tasks.install_packages(self.clients[0], ['sudo'])
++        for pkg in ('sudo', 'libsss_sudo'):
++            assert tasks.is_package_installed(self.clients[0], pkg)
+-- 
+2.29.2
+
+From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Thu, 10 Dec 2020 08:35:12 +0200
+Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Handle package removal without taking dependencies into account.
+E.g. add frontends for rpm -e --nodeps.
+
+Related: ipatests/pytest_ipa/integration/tasks.py
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++-----
+ 1 file changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
+index b91859816..2fe78367f 100755
+--- a/ipatests/pytest_ipa/integration/tasks.py
++++ b/ipatests/pytest_ipa/integration/tasks.py
+@@ -29,6 +29,7 @@ import re
+ import collections
+ import itertools
+ import shutil
++import shlex
+ import copy
+ import subprocess
+ import tempfile
+@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs):
+     return tmpdir
+ 
+ 
+-def uninstall_packages(host, pkgs):
++def uninstall_packages(host, pkgs, nodeps=False):
+     """Uninstall packages on a remote host.
+-    :param host: the host where the uninstallation takes place
+-    :param pkgs: packages to uninstall, provided as a list of strings
++    :param host: the host where the uninstallation takes place.
++    :param pkgs: packages to uninstall, provided as a list of strings.
++    :param nodeps: ignore dependencies (dangerous!).
+     """
+     platform = get_platform(host)
+-    # Only supports RHEL 8+ and Fedora for now
+-    if platform in ('rhel', 'fedora'):
+-        install_cmd = ['/usr/bin/dnf', 'remove', '-y']
+-    elif platform in ('ubuntu'):
+-        install_cmd = ['apt-get', 'remove', '-y']
++    if platform not in ('rhel', 'fedora', 'ubuntu'):
++        raise ValueError('uninstall_packages: unknown platform %s' % platform)
++    if nodeps:
++        if platform in ('rhel', 'fedora'):
++            cmd = "rpm -e --nodeps"
++        elif platform in ('ubuntu'):
++            cmd = "dpkg -P --force-depends"
++        for package in pkgs:
++            uninstall_cmd = shlex.split(cmd)
++            uninstall_cmd.append(package)
++            # keep raiseonerr=True here. --fcami
++            host.run_command(uninstall_cmd)
+     else:
+-        raise ValueError('install_packages: unknown platform %s' % platform)
+-    host.run_command(install_cmd + pkgs, raiseonerr=False)
++        if platform in ('rhel', 'fedora'):
++            cmd = "/usr/bin/dnf remove -y"
++        elif platform in ('ubuntu'):
++            cmd = "apt-get remove -y"
++        uninstall_cmd = shlex.split(cmd)
++        uninstall_cmd.extend(pkgs)
++        host.run_command(uninstall_cmd, raiseonerr=False)
+ 
+ 
+ def wait_for_request(host, request_id, timeout=120):
+@@ -2649,3 +2663,20 @@ def run_ssh_cmd(
+             assert "Authentication succeeded" not in stderr
+             assert "No more authentication methods to try." in stderr
+     return (return_code, stdout, stderr)
++
++
++def is_package_installed(host, pkg):
++    platform = get_platform(host)
++    if platform in ('rhel', 'fedora'):
++        result = host.run_command(
++            ['rpm', '-q', pkg], raiseonerr=False
++        )
++    elif platform in ['ubuntu']:
++        result = host.run_command(
++            ['dpkg', '-s', pkg], raiseonerr=False
++        )
++    else:
++        raise ValueError(
++            'is_package_installed: unknown platform %s' % platform
++        )
++    return result.returncode == 0
+-- 
+2.29.2
+
+From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Thu, 10 Dec 2020 08:15:22 +0200
+Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: https://pagure.io/freeipa/issue/8530
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaclient/install/client.py | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
+index 8acfa0cd1..0e478fa26 100644
+--- a/ipaclient/install/client.py
++++ b/ipaclient/install/client.py
+@@ -24,6 +24,7 @@ import re
+ import SSSDConfig
+ import shutil
+ import socket
++import subprocess
+ import sys
+ import tempfile
+ import textwrap
+@@ -2200,7 +2201,18 @@ def install_check(options):
+             "authentication resources",
+             rval=CLIENT_INSTALL_ERROR)
+ 
+-    # when installing with '--no-sssd' option, check whether nss-ldap is
++    # When installing without the "--no-sudo" option, check whether sudo is
++    # available.
++    if options.conf_sudo:
++        try:
++            subprocess.Popen(['sudo -V'])
++        except FileNotFoundError:
++            logger.info(
++                "The sudo binary does not seem to be present on this "
++                "system. Please consider installing sudo if required."
++            )
++
++    # when installing with the '--no-sssd' option, check whether nss-ldap is
+     # installed
+     if not options.sssd:
+         if not os.path.exists(paths.PAM_KRB5_SO):
+-- 
+2.29.2
+
+From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Thu, 10 Dec 2020 07:55:16 +0200
+Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On 10.10+ releases of Dogtag, the PKI installer will not depend
+on sudo anymore. This opens the possibility of creating IPA servers
+without a properly configured sudo.
+In fact, even IPA clients should have sudo and libsss_sudo installed
+in most cases, so add a weak dependency on both of them to the client
+subpackage.
+Also make sure libsss_sudo is installed if sudo is present.
+
+Fixes: https://pagure.io/freeipa/issue/8530
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ freeipa.spec.in | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index ba52a3834..93e473ac4 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -640,6 +640,11 @@ Requires: nfs-utils
+ Requires: sssd-tools >= %{sssd_version}
+ Requires(post): policycoreutils
+ 
++# https://pagure.io/freeipa/issue/8530
++Recommends: libsss_sudo
++Recommends: sudo
++Requires: (libsss_sudo if sudo)
++
+ Provides: %{alt_name}-client = %{version}
+ Conflicts: %{alt_name}-client
+ Obsoletes: %{alt_name}-client < %{version}
+-- 
+2.29.2
+
diff --git a/SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch b/SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch
deleted file mode 100644
index eec611f..0000000
--- a/SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch
+++ /dev/null
@@ -1,601 +0,0 @@
-From 77fae8c48bbe0f4499f4d8ed91b268568c64cd7c Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Thu, 11 Jun 2020 11:17:25 +0200
-Subject: [PATCH] Move ipa-epn systemd files and run RPM hooks
-
-The init/systemd directory is for server only and not part of
-CLIENT_ONLY builds.
-
-It's necesary to run pre/post installation hooks to make systemd aware
-of new files.
-
-Fixes: https://pagure.io/freeipa/issue/8367
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Francois Cami <fcami@redhat.com>
----
- .gitignore                                    |  4 +--
- client/Makefile.am                            |  1 +
- client/share/Makefile.am                      |  5 ++++
- {install => client}/share/expire_msg.template |  0
- client/systemd/Makefile.am                    | 27 +++++++++++++++++++
- {init => client}/systemd/ipa-epn.service.in   |  0
- {init => client}/systemd/ipa-epn.timer.in     |  0
- configure.ac                                  | 24 +++++++++++++++--
- freeipa.spec.in                               | 15 +++++++++++
- init/systemd/Makefile.am                      |  8 +++---
- install/share/Makefile.am                     |  5 ----
- server.m4                                     | 19 -------------
- 12 files changed, 76 insertions(+), 32 deletions(-)
- rename {install => client}/share/expire_msg.template (100%)
- create mode 100644 client/systemd/Makefile.am
- rename {init => client}/systemd/ipa-epn.service.in (100%)
- rename {init => client}/systemd/ipa-epn.timer.in (100%)
-
-#diff --git a/.gitignore b/.gitignore
-#index 6584c3b4f..4cedb1ff2 100644
-#--- a/.gitignore
-#+++ b/.gitignore
-#@@ -94,8 +94,6 @@ freeipa2-dev-doc
-# /init/ipa_memcached
-# /init/systemd/ipa-custodia.service
-# /init/systemd/ipa.service
-#-/init/systemd/ipa-epn.service
-#-/init/systemd/ipa-epn.timer
-# /init/tmpfilesd/ipa.conf
-# 
-# !/install/ui/doc/Makefile.in
-#@@ -116,6 +114,8 @@ freeipa2-dev-doc
-# /client/ipa-getkeytab
-# /client/ipa-join
-# /client/ipa-rmkeytab
-#+/client/systemd/ipa-epn.service
-#+/client/systemd/ipa-epn.timer
-# 
-# /ipaplatform/override.py
-# /ipapython/version.py
-diff --git a/client/Makefile.am b/client/Makefile.am
-index 858a9369e..87da87fcd 100644
---- a/client/Makefile.am
-+++ b/client/Makefile.am
-@@ -95,6 +95,7 @@ SUBDIRS =			\
- 	share		        \
- 	man			\
- 	sysconfig	        \
-+	systemd			\
- 	$(NULL)
- #       init                    
- 
-diff --git a/client/share/Makefile.am b/client/share/Makefile.am
-index 6d4a62d5e..1402a3a9d 100644
---- a/client/share/Makefile.am
-+++ b/client/share/Makefile.am
-@@ -4,3 +4,8 @@ appdir = $(IPA_DATA_DIR)/client
- dist_app_DATA =				\
- 	freeipa.template		\
- 	$(NULL)
-+
-+epnconfdir = $(IPA_SYSCONF_DIR)/epn
-+dist_epnconf_DATA =			\
-+	expire_msg.template	\
-+	$(NULL)
-diff --git a/install/share/expire_msg.template b/client/share/expire_msg.template
-similarity index 100%
-rename from install/share/expire_msg.template
-rename to client/share/expire_msg.template
-diff --git a/client/systemd/Makefile.am b/client/systemd/Makefile.am
-new file mode 100644
-index 000000000..1f591be83
---- /dev/null
-+++ b/client/systemd/Makefile.am
-@@ -0,0 +1,27 @@
-+# This file will be processed with automake-1.7 to create Makefile.in
-+#
-+AUTOMAKE_OPTIONS = 1.7
-+
-+NULL =
-+
-+dist_noinst_DATA = 			\
-+	ipa-epn.service.in		\
-+	ipa-epn.timer.in		\
-+	$(NULL)
-+
-+systemdsystemunit_DATA = 	\
-+	ipa-epn.service			\
-+	ipa-epn.timer		\
-+	$(NULL)
-+
-+CLEANFILES = $(systemdsystemunit_DATA)
-+
-+%: %.in Makefile
-+	sed \
-+		-e 's|@bindir[@]|$(bindir)|g' \
-+		-e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
-+		-e 's|@localstatedir[@]|$(localstatedir)|g' \
-+		-e 's|@sbindir[@]|$(sbindir)|g' \
-+		-e 's|@libexecdir[@]|$(libexecdir)|g' \
-+		-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
-+		'$(srcdir)/$@.in' >$@
-diff --git a/init/systemd/ipa-epn.service.in b/client/systemd/ipa-epn.service.in
-similarity index 100%
-rename from init/systemd/ipa-epn.service.in
-rename to client/systemd/ipa-epn.service.in
-diff --git a/init/systemd/ipa-epn.timer.in b/client/systemd/ipa-epn.timer.in
-similarity index 100%
-rename from init/systemd/ipa-epn.timer.in
-rename to client/systemd/ipa-epn.timer.in
-diff --git a/configure.ac b/configure.ac
-index 5ec529088..586b2532a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -220,6 +220,25 @@ AC_ARG_WITH([runstatedir],
-             [runstatedir="/run"])
- AC_SUBST([runstatedir])
- 
-+dnl ---------------------------------------------------------------------------
-+dnl - Check for systemd directories
-+dnl ---------------------------------------------------------------------------
-+
-+PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
-+AC_ARG_WITH([systemdsystemunitdir],
-+            AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
-+               [Directory for systemd service files]),
-+            [systemdsystemunitdir=$with_systemdsystemunitdir],
-+        [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
-+AC_SUBST([systemdsystemunitdir])
-+
-+AC_ARG_WITH([systemdtmpfilesdir],
-+            AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
-+               [Directory for systemd-tmpfiles configuration files]),
-+            [systemdtmpfilesdir=$with_systemdtmpfilesdir],
-+        [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
-+AC_SUBST([systemdtmpfilesdir])
-+
- dnl ---------------------------------------------------------------------------
- dnl - Server-only configuration
- dnl ---------------------------------------------------------------------------
-@@ -544,6 +563,7 @@ AC_CONFIG_FILES([
-     client/share/Makefile
-     client/man/Makefile
-     client/sysconfig/Makefile
-+    client/systemd/Makefile
-     contrib/completion/Makefile
-     contrib/Makefile
-     daemons/dnssec/Makefile
-@@ -637,13 +657,13 @@ echo "
-         jslint:                   ${JSLINT}
-         LDAP libs:                ${LDAP_LIBS}
-         OpenSSL crypto libs:      ${CRYPTO_LIBS}
--        KRB5 libs:                ${KRB5_LIBS}"
-+        KRB5 libs:                ${KRB5_LIBS}
-+        systemdsystemunitdir:     ${systemdsystemunitdir}"
- 
- AM_COND_IF([ENABLE_SERVER], [
-     echo "\
-         KRAD libs:                ${KRAD_LIBS}
-         krb5rundir:               ${krb5rundir}
--        systemdsystemunitdir:     ${systemdsystemunitdir}
-         systemdtmpfilesdir:       ${systemdtmpfilesdir}
-         build mode:               server & client"
- ], [
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index cec57e64e..1d8f4e6aa 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -586,6 +586,10 @@ on the machine enrolled into a FreeIPA environment
- %package client-epn
- Summary: Tools to configure Expiring Password Notification in IPA
- Group: System Environment/Base
-+Requires: systemd-units
-+Requires(post): systemd-units
-+Requires(preun): systemd-units
-+Requires(postun): systemd-units
- Requires: %{name}-client = %{version}-%{release}
- 
- %description client-epn
-@@ -1003,6 +1007,17 @@ fi
- # ONLY_CLIENT
- %endif
- 
-+%preun client-epn
-+%systemd_preun ipa-epn.service
-+%systemd_preun ipa-epn.timer
-+
-+%postun client-epn
-+%systemd_postun ipa-epn.service
-+%systemd_postun ipa-epn.timer
-+
-+%post client-epn
-+%systemd_post ipa-epn.service
-+%systemd_post ipa-epn.timer
- 
- %post client
- if [ $1 -gt 1 ] ; then
-diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
-index 5053dbff6..175178787 100644
---- a/init/systemd/Makefile.am
-+++ b/init/systemd/Makefile.am
-@@ -2,17 +2,17 @@
- #
- AUTOMAKE_OPTIONS = 1.7
- 
-+NULL =
-+
- dist_noinst_DATA = 			\
- 	ipa-custodia.service.in		\
- 	ipa.service.in			\
--	ipa-epn.service.in		\
--	ipa-epn.timer.in
-+	$(NULL)
- 
- systemdsystemunit_DATA = 	\
- 	ipa-custodia.service	\
- 	ipa.service				\
--	ipa-epn.service			\
--	ipa-epn.timer
-+	$(NULL)
- 
- CLEANFILES = $(systemdsystemunit_DATA)
- 
-diff --git a/install/share/Makefile.am b/install/share/Makefile.am
-index 496e81288..e95796dfb 100644
---- a/install/share/Makefile.am
-+++ b/install/share/Makefile.am
-@@ -106,8 +106,3 @@ dist_app_DATA =				\
- kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
- dist_kdcproxyconf_DATA =			\
- 	kdcproxy.conf
--
--epnconfdir = $(IPA_SYSCONF_DIR)/epn
--dist_epnconf_DATA =			\
--	expire_msg.template	\
--	$(NULL)
-diff --git a/server.m4 b/server.m4
-index d35823e80..842d599d2 100644
---- a/server.m4
-+++ b/server.m4
-@@ -153,22 +153,3 @@ dnl Check for libverto
- dnl ---------------------------------------------------------------------------
- 
- PKG_CHECK_MODULES([LIBVERTO], [libverto])
--
--dnl ---------------------------------------------------------------------------
--dnl - Check for systemd directories
--dnl ---------------------------------------------------------------------------
--
--PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
--AC_ARG_WITH([systemdsystemunitdir],
--            AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
--               [Directory for systemd service files]),
--            [systemdsystemunitdir=$with_systemdsystemunitdir],
--        [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
--AC_SUBST([systemdsystemunitdir])
--
--AC_ARG_WITH([systemdtmpfilesdir],
--            AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
--               [Directory for systemd-tmpfiles configuration files]),
--            [systemdtmpfilesdir=$with_systemdtmpfilesdir],
--        [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
--AC_SUBST([systemdtmpfilesdir])
--- 
-2.26.2
-
-From 23e2935e5c5cb402dd4f6f44eaa4b013e6a8188a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 22 Jun 2020 16:39:02 +0200
-Subject: [PATCH] EPN: ship the configuration file.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Ship and install /etc/ipa/epn.conf.
-Minor fixes to the associated man page.
-
-Fixes: https://pagure.io/freeipa/issue/8374
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- client/man/epn.conf.5    |  5 ++--
- client/share/Makefile.am |  7 +++++-
- client/share/epn.conf    | 54 ++++++++++++++++++++++++++++++++++++++++
- freeipa.spec.in          |  4 ++-
- 4 files changed, 65 insertions(+), 5 deletions(-)
- create mode 100644 client/share/epn.conf
-
-diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
-index 38e99e25d..14f5dbb75 100644
---- a/client/man/epn.conf.5
-+++ b/client/man/epn.conf.5
-@@ -71,11 +71,10 @@ Specifies the From e-mail address value in the e-mails sent. The default is
- root@localhost. Bounces will be sent here.
- .TP
- .B smtp_delay <milliseconds>
--Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue.
-+Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. The default is 0.
- .TP
- .B mail_from <address>
--Specifies the From: e-mal address value in the e-mails sent. The default is
--noreply@ipadefaultemaildomain. This value can be found by running
-+Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
- .I ipa config-show
- .TP
- .B notify_ttls <list of days>
-diff --git a/client/share/Makefile.am b/client/share/Makefile.am
-index 1402a3a9d..472242e62 100644
---- a/client/share/Makefile.am
-+++ b/client/share/Makefile.am
-@@ -5,7 +5,12 @@ dist_app_DATA =				\
- 	freeipa.template		\
- 	$(NULL)
- 
--epnconfdir = $(IPA_SYSCONF_DIR)/epn
-+epnconfdir = $(IPA_SYSCONF_DIR)
- dist_epnconf_DATA =			\
-+	epn.conf			\
-+	$(NULL)
-+
-+epntemplatedir = $(IPA_SYSCONF_DIR)/epn
-+dist_epntemplate_DATA =			\
- 	expire_msg.template	\
- 	$(NULL)
-diff --git a/client/share/epn.conf b/client/share/epn.conf
-new file mode 100644
-index 000000000..0e590dfc3
---- /dev/null
-+++ b/client/share/epn.conf
-@@ -0,0 +1,54 @@
-+# Global IPA-EPN [0] configuration file.
-+# For a complete explanation of each parameter, see the epn.conf(5)
-+# manual page.
-+# For best results, change no more than a single parameter at a time,
-+# and test if ipa-epn(1) still works as intended, using --dry-run when
-+# it makes sense.
-+#
-+# [0] https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md
-+
-+[global]
-+
-+# Specifies the SMTP server to use. 
-+smtp_server = localhost
-+
-+# Specifies the SMTP port.
-+smtp_port = 25
-+
-+# Specifies the id of the user to authenticate with the SMTP server.
-+# Default None (empty value).
-+# smtp_user =
-+
-+# Specifies the password for the authorized user.
-+# Default None (empty value).
-+# smtp_password =
-+
-+# pecifies the number of seconds to wait for SMTP to respond.
-+smtp_timeout = 60
-+
-+# Specifies the type of secure connection to make. Options are: none,
-+# starttls and ssl.
-+smtp_security = none
-+
-+# Specifies the From e-mail address value in the e-mails sent. Bounces will
-+# be sent here.
-+smtp_admin = root@localhost
-+
-+# Time to wait, in milliseconds, between each e-mail sent to try to avoid
-+# overloading the mail queue.
-+smtp_delay = 0
-+
-+# Specifies the From: e-mail address value in the e-mails sent.
-+# The default when unset is noreply@ipadefaultemaildomain.
-+# This value can be found by running ipa config-show.
-+# mail_from =
-+
-+# The list of days before a password expiration when ipa-epn should notify
-+# a user that their password will soon require a reset.
-+notify_ttls = 28, 14, 7, 3, 1
-+
-+# Set the character set of the message.
-+msg_charset = utf8
-+
-+# Set the message's MIME sub-content type.
-+msg_subtype = plain
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 5bce6f118..8cca99697 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -1387,13 +1387,15 @@ fi
- 
- %files client-epn
- %doc README.md Contributors.txt
-+%dir %{_sysconfdir}/ipa/epn
- %license COPYING
- %{_sbindir}/ipa-epn
- %{_mandir}/man1/ipa-epn.1*
- %{_mandir}/man5/epn.conf.5*
- %attr(644,root,root) %{_unitdir}/ipa-epn.service
- %attr(644,root,root) %{_unitdir}/ipa-epn.timer
--%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
-+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
-+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
- 
- %files -n python3-ipaclient
- %doc README.md Contributors.txt
--- 
-2.26.2
-
-From 3b43950d35f78b28d4edde4fda475b5aa84f4587 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 23 Jun 2020 09:39:02 +0200
-Subject: [PATCH] man pages: fix epn.conf.5 and ipa-epn.1 formatting
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fix formatting issues found with mandoc.
-
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- client/man/epn.conf.5 | 2 +-
- client/man/ipa-epn.1  | 8 ++++----
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
-index 14f5dbb75..df1f0156c 100644
---- a/client/man/epn.conf.5
-+++ b/client/man/epn.conf.5
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@@redhat.com>
- .\"
--.TH "epn.conf" "5" "Apr 28 2020" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages"
- .SH "NAME"
- epn.conf \- Expiring Password Notification configuration file
- .SH "SYNOPSIS"
-diff --git a/client/man/ipa-epn.1 b/client/man/ipa-epn.1
-index 9999ea8ca..124fd4536 100644
---- a/client/man/ipa-epn.1
-+++ b/client/man/ipa-epn.1
-@@ -15,14 +15,14 @@
- .\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
- .\"
- .\"
--.TH "ipa-epn" "1" "Apr 24 2020" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages"
- .SH "NAME"
- ipa\-epn \- Send expiring password nofications
- .SH "SYNOPSIS"
--ipa\-epn \[options\]
-+ipa\-epn \fR[options\fR]
- 
- .SH "DESCRIPTION"
--ipa\-epn provides a method to warn users via email that their IPA account password is about to expire. 
-+ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
- 
- It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case.
- 
-@@ -38,7 +38,7 @@ The \-\-to\-nbdays CLI option can be used to determine the number of notificatio
- 
- If \fB\-\-from\-nbdays\fR is not specified, ipa\-epn will look within a 24\-hour long time range in <number of days> days.
- 
--if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future. 
-+if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
- 
- Together, these two CLI options can be used to determine how many emails would be sent in a specific time in the future.
- 
--- 
-2.26.2
-
-From 2648c218467792e907435eaa5267a0f3457f634f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 23 Jun 2020 13:50:02 +0200
-Subject: [PATCH] ipatests: check that EPN's configuration file is installed.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: https://pagure.io/freeipa/issue/8374
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_integration/test_epn.py | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index 7f56d4bc0..409d588d5 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -209,6 +209,20 @@ class TestEPN(IntegrationTest):
-         cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
-         cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
- 
-+    @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
-+    def test_EPN_config_file(self):
-+        """Check that the EPN configuration file is installed.
-+           https://pagure.io/freeipa/issue/8374
-+        """
-+        epn_conf = "/etc/ipa/epn.conf"
-+        epn_template = "/etc/ipa/epn/expire_msg.template"
-+        cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
-+        assert epn_conf in cmd1.stdout_text
-+        assert epn_template in cmd1.stdout_text
-+        cmd2 = self.master.run_command(["sha256sum", epn_conf])
-+        ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
-+        assert cmd2.stdout_text.find(ck) == 0
-+
-     def test_EPN_smoketest_1(self):
-         """No users except admin. Check --dry-run output.
-            With the default configuration, the result should be an empty list.
--- 
-2.26.2
-
-From 06accac8906f66ebbb31849d6528b39ae006b124 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 24 Jun 2020 23:24:36 +0200
-Subject: [PATCH] ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
-the installed version of freeipa-client-epn is not the built
-one. Temporarily force uninstall/reinstall of this package
-before running the test.
-
-Fixes: https://pagure.io/freeipa/issue/8374
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_integration/test_epn.py | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index 409d588d5..9a9fb17b9 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -209,11 +209,29 @@ class TestEPN(IntegrationTest):
-         cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
-         cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
- 
--    @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
-+    @pytest.mark.skip_if_platform(
-+        "debian", reason="Cannot check installed packages using RPM"
-+    )
-     def test_EPN_config_file(self):
-         """Check that the EPN configuration file is installed.
-            https://pagure.io/freeipa/issue/8374
-         """
-+        # workaround for https://github.com/freeipa/freeipa-pr-ci/issues/378
-+        rpm_q_cmds = [
-+            ["rpm", "-qi", "freeipa-client"],
-+            ["rpm", "-qi", "freeipa-client-epn"],
-+            ["rpm", "-qc", "freeipa-client-epn"],
-+            ["rpm", "-V", "freeipa-client-epn"],
-+            ["rpm", "-qvc", "freeipa-client-epn"],
-+            ["ls", "-l", "/etc/ipa", "/etc/ipa/epn"],
-+        ]
-+        for cmd in rpm_q_cmds:
-+            self.master.run_command(cmd, raiseonerr=False)
-+        tasks.uninstall_packages(self.master, ["*ipa-client-epn"])
-+        tasks.install_packages(self.master, ["*ipa-client-epn"])
-+        for cmd in rpm_q_cmds:
-+            self.master.run_command(cmd, raiseonerr=False)
-+        # end workaround
-         epn_conf = "/etc/ipa/epn.conf"
-         epn_template = "/etc/ipa/epn/expire_msg.template"
-         cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
--- 
-2.26.2
-
diff --git a/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch b/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
new file mode 100644
index 0000000..62e3fef
--- /dev/null
+++ b/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
@@ -0,0 +1,60 @@
+From 6b25cd3241a5609b4d903d5697b8947fab403c90 Mon Sep 17 00:00:00 2001
+From: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
+Date: Wed, 17 Feb 2021 19:43:00 +0530
+Subject: [PATCH] ipatests: error message check in uninstall log for KRA
+
+This test checks that there is no error message in uninstall
+log for KRA instance when IPA was installed with KRA.
+
+related: https://pagure.io/freeipa/issue/8550
+
+Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ .../test_backup_and_restore.py                | 22 ++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
+index f13dfb5cb..6890ef201 100644
+--- a/ipatests/test_integration/test_backup_and_restore.py
++++ b/ipatests/test_integration/test_backup_and_restore.py
+@@ -451,9 +451,11 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
+ 
+             backup_path = tasks.get_backup_dir(self.master)
+ 
+-            self.master.run_command(['ipa-server-install',
+-                                     '--uninstall',
+-                                     '-U'])
++            # check that no error message in uninstall log for KRA instance
++            cmd = self.master.run_command(['ipa-server-install',
++                                           '--uninstall',
++                                           '-U'])
++            assert "failed to uninstall KRA" not in cmd.stderr_text
+ 
+             if reinstall:
+                 tasks.install_master(self.master, setup_dns=True)
+@@ -482,6 +484,20 @@ class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA):
+         """backup, uninstall, reinstall, restore"""
+         self._full_backup_restore_with_vault(reinstall=True)
+ 
++    def test_no_error_message_with_uninstall_ipa_with_kra(self):
++        """Test there is no error message in uninstall log for KRA instance
++
++        There was error message in uninstall log when IPA with KRA was
++        uninstalled. This test check that there is no error message in
++        uninstall log for kra instance.
++
++        related: https://pagure.io/freeipa/issue/8550
++        """
++        cmd = self.master.run_command(['ipa-server-install',
++                                       '--uninstall',
++                                       '-U'])
++        assert "failed to uninstall KRA" not in cmd.stderr_text
++
+ 
+ class TestBackupAndRestoreWithReplica(IntegrationTest):
+     """Regression tests for issues 7234 and 7455
+-- 
+2.29.2
+
diff --git a/SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch b/SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
deleted file mode 100644
index f011db3..0000000
--- a/SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Mon, 15 Jun 2020 18:38:35 -0400
-Subject: [PATCH] Clarify AJP connector creation process
-
-We do two things:
-
- 1. Fix the xpath for AJP connector verification. An AJP connector is
-    one which has protocol="AJP/1.3", NOT one that has port="8009". An
-    AJP connector can exist on any port and port 8009 can have any
-    protocol. Secrets only make sense on AJP connectors, so make the
-    xpath match the existing comment.
-
- 2. Add some background in-line documentation about AJP secret
-    provisioning. This should help future developers understand why this
-    was added to IPA and what limitations there are in what PKI or IPA
-    can do. Most notably, explain why Dogtag can't upgrade the AJP
-    connector to have a secret in the general case.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
-index 42c9db3fb..aa3baeb7c 100644
---- a/ipaserver/install/dogtaginstance.py
-+++ b/ipaserver/install/dogtaginstance.py
-@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
-         doc = server_xml.getroot()
- 
-         # no AJP connector means no need to update anything
--        connectors = doc.xpath('//Connector[@port="8009"]')
-+        connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
-         if len(connectors) == 0:
-             return
- 
--        # AJP connector is set on port 8009. Use non-greedy search to find it
-+        # AJP protocol is at version 1.3. Assume there is only one as
-+        # Dogtag only provisions one.
-         connector = connectors[0]
- 
-         # Detect tomcat version and choose the right option name
-@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
-             rewrite = False
-         else:
-             if oldattr in connector.attrib:
-+                # Sufficiently new Dogtag versions (10.9.0-a2) handle the
-+                # upgrade for us; we need only to ensure that we're not both
-+                # attempting to upgrade server.xml at the same time.
-+                # Hopefully this is guaranteed for us.
-                 self.ajp_secret = connector.attrib[oldattr]
-                 connector.attrib[secretattr] = self.ajp_secret
-                 del connector.attrib[oldattr]
-             else:
--                # Generate password, don't use special chars to not break XML
-+                # Generate password, don't use special chars to not break XML.
-+                #
-+                # If we hit this case, pkispawn was run on an older Dogtag
-+                # version and we're stuck migrating, choosing a password
-+                # ourselves. Dogtag can't generate one randomly because a
-+                # Dogtag administrator might've configured AJP and might
-+                # not be using IPA.
-+                #
-+                # Newer Dogtag versions will generate a random password
-+                # during pkispawn.
-                 self.ajp_secret = ipautil.ipa_generate_password(special=None)
-                 connector.attrib[secretattr] = self.ajp_secret
- 
--- 
-2.26.2
-
-From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 17 Jun 2020 16:00:25 -0400
-Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret
-
-By default, PKI's AJP secret is generated as a 75-bit password. By
-generating it in IPA, we can guarantee the strength of the AJP secret.
-It makes sense to use a stronger AJP secret because it typically
-isn't rotated; access to AJP allows an attacker to impersonate an admin
-while talking to PKI.
-
-Fixes: https://pagure.io/freeipa/issue/8372
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
-Related: https://github.com/dogtagpki/pki/pull/437
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- install/share/ipaca_customize.ini   | 1 +
- install/share/ipaca_default.ini     | 2 ++
- ipaserver/install/dogtaginstance.py | 4 +++-
- 3 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
-index 6d58579af..948734241 100644
---- a/install/share/ipaca_customize.ini
-+++ b/install/share/ipaca_customize.ini
-@@ -12,6 +12,7 @@
- #
- # Predefined variables
- #  - ipa_ca_subject
-+#  - ipa_ajp_secret
- #  - ipa_fqdn
- #  - ipa_subject_base
- #  - pki_admin_password
-diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
-index 2b9900286..a51256116 100644
---- a/install/share/ipaca_default.ini
-+++ b/install/share/ipaca_default.ini
-@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
- 
- ## dynamic values
- # ipa_ca_subject=
-+# ipa_ajp_secret=
- # ipa_subject_base=
- # ipa_fqdn=
- # ipa_ocsp_uri=
-@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
- pki_replication_password=
- 
- pki_enable_proxy=True
-+pki_ajp_secret=%(ipa_ajp_secret)s
- pki_restart_configured_instance=False
- pki_security_domain_hostname=%(ipa_fqdn)s
- pki_security_domain_https_port=443
-diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
-index aa3baeb7c..361d80a8c 100644
---- a/ipaserver/install/dogtaginstance.py
-+++ b/ipaserver/install/dogtaginstance.py
-@@ -840,7 +840,9 @@ class PKIIniLoader:
-             pki_subsystem_type=subsystem.lower(),
-             home_dir=os.path.expanduser("~"),
-             # for softhsm2 testing
--            softhsm2_so=paths.LIBSOFTHSM2_SO
-+            softhsm2_so=paths.LIBSOFTHSM2_SO,
-+            # Configure a more secure AJP password by default
-+            ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
-         )
- 
-     @classmethod
--- 
-2.26.2
-
diff --git a/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch b/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
new file mode 100644
index 0000000..151805c
--- /dev/null
+++ b/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
@@ -0,0 +1,119 @@
+From 6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1 Mon Sep 17 00:00:00 2001
+From: Sergey Orlov <sorlov@redhat.com>
+Date: Tue, 16 Feb 2021 12:32:55 +0100
+Subject: [PATCH] ipatests: skip tests for AD trust with shared secret in FIPS
+ mode
+
+Related to https://pagure.io/freeipa/issue/8715
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipatests/test_integration/test_trust.py | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 3e522617d..c8a348212 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -5,6 +5,7 @@ from __future__ import absolute_import
+ import re
+ import textwrap
+ import time
++import functools
+ 
+ import pytest
+ 
+@@ -13,6 +14,7 @@ from ipaplatform.paths import paths
+ 
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.pytest_ipa.integration import tasks
++from ipatests.pytest_ipa.integration import fips
+ from ipapython.dn import DN
+ from collections import namedtuple
+ from contextlib import contextmanager
+@@ -20,6 +22,18 @@ from contextlib import contextmanager
+ TestDataRule = namedtuple('TestDataRule',
+                           ['name', 'ruletype', 'user', 'subject'])
+ 
++
++def skip_in_fips_mode_due_to_issue_8715(test_method):
++    @functools.wraps(test_method)
++    def wrapper(instance):
++        if fips.is_fips_enabled(instance.master):
++            pytest.skip('Skipping in FIPS mode due to '
++                        'https://pagure.io/freeipa/issue/8715')
++        else:
++            test_method(instance)
++    return wrapper
++
++
+ class BaseTestTrust(IntegrationTest):
+     num_clients = 1
+     topology = 'line'
+@@ -751,6 +765,7 @@ class TestTrust(BaseTestTrust):
+ 
+     # Test for one-way forest trust with shared secret
+ 
++    @skip_in_fips_mode_due_to_issue_8715
+     def test_establish_forest_trust_with_shared_secret(self):
+         tasks.configure_dns_for_trust(self.master, self.ad)
+         tasks.configure_windows_dns_for_trust(self.ad, self.master)
+@@ -775,6 +790,7 @@ class TestTrust(BaseTestTrust):
+         tasks.establish_trust_with_ad(
+             self.master, self.ad_domain, shared_secret=self.shared_secret)
+ 
++    @skip_in_fips_mode_due_to_issue_8715
+     def test_trustdomains_found_in_forest_trust_with_shared_secret(self):
+         result = self.master.run_command(
+             ['ipa', 'trust-fetch-domains', self.ad.domain.name],
+@@ -783,6 +799,7 @@ class TestTrust(BaseTestTrust):
+         self.check_trustdomains(
+             self.ad_domain, [self.ad_domain, self.ad_subdomain])
+ 
++    @skip_in_fips_mode_due_to_issue_8715
+     def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self):
+         """Check that user has SID-generated UID"""
+         # Using domain name since it is lowercased realm name for AD domains
+@@ -801,6 +818,7 @@ class TestTrust(BaseTestTrust):
+         assert re.search(
+             testuser_regex, result.stdout_text), result.stdout_text
+ 
++    @skip_in_fips_mode_due_to_issue_8715
+     def test_remove_forest_trust_with_shared_secret(self):
+         ps_cmd = (
+             '[System.DirectoryServices.ActiveDirectory.Forest]'
+@@ -823,6 +841,7 @@ class TestTrust(BaseTestTrust):
+ 
+     # Test for one-way external trust with shared secret
+ 
++    @skip_in_fips_mode_due_to_issue_8715
+     def test_establish_external_trust_with_shared_secret(self):
+         tasks.configure_dns_for_trust(self.master, self.ad)
+         tasks.configure_windows_dns_for_trust(self.ad, self.master)
+@@ -838,6 +857,7 @@ class TestTrust(BaseTestTrust):
+             self.master, self.ad_domain, shared_secret=self.shared_secret,
+             extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
+ 
++    @skip_in_fips_mode_due_to_issue_8715
+     def test_trustdomains_found_in_external_trust_with_shared_secret(self):
+         result = self.master.run_command(
+             ['ipa', 'trust-fetch-domains', self.ad.domain.name],
+@@ -846,6 +866,7 @@ class TestTrust(BaseTestTrust):
+         self.check_trustdomains(
+             self.ad_domain, [self.ad_domain])
+ 
++    @skip_in_fips_mode_due_to_issue_8715
+     def test_user_uid_resolution_in_external_trust_with_shared_secret(self):
+         """Check that user has SID-generated UID"""
+         # Using domain name since it is lowercased realm name for AD domains
+@@ -864,6 +885,7 @@ class TestTrust(BaseTestTrust):
+         assert re.search(
+             testuser_regex, result.stdout_text), result.stdout_text
+ 
++    @skip_in_fips_mode_due_to_issue_8715
+     def test_remove_external_trust_with_shared_secret(self):
+         self.ad.run_command(
+             ['netdom.exe', 'trust', self.master.domain.name,
+-- 
+2.29.2
+
diff --git a/SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch b/SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch
deleted file mode 100644
index f87b301..0000000
--- a/SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From a090b429fda35c5a9c3cfb672ab42a5985d00ff9 Mon Sep 17 00:00:00 2001
-From: Petr Vobornik <pvoborni@redhat.com>
-Date: Mon, 8 Jun 2020 19:27:30 +0200
-Subject: [PATCH] baseuser: fix ipanthomedirectorydrive option name
-
-It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
-
-This fixes showing the field in Web UI and also should fix CLI as it
-probably never worked.
-
-Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- API.txt                       | 8 ++++----
- ipaserver/plugins/baseuser.py | 2 +-
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/API.txt b/API.txt
-index 5354a33a0..300b3d9b1 100644
---- a/API.txt
-+++ b/API.txt
-@@ -5085,7 +5085,7 @@ option: Str('in_role*', cli_name='in_roles')
- option: Str('in_sudorule*', cli_name='in_sudorules')
- option: Str('initials?', autofill=False)
- option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
--option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
-+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
- option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
- option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
- option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
-@@ -5147,7 +5147,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
- option: Str('homedirectory?', autofill=False, cli_name='homedir')
- option: Str('initials?', autofill=False)
- option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
--option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
-+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
- option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
- option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
- option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
-@@ -6185,7 +6185,7 @@ option: Str('in_role*', cli_name='in_roles')
- option: Str('in_sudorule*', cli_name='in_sudorules')
- option: Str('initials?', autofill=False)
- option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
--option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
-+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
- option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
- option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
- option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
-@@ -6250,7 +6250,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
- option: Str('homedirectory?', autofill=False, cli_name='homedir')
- option: Str('initials?', autofill=False)
- option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
--option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
-+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
- option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
- option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
- option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
-diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
-index a0ed65874..e1b7763f0 100644
---- a/ipaserver/plugins/baseuser.py
-+++ b/ipaserver/plugins/baseuser.py
-@@ -420,7 +420,7 @@ class baseuser(LDAPObject):
-             label=_('SMB Home Directory'),
-             flags=['no_create'],
-             ),
--        StrEnum('ipanthomedirectoryrive?',
-+        StrEnum('ipanthomedirectorydrive?',
-                 cli_name='smb_home_drive',
-                 label=_('SMB Home Directory Drive'),
-                 flags=['no_create'],
--- 
-2.26.2
-
-From 691b3cddb275821630f443f22706fa75e7c7a5c8 Mon Sep 17 00:00:00 2001
-From: Petr Vobornik <pvoborni@redhat.com>
-Date: Mon, 8 Jun 2020 19:11:33 +0200
-Subject: [PATCH] webui: hide user attributes for SMB services section if empty
-
-This section should be hidded if user object hasn't ipantuserattrs
-object class. I.e. when trusts are not enabled.
-
-Web UI framework already supports hidding of sections if the
-section contains no visible field. So to achieve it we simply needs
-to hide the fields. Given that attributelevelrights
-contains rights only for attributes of current object classes, all
-of these are regarded as not writable.
-
-We can leverage feature of input_widget that it gets hidden
-when the attribute is not writable and has no value and widget's
-"hidden_if_empty" is set to true. Thus doing it here.
-
-For this to work, it is also required to fix an issue with
-"ipanthomedirectorydrive" which is optional (in API) but Web UI
-doesn't offer "empty" ("") value. Adding it here.
-
-fixes: https://pagure.io/freeipa/issue/8336
-
-Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
-Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- install/ui/src/freeipa/user.js | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
-index fb626f2a1..8f1f5cd85 100644
---- a/install/ui/src/freeipa/user.js
-+++ b/install/ui/src/freeipa/user.js
-@@ -367,36 +367,39 @@ return {
-                 {
-                     name: 'smb_attributes',
-                     label: '@i18n:objects.smb_attributes.title',
--                    show_cond: ['oc_ipantuserattrs'],
-                     fields: [{
-                             name: 'ipantlogonscript',
-                             tooltip: {
-                                 title: '@i18n:objects.smb_attributes.ipantlogonscript_tooltip'
--                            }
-+                            },
-+                            hidden_if_empty: true
-                         },
-                         {
-                             name: 'ipantprofilepath',
-                             tooltip: {
-                                 title: '@i18n:objects.smb_attributes.ipantprofilepath_tooltip'
--                            }
-+                            },
-+                            hidden_if_empty: true
-                         },
-                         {
-                             name: 'ipanthomedirectory',
-                             tooltip: {
-                                 title: '@i18n:objects.smb_attributes.ipanthomedirectory_tooltip'
--                            }
-+                            },
-+                            hidden_if_empty: true
-                         },
-                         {
-                             name: 'ipanthomedirectorydrive',
-                             $type: 'select',
-                             options: IPA.create_options([
--                                'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:',
--                                'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
--                                'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
-+                                '', 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:',
-+                                'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:',
-+                                'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
-                             ]),
-                             tooltip: {
-                                 title: '@i18n:objects.smb_attributes.ipanthomedirectorydrive_tooltip'
--                            }
-+                            },
-+                            hidden_if_empty: true
-                         }
-                     ]
-                 }
-@@ -482,7 +485,6 @@ return {
-                     IPA.user.self_service_other_user_evaluator,
-                     IPA.user.preserved_user_evaluator,
-                     IPA.user.is_locked_evaluator,
--                    IPA.object_class_evaluator,
-                     IPA.cert.certificate_evaluator
-                 ],
-                 summary_conditions: [
--- 
-2.26.2
-
diff --git a/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch b/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
new file mode 100644
index 0000000..fe28854
--- /dev/null
+++ b/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
@@ -0,0 +1,347 @@
+From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 3 Feb 2021 15:52:05 -0500
+Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname
+
+The nickname of the 389-ds certificate was hardcoded as
+Server-Cert which failed if the user had installed a
+third-party certificate using ipa-server-certinstall.
+
+Instead pull the nickname from the DS configuration and
+retrieve it based on that.
+
+https://pagure.io/freeipa/issue/8600
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
+index 2f2c15613..29af89cd5 100644
+--- a/ipaserver/install/ipa_cert_fix.py
++++ b/ipaserver/install/ipa_cert_fix.py
+@@ -203,9 +203,12 @@ def expired_ipa_certs(now):
+         certs.append((IPACertType.HTTPS, cert))
+ 
+     # LDAPS
+-    ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
++    serverid = realm_to_serverid(api.env.realm)
++    ds = dsinstance.DsInstance(realm_name=api.env.realm)
++    ds_dbdir = dsinstance.config_dirname(serverid)
++    ds_nickname = ds.get_server_cert_nickname(serverid)
+     db = NSSDatabase(nssdir=ds_dbdir)
+-    cert = db.get_cert('Server-Cert')
++    cert = db.get_cert(ds_nickname)
+     if cert.not_valid_after <= now:
+         certs.append((IPACertType.LDAPS, cert))
+ 
+@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs):
+         elif certtype is IPACertType.HTTPS:
+             shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
+         elif certtype is IPACertType.LDAPS:
+-            ds_dbdir = dsinstance.config_dirname(
+-                realm_to_serverid(api.env.realm))
++            serverid = realm_to_serverid(api.env.realm)
++            ds = dsinstance.DsInstance(realm_name=api.env.realm)
++            ds_dbdir = dsinstance.config_dirname(serverid)
+             db = NSSDatabase(nssdir=ds_dbdir)
+-            db.delete_cert('Server-Cert')
+-            db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
++            ds_nickname = ds.get_server_cert_nickname(serverid)
++            db.delete_cert(ds_nickname)
++            db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
+         elif certtype is IPACertType.KDC:
+             shutil.copyfile(cert_path, paths.KDC_CERT)
+ 
+-- 
+2.29.2
+
+From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 4 Feb 2021 08:25:48 -0500
+Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix
+
+ipa-cert-fix was hardcoded to use Server-Cert as the nickname
+so would fail if a third-party certificate was installed for DS.
+
+https://pagure.io/freeipa/issue/8600
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ .../test_integration/test_ipa_cert_fix.py     | 57 +++++++++++++++++++
+ 1 file changed, 57 insertions(+)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index 2f7de5526..f9e5fe6e2 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -11,6 +11,17 @@ import time
+ from ipaplatform.paths import paths
+ from ipatests.pytest_ipa.integration import tasks
+ from ipatests.test_integration.base import IntegrationTest
++from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
++
++
++def server_install_teardown(func):
++    def wrapped(*args):
++        master = args[0].master
++        try:
++            func(*args)
++        finally:
++            ipa_certs_cleanup(master)
++    return wrapped
+ 
+ 
+ class TestIpaCertFix(IntegrationTest):
+@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest):
+             else:
+                 # timeout
+                 raise AssertionError('Timeout: Failed to renew all the certs')
++
++
++class TestIpaCertFixThirdParty(CALessBase):
++    """
++    Test that ipa-cert-fix works with an installation with custom certs.
++    """
++
++    @classmethod
++    def install(cls, mh):
++        cls.nickname = 'ca1/server'
++
++        super(TestIpaCertFixThirdParty, cls).install(mh)
++        tasks.install_master(cls.master, setup_dns=True)
++
++    @server_install_teardown
++    def test_third_party_certs(self):
++        self.create_pkcs12(self.nickname,
++                           password=self.cert_password,
++                           filename='server.p12')
++        self.prepare_cacert('ca1')
++
++        # We have a chain length of one. If this is extended then the
++        # additional cert names will need to be calculated.
++        nick_chain = self.nickname.split('/')
++        ca_cert = '%s.crt' % nick_chain[0]
++
++        # Add the CA to the IPA store
++        self.copy_cert(self.master, ca_cert)
++        self.master.run_command(['ipa-cacert-manage', 'install', ca_cert])
++
++        # Apply the new cert chain otherwise ipa-server-certinstall will fail
++        self.master.run_command(['ipa-certupdate'])
++
++        # Install the updated certs and restart the world
++        self.copy_cert(self.master, 'server.p12')
++        args = ['ipa-server-certinstall',
++                '-p', self.master.config.dirman_password,
++                '--pin', self.master.config.admin_password,
++                '-d', 'server.p12']
++        self.master.run_command(args)
++        self.master.run_command(['ipactl', 'restart',])
++
++        # Run ipa-cert-fix. This is basically a no-op but tests that
++        # the DS nickname is used and not a hardcoded value.
++        result = self.master.run_command(['ipa-cert-fix', '-v'],)
++        assert self.nickname in result.stderr_text
+-- 
+2.29.2
+
+From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 5 Feb 2021 09:00:54 -0500
+Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
+
+Related: https://github.com/dogtagpki/pki/issues/3387
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ freeipa.spec.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 93e473ac4..0e261285b 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -128,11 +128,11 @@
+ %if 0%{?rhel} == 8
+ # PKIConnection has been modified to always validate certs.
+ # https://pagure.io/freeipa/issue/8379
+-%global pki_version 10.9.0-0.4
++%global pki_version 10.10.4-1
+ %else
+ # New KRA profile, ACME support
+ # https://pagure.io/freeipa/issue/8545
+-%global pki_version 10.10.0-2
++%global pki_version 10.10.3-1
+ %endif
+ 
+ # RHEL 8.3+, F32+ has 0.79.13
+-- 
+2.29.2
+
+From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 10 Feb 2021 16:07:13 -0500
+Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix
+
+If the Apache, 389-ds or KDC certificate was issued by
+a third party there is nothing we can do, regardless of
+whether it is expired or not.
+
+Report which certificates will not be renewed so the
+admin can manually do do (likely in the event of a
+third-party certificate).
+
+https://pagure.io/freeipa/issue/8600
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------
+ 1 file changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
+index 29af89cd5..210cf80f1 100644
+--- a/ipaserver/install/ipa_cert_fix.py
++++ b/ipaserver/install/ipa_cert_fix.py
+@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS
+ from ipapython.dn import DN
+ from ipapython.ipaldap import realm_to_serverid
+ from ipaserver.install import ca, cainstance, dsinstance
++from ipaserver.install.certs import is_ipa_issued_cert
+ from ipapython import directivesetter
+ from ipapython import ipautil
+ 
+@@ -104,6 +105,13 @@ class IPACertFix(AdminTool):
+ 
+         api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
+         api.finalize()
++
++        if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
++            print(
++                "The LDAP server is not running; cannot proceed."
++            )
++            return 1
++
+         api.Backend.ldap2.connect()  # ensure DS is up
+ 
+         subject_base = dsinstance.DsInstance().find_subject_base()
+@@ -113,7 +121,7 @@ class IPACertFix(AdminTool):
+         ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
+ 
+         now = datetime.datetime.now() + datetime.timedelta(weeks=2)
+-        certs, extra_certs = expired_certs(now)
++        certs, extra_certs, non_renewed = expired_certs(now)
+ 
+         if not certs and not extra_certs:
+             print("Nothing to do.")
+@@ -121,7 +129,7 @@ class IPACertFix(AdminTool):
+ 
+         print(msg)
+ 
+-        print_intentions(certs, extra_certs)
++        print_intentions(certs, extra_certs, non_renewed)
+ 
+         response = ipautil.user_input('Enter "yes" to proceed')
+         if response.lower() != 'yes':
+@@ -133,7 +141,10 @@ class IPACertFix(AdminTool):
+             fix_certreq_directives(certs)
+             run_cert_fix(certs, extra_certs)
+         except ipautil.CalledProcessError:
+-            if any(x[0] is IPACertType.LDAPS for x in extra_certs):
++            if any(
++                x[0] is IPACertType.LDAPS
++                for x in extra_certs + non_renewed
++            ):
+                 # The DS cert was expired.  This will cause
+                 # 'pki-server cert-fix' to fail at the final
+                 # restart.  Therefore ignore the CalledProcessError
+@@ -152,13 +163,15 @@ class IPACertFix(AdminTool):
+             print("Becoming renewal master.")
+             cainstance.CAInstance().set_renewal_master()
+ 
++        print("Restarting IPA")
+         ipautil.run(['ipactl', 'restart'], raiseonerr=True)
+ 
+         return 0
+ 
+ 
+ def expired_certs(now):
+-    return expired_dogtag_certs(now), expired_ipa_certs(now)
++    expired_ipa, non_renew_ipa = expired_ipa_certs(now)
++    return expired_dogtag_certs(now), expired_ipa, non_renew_ipa
+ 
+ 
+ def expired_dogtag_certs(now):
+@@ -191,6 +204,7 @@ def expired_ipa_certs(now):
+ 
+     """
+     certs = []
++    non_renewed = []
+ 
+     # IPA RA
+     cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
+@@ -200,7 +214,10 @@ def expired_ipa_certs(now):
+     # Apache HTTPD
+     cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
+     if cert.not_valid_after <= now:
+-        certs.append((IPACertType.HTTPS, cert))
++        if not is_ipa_issued_cert(api, cert):
++            non_renewed.append((IPACertType.HTTPS, cert))
++        else:
++            certs.append((IPACertType.HTTPS, cert))
+ 
+     # LDAPS
+     serverid = realm_to_serverid(api.env.realm)
+@@ -210,18 +227,24 @@ def expired_ipa_certs(now):
+     db = NSSDatabase(nssdir=ds_dbdir)
+     cert = db.get_cert(ds_nickname)
+     if cert.not_valid_after <= now:
+-        certs.append((IPACertType.LDAPS, cert))
++        if not is_ipa_issued_cert(api, cert):
++            non_renewed.append((IPACertType.LDAPS, cert))
++        else:
++            certs.append((IPACertType.LDAPS, cert))
+ 
+     # KDC
+     cert = x509.load_certificate_from_file(paths.KDC_CERT)
+     if cert.not_valid_after <= now:
+-        certs.append((IPACertType.KDC, cert))
++        if not is_ipa_issued_cert(api, cert):
++            non_renewed.append((IPACertType.HTTPS, cert))
++        else:
++            certs.append((IPACertType.KDC, cert))
+ 
+-    return certs
++    return certs, non_renewed
+ 
+ 
+-def print_intentions(dogtag_certs, ipa_certs):
+-    print("The following certificates will be renewed: ")
++def print_intentions(dogtag_certs, ipa_certs, non_renewed):
++    print("The following certificates will be renewed:")
+     print()
+ 
+     for certid, cert in dogtag_certs:
+@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs):
+     for certtype, cert in ipa_certs:
+         print_cert_info("IPA", certtype.value, cert)
+ 
++    if non_renewed:
++        print(
++            "The following certificates will NOT be renewed because "
++            "they were not issued by the IPA CA:"
++        )
++        print()
++
++        for certtype, cert in non_renewed:
++            print_cert_info("IPA", certtype.value, cert)
++
+ 
+ def print_cert_info(context, desc, cert):
+     print("{} {} certificate:".format(context, desc))
+-- 
+2.29.2
+
diff --git a/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch b/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
new file mode 100644
index 0000000..ed56ec8
--- /dev/null
+++ b/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
@@ -0,0 +1,135 @@
+From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001
+From: Sergey Orlov <sorlov@redhat.com>
+Date: Wed, 17 Feb 2021 16:48:33 +0100
+Subject: [PATCH] ipatests: test Samba mount with NTLM authentication
+
+Related to https://pagure.io/freeipa/issue/8636
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipatests/pytest_ipa/integration/__init__.py | 17 ++++++
+ ipatests/test_integration/test_smb.py       | 63 +++++++++++++++++++++
+ 2 files changed, 80 insertions(+)
+
+diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py
+index 55291ae8b..f62b667bd 100644
+--- a/ipatests/pytest_ipa/integration/__init__.py
++++ b/ipatests/pytest_ipa/integration/__init__.py
+@@ -28,12 +28,14 @@ import os
+ import tempfile
+ import shutil
+ import re
++import functools
+ 
+ import pytest
+ from pytest_multihost import make_multihost_fixture
+ 
+ from ipapython import ipautil
+ from ipaplatform.paths import paths
++from . import fips
+ from .config import Config
+ from .env_config import get_global_config
+ from . import tasks
+@@ -478,3 +480,18 @@ def del_compat_attrs(cls):
+         del cls.ad_subdomains
+         del cls.ad_treedomains
+     del cls.ad_domains
++
++
++def skip_if_fips(reason='Not supported in FIPS mode', host='master'):
++    if callable(reason):
++        raise TypeError('Invalid decorator usage, add "()"')
++
++    def decorator(test_method):
++        @functools.wraps(test_method)
++        def wrapper(instance, *args, **kwargs):
++            if fips.is_fips_enabled(getattr(instance, host)):
++                pytest.skip(reason)
++            else:
++                test_method(instance, *args, **kwargs)
++        return wrapper
++    return decorator
+diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
+index 37725ab15..749a96325 100644
+--- a/ipatests/test_integration/test_smb.py
++++ b/ipatests/test_integration/test_smb.py
+@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.pytest_ipa.integration import tasks
+ from ipaplatform.osinfo import osinfo
+ from ipaplatform.paths import paths
++from ipatests.pytest_ipa.integration import skip_if_fips
+ 
+ 
+ def wait_smbd_functional(host):
+@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):
+         finally:
+             self.cleanup_mount(mountpoint)
+ 
++    def check_repeated_smb_mount(self, options):
++        mountpoint = '/mnt/smb'
++        unc = '//{}/homes'.format(self.smbserver.hostname)
++        test_file = 'ntlm_test'
++        test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)
++        test_file_client_path = '{}/{}'.format(mountpoint, test_file)
++
++        self.smbclient.run_command(['mkdir', '-p', mountpoint])
++        self.smbserver.put_file_contents(test_file_server_path, '')
++        try:
++            for i in [1, 2]:
++                res = self.smbclient.run_command([
++                    'mount', '-t', 'cifs', unc, mountpoint, '-o', options],
++                    raiseonerr=False)
++                assert res.returncode == 0, (
++                    'Mount failed at iteration {}. Output: {}'
++                    .format(i, res.stdout_text + res.stderr_text))
++                assert self.smbclient.transport.file_exists(
++                    test_file_client_path)
++                self.smbclient.run_command(['umount', mountpoint])
++        finally:
++            self.cleanup_mount(mountpoint)
++            self.smbserver.run_command(['rm', '-f', test_file_server_path])
++
++    @skip_if_fips()
++    def test_ntlm_authentication_with_auto_domain(self):
++        """Repeatedly try to authenticate with username and password with
++        automatic domain discovery.
++
++        This is a regression test for https://pagure.io/freeipa/issue/8636
++        """
++        tasks.kdestroy_all(self.smbclient)
++
++        mount_options = 'user={user},pass={password},domainauto'.format(
++            user=self.ipa_user1,
++            password=self.ipa_user1_password
++        )
++
++        self.check_repeated_smb_mount(mount_options)
++
++    @skip_if_fips()
++    def test_ntlm_authentication_with_upn_with_lowercase_domain(self):
++        tasks.kdestroy_all(self.smbclient)
++
++        mount_options = 'user={user}@{domain},pass={password}'.format(
++            user=self.ipa_user1,
++            password=self.ipa_user1_password,
++            domain=self.master.domain.name.lower()
++        )
++        self.check_repeated_smb_mount(mount_options)
++
++    @skip_if_fips()
++    def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
++        tasks.kdestroy_all(self.smbclient)
++
++        mount_options = 'user={user}@{domain},pass={password}'.format(
++            user=self.ipa_user1,
++            password=self.ipa_user1_password,
++            domain=self.master.domain.name.upper()
++        )
++        self.check_repeated_smb_mount(mount_options)
++
+     def test_uninstall_samba(self):
+         self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])
+         res = self.smbserver.run_command(
+-- 
+2.29.2
+
diff --git a/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch b/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch
deleted file mode 100644
index b67d1ef..0000000
--- a/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 42dd1628a1211363c860917e474ecc5b9c1fdb84 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Thu, 2 Jul 2020 15:50:00 +0300
-Subject: [PATCH] selinux: allow oddjobd to set up ipa_helper_t context for
- execution
-
-On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
-SELinux policy permission to use 'noatsecure'. This comes most likely
-from execve() setup by glibc.
-
-Add SELinux interface ipa_helper_noatsecure() that can be called by
-oddjob's SELinux policy definition.
-
-In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
-access SELinux configuration and produce AVC for that. Allow reading
-general userspace SELinux configuration.
-
-Fixes: https://pagure.io/freeipa/issue/8395
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.if | 18 ++++++++++++++++++
- selinux/ipa.te |  1 +
- 2 files changed, 19 insertions(+)
-
-diff --git a/selinux/ipa.if b/selinux/ipa.if
-index ea971b8fa..783db8b78 100644
---- a/selinux/ipa.if
-+++ b/selinux/ipa.if
-@@ -419,3 +419,21 @@ ifndef(`dirsrv_systemctl',`
-         ps_process_pattern($1, dirsrv_t)
-     ')
- ')
-+
-+
-+########################################
-+## <summary>
-+##	Allow ipa_helper noatsecure
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ipa_helper_noatsecure',`
-+    gen_require(`
-+	type ipa_helper_t;
-+    ')
-+    allow $1 ipa_helper_t:process { noatsecure };
-+')
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 587e5e585..383979094 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -115,6 +115,7 @@ optional_policy(`
- 
- 
- allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
-+seutil_read_config(ipa_helper_t);
- 
- #kernel bug
- dontaudit ipa_helper_t self:capability2  block_suspend;
--- 
-2.26.2
-
-From 0d70addbbf2a99e7398a518bc98d5fe109469bb5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 3 Jul 2020 17:20:49 +0300
-Subject: [PATCH] selinux: support running ipa-custodia with PrivateTmp=yes
-
-Related: https://pagure.io/freeipa/issue/8395
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 383979094..a3381217a 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -390,3 +390,7 @@ optional_policy(`
- 	sssd_search_lib(ipa_custodia_t)
- 	sssd_stream_connect(ipa_custodia_t)
- ')
-+
-+optional_policy(`
-+       systemd_private_tmp(ipa_custodia_tmp_t)
-+')
--- 
-2.26.2
-
diff --git a/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch b/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch
deleted file mode 100644
index c1c7764..0000000
--- a/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From 128500198d3782a76616cf1d971d5aeb17e8c1da Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Thu, 11 Jun 2020 22:42:38 +1000
-Subject: [PATCH] fix iPAddress cert issuance for >1 host/service
-
-The 'cert_request' command accumulates DNS names from the CSR,
-before checking that all IP addresses in the CSR are reachable from
-those DNS names.  Before adding a DNS name to the set, we check that
-that it corresponds to the FQDN of a known host/service principal
-(including principal aliases).  When a DNS name maps to a
-"alternative" principal (i.e.  not the one given via the 'principal'
-argument), this check was not being performed correctly.
-Specifically, we were looking for the 'krbprincipalname' field on
-the RPC response object directly, instead of its 'result' field.
-
-To resolve the issue, dereference the RPC response to its 'result'
-field before invoking the '_dns_name_matches_principal' subroutine.
-
-Fixes: https://pagure.io/freeipa/issue/8368
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/plugins/cert.py                     |  6 +-
- .../test_cert_request_ip_address.py           | 62 +++++++++++++++++--
- 2 files changed, 61 insertions(+), 7 deletions(-)
-
-diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
-index d353bc3ea..fe7ea34f5 100644
---- a/ipaserver/plugins/cert.py
-+++ b/ipaserver/plugins/cert.py
-@@ -827,13 +827,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
-                 try:
-                     if principal_type == HOST:
-                         alt_principal_obj = api.Command['host_show'](
--                            name, all=True)
-+                            name, all=True)['result']
-                     elif principal_type == KRBTGT:
-                         alt_principal = kerberos.Principal(
-                             (u'host', name), principal.realm)
-                     elif principal_type == SERVICE:
-                         alt_principal_obj = api.Command['service_show'](
--                            alt_principal, all=True)
-+                            alt_principal, all=True)['result']
-                 except errors.NotFound:
-                     # We don't want to issue any certificates referencing
-                     # machines we don't know about. Nothing is stored in this
-@@ -866,7 +866,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
-                         pass
- 
-                     # Now check write access and caacl
--                    altdn = alt_principal_obj['result']['dn']
-+                    altdn = alt_principal_obj['dn']
-                     if not ldap.can_write(altdn, "usercertificate"):
-                         raise errors.ACIError(info=_(
-                             "Insufficient privilege to create a certificate "
-diff --git a/ipatests/test_xmlrpc/test_cert_request_ip_address.py b/ipatests/test_xmlrpc/test_cert_request_ip_address.py
-index bf4de05bf..c0475d30d 100644
---- a/ipatests/test_xmlrpc/test_cert_request_ip_address.py
-+++ b/ipatests/test_xmlrpc/test_cert_request_ip_address.py
-@@ -28,10 +28,16 @@ from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
- from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
- from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
- 
--host_fqdn = f'iptest.{api.env.domain}'
-+host_shortname = 'iptest'
-+host_fqdn = f'{host_shortname}.{api.env.domain}'
- host_princ = f'host/{host_fqdn}'
- host_ptr = f'{host_fqdn}.'
- 
-+host2_shortname = 'iptest2'
-+host2_fqdn = f'{host2_shortname}.{api.env.domain}'
-+host2_princ = f'host/{host2_fqdn}'
-+host2_ptr = f'{host2_fqdn}.'
-+
- other_fqdn = f'other.{api.env.domain}'
- other_ptr = f'{other_fqdn}.'
- 
-@@ -39,6 +45,10 @@ ipv4_address = '169.254.0.42'
- ipv4_revzone_s = '0.254.169.in-addr.arpa.'
- ipv4_revrec_s = '42'
- 
-+host2_ipv4_address = '169.254.0.43'
-+host2_ipv4_revzone_s = '0.254.169.in-addr.arpa.'
-+host2_ipv4_revrec_s = '43'
-+
- ipv6_address = 'fe80::8f18:bdab:4299:95fa'
- ipv6_revzone_s = '0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.'
- ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8'
-@@ -46,7 +56,13 @@ ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8'
- 
- @pytest.fixture(scope='class')
- def host(request, xmlrpc_setup):
--    tr = HostTracker('iptest')
-+    tr = HostTracker(host_shortname)
-+    return tr.make_fixture(request)
-+
-+
-+@pytest.fixture(scope='class')
-+def host2(request, xmlrpc_setup):
-+    tr = HostTracker(host2_shortname)
-     return tr.make_fixture(request)
- 
- 
-@@ -88,6 +104,12 @@ def ipv6_revzone(host):
-     yield from _zone_setup(host, ipv6_revzone_s)
- 
- 
-+@pytest.fixture(scope='class')
-+def host2_ipv4_ptr(host2, ipv4_revzone):
-+    yield from _record_setup(
-+        host2, ipv4_revzone, host2_ipv4_revrec_s, ptrrecord=host2_ptr)
-+
-+
- @pytest.fixture(scope='class')
- def ipv4_ptr(host, ipv4_revzone):
-     yield from _record_setup(
-@@ -100,16 +122,22 @@ def ipv6_ptr(host, ipv6_revzone):
-         host, ipv6_revzone, ipv6_revrec_s, ptrrecord=host_ptr)
- 
- 
-+@pytest.fixture(scope='class')
-+def host2_ipv4_a(host2):
-+    yield from _record_setup(
-+        host2, api.env.domain, host2_shortname, arecord=host2_ipv4_address)
-+
-+
- @pytest.fixture(scope='class')
- def ipv4_a(host):
-     yield from _record_setup(
--        host, api.env.domain, 'iptest', arecord=ipv4_address)
-+        host, api.env.domain, host_shortname, arecord=ipv4_address)
- 
- 
- @pytest.fixture(scope='class')
- def ipv6_aaaa(host):
-     yield from _record_setup(
--        host, api.env.domain, 'iptest', aaaarecord=ipv6_address)
-+        host, api.env.domain, host_shortname, aaaarecord=ipv6_address)
- 
- 
- @pytest.fixture(scope='class')
-@@ -210,6 +238,12 @@ csr_cname2 = csr([
-     x509.DNSName(f'cname2.{api.env.domain}'),
-     x509.IPAddress(ipaddress.ip_address(ipv4_address)),
- ])
-+csr_two_dnsname_two_ip = csr([
-+    x509.DNSName(host_fqdn),
-+    x509.IPAddress(ipaddress.ip_address(ipv4_address)),
-+    x509.DNSName(host2_fqdn),
-+    x509.IPAddress(ipaddress.ip_address(host2_ipv4_address)),
-+])
- 
- 
- @pytest.fixture
-@@ -449,3 +483,23 @@ class TestIPAddressCNAME(XMLRPC_test):
-     def test_two_levels(self, host, csr_cname2):
-         with pytest.raises(errors.ValidationError, match=PAT_FWD):
-             host.run_command('cert_request', csr_cname2, principal=host_princ)
-+
-+
-+@pytest.mark.tier1
-+class TestTwoHostsTwoIPAddresses(XMLRPC_test):
-+    """
-+    Test certificate issuance with CSR containing two hosts
-+    and two IP addresses (one for each host).
-+
-+    """
-+    def test_host_exists(
-+        self, host, host2, ipv4_a, ipv4_ptr, host2_ipv4_a, host2_ipv4_ptr,
-+    ):
-+        # for convenience, this test also establishes the DNS
-+        # record fixtures, which have class scope
-+        host.ensure_exists()
-+        host2.ensure_exists()
-+
-+    def test_issuance(self, host, csr_two_dnsname_two_ip):
-+        host.run_command(
-+            'cert_request', csr_two_dnsname_two_ip, principal=host_princ)
--- 
-2.26.2
-
diff --git a/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch b/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
new file mode 100644
index 0000000..8663740
--- /dev/null
+++ b/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
@@ -0,0 +1,79 @@
+From 20bb855a57080145d0d5555294381c890ef605bb Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Tue, 16 Feb 2021 16:53:24 +0100
+Subject: [PATCH] ipaserver: don't ignore zonemgr option on install
+
+Fix zonemgr option in ipaserver install being
+ignored because of an incorrect condition.
+
+Fixes: https://pagure.io/freeipa/issue/8718
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/install/bindinstance.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 3b446ce76..19941cd00 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -355,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
+         else:
+             update_policy = get_dns_forward_zone_update_policy(api.env.realm)
+ 
+-    if zonemgr is None:
++    if not zonemgr:
+         zonemgr = 'hostmaster.%s' % name
+ 
+     if ns_hostname:
+@@ -682,7 +682,7 @@ class BindInstance(service.Service):
+         self.forward_policy = forward_policy
+         self.reverse_zones = reverse_zones
+ 
+-        if zonemgr is not None:
++        if not zonemgr:
+             self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
+         else:
+             self.zonemgr = normalize_zonemgr(zonemgr)
+-- 
+2.29.2
+
+From 82043e1fd052618608d3b7786473a632478795ee Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Tue, 16 Feb 2021 18:24:26 +0100
+Subject: [PATCH] ipatests: check that zonemgr is set correctly during server
+ install
+
+Add test to check that zonemgr is correctly
+set when installing IPA server.
+
+Related: https://pagure.io/freeipa/issue/8718
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_installation.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index 6e8af024c..18c5bd243 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -1171,6 +1171,13 @@ class TestInstallMasterDNS(IntegrationTest):
+             extra_args=['--zonemgr', 'me@example.org'],
+         )
+ 
++        tasks.kinit_admin(self.master)
++        result = self.master.run_command(
++            ['ipa', 'dnszone-show', self.master.domain.name]
++        ).stdout_text
++
++        assert "Administrator e-mail address: me.example.org" in result
++
+     def test_server_install_lock_bind_recursion(self):
+         """Test if server installer lock Bind9 recursion
+ 
+-- 
+2.29.2
+
diff --git a/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch b/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch
deleted file mode 100644
index 72a73cb..0000000
--- a/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 19 Jun 2020 08:48:56 -0400
-Subject: [PATCH] Specify cert_paths when calling PKIConnection
-
-PKIConnection now defaults to specifying verify=True. We've introduced
-a new parameter, cert_paths, to specify additional paths (directories or
-files) to load as certificates. Specify the IPA CA certificate file so
-we can guarantee connections succeed and validate the peer's certificate.
-
-Point to IPA CA certificate during pkispawn
-
-Bump pki_version to 10.9.0-0.4 (aka -b2)
-
-Fixes: https://pagure.io/freeipa/issue/8379
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
-Related: https://github.com/dogtagpki/pki/pull/443
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- freeipa.spec.in                       |  6 +++---
- install/tools/ipa-pki-wait-running.in |  3 ++-
- ipaserver/install/cainstance.py       |  7 +++++++
- ipaserver/install/dogtaginstance.py   |  3 ++-
- ipaserver/plugins/dogtag.py           | 11 +++++------
- 5 files changed, 19 insertions(+), 11 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 74e752ea5..d00b9d640 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -112,9 +112,9 @@
- # Fedora
- %endif
- 
--# 10.7.3 supports LWCA key replication using AES
--# https://pagure.io/freeipa/issue/8020
--%global pki_version 10.7.3-1
-+# PKIConnection has been modified to always validate certs.
-+# https://pagure.io/freeipa/issue/8379
-+%global pki_version 10.9.0-0.4
- 
- # https://pagure.io/certmonger/issue/90
- %global certmonger_version 0.79.7-1
-diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
-index 69f5ec296..4f0f2f34a 100644
---- a/install/tools/ipa-pki-wait-running.in
-+++ b/install/tools/ipa-pki-wait-running.in
-@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
-     """
-     conn = PKIConnection(
-         hostname=hostname,
--        subsystem=subsystem
-+        subsystem=subsystem,
-+        cert_paths=paths.IPA_CA_CRT
-     )
-     logger.info(
-         "Created connection %s://%s:%s/%s",
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 706bc28cc..9294f1dba 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
-         else:
-             pki_pin = None
- 
-+        # When spawning a CA instance, always point to IPA_CA_CRT if it
-+        # exists. Later, when we're performing step 2 of an external CA
-+        # installation, we'll overwrite this key to point to the real
-+        # external CA.
-+        if os.path.exists(paths.IPA_CA_CRT):
-+            cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
-+
-         if self.clone:
-             if self.no_db_setup:
-                 cfg.update(
-diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
-index 361d80a8c..7e295665c 100644
---- a/ipaserver/install/dogtaginstance.py
-+++ b/ipaserver/install/dogtaginstance.py
-@@ -70,7 +70,8 @@ def get_security_domain():
-     connection = PKIConnection(
-         protocol='https',
-         hostname=api.env.ca_host,
--        port='8443'
-+        port='8443',
-+        cert_paths=paths.IPA_CA_CRT
-     )
-     domain_client = pki.system.SecurityDomainClient(connection)
-     info = domain_client.get_security_domain_info()
-diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
-index 4de26d76f..b300f6b18 100644
---- a/ipaserver/plugins/dogtag.py
-+++ b/ipaserver/plugins/dogtag.py
-@@ -2082,13 +2082,12 @@ class kra(Backend):
-             'https',
-             self.kra_host,
-             str(self.kra_port),
--            'kra')
-+            'kra',
-+            cert_paths=paths.IPA_CA_CRT
-+        )
- 
--        connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
--        # uncomment the following when this commit makes it to release
--        # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
--        # connection.set_authentication_cert(paths.RA_AGENT_PEM,
--        #                                    paths.RA_AGENT_KEY)
-+        connection.set_authentication_cert(paths.RA_AGENT_PEM,
-+                                           paths.RA_AGENT_KEY)
- 
-         try:
-             yield KRAClient(connection, crypto)
--- 
-2.26.2
-
diff --git a/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch b/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
new file mode 100644
index 0000000..0531b15
--- /dev/null
+++ b/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
@@ -0,0 +1,318 @@
+From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Tue, 2 Feb 2021 17:33:57 +0530
+Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs
+
+Test moves system date to expire certs. Then calls ipa-cert-fix
+to renew them. This certs include subsystem, audit-signing,
+OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
+
+related: https://pagure.io/freeipa/issue/7885
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ .../test_integration/test_ipa_cert_fix.py     | 60 +++++++++++++++++++
+ 1 file changed, 60 insertions(+)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index f9e5fe6e2..da68af573 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI.
+ import pytest
+ import time
+ 
++import logging
+ from ipaplatform.paths import paths
+ from ipatests.pytest_ipa.integration import tasks
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+ 
+ 
++logger = logging.getLogger(__name__)
++
++
+ def server_install_teardown(func):
+     def wrapped(*args):
+         master = args[0].master
+@@ -24,6 +28,26 @@ def server_install_teardown(func):
+     return wrapped
+ 
+ 
++def check_status(host, cert_count, state, timeout=600):
++    """Helper method to check that if all the certs are in given state
++    :param host: the host
++    :param cert_count: no of cert to look for
++    :param state: state to check for
++    :param timeout: max time in seconds to wait for the state
++    """
++    for _i in range(0, timeout, 10):
++        result = host.run_command(['getcert', 'list'])
++        count = result.stdout_text.count(f"status: {state}")
++        logger.info("cert count in %s state : %s", state, count)
++        if int(count) == cert_count:
++            break
++        time.sleep(10)
++    else:
++        raise RuntimeError("request timed out")
++
++    return count
++
++
+ class TestIpaCertFix(IntegrationTest):
+     @classmethod
+     def uninstall(cls, mh):
+@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest):
+                 # timeout
+                 raise AssertionError('Timeout: Failed to renew all the certs')
+ 
++    def test_renew_expired_cert_on_master(self, expire_cert_critical):
++        """Test if ipa-cert-fix renews expired certs
++
++        Test moves system date to expire certs. Then calls ipa-cert-fix
++        to renew them. This certs include subsystem, audit-signing,
++        OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
++
++        related: https://pagure.io/freeipa/issue/7885
++        """
++        # wait for cert expiry
++        check_status(self.master, 8, "CA_UNREACHABLE")
++
++        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
++
++        check_status(self.master, 9, "MONITORING")
++
++        # second iteration of ipa-cert-fix
++        result = self.master.run_command(
++            ['ipa-cert-fix', '-v'],
++            stdin_text='yes\n'
++        )
++        assert "Nothing to do" in result.stdout_text
++        check_status(self.master, 9, "MONITORING")
++
++    def test_ipa_cert_fix_non_ipa(self):
++        """Test ipa-cert-fix doesn't work on non ipa system
++
++        ipa-cert-fix tool should not work on non ipa system.
++
++        related: https://pagure.io/freeipa/issue/7885
++        """
++        result = self.master.run_command(['ipa-cert-fix', '-v'],
++                                         stdin_text='yes\n',
++                                         raiseonerr=False)
++        assert result.returncode == 2
++
+ 
+ class TestIpaCertFixThirdParty(CALessBase):
+     """
+-- 
+2.29.2
+
+From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 11 Feb 2021 16:54:22 +0530
+Subject: [PATCH] Move fixture outside the class and add setup_kra capability
+
+Moved fixture to use across multiple classes. Added capability
+to install the KRA to the fixture
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ .../test_integration/test_ipa_cert_fix.py     | 46 ++++++++++++-------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index da68af573..591dc5031 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600):
+     return count
+ 
+ 
++@pytest.fixture
++def expire_cert_critical():
++    """
++    Fixture to expire the certs by moving the system date using
++    date -s command and revert it back
++    """
++
++    hosts = dict()
++
++    def _expire_cert_critical(host, setup_kra=False):
++        hosts['host'] = host
++        # Do not install NTP as the test plays with the date
++        tasks.install_master(host, setup_dns=False,
++                             extra_args=['--no-ntp'])
++        if setup_kra:
++            tasks.install_kra(host)
++        host.run_command(['systemctl', 'stop', 'chronyd'])
++        host.run_command(['date', '-s', '+3Years+1day'])
++
++    yield _expire_cert_critical
++
++    host = hosts.pop('host')
++    tasks.uninstall_master(host)
++    host.run_command(['date', '-s', '-3Years-1day'])
++    host.run_command(['systemctl', 'start', 'chronyd'])
++
++
+ class TestIpaCertFix(IntegrationTest):
+     @classmethod
+     def uninstall(cls, mh):
+@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest):
+         # the fixture
+         pass
+ 
+-    @pytest.fixture
+-    def expire_cert_critical(self):
+-        """
+-        Fixture to expire the certs by moving the system date using
+-        date -s command and revert it back
+-        """
+-        # Do not install NTP as the test plays with the date
+-        tasks.install_master(self.master, setup_dns=False,
+-                             extra_args=['--no-ntp'])
+-        self.master.run_command(['systemctl', 'stop', 'chronyd'])
+-        self.master.run_command(['date','-s', '+3Years+1day'])
+-        yield
+-        tasks.uninstall_master(self.master)
+-        self.master.run_command(['date','-s', '-3Years-1day'])
+-        self.master.run_command(['systemctl', 'start', 'chronyd'])
+-
+     def test_missing_csr(self, expire_cert_critical):
+         """
+         Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
+@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest):
+         - call getcert resubmit in order to create the CSR in certmonger file
+         - use ipa-cert-fix, no issue should be seen
+         """
++        expire_cert_critical(self.master)
+         # pki must be stopped in order to edit CS.cfg
+         self.master.run_command(['ipactl', 'stop'])
+         self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',
+@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest):
+ 
+         related: https://pagure.io/freeipa/issue/7885
+         """
++        expire_cert_critical(self.master)
++
+         # wait for cert expiry
+         check_status(self.master, 8, "CA_UNREACHABLE")
+ 
+-- 
+2.29.2
+
+From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 11 Feb 2021 16:59:53 +0530
+Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra
+ installed
+
+This test check if ipa-cert-fix renews certs with kra
+certificate installed.
+
+related: https://pagure.io/freeipa/issue/7885
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ .../test_integration/test_ipa_cert_fix.py     | 25 +++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index 591dc5031..b2e92d4dc 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase):
+         # the DS nickname is used and not a hardcoded value.
+         result = self.master.run_command(['ipa-cert-fix', '-v'],)
+         assert self.nickname in result.stderr_text
++
++
++class TestCertFixKRA(IntegrationTest):
++    @classmethod
++    def uninstall(cls, mh):
++        # Uninstall method is empty as the uninstallation is done in
++        # the fixture
++        pass
++
++    def test_renew_expired_cert_with_kra(self, expire_cert_critical):
++        """Test if ipa-cert-fix renews expired certs with kra installed
++
++        This test check if ipa-cert-fix renews certs with kra
++        certificate installed.
++
++        related: https://pagure.io/freeipa/issue/7885
++        """
++        expire_cert_critical(self.master, setup_kra=True)
++
++        # check if all subsystem cert expired
++        check_status(self.master, 11, "CA_UNREACHABLE")
++
++        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
++
++        check_status(self.master, 12, "MONITORING")
+-- 
+2.29.2
+
+From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Tue, 2 Mar 2021 11:42:36 +0530
+Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml         | 2 +-
+ ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +-
+ ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml       | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+index ebd539246..8a88698eb 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+@@ -1687,5 +1687,5 @@ jobs:
+         build_url: '{fedora-latest-ipa-4-9/build_url}'
+         test_suite: test_integration/test_ipa_cert_fix.py
+         template: *ci-ipa-4-9-latest
+-        timeout: 3600
++        timeout: 7200
+         topology: *master_1repl
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+index d4b597d6e..14f0c4292 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+@@ -1821,5 +1821,5 @@ jobs:
+         selinux_enforcing: True
+         test_suite: test_integration/test_ipa_cert_fix.py
+         template: *ci-ipa-4-9-latest
+-        timeout: 3600
++        timeout: 7200
+         topology: *master_1repl
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+index 1fd589e6a..b7f8d2b3e 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+@@ -1687,5 +1687,5 @@ jobs:
+         build_url: '{fedora-previous-ipa-4-9/build_url}'
+         test_suite: test_integration/test_ipa_cert_fix.py
+         template: *ci-ipa-4-9-previous
+-        timeout: 3600
++        timeout: 7200
+         topology: *master_1repl
+-- 
+2.29.2
+
diff --git a/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch b/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch
deleted file mode 100644
index c94ebee..0000000
--- a/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d83b760d1f76a3ba8e527dd27551e51a600b22c0 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Wed, 15 Jul 2020 10:23:35 +0200
-Subject: [PATCH] Add missing SELinux rule for ipa-custodia.sock
-
-A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
-from upstream rules. It breaks installations on systems that don't have
-ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
-
-Fixes: https://pagure.io/freeipa/issue/8412
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index a3381217a4..c4c3fa805e 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -378,6 +378,13 @@ optional_policy(`
- 	ipa_search_lib(ipa_custodia_t)
- ')
- 
-+optional_policy(`
-+    gen_require(`
-+        type httpd_t;
-+    ')
-+    ipa_custodia_stream_connect(httpd_t)
-+')
-+
- optional_policy(`
- 	pki_manage_tomcat_etc_rw(ipa_custodia_t)
- 	pki_read_tomcat_cert(ipa_custodia_t)
diff --git a/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch b/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
new file mode 100644
index 0000000..a4e36a9
--- /dev/null
+++ b/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
@@ -0,0 +1,37 @@
+From caf748860860293e010e695d72f6b3b3d8509f8a Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Tue, 2 Mar 2021 08:44:35 +0100
+Subject: [PATCH] ipatests: use whole date when calling journalctl --since
+
+The test test_commands.py::TestIPACommand::test_ssh_key_connection
+is checking the content of the journal using journalctl --since ...
+but provides only the time, not the whole date with year-month-day.
+As a consequence, if the test is executed around midnight it may
+find nothing in the journal because it's looking for logs after 11:50PM,
+which is a date in the future.
+
+The fix provides a complete date with year-month-day hours:min:sec.
+
+Fixes: https://pagure.io/freeipa/issue/8728
+Reviewed-By: Francois Cami <fcami@redhat.com>
+---
+ ipatests/test_integration/test_commands.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index 45f642bf2..b7ffb926f 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -642,7 +642,8 @@ class TestIPACommand(IntegrationTest):
+         # start to look at logs a bit before "now"
+         # https://pagure.io/freeipa/issue/8432
+         since = time.strftime(
+-            '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
++            '%Y-%m-%d %H:%M:%S',
++            (datetime.now() - timedelta(seconds=10)).timetuple()
+         )
+ 
+         tasks.run_ssh_cmd(
+-- 
+2.29.2
+
diff --git a/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch b/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch
deleted file mode 100644
index 5a96294..0000000
--- a/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From ca880cfb117fc870a6e2710b9e31b2f67d5651e1 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Wed, 29 Jul 2020 13:35:49 +0200
-Subject: [PATCH] ipa-client-install: use the authselect backup during
- uninstall
-
-When ipa-client-install is run on a system with no existing
-authselect configuration (for instance a fedora 31 new install),
-uninstallation is picking sssd profile but this may lead to
-a configuration with differences compared to the pre-ipa-client
-state.
-
-Now that authselect provides an option to backup the existing
-configuration prior to setting a profile, the client install
-can save the backup name and uninstall is able to apply the
-backup in order to go back to the pre-ipa-client state.
-
-Fixes: https://pagure.io/freeipa/issue/8189
-Reviewed-By: Francois Cami <fcami@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
----
- ipaplatform/redhat/authconfig.py | 37 ++++++++++++++------------------
- 1 file changed, 16 insertions(+), 21 deletions(-)
-
-diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
-index 758376f2b..89f452d66 100644
---- a/ipaplatform/redhat/authconfig.py
-+++ b/ipaplatform/redhat/authconfig.py
-@@ -27,6 +27,7 @@ from ipaplatform.paths import paths
- from ipapython import ipautil
- from ipapython.admintool import ScriptError
- import os
-+import time
- 
- FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
- 
-@@ -103,28 +104,16 @@ class RedHatAuthSelect(RedHatAuthToolBase):
-     def configure(self, sssd, mkhomedir, statestore, sudo=True):
-         # In the statestore, the following keys are used for the
-         # 'authselect' module:
-+        # Old method:
-         # profile: name of the profile configured pre-installation
-         # features_list: list of features configured pre-installation
-         # mkhomedir: True if installation was called with --mkhomedir
-         # profile and features_list are used when reverting to the
-         # pre-install state
--        cfg = self._parse_authselect_output()
--        if cfg:
--            statestore.backup_state('authselect', 'profile', cfg[0])
--            statestore.backup_state(
--                    'authselect', 'features_list', " ".join(cfg[1]))
--        else:
--            # cfg = None means that the current conf is not managed by
--            # authselect but by authconfig.
--            # As we are using authselect to configure the host,
--            # it will not be possible to revert to a custom authconfig
--            # configuration later (during uninstall)
--            # Best thing to do will be to use sssd profile at this time
--            logger.warning(
--                "WARNING: The configuration pre-client installation is not "
--                "managed by authselect and cannot be backed up. "
--                "Uninstallation may not be able to revert to the original "
--                "state.")
-+        # New method:
-+        # backup: name of the authselect backup
-+        backup_name = "pre_ipaclient_{}".format(time.strftime("%Y%m%d%H%M%S"))
-+        statestore.backup_state('authselect', 'backup', backup_name)
- 
-         cmd = [paths.AUTHSELECT, "select", "sssd"]
-         if mkhomedir:
-@@ -133,6 +122,7 @@ class RedHatAuthSelect(RedHatAuthToolBase):
-         if sudo:
-             cmd.append("with-sudo")
-         cmd.append("--force")
-+        cmd.append("--backup={}".format(backup_name))
- 
-         ipautil.run(cmd)
- 
-@@ -179,10 +169,15 @@ class RedHatAuthSelect(RedHatAuthToolBase):
-             else:
-                 features = []
- 
--        cmd = [paths.AUTHSELECT, "select", profile]
--        cmd.extend(features)
--        cmd.append("--force")
--        ipautil.run(cmd)
-+        backup = statestore.restore_state('authselect', 'backup')
-+        if backup:
-+            cmd = [paths.AUTHSELECT, "backup-restore", backup]
-+            ipautil.run(cmd)
-+        else:
-+            cmd = [paths.AUTHSELECT, "select", profile]
-+            cmd.extend(features)
-+            cmd.append("--force")
-+            ipautil.run(cmd)
- 
-     def backup(self, path):
-         current = self._get_authselect_current_output()
--- 
-2.26.2
-
-# Not needed for 4.7.8 release
-#
-#From 3eaab97e317584bc47d4a27a607267ed90df7ff7 Mon Sep 17 00:00:00 2001
-#From: Florence Blanc-Renaud <flo@redhat.com>
-#Date: Wed, 29 Jul 2020 13:40:26 +0200
-#Subject: [PATCH] ipatests: remove the xfail for test_nfs.py
-#
-#Related: https://pagure.io/freeipa/issue/8189
-#Reviewed-By: Francois Cami <fcami@redhat.com>
-#Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-#---
-# ipatests/test_integration/test_nfs.py | 4 ----
-# 1 file changed, 4 deletions(-)
-#
-#diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
-#index 7272b0d44..832c56cca 100644
-#--- a/ipatests/test_integration/test_nfs.py
-#+++ b/ipatests/test_integration/test_nfs.py
-#@@ -363,10 +363,6 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
-#         cmd = self.clients[0].run_command(sha256nsswitch_cmd)
-#         assert cmd.stdout_text == orig_sha256
-# 
-#-    @pytest.mark.xfail(
-#-        reason="https://pagure.io/freeipa/issue/8189",
-#-        strict=True
-#-    )
-#     def test_nsswitch_backup_restore_sssd(self):
-#         self.nsswitch_backup_restore()
-# 
-#-- 
-#2.26.2
-
-From 4baf6b292f28481ece483bb8ecbd6a0807d9d45a Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Wed, 29 Jul 2020 17:57:53 +0200
-Subject: [PATCH] ipatests: fix test_authselect
-
-Before the code fix, install/uninstall on a config without
-any authselect profile was not able to restore the exact
-state but configured sssd profile instead.
-
-Now that the code is doing a pre-install backup, uninstall
-restores the exact state and the test needs to be updated
-accordingly.
-
-Related: https://pagure.io/freeipa/issue/8189
-Reviewed-By: Francois Cami <fcami@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
----
- ipatests/test_integration/test_authselect.py | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py
-index bdf7d9f77..cba23e707 100644
---- a/ipatests/test_integration/test_authselect.py
-+++ b/ipatests/test_integration/test_authselect.py
-@@ -100,7 +100,9 @@ class TestClientInstallation(IntegrationTest):
-             ['rm', '-f', '/etc/authselect/authselect.conf'])
-         result = self._install_client()
-         assert result.returncode == 0
--        assert self.msg_warn_install in result.stderr_text
-+        # With the fix for 8189, there is no warning any more
-+        # because install is performing a pre-install backup
-+        assert self.msg_warn_install not in result.stderr_text
-         # Client installation must configure the 'sssd' profile
-         # with sudo
-         check_authselect_profile(self.client, default_profile, ('with-sudo',))
-@@ -109,12 +111,13 @@ class TestClientInstallation(IntegrationTest):
-         """
-         Test client un-installation when there was no authselect profile
-         """
--        # As the client did not have any authselect profile before install,
--        # uninstall must print a warning about restoring 'sssd' profile
--        # by default
-+        # The client did not have any authselect profile before install,
-+        # but uninstall must be able to restore the backup
-+        # Check that no profile is configured after uninstall
-         result = self._uninstall_client()
-         assert result.returncode == 0
--        check_authselect_profile(self.client, default_profile)
-+        assert not self.client.transport.file_exists(
-+            '/etc/authselect/authselect.conf')
- 
-     def test_install_client_preconfigured_profile(self):
-         """
--- 
-2.26.2
-
diff --git a/SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch b/SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
similarity index 79%
rename from SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch
rename to SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
index 366fd17..128c9c4 100644
--- a/SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch
+++ b/SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
@@ -1,30 +1,239 @@
-Adapted version due to missing patches:
+From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 19 Feb 2021 15:37:47 +0200
+Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
 
-  commit 1f1e7dbe6131b3cdc0ba81b454c7729126bfa6ee
-  Author: Slava Aseev <ptrnine@altlinux.org>
-  Date:   Mon Nov 23 18:23:01 2020 +0300
-  
-      ipa-kdb: handle dates up to 2106-02-07 06:28:16
+Calling to ipadb_get_connection() will remove LDAP context if any error
+happens. This means upper layers must always verify that LDAP context
+exists after such calls.
+
+ipadb_get_user_auth() may re-read global configuration and that may fail
+and cause IPA context to have NULL LDAP context.
+
+Fixes: https://pagure.io/freeipa/issue/8681
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb.c            |  1 +
+ daemons/ipa-kdb/ipa_kdb_mspac.c      | 32 +++++++++++++++-------------
+ daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
+ 3 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 43ba955ac..6e1e3e351 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext,
+         /* ldap free lcontext */
+         if ((*ctx)->lcontext) {
+             ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
++            (*ctx)->lcontext = NULL;
+         }
+         free((*ctx)->supp_encs);
+         free((*ctx)->def_encs);
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 31f617129..81a8fd483 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+                                         krb5_timestamp authtime,
+                                         struct netr_SamInfo3 *info3)
+ {
+-    LDAP *lcontext = ipactx->lcontext;
+     LDAPDerefRes *deref_results = NULL;
+     struct dom_sid sid;
+     gid_t prigid = -1;
+@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     bool is_idobject = false;
+     krb5_principal princ;
  
-  commit 44c222aca9bb0056004f15dfb187d3f249ed0452
-  Author: Alexander Bokovoy <abokovoy@redhat.com>
-  Date:   Thu Dec 17 12:22:47 2020 +0200
-  
-      ipa-kdb: use predefined filters for a wild-card searches
+-    ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
++    ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
+                                      &objectclasses);
+     if (ret == 0 && objectclasses != NULL) {
+         for (c = 0; objectclasses[c] != NULL; c++) {
+@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     }
+ 
+     if (is_host) {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
+         if (ret) {
+             /* fqdn is mandatory for hosts */
+             return ret;
+         }
+     } else if (is_service) {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++                                     "krbCanonicalName", &strres);
+         if (ret) {
+             /* krbCanonicalName is mandatory for services */
+             return ret;
+@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+             return ENOENT;
+         }
+     } else {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
+         if (ret) {
+             /* uid is mandatory */
+             return ret;
+@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     if (is_host || is_service) {
+         prigid = 515; /* Well known RID for domain computers group */
+     } else {
+-        ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
++        ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
++                                     "gidNumber", &intres);
+         if (ret) {
+             /* gidNumber is mandatory */
+             return ret;
+@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     info3->base.kickoff_time = INT64_MAX;
+ #endif
+ 
+-    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
+                                     "krbLastPwdChange", &timeres);
+     switch (ret) {
+     case 0:
+@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     info3->base.allow_password_change = info3->base.last_password_change;
+     info3->base.force_password_change = INT64_MAX;
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
+     switch (ret) {
+     case 0:
+         info3->base.full_name.string = talloc_strdup(memctx, strres);
+@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTLogonScript", &strres);
+     switch (ret) {
+     case 0:
+@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTProfilePath", &strres);
+     switch (ret) {
+     case 0:
+@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTHomeDirectory", &strres);
+     switch (ret) {
+     case 0:
+@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTHomeDirectoryDrive", &strres);
+     switch (ret) {
+     case 0:
+@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+             info3->base.rid = 515;
+         }
+     } else {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                      "ipaNTSecurityIdentifier", &strres);
+         if (ret) {
+             /* SID is mandatory */
+@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         }
+     }
+ 
+-    ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
++    ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
+     switch (ret) {
+     LDAPDerefRes *dres;
+     LDAPDerefVal *dval;
+@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
+ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ {
+     struct ipadb_adtrusts *t;
+-    LDAP *lc = ipactx->lcontext;
++    LDAP *lc = NULL;
+     char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
+                       "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
+                       "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
+@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+         goto done;
+     }
+ 
++    lc = ipactx->lcontext;
+     for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
+         dnstr = ldap_get_dn(lc, le);
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index d1fa51578..cf1b4f53e 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
+     if (gcfg != NULL)
+         gua = gcfg->user_auth;
+ 
++    /* lcontext == NULL means ipadb_get_global_config() failed to load
++     * global config and cleared the ipactx */
++    if (ipactx->lcontext == NULL)
++        return IPADB_USER_AUTH_NONE;
++
+     /* Get the user's user_auth settings if not disabled. */
+     if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
+         ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
+@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+         free(entry);
+         return KRB5_KDB_DBNOTINITED;
+     }
+-    lcontext = ipactx->lcontext;
+-    if (!lcontext) {
++
++    entry->magic = KRB5_KDB_MAGIC_NUMBER;
++    entry->len = KRB5_KDB_V1_BASE_LENGTH;
++
++    /* Get User Auth configuration. */
++    ua = ipadb_get_user_auth(ipactx, lentry);
++
++    /* ipadb_get_user_auth() calls into ipadb_get_global_config()
++     * and that might fail, causing lcontext to become NULL */
++    if (!ipactx->lcontext) {
+         krb5_klog_syslog(LOG_INFO,
+                          "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
+         ret = ipadb_get_connection(ipactx);
+@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+         }
+     }
+ 
+-    entry->magic = KRB5_KDB_MAGIC_NUMBER;
+-    entry->len = KRB5_KDB_V1_BASE_LENGTH;
+-
+-    /* Get User Auth configuration. */
+-    ua = ipadb_get_user_auth(ipactx, lentry);
++    /* If any code below would result in invalidating ipactx->lcontext,
++     * lcontext must be updated with the new ipactx->lcontext value.
++     * We rely on the fact that none of LDAP-parsing helpers does it. */
++    lcontext = ipactx->lcontext;
+ 
+     /* ignore mask for now */
+ 
+-- 
+2.29.2
 
-  commit 78a7ab0daf0d5ebd388046aec6e1c9328e0564a8
-  Author: Robbie Harwood <rharwood@redhat.com>
-  Date:   Tue Nov 10 14:07:47 2020 -0500
-  
-      ipa-kdb: implement AS-REQ lifetime jitter
-
-  commit d6a8fc290aa93fc5d53025f4400a9736366175eb
-  Author: Rob Crittenden <rcritten@redhat.com>
-  Date:   Thu Sep 24 22:39:36 2020 -0400
-  
-      Pass the user to the password policy check in the kdb driver
-
-From 701d0fb0415497fe9fe8fbf25fa800041e2a2b40 Mon Sep 17 00:00:00 2001
+From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Tue, 23 Feb 2021 10:06:25 +0200
 Subject: [PATCH] ipa-kdb: fix compiler warnings
@@ -38,7 +247,6 @@ In the same way, SID structures have own requirements.
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Reviewed-By: Robbie Harwood <rharwood@redhat.com>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 ---
  daemons/ipa-kdb/ipa_kdb_audit_as.c   | 4 ++--
  daemons/ipa-kdb/ipa_kdb_mspac.c      | 6 +++---
@@ -50,10 +258,10 @@ diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_
 index ed48ea758..ec2046bfe 100644
 --- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
 +++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
-@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
-         }
+@@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
  
-         if (client->last_failed + ied->pol->lockout_duration > authtime &&
+         if (krb5_ts_after(krb5_ts_incr(client->last_failed,
+                         ied->pol->lockout_duration), authtime) &&
 -            (client->fail_auth_count >= ied->pol->max_fail && 
 +            (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
               ied->pol->max_fail != 0)) {
@@ -67,10 +275,10 @@ index ed48ea758..ec2046bfe 100644
              client->fail_auth_count++;
              client->mask |= KMASK_FAIL_AUTH_COUNT;
 diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index c6ac593ca..050100430 100644
+index 81a8fd483..9691b14f6 100644
 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c
 +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -147,9 +147,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
+@@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
  
  char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
  {
@@ -82,7 +290,7 @@ index c6ac593ca..050100430 100644
      uint32_t ia;
      char *buf;
  
-@@ -2606,7 +2606,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+@@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
  
          t[n].upn_suffixes_len = NULL;
          if (t[n].upn_suffixes != NULL) {
@@ -92,10 +300,10 @@ index c6ac593ca..050100430 100644
              for (; t[n].upn_suffixes[len] != NULL; len++);
  
 diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index d1fa51578..59337a4ca 100644
+index cf1b4f53e..0a98ff054 100644
 --- a/daemons/ipa-kdb/ipa_kdb_principals.c
 +++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -491,7 +491,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
+@@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
      l = len;
      for (i = 0; i < count; i++) {
          ret = snprintf(ap, l, "%s ", authinds[i]);
@@ -104,7 +312,7 @@ index d1fa51578..59337a4ca 100644
              ret = ENOMEM;
              goto cleanup;
          }
-@@ -2064,7 +2064,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
+@@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
      char *s = NULL;
      size_t ai_size = 0;
      int cnt = 0;
@@ -113,7 +321,7 @@ index d1fa51578..59337a4ca 100644
  
      ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
      if (ret) {
-@@ -2445,7 +2445,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
+@@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
  {
      krb5_error_code kerr;
      LDAPMod *m = NULL;
@@ -126,7 +334,7 @@ diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpo
 index 4965e6d7f..6f21ef867 100644
 --- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
 +++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
-@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+@@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
      }
  
      if (ied->pol->max_fail == 0 ||
@@ -138,7 +346,7 @@ index 4965e6d7f..6f21ef867 100644
 -- 
 2.29.2
 
-From d454ca8f004954f19622fe61ad9e2854359f3784 Mon Sep 17 00:00:00 2001
+From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Wed, 24 Feb 2021 20:51:40 +0200
 Subject: [PATCH] ipa-kdb: add missing prototypes
@@ -152,7 +360,6 @@ We also default to -Werror=implicit-function-declaration
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Reviewed-By: Robbie Harwood <rharwood@redhat.com>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 ---
  daemons/ipa-kdb/ipa_kdb_kdcpolicy.c     |  4 ++++
  daemons/ipa-kdb/ipa_kdb_mspac.c         | 20 ++++++++++++--------
@@ -160,25 +367,25 @@ Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
  3 files changed, 20 insertions(+), 8 deletions(-)
 
 diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-index 7f03f2f03..6976f9ba9 100644
+index a89f8bbda..aa61a2d1b 100644
 --- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
 +++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-@@ -9,6 +9,10 @@
- #include "ipa_krb5.h"
- #include "ipa_kdb.h"
+@@ -14,6 +14,10 @@
+ #define ONE_DAY_SECONDS (24 * 60 * 60)
+ #define JITTER_WINDOW_SECONDS (1 * 60 * 60)
  
 +krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
 +                                        int maj_ver, int min_ver,
 +                                        krb5_plugin_vtable vtable);
 +
- static krb5_error_code
- ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
-                        const krb5_kdc_req *request,
+ static void
+ jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
+ {
 diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 050100430..c05fb717a 100644
+index 9691b14f6..47b12a16f 100644
 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c
 +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -2403,9 +2403,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
+@@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
      *mspac = NULL;
  }
  
@@ -192,21 +399,21 @@ index 050100430..c05fb717a 100644
  {
      int len, i;
      char **source;
-@@ -2436,9 +2437,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+@@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
      return 0;
  }
  
 -krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
--                                                   char **sid_blacklist_incoming,
--                                                   char **sid_blacklist_outgoing)
+-                                                   char **sid_blocklist_incoming,
+-                                                   char **sid_blocklist_outgoing)
 +static krb5_error_code
 +ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
-+                                   char **sid_blacklist_incoming,
-+                                   char **sid_blacklist_outgoing)
++                                   char **sid_blocklist_incoming,
++                                   char **sid_blocklist_outgoing)
  {
      krb5_error_code kerr;
  
-@@ -2459,7 +2461,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
+@@ -2464,7 +2466,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
      return 0;
  }
  
@@ -216,7 +423,7 @@ index 050100430..c05fb717a 100644
  {
      char *attrs[] = { NULL };
      char *filter = "(objectclass=ipaNTTrustedDomain)";
-@@ -2504,7 +2507,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si
+@@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
      }
  }
  
@@ -225,9 +432,9 @@ index 050100430..c05fb717a 100644
 +ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
  {
      struct ipadb_adtrusts *t;
-     LDAP *lc = ipactx->lcontext;
+     LDAP *lc = NULL;
 diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-index b21aa163f..2369e16f8 100644
+index d23a14a0b..8c8a3a001 100644
 --- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
 +++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
 @@ -53,3 +53,7 @@ struct ipadb_adtrusts {
@@ -242,7 +449,7 @@ index b21aa163f..2369e16f8 100644
 -- 
 2.29.2
 
-From da98a6fcb81ee3ac7df8bb238a0793809c2be3fd Mon Sep 17 00:00:00 2001
+From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Wed, 24 Feb 2021 20:52:15 +0200
 Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
@@ -254,7 +461,6 @@ Replace few tabs by spaces and mark static code as static.
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Reviewed-By: Robbie Harwood <rharwood@redhat.com>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 ---
  daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
  1 file changed, 14 insertions(+), 11 deletions(-)
@@ -317,7 +523,7 @@ index bc6b26578..3a3060c92 100644
 -- 
 2.29.2
 
-From aa7f99c08ff41f216d60152d6235922c561c2881 Mon Sep 17 00:00:00 2001
+From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Wed, 24 Feb 2021 20:55:41 +0200
 Subject: [PATCH] ipa-kdb: mark test functions as static
@@ -327,16 +533,15 @@ No need to define missing prototypes to single use test functions.
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Reviewed-By: Robbie Harwood <rharwood@redhat.com>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 ---
  daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
  1 file changed, 5 insertions(+), 8 deletions(-)
 
 diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-index 368a2f978..960200b6e 100644
+index 2a174ce6b..0b51ffb96 100644
 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
 +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-@@ -180,7 +180,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
+@@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
                                    krb5_data realm,
                                    struct PAC_LOGON_INFO_CTR *info);
  
@@ -345,7 +550,7 @@ index 368a2f978..960200b6e 100644
  {
      krb5_error_code kerr;
      krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
-@@ -315,10 +315,7 @@ void test_filter_logon_info(void **state)
+@@ -316,10 +316,7 @@ void test_filter_logon_info(void **state)
  
  }
  
@@ -357,7 +562,7 @@ index 368a2f978..960200b6e 100644
  {
      bool with_pac;
      bool with_pad;
-@@ -436,7 +433,7 @@ void test_get_authz_data_types(void **state)
+@@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state)
      krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
  }
  
@@ -366,7 +571,7 @@ index 368a2f978..960200b6e 100644
  {
      int ret;
      struct dom_sid sid;
-@@ -468,7 +465,7 @@ void test_string_to_sid(void **state)
+@@ -469,7 +466,7 @@ void test_string_to_sid(void **state)
      assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
  }
  
@@ -375,7 +580,7 @@ index 368a2f978..960200b6e 100644
  {
      struct test_ctx *test_ctx;
      char *str_sid;
-@@ -494,7 +491,7 @@ void test_dom_sid_string(void **state)
+@@ -495,7 +492,7 @@ void test_dom_sid_string(void **state)
  }
  
  
@@ -387,239 +592,3 @@ index 368a2f978..960200b6e 100644
 -- 
 2.29.2
 
-From 79baa0932d1349d46d162e7478fa4e3c8e88dc09 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 19 Feb 2021 15:37:47 +0200
-Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
-
-Calling to ipadb_get_connection() will remove LDAP context if any error
-happens. This means upper layers must always verify that LDAP context
-exists after such calls.
-
-ipadb_get_user_auth() may re-read global configuration and that may fail
-and cause IPA context to have NULL LDAP context.
-
-Fixes: https://pagure.io/freeipa/issue/8681
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb.c            |  1 +
- daemons/ipa-kdb/ipa_kdb_mspac.c      | 32 +++++++++++++++-------------
- daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
- 3 files changed, 37 insertions(+), 22 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
-index 33d2a6773..e7b8d7dbf 100644
---- a/daemons/ipa-kdb/ipa_kdb.c
-+++ b/daemons/ipa-kdb/ipa_kdb.c
-@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext,
-         /* ldap free lcontext */
-         if ((*ctx)->lcontext) {
-             ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
-+            (*ctx)->lcontext = NULL;
-         }
-         free((*ctx)->supp_encs);
-         free((*ctx)->def_encs);
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index c05fb717a..1e59189ed 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -416,7 +416,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-                                         TALLOC_CTX *memctx,
-                                         struct netr_SamInfo3 *info3)
- {
--    LDAP *lcontext = ipactx->lcontext;
-     LDAPDerefRes *deref_results = NULL;
-     struct dom_sid sid;
-     gid_t prigid = -1;
-@@ -433,7 +432,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     bool is_idobject = false;
-     krb5_principal princ;
- 
--    ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
-+    ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
-                                      &objectclasses);
-     if (ret == 0 && objectclasses != NULL) {
-         for (c = 0; objectclasses[c] != NULL; c++) {
-@@ -470,13 +469,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     }
- 
-     if (is_host) {
--        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
-+        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
-         if (ret) {
-             /* fqdn is mandatory for hosts */
-             return ret;
-         }
-     } else if (is_service) {
--        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
-+        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-+                                     "krbCanonicalName", &strres);
-         if (ret) {
-             /* krbCanonicalName is mandatory for services */
-             return ret;
-@@ -496,7 +496,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-             return ENOENT;
-         }
-     } else {
--        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
-+        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
-         if (ret) {
-             /* uid is mandatory */
-             return ret;
-@@ -509,7 +509,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     if (is_host || is_service) {
-         prigid = 515; /* Well known RID for domain computers group */
-     } else {
--        ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
-+        ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
-+                                     "gidNumber", &intres);
-         if (ret) {
-             /* gidNumber is mandatory */
-             return ret;
-@@ -540,7 +541,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     info3->base.kickoff_time = -1;
- #endif
- 
--    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
-                                     "krbLastPwdChange", &timeres);
-     switch (ret) {
-     case 0:
-@@ -557,7 +558,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     info3->base.allow_password_change = 0;
-     info3->base.force_password_change = -1;
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
-     switch (ret) {
-     case 0:
-         info3->base.full_name.string = talloc_strdup(memctx, strres);
-@@ -570,7 +571,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         return ret;
-     }
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                  "ipaNTLogonScript", &strres);
-     switch (ret) {
-     case 0:
-@@ -584,7 +585,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         return ret;
-     }
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                  "ipaNTProfilePath", &strres);
-     switch (ret) {
-     case 0:
-@@ -598,7 +599,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         return ret;
-     }
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                  "ipaNTHomeDirectory", &strres);
-     switch (ret) {
-     case 0:
-@@ -612,7 +613,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         return ret;
-     }
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                  "ipaNTHomeDirectoryDrive", &strres);
-     switch (ret) {
-     case 0:
-@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-             info3->base.rid = 515;
-         }
-     } else {
--        ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                      "ipaNTSecurityIdentifier", &strres);
-         if (ret) {
-             /* SID is mandatory */
-@@ -660,7 +661,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         }
-     }
- 
--    ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
-+    ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
-     switch (ret) {
-     LDAPDerefRes *dres;
-     LDAPDerefVal *dval;
-@@ -2511,7 +2512,7 @@ static krb5_error_code
- ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
- {
-     struct ipadb_adtrusts *t;
--    LDAP *lc = ipactx->lcontext;
-+    LDAP *lc = NULL;
-     char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
-                       "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
-                       "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
-@@ -2545,6 +2546,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
-         goto done;
-     }
- 
-+    lc = ipactx->lcontext;
-     for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
-         dnstr = ldap_get_dn(lc, le);
- 
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index 59337a4ca..0a98ff054 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -335,6 +335,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
-     if (gcfg != NULL)
-         gua = gcfg->user_auth;
- 
-+    /* lcontext == NULL means ipadb_get_global_config() failed to load
-+     * global config and cleared the ipactx */
-+    if (ipactx->lcontext == NULL)
-+        return IPADB_USER_AUTH_NONE;
-+
-     /* Get the user's user_auth settings if not disabled. */
-     if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
-         ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
-@@ -608,8 +613,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
-         free(entry);
-         return KRB5_KDB_DBNOTINITED;
-     }
--    lcontext = ipactx->lcontext;
--    if (!lcontext) {
-+
-+    entry->magic = KRB5_KDB_MAGIC_NUMBER;
-+    entry->len = KRB5_KDB_V1_BASE_LENGTH;
-+
-+    /* Get User Auth configuration. */
-+    ua = ipadb_get_user_auth(ipactx, lentry);
-+
-+    /* ipadb_get_user_auth() calls into ipadb_get_global_config()
-+     * and that might fail, causing lcontext to become NULL */
-+    if (!ipactx->lcontext) {
-         krb5_klog_syslog(LOG_INFO,
-                          "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
-         ret = ipadb_get_connection(ipactx);
-@@ -621,11 +634,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
-         }
-     }
- 
--    entry->magic = KRB5_KDB_MAGIC_NUMBER;
--    entry->len = KRB5_KDB_V1_BASE_LENGTH;
--
--    /* Get User Auth configuration. */
--    ua = ipadb_get_user_auth(ipactx, lentry);
-+    /* If any code below would result in invalidating ipactx->lcontext,
-+     * lcontext must be updated with the new ipactx->lcontext value.
-+     * We rely on the fact that none of LDAP-parsing helpers does it. */
-+    lcontext = ipactx->lcontext;
- 
-     /* ignore mask for now */
- 
--- 
-2.29.2
-
diff --git a/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch b/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch
deleted file mode 100644
index 4144d57..0000000
--- a/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 66a5a0efd538e31a190ca6ecb775bc1dfc4ee232 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 29 Jul 2020 13:42:43 -0400
-Subject: [PATCH] Replace SSLCertVerificationError with CertificateError for
- py36
-
-This exception was added in python 3.7. Use CertificateError
-instead which is an alias and will work with older python releases.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1858318
-
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipaserver/install/server/upgrade.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index 2c36bc0e2..2c1517865 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -667,7 +667,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
- 
-     try:
-         cert.match_hostname(expect)
--    except ssl.SSLCertVerificationError:
-+    except ssl.CertificateError:
-         if certs.is_ipa_issued_cert(api, cert):
-             request_id = certmonger.get_request_id(
-                 {'cert-file': paths.HTTPD_CERT_FILE})
--- 
-2.26.2
-
diff --git a/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch b/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
new file mode 100644
index 0000000..06b42e5
--- /dev/null
+++ b/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
@@ -0,0 +1,64 @@
+From 061e0b63ef3a72ba3261b42ec5f2ce290070c613 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Mon, 15 Mar 2021 16:55:08 +0100
+Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
+ (2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: https://pagure.io/freeipa/issue/8530
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+---
+ ipaclient/install/client.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
+index 0e478fa26..9bdfbddaf 100644
+--- a/ipaclient/install/client.py
++++ b/ipaclient/install/client.py
+@@ -2205,7 +2205,7 @@ def install_check(options):
+     # available.
+     if options.conf_sudo:
+         try:
+-            subprocess.Popen(['sudo -V'])
++            subprocess.Popen(['sudo', '-V'])
+         except FileNotFoundError:
+             logger.info(
+                 "The sudo binary does not seem to be present on this "
+-- 
+2.30.2
+
+From 4b917833fdd62cce2fd72809fd5c963194efba3e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Mon, 15 Mar 2021 17:00:05 +0100
+Subject: [PATCH] ipatests: check for the "no sudo present" string absence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When sudo is installed, no warning should be output about sudo not
+being available (obviously). Check that the relevant string is
+not present.
+
+Fixes: https://pagure.io/freeipa/issue/8530
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+---
+ ipatests/test_integration/test_installation.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index a50a59f1a..a5ff17a0d 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -1620,3 +1620,5 @@ class TestInstallWithoutSudo(IntegrationTest):
+         tasks.install_packages(self.clients[0], ['sudo'])
+         for pkg in ('sudo', 'libsss_sudo'):
+             assert tasks.is_package_installed(self.clients[0], pkg)
++        result = tasks.install_client(self.master, self.clients[0])
++        assert self.no_sudo_str not in result.stderr_text
+-- 
+2.30.2
+
diff --git a/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch b/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch
deleted file mode 100644
index 1298351..0000000
--- a/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Fri, 8 May 2020 15:27:01 +0200
-Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface
-
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.if | 27 +++++++++++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/selinux/ipa.if b/selinux/ipa.if
-index cefae5d90..ea971b8fa 100644
---- a/selinux/ipa.if
-+++ b/selinux/ipa.if
-@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',`
- 		manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
- 	')
- ')
-+
-+########################################
-+## <summary>
-+##	Execute dirsrv server in the dirsrv domain.
-+##  Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
-+ifndef(`dirsrv_systemctl',`
-+    interface(`dirsrv_systemctl',`
-+        gen_require(`
-+            type dirsrv_unit_file_t;
-+            type dirsrv_t;
-+        ')
-+
-+        systemd_exec_systemctl($1)
-+        init_reload_services($1)
-+        allow $1 dirsrv_unit_file_t:file read_file_perms;
-+        allow $1 dirsrv_unit_file_t:service manage_service_perms;
-+
-+        ps_process_pattern($1, dirsrv_t)
-+    ')
-+')
--- 
-2.26.2
-
-From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Thu, 7 May 2020 16:17:12 +0200
-Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services
-
-Allow ipa_helper_t connect to init using /run/systemd/private socket.
-Allow ipa_helper_t read init process state.
-Allow ipa_helper_t manage sssd and dirsrv units.
-
-See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
-See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.te | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index b1e29c8e2..587e5e585 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)
- 
- files_list_tmp(ipa_helper_t)
- 
-+init_read_state(ipa_helper_t)
-+init_stream_connect(ipa_helper_t)
-+
- ipa_manage_pid_files(ipa_helper_t)
- ipa_read_lib(ipa_helper_t)
- 
-@@ -156,6 +159,10 @@ optional_policy(`
-     dirsrv_stream_connect(ipa_helper_t)
- ')
- 
-+optional_policy(`
-+    dirsrv_systemctl(ipa_helper_t)
-+')
-+
- optional_policy(`
-     ldap_stream_connect(ipa_helper_t)
- ')
-@@ -182,6 +189,7 @@ optional_policy(`
- 
- optional_policy(`
-     sssd_manage_lib_files(ipa_helper_t)
-+    sssd_systemctl(ipa_helper_t)
- ')
- 
- ########################################
--- 
-2.26.2
-
diff --git a/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch b/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch
deleted file mode 100644
index ac9ddfe..0000000
--- a/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 81c955e561dd42ab70a39bf636c90e82a9d7d899 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 3 Aug 2020 18:52:07 +0200
-Subject: [PATCH] CAless installation: set the perms on KDC cert file
-
-In CA less installation, the KDC certificate file does not have
-the expected 644 permissions. As a consequence, WebUI login
-fails.
-
-The fix makes sure that the KDC cert file is saved with 644 perms.
-
-Fixes: https://pagure.io/freeipa/issue/8440
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/install/krbinstance.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
-index 09d14693c..1910ff374 100644
---- a/ipaserver/install/krbinstance.py
-+++ b/ipaserver/install/krbinstance.py
-@@ -536,6 +536,8 @@ class KrbInstance(service.Service):
-         certs.install_pem_from_p12(self.pkcs12_info[0],
-                                    self.pkcs12_info[1],
-                                    paths.KDC_CERT)
-+        # The KDC cert needs to be readable by everyone
-+        os.chmod(paths.KDC_CERT, 0o644)
-         certs.install_key_from_p12(self.pkcs12_info[0],
-                                    self.pkcs12_info[1],
-                                    paths.KDC_KEY)
--- 
-2.26.2
-
-From 295dd4235f693b7b4b4270b46a28cb6e7b3d00b4 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 3 Aug 2020 18:53:47 +0200
-Subject: [PATCH] ipatests: check KDC cert permissions in CA less install
-
-The KDC certificate file must be stored with 644 permissions.
-Add a test checking the file permissions on server + replica.
-
-Related: https://pagure.io/freeipa/issue/8440
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_integration/test_caless.py | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
-index a7b2cbbbc..1ea7d9896 100644
---- a/ipatests/test_integration/test_caless.py
-+++ b/ipatests/test_integration/test_caless.py
-@@ -1527,6 +1527,13 @@ class TestCertInstall(CALessBase):
-         assert result.returncode == 0
- 
- 
-+def verify_kdc_cert_perms(host):
-+    """Verify that the KDC cert pem file has 0644 perms"""
-+    cmd = host.run_command(['stat', '-c',
-+                           '"%a %G:%U"', paths.KDC_CERT])
-+    assert "644 root:root" in cmd.stdout_text
-+
-+
- class TestPKINIT(CALessBase):
-     """Install master and replica with PKINIT"""
-     num_replicas = 1
-@@ -1540,6 +1547,7 @@ class TestPKINIT(CALessBase):
-         result = cls.install_server(pkinit_pkcs12_exists=True,
-                                     pkinit_pin=_DEFAULT)
-         assert result.returncode == 0
-+        verify_kdc_cert_perms(cls.master)
- 
-     @replica_install_teardown
-     def test_server_replica_install_pkinit(self):
-@@ -1549,6 +1557,7 @@ class TestPKINIT(CALessBase):
-                                       pkinit_pin=_DEFAULT)
-         assert result.returncode == 0
-         self.verify_installation()
-+        verify_kdc_cert_perms(self.replicas[0])
- 
- 
- class TestServerReplicaCALessToCAFull(CALessBase):
--- 
-2.26.2
-
diff --git a/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch b/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch
deleted file mode 100644
index b2655a8..0000000
--- a/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From b95817e35716bbab000633043817202e17d7c53e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 6 Aug 2020 17:07:36 +0200
-Subject: [PATCH] IPA-EPN: Use a helper to retrieve LDAP attributes from an
- entry
-
-Allow for empty attributes.
-
-Reviewed-By: Francois Cami <fcami@redhat.com>
----
- ipaclient/install/ipa_epn.py | 22 +++++++++++++++-------
- 1 file changed, 15 insertions(+), 7 deletions(-)
-
-diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
-index 65f9f3d47..0d1ae2add 100644
---- a/ipaclient/install/ipa_epn.py
-+++ b/ipaclient/install/ipa_epn.py
-@@ -122,22 +122,30 @@ class EPNUserList:
-         """Return len(self)."""
-         return len(self._expiring_password_user_dq)
- 
-+    def get_ldap_attr(self, entry, attr):
-+        """Get a single value from a multi-valued attr in a safe way"""
-+        return str(entry.get(attr, [""]).pop(0))
-+
-     def add(self, entry):
-         """Parses and appends an LDAP user entry with the uid, cn,
-            givenname, sn, krbpasswordexpiration and mail attributes.
-         """
-         try:
-             self._sorted = False
-+            if entry.get("mail") is None:
-+                logger.error("IPA-EPN: No mail address defined for: %s",
-+                             entry.dn)
-+                return
-             self._expiring_password_user_dq.append(
-                 dict(
--                    uid=str(entry["uid"].pop(0)),
--                    cn=str(entry["cn"].pop(0)),
--                    givenname=str(entry["givenname"].pop(0)),
--                    sn=str(entry["sn"].pop(0)),
--                    krbpasswordexpiration=str(
--                        entry["krbpasswordexpiration"].pop(0)
-+                    uid=self.get_ldap_attr(entry, "uid"),
-+                    cn=self.get_ldap_attr(entry, "cn"),
-+                    givenname=self.get_ldap_attr(entry, "givenname"),
-+                    sn=self.get_ldap_attr(entry, "sn"),
-+                    krbpasswordexpiration=(
-+                        self.get_ldap_attr(entry,"krbpasswordexpiration")
-                     ),
--                    mail=str(entry["mail"]),
-+                    mail=str(entry.get("mail")),
-                 )
-             )
-         except IndexError as e:
--- 
-2.26.2
-
-From 8e810d8cf38ec60d76178bd673e218fb05d56c8e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 6 Aug 2020 17:13:19 +0200
-Subject: [PATCH] IPA-EPN: fix configuration file typo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Francois Cami <fcami@redhat.com>
----
- client/share/epn.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/share/epn.conf b/client/share/epn.conf
-index 0e590dfc3..e3645801c 100644
---- a/client/share/epn.conf
-+++ b/client/share/epn.conf
-@@ -23,7 +23,7 @@ smtp_port = 25
- # Default None (empty value).
- # smtp_password =
- 
--# pecifies the number of seconds to wait for SMTP to respond.
-+# Specifies the number of seconds to wait for SMTP to respond.
- smtp_timeout = 60
- 
- # Specifies the type of secure connection to make. Options are: none,
--- 
-2.26.2
-
-From 1b1dbcbe9d83ba35f3cfdd01399f123816ec6e5b Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 6 Aug 2020 18:57:10 -0400
-Subject: [PATCH] IPA-EPN: Test that users without givenname and/or mail are
- handled
-
-The admin user does not have a givenname by default, allow for that.
-
-Report errors for users without a default e-mail address.
-
-Update the SHA256 hash with the typo fix.
-
-Reviewed-By: Francois Cami <fcami@redhat.com>
----
- ipatests/test_integration/test_epn.py | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index 18f73c722..c5c73835a 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -240,7 +240,7 @@ class TestEPN(IntegrationTest):
-         assert epn_conf in cmd1.stdout_text
-         assert epn_template in cmd1.stdout_text
-         cmd2 = self.master.run_command(["sha256sum", epn_conf])
--        ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
-+        ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
-         assert cmd2.stdout_text.find(ck) == 0
- 
-     def test_EPN_smoketest_1(self):
-@@ -591,3 +591,23 @@ class TestEPN(IntegrationTest):
-         self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
-         result = tasks.ipa_epn(self.master, raiseonerr=False)
-         assert "smtp_delay cannot be less than zero" in result.stderr_text
-+
-+    def test_EPN_admin(self):
-+        """The admin user is special and has no givenName by default
-+           It also doesn't by default have an e-mail address
-+           Check --dry-run output.
-+        """
-+        epn_conf = textwrap.dedent('''
-+            [global]
-+        ''')
-+        self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
-+        self.master.run_command(
-+            ['ipa', 'user-mod', 'admin', '--password-expiration',
-+             datetime_to_generalized_time(
-+                 datetime.datetime.utcnow() + datetime.timedelta(days=7)
-+             )]
-+        )
-+        (unused, stderr_text, _unused) = self._check_epn_output(
-+            self.master, dry_run=True
-+        )
-+        assert "uid=admin" in stderr_text
--- 
-2.26.2
-
diff --git a/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch b/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
deleted file mode 100644
index b905262..0000000
--- a/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
+++ /dev/null
@@ -1,404 +0,0 @@
-From 9479a393a71fe1de7d62ca2b50a7d3d8698d4ba1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 4 Aug 2020 11:05:31 +0200
-Subject: [PATCH] ipatests: tasks.py: fix ipa-epn invocation
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-tasks.py::ipa_epn would previously fail to invoke ipa-epn with
-from_nbdays=0.
-
-Related: https://pagure.io/freeipa/issue/8449
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipatests/pytest_ipa/integration/tasks.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
-index a3f7cc838..c0a592750 100755
---- a/ipatests/pytest_ipa/integration/tasks.py
-+++ b/ipatests/pytest_ipa/integration/tasks.py
-@@ -1470,9 +1470,9 @@ def ipa_epn(
-         cmd.append("--dry-run")
-     if mailtest:
-         cmd.append("--mail-test")
--    if from_nbdays:
-+    if from_nbdays is not None:
-         cmd.extend(("--from-nbdays", str(from_nbdays)))
--    if to_nbdays:
-+    if to_nbdays is not None:
-         cmd.extend(("--to-nbdays", str(to_nbdays)))
-     return host.run_command(cmd, raiseonerr=raiseonerr)
- 
--- 
-2.26.2
-
-From 3b8fdd87760cfb8ec739c67298f012cf0bd3ac39 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 5 Aug 2020 10:02:31 +0200
-Subject: [PATCH] ipatests: test_epn: test_EPN_nbdays enhancements
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Enhance test_EPN_nbdays so that it checks:
-* that no emails get sent when using --dry-run
-* that --from-nbdays implies --dry-run
-* that --to-nbdays requires --from-nbdays
-* illegal inputs for nbdays:
-** from-nbdays > to-nbdays
-** non-numerical input
-** decimal input
-
-Fixes: https://pagure.io/freeipa/issue/8449
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipatests/test_integration/test_epn.py | 130 +++++++++++++++++++++++---
- 1 file changed, 117 insertions(+), 13 deletions(-)
-
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index f4c123c6d..18f73c722 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -15,6 +15,13 @@
- # You should have received a copy of the GNU General Public License
- # along with this program.  If not, see <http://www.gnu.org/licenses/>.
- 
-+######
-+# This test suite will _expectedly_ fail if run at the end of the UTC day
-+# because users would be created during day N and then EPN output checked
-+# during day N+1. This is expected and should be ignored as it does not
-+# reflect a product bug. -- fcami
-+######
-+
- from __future__ import print_function, absolute_import
- 
- import base64
-@@ -178,12 +185,14 @@ class TestEPN(IntegrationTest):
-         from_nbdays=None,
-         to_nbdays=None,
-         raiseonerr=True,
-+        validatejson=True
-     ):
-         result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
-                                from_nbdays=from_nbdays,
-                                to_nbdays=to_nbdays)
--        json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
--        return (result.stdout_text, result.stderr_text)
-+        if validatejson:
-+            json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
-+        return (result.stdout_text, result.stderr_text, result.returncode)
- 
-     @classmethod
-     def install(cls, mh):
-@@ -244,12 +253,12 @@ class TestEPN(IntegrationTest):
-         ''')
-         self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
-         # check EPN on client (LDAP+GSSAPI)
--        (stdout_text, unused) = self._check_epn_output(
-+        (stdout_text, unused, _unused) = self._check_epn_output(
-             self.clients[0], dry_run=True
-         )
-         assert len(json.loads(stdout_text)) == 0
-         # check EPN on master (LDAPI)
--        (stdout_text, unused) = self._check_epn_output(
-+        (stdout_text, unused, _unused) = self._check_epn_output(
-             self.master, dry_run=True
-         )
-         assert len(json.loads(stdout_text)) == 0
-@@ -292,10 +301,10 @@ class TestEPN(IntegrationTest):
-                 ),
-             ],
-         )
--        (stdout_text_client, unused) = self._check_epn_output(
-+        (stdout_text_client, unused, _unused) = self._check_epn_output(
-             self.clients[0], dry_run=True
-         )
--        (stdout_text_master, unused) = self._check_epn_output(
-+        (stdout_text_master, unused, _unused) = self._check_epn_output(
-             self.master, dry_run=True
-         )
-         assert stdout_text_master == stdout_text_client
-@@ -331,10 +340,10 @@ class TestEPN(IntegrationTest):
-                 password=None,
-             )
- 
--        (stdout_text_client, unused) = self._check_epn_output(
-+        (stdout_text_client, unused, _unused) = self._check_epn_output(
-             self.clients[0], dry_run=True
-         )
--        (stdout_text_master, unused) = self._check_epn_output(
-+        (stdout_text_master, unused, _unused) = self._check_epn_output(
-             self.master, dry_run=True
-         )
-         assert stdout_text_master == stdout_text_client
-@@ -344,22 +353,117 @@ class TestEPN(IntegrationTest):
-         expected_users = ["user1", "user3", "user7", "user14", "user28"]
-         assert sorted(user_lst) == sorted(expected_users)
- 
--    def test_EPN_nbdays(self):
-+    def test_EPN_nbdays_0(self, cleanupmail):
-         """Test the to/from nbdays options (implies --dry-run)
- 
-            We have a set of users installed with varying expiration
-            dates. Confirm that to/from nbdays finds them.
-+
-+           Make sure --dry-run does not accidentally send emails.
-         """
- 
--        # Compare the notify_ttls values
-+        # Use the notify_ttls values with a 1-day sliding window
-         for i in self.notify_ttls:
-             user_list = []
--            (stdout_text_client, unused) = self._check_epn_output(
--                self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True)
-+            (stdout_text_client, unused, _unused) = self._check_epn_output(
-+                self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True
-+            )
-             for user in json.loads(stdout_text_client):
-                 user_list.append(user["uid"])
-             assert len(user_list) == 1
--            assert user_list[0] == "user%d" % i
-+            userid = "user{id}".format(id=i)
-+            assert user_list[0] == userid
-+
-+            # Check that the user list is expected for any given notify_ttls.
-+            (stdout_text_client, unused, _unused) = self._check_epn_output(
-+                self.clients[0], to_nbdays=i
-+            )
-+            user_list = [user["uid"] for user in json.loads(stdout_text_client)]
-+            assert len(user_list) == 1
-+            assert user_list[0] == "user{id}".format(id=i - 1)
-+
-+            # make sure no emails were sent
-+            result = self.clients[0].run_command(['ls', '-lha', '/var/mail/'])
-+            assert userid not in result.stdout_text
-+
-+    def test_EPN_nbdays_1(self, cleanupmail):
-+        """Test that for a given range, we find the users in that range"""
-+
-+        # Use hardcoded date ranges for now
-+        for date_range in [(0, 5), (7, 15), (1, 20)]:
-+            expected_user_list = ["user{i}".format(i=i)
-+                                  for i in range(date_range[0], date_range[1])]
-+            (stdout_text_client, unused, _unused) = self._check_epn_output(
-+                self.clients[0],
-+                from_nbdays=date_range[0],
-+                to_nbdays=date_range[1]
-+            )
-+            user_list = [user["uid"] for user in json.loads(stdout_text_client)]
-+            for user in expected_user_list:
-+                assert user in user_list
-+            for user in user_list:
-+                assert user in expected_user_list
-+
-+    # Test the to/from nbdays options behavior with illegal input
-+
-+    def test_EPN_nbdays_input_0(self):
-+        """Make sure that --to-nbdays implies --dry-run ;
-+           therefore check that the output is valid JSON and contains the
-+           expected user.
-+        """
-+
-+        (stdout_text_client, unused, _unused) = self._check_epn_output(
-+            self.clients[0], to_nbdays=5, dry_run=False
-+        )
-+        assert len(json.loads(stdout_text_client)) == 1
-+        assert json.loads(stdout_text_client)[0]["uid"] == "user4"
-+
-+    def test_EPN_nbdays_input_1(self):
-+        """Make sure that --from-nbdays cannot be used without --to-nbdays"""
-+
-+        (unused, stderr_text_client, rc) = \
-+            self._check_epn_output(
-+            self.clients[0], from_nbdays=3,
-+            raiseonerr=False, validatejson=False
-+        )
-+        assert "You cannot specify --from-nbdays without --to-nbdays" \
-+            in stderr_text_client
-+        assert rc > 0
-+
-+    @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
-+    def test_EPN_nbdays_input_2(self):
-+        """alpha input"""
-+
-+        (unused, stderr, rc) = self._check_epn_output(
-+            self.clients[0], to_nbdays="abc",
-+            raiseonerr=False, validatejson=False
-+        )
-+        assert "error: --to-nbdays must be an integer." in stderr
-+        assert rc > 0
-+
-+    @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
-+    def test_EPN_nbdays_input_3(self):
-+        """from_nbdays > to_nbdays"""
-+
-+        (unused, stderr, rc) = self._check_epn_output(
-+            self.clients[0], from_nbdays=9, to_nbdays=7,
-+            raiseonerr=False, validatejson=False
-+        )
-+        assert "error: --from-nbdays must be smaller than --to-nbdays." in \
-+            stderr
-+        assert rc > 0
-+
-+    @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
-+    def test_EPN_nbdays_input_4(self):
-+        """decimal input"""
-+
-+        (unused, stderr, rc) = self._check_epn_output(
-+            self.clients[0], to_nbdays=7.3,
-+            raiseonerr=False, validatejson=False
-+        )
-+        logger.info(stderr)
-+        assert rc > 0
-+        assert "error: --to-nbdays must be an integer." in stderr
- 
-     # From here the tests build on one another:
-     #  1) add auth
--- 
-2.26.2
-
-From b4266023e04729db12de2f7e0de4da9e1d00db38 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 7 Aug 2020 19:08:39 +0200
-Subject: [PATCH] ipatests: test_epn: update error messages
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Update error messages in the test.
-
-Fixes: https://pagure.io/freeipa/issue/8449
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipatests/test_integration/test_epn.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index e03521193..af662140a 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -458,7 +458,7 @@ class TestEPN(IntegrationTest):
-             self.clients[0], to_nbdays="abc",
-             raiseonerr=False, validatejson=False
-         )
--        assert "error: --to-nbdays must be an integer." in stderr
-+        assert "error: --to-nbdays must be a positive integer." in stderr
-         assert rc > 0
- 
-     @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
-@@ -483,7 +483,7 @@ class TestEPN(IntegrationTest):
-         )
-         logger.info(stderr)
-         assert rc > 0
--        assert "error: --to-nbdays must be an integer." in stderr
-+        assert "error: --to-nbdays must be a positive integer." in stderr
- 
-     # From here the tests build on one another:
-     #  1) add auth
--- 
-2.26.2
-
-From 2809084a44e3b174fa48a611e79f04358e1d6dca Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 5 Aug 2020 09:05:31 +0200
-Subject: [PATCH] IPA-EPN: enhance input validation
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Enhance input validation:
-* make sure --from-nbdays and --to-nbdays are integer
-* make sure --from-nbdays < --to-nbdays
-
-Fixes: https://pagure.io/freeipa/issue/8444
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipaclient/install/ipa_epn.py          | 28 +++++++++++++++++++++++++--
- ipatests/test_integration/test_epn.py |  3 ---
- 2 files changed, 26 insertions(+), 5 deletions(-)
-
-diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
-index 82d7b3f57..88c926e88 100644
---- a/ipaclient/install/ipa_epn.py
-+++ b/ipaclient/install/ipa_epn.py
-@@ -246,9 +246,33 @@ class EPN(admintool.AdminTool):
- 
-     def validate_options(self):
-         super(EPN, self).validate_options(needs_root=True)
--        if self.options.to_nbdays:
-+        if self.options.to_nbdays is not None:
-+            try:
-+                if int(self.options.to_nbdays) < 0:
-+                    raise RuntimeError('Input is negative.')
-+            except Exception as e:
-+                self.option_parser.error(
-+                    "--to-nbdays must be a positive integer. "
-+                    "{error}".format(error=e)
-+                )
-             self.options.dry_run = True
--        if self.options.from_nbdays and not self.options.to_nbdays:
-+        if self.options.from_nbdays is not None:
-+            try:
-+                if int(self.options.from_nbdays) < 0:
-+                    raise RuntimeError('Input is negative.')
-+            except Exception as e:
-+                self.option_parser.error(
-+                    "--from-nbdays must be a positive integer. "
-+                    "{error}".format(error=e)
-+                )
-+        if self.options.from_nbdays is not None and \
-+                self.options.to_nbdays is not None:
-+            if int(self.options.from_nbdays) >= int(self.options.to_nbdays):
-+                self.option_parser.error(
-+                    "--from-nbdays must be smaller than --to-nbdays."
-+                )
-+        if self.options.from_nbdays is not None and \
-+                self.options.to_nbdays is None:
-             self.option_parser.error(
-                 "You cannot specify --from-nbdays without --to-nbdays"
-             )
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index af662140a..fc26888cb 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -450,7 +450,6 @@ class TestEPN(IntegrationTest):
-             in stderr_text_client
-         assert rc > 0
- 
--    @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
-     def test_EPN_nbdays_input_2(self):
-         """alpha input"""
- 
-@@ -461,7 +460,6 @@ class TestEPN(IntegrationTest):
-         assert "error: --to-nbdays must be a positive integer." in stderr
-         assert rc > 0
- 
--    @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
-     def test_EPN_nbdays_input_3(self):
-         """from_nbdays > to_nbdays"""
- 
-@@ -473,7 +471,6 @@ class TestEPN(IntegrationTest):
-             stderr
-         assert rc > 0
- 
--    @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
-     def test_EPN_nbdays_input_4(self):
-         """decimal input"""
- 
--- 
-2.26.2
-
diff --git a/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch b/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch
deleted file mode 100644
index 3871c56..0000000
--- a/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 3cf7fb1014ae40fd5a5278f27577a8196a4af051 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 7 Aug 2020 07:51:53 +0200
-Subject: [PATCH] ipatests: test_epn: add test_EPN_connection_refused
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add a test for EPN behavior when the configured SMTP does not
-accept connections.
-
-Fixes: https://pagure.io/freeipa/issue/8445
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_integration/test_epn.py | 27 ++++++++++++++++++++++++---
- 1 file changed, 24 insertions(+), 3 deletions(-)
-
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index c5c73835a..1a25d3710 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -182,14 +182,20 @@ class TestEPN(IntegrationTest):
-         self,
-         host,
-         dry_run=False,
-+        mailtest=False,
-         from_nbdays=None,
-         to_nbdays=None,
-         raiseonerr=True,
-         validatejson=True
-     ):
--        result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
--                               from_nbdays=from_nbdays,
--                               to_nbdays=to_nbdays)
-+        result = tasks.ipa_epn(
-+            host,
-+            from_nbdays=from_nbdays,
-+            to_nbdays=to_nbdays,
-+            mailtest=mailtest,
-+            dry_run=dry_run,
-+            raiseonerr=raiseonerr
-+        )
-         if validatejson:
-             json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
-         return (result.stdout_text, result.stderr_text, result.returncode)
-@@ -243,6 +249,21 @@ class TestEPN(IntegrationTest):
-         ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
-         assert cmd2.stdout_text.find(ck) == 0
- 
-+    @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
-+    def test_EPN_connection_refused(self):
-+        """Test EPN behavior when the configured SMTP is down
-+        """
-+
-+        self.master.run_command(["systemctl", "stop", "postfix"])
-+        (unused, stderr_text, rc) = self._check_epn_output(
-+            self.master, mailtest=True,
-+            raiseonerr=False, validatejson=False
-+        )
-+        self.master.run_command(["systemctl", "start", "postfix"])
-+        assert "IPA-EPN: Could not connect to the configured SMTP server" in \
-+            stderr_text
-+        assert rc > 0
-+
-     def test_EPN_smoketest_1(self):
-         """No users except admin. Check --dry-run output.
-            With the default configuration, the result should be an empty list.
--- 
-2.26.2
-
-From 53f330b053740b169d211aa16b3b36fb61157bbd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 7 Aug 2020 06:19:31 +0200
-Subject: [PATCH] IPA-EPN: Fix SMTP connection error handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Enhance error message when SMTP is down.
-
-Fixes: https://pagure.io/freeipa/issue/8445
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaclient/install/ipa_epn.py          | 17 ++++++++++-------
- ipatests/test_integration/test_epn.py |  1 -
- 2 files changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
-index 0d1ae2add..82d7b3f57 100644
---- a/ipaclient/install/ipa_epn.py
-+++ b/ipaclient/install/ipa_epn.py
-@@ -38,6 +38,7 @@ from email.mime.multipart import MIMEMultipart
- from email.mime.text import MIMEText
- from email.header import Header
- from email.utils import make_msgid
-+from socket import error as socketerror
- 
- from ipaplatform.paths import paths
- from ipalib import api, errors
-@@ -640,13 +641,15 @@ class MTAClient:
-                     port=self._smtp_port,
-                     timeout=self._smtp_timeout,
-                 )
--        except smtplib.SMTPException as e:
--            logger.error(
--                "IPA-EPN: Unable to connect to %s:%s: %s",
--                self._smtp_hostname,
--                self._smtp_port,
--                e,
--            )
-+        except (socketerror, smtplib.SMTPException) as e:
-+            msg = \
-+                "IPA-EPN: Could not connect to the configured SMTP server: " \
-+                "{host}:{port}: {error}".format(
-+                    host=self._smtp_hostname,
-+                    port=self._smtp_port,
-+                    error=e
-+                )
-+            raise admintool.ScriptError(msg)
- 
-         try:
-             self._conn.ehlo()
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index 1a25d3710..e03521193 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -249,7 +249,6 @@ class TestEPN(IntegrationTest):
-         ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
-         assert cmd2.stdout_text.find(ck) == 0
- 
--    @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
-     def test_EPN_connection_refused(self):
-         """Test EPN behavior when the configured SMTP is down
-         """
--- 
-2.26.2
-
diff --git a/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch b/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
deleted file mode 100644
index 8f8c1df..0000000
--- a/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 4a97145c3a76a4d9ebf52b3905410a0bd7bec856 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 4 Aug 2020 15:09:56 -0400
-Subject: [PATCH] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
-
-It was previously being set to 0444 which triggered a warning
-in freeipa-healthcheck.
-
-Even root needs DAC_OVERRIDE capability to write to a 0o444 file
-which may not be available in some environments.
-
-https://pagure.io/freeipa/issue/8441
-
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/install/certs.py          | 2 +-
- ipaserver/install/server/install.py | 5 ++---
- 2 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
-index 22ee79bd1..51d9f9221 100644
---- a/ipaserver/install/certs.py
-+++ b/ipaserver/install/certs.py
-@@ -329,7 +329,7 @@ class CertDB:
-         ipautil.backup_file(cacert_fname)
-         root_nicknames = self.find_root_cert(nickname)[:-1]
-         with open(cacert_fname, "w") as f:
--            os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
-+            os.fchmod(f.fileno(), 0o644)
-             for root in root_nicknames:
-                 result = self.run_certutil(["-L", "-n", root, "-a"],
-                                            capture_output=True)
-diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index b53c58e2a..6a593602f 100644
---- a/ipaserver/install/server/install.py
-+++ b/ipaserver/install/server/install.py
-@@ -891,9 +891,8 @@ def install(installer):
- 
-         ca.install_step_0(False, None, options, custodia=custodia)
-     else:
--        # Put the CA cert where other instances expect it
--        x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
--        os.chmod(paths.IPA_CA_CRT, 0o444)
-+        # /etc/ipa/ca.crt is created as a side-effect of
-+        # dsinstance::enable_ssl() via export_ca_cert()
- 
-         if not options.no_pkinit:
-             x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
--- 
-2.26.2
-
-From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 4 Aug 2020 15:12:20 -0400
-Subject: [PATCH] ipatests: Check permissions of /etc/ipa/ca.crt new
- installations
-
-It should be 0644 root:root for both CA-ful and CA-less installs.
-
-https://pagure.io/freeipa/issue/8441
-
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_integration/test_caless.py       |  8 ++++++++
- ipatests/test_integration/test_installation.py | 10 ++++++++++
- 2 files changed, 18 insertions(+)
-
-diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
-index 1ea7d9896..16dfbb320 100644
---- a/ipatests/test_integration/test_caless.py
-+++ b/ipatests/test_integration/test_caless.py
-@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
-                          host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
-             assert cert_from_ldap == expected_cacrt
- 
-+            result = host.run_command(
-+                ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
-+            )
-+            (owner, group, mode) = result.stdout_text.strip().split(':')
-+            assert owner == "root"
-+            assert group == "root"
-+            assert mode == "644"
-+
-             # Verify certmonger was not started
-             result = host.run_command(['getcert', 'list'], raiseonerr=False)
-             assert result.returncode == 0
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 100a5a766..fb1990083 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
-         status = tasks.wait_for_request(self.master, request_id[0], 300)
-         assert status == "MONITORING"
- 
-+    def test_ipa_ca_crt_permissions(self):
-+        """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
-+        result = self.master.run_command(
-+            ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
-+        )
-+        out = str(result.stdout_text.strip())
-+        (owner, group, mode) = out.split(':')
-+        assert mode == "644"
-+        assert owner == "root"
-+        assert group == "root"
- 
- class TestInstallWithCA_KRA1(InstallTestBase1):
- 
--- 
-2.26.2
-
diff --git a/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch b/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
deleted file mode 100644
index 2e1c708..0000000
--- a/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 7 Sep 2020 11:07:21 +0200
-Subject: [PATCH] SELinux Policy: let custodia replicate keys
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Enhance the SELinux policy so that custodia can replicate sub-CA keys
-and certificates:
-allow ipa_custodia_t self:tcp_socket { bind create };
-allow ipa_custodia_t node_t:tcp_socket node_bind;
-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
-allow ipa_custodia_t pki_tomcat_cert_t:file create;
-allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
-allow ipa_custodia_t self:process execmem;
-
-Found by: test_replica_promotion::TestSubCAkeyReplication
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- selinux/ipa.te | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index c4c3fa805..3fa4ba980 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t)
- type ipa_custodia_tmp_t;
- files_tmp_file(ipa_custodia_tmp_t)
- 
-+type pki_tomcat_cert_t;
-+type node_t;
-+
- ########################################
- #
- # ipa_otpd local policy
-@@ -323,10 +326,18 @@ optional_policy(`
- allow ipa_custodia_t self:capability { setgid setuid };
- allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
- allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
-+allow ipa_custodia_t self:process execmem;
- allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
- allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
-+allow ipa_custodia_t self:tcp_socket { bind create };
- allow ipa_custodia_t self:udp_socket create_socket_perms;
- 
-+allow ipa_custodia_t node_t:tcp_socket node_bind;
-+
-+allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
-+allow ipa_custodia_t pki_tomcat_cert_t:file create;
-+allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
-+
- manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
- manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
- logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
--- 
-2.26.2
-
diff --git a/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch b/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
deleted file mode 100644
index a95c32b..0000000
--- a/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-Adapted version of d1c860e59b52. to make it apply without commits
-
-34b4d9bce5 - ipatests: Test ipa user login with wrong password
-ab36d79adc - ipatests: Test for ipa-nis-manage CLI tool.
-
-From d1c860e59b5237178066ed963cc2fa50d99cd690 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 16 Sep 2020 17:07:21 +0200
-Subject: [PATCH] ipatests: check that pkispawn log is not empty
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since commits:
-https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
-https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
-pkispawn will not honor the pki_log_level configuration item.
-All 10.9 Dogtag versions have these commits.
-This affects FreeIPA in that it makes debugging Dogtag installation issues next
-to impossible.
-Adding --debug to the pkispawn CLI is required to revert to the previous
-behavior.
-Therefore check that the log is not empty and contains DEBUG+INFO lines.
-
-Fixes: https://pagure.io/freeipa/issue/8503
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_integration/test_commands.py | 23 ++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index fa6abd81e..3a12bcde2 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -1295,3 +1295,26 @@ class TestIPACommand(IntegrationTest):
-             assert msg2 not in result.stderr_text
-         finally:
-             bashrc_backup.restore()
-+
-+    def test_pkispawn_log_is_present(self):
-+        """
-+        This testcase checks if pkispawn logged properly.
-+        It is a candidate from being moved out of test_commands.
-+        """
-+        result = self.master.run_command(
-+            ["ls", "/var/log/pki/"]
-+        )
-+        pkispawnlogfile = None
-+        for file in result.stdout_text.splitlines():
-+            if file.startswith("pki-ca-spawn"):
-+                pkispawnlogfile = file
-+                break
-+        assert pkispawnlogfile is not None
-+        pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
-+        pkispawnlog = self.master.get_file_contents(
-+            pkispawnlogfile, encoding='utf-8'
-+        )
-+        # Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
-+        assert len(pkispawnlog) > 1024
-+        assert "DEBUG" in pkispawnlog
-+        assert "INFO" in pkispawnlog
--- 
-2.26.2
-
-From 97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 17 Sep 2020 07:31:59 +0200
-Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since commits:
-https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
-https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
-pkispawn will not honor the pki_log_level configuration item.
-All 10.9 Dogtag versions have these commits.
-This affects FreeIPA in that it makes debugging Dogtag installation issues next
-to impossible.
-Adding --debug to the pkispawn CLI is required to revert to the previous
-behavior.
-
-Fixes: https://pagure.io/freeipa/issue/8503
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/install/dogtaginstance.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
-index 524262ad7..03fdd7c0b 100644
---- a/ipaserver/install/dogtaginstance.py
-+++ b/ipaserver/install/dogtaginstance.py
-@@ -183,7 +183,8 @@ class DogtagInstance(service.Service):
-         subsystem = self.subsystem
-         args = [paths.PKISPAWN,
-                 "-s", subsystem,
--                "-f", cfg_file]
-+                "-f", cfg_file,
-+                "--debug"]
- 
-         with open(cfg_file) as f:
-             logger.debug(
--- 
-2.26.2
-
diff --git a/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch b/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
deleted file mode 100644
index d271d98..0000000
--- a/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
+++ /dev/null
@@ -1,549 +0,0 @@
-From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 17 Sep 2020 11:30:45 +0200
-Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-enhance the test suite so that it covers:
-- deleting subCAs (disabling them first)
-- checking what happens when creating a dozen+ subCAs at a time
-- adding a subCA that already exists and expect failure
-
-Related: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- .../test_replica_promotion.py                 | 52 +++++++++++++++++--
- 1 file changed, 47 insertions(+), 5 deletions(-)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index 82117054f..f0b72e1f8 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
-         SERVER_CERT_NICK: 'u,u,u',
-     }
- 
--    def add_subca(self, host, name, subject):
-+    def add_subca(self, host, name, subject, raiseonerr=True):
-         result = host.run_command([
-             'ipa', 'ca-add', name,
-             '--subject', subject,
--            '--desc', self.SUBCA_DESC,
-+            '--desc', self.SUBCA_DESC],
-+            raiseonerr=raiseonerr
-+        )
-+        if raiseonerr:
-+            assert "ipa: ERROR:" not in result.stderr_text
-+            auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
-+            return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
-+        else:
-+            assert "ipa: ERROR:" in result.stderr_text
-+            assert result.returncode != 0
-+            return result
-+
-+    def del_subca(self, host, name):
-+        host.run_command([
-+            'ipa', 'ca-disable', name
-         ])
--        auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
--        return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
-+        result = host.run_command([
-+            'ipa', 'ca-del', name
-+        ])
-+        assert "Deleted CA \"{}\"".format(name) in result.stdout_text
- 
-     def check_subca(self, host, name, cert_nick):
--        host.run_command(['ipa', 'ca-show', name])
-+        result = host.run_command(['ipa', 'ca-show', name])
-+        # ipa ca-show returns 0 even if the cert cannot be found locally.
-+        assert "ipa: ERROR:" not in result.stderr_text
-         tasks.run_certutil(
-             host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
-         )
-@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
-         ssl = replica.run_command(ssl_cmd)
-         assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
- 
-+    def test_del_subca_master_on_replica(self):
-+        self.del_subca(self.replicas[0], self.SUBCA_MASTER)
-+
-+    def test_del_subca_replica(self):
-+        self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
-+
-+    def test_scale_add_subca(self):
-+        master = self.master
-+        replica = self.replicas[0]
-+
-+        subcas = {}
-+        for i in range(0, 16):
-+            name = "_".join((self.SUBCA_MASTER, str(i)))
-+            cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
-+            subcas[name] = self.add_subca(master, name, cn)
-+            self.add_subca(master, name, cn, raiseonerr=False)
-+
-+        # give replication some time
-+        time.sleep(15)
-+
-+        for name in subcas:
-+            self.check_subca(replica, name, subcas[name])
-+            self.del_subca(replica, name)
-+
- 
- class TestReplicaInstallCustodia(IntegrationTest):
-     """
--- 
-2.26.2
-
-From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 18 Sep 2020 11:55:37 +0200
-Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add proper labeling, transition and policy for ipa-pki-retrieve-key.
-Make sure tomcat_t can execute ipa-pki-retrieve-key.
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.fc |  1 +
- selinux/ipa.te | 28 ++++++++++++++++++++++++++++
- 2 files changed, 29 insertions(+)
-
-diff --git a/selinux/ipa.fc b/selinux/ipa.fc
-index a98cc4665..1176f383c 100644
---- a/selinux/ipa.fc
-+++ b/selinux/ipa.fc
-@@ -30,5 +30,6 @@
- /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat		--	gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
- /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped	--	gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
- /usr/libexec/ipa/custodia/ipa-custodia-ra-agent		--	gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
-+/usr/libexec/ipa/ipa-pki-retrieve-key				--	gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
- 
- /var/log/ipa-custodia.audit.log(/.*)?				--	gen_context(system_u:object_r:ipa_custodia_log_t,s0)
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 3fa4ba980..26daed293 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
- type pki_tomcat_cert_t;
- type node_t;
- 
-+type ipa_pki_retrieve_key_exec_t;
-+init_script_file(ipa_pki_retrieve_key_exec_t)
-+
- ########################################
- #
- # ipa_otpd local policy
-@@ -412,3 +415,28 @@ optional_policy(`
- optional_policy(`
-        systemd_private_tmp(ipa_custodia_tmp_t)
- ')
-+
-+optional_policy(`
-+    gen_require(`
-+        type tomcat_t;
-+    ')
-+    can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
-+    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+        type devlog_t;
-+    ')
-+
-+    dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
-+')
-+
-+optional_policy(`
-+    java_exec(ipa_custodia_pki_tomcat_exec_t)
-+    # allow Java to read system status and RNG
-+    dev_read_urand(ipa_custodia_t)
-+    dev_read_rand(ipa_custodia_t)
-+    kernel_read_network_state(ipa_custodia_t)
-+    dev_read_sysfs(ipa_custodia_t)
-+')
--- 
-2.26.2
-
-From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 18 Sep 2020 17:45:39 +0200
-Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is used by the JVM perf counters.
-
-Related: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 26daed293..0a9ccaf83 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
- 
- manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
- manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
-+mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
- files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
- 
- kernel_dgram_send(ipa_custodia_t)
--- 
-2.26.2
-
-From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 21 Sep 2020 11:32:52 +0200
-Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t =>
- ipa_pki_retrieve_key_t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
-ipa_pki_retrieve_key_exec_t.
-As suggested by Ondrej Mosnáček.
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 0a9ccaf83..92a3b2359 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -78,6 +78,8 @@ type node_t;
- type ipa_pki_retrieve_key_exec_t;
- init_script_file(ipa_pki_retrieve_key_exec_t)
- 
-+type ipa_pki_retrieve_key_t;
-+
- ########################################
- #
- # ipa_otpd local policy
-@@ -422,7 +424,7 @@ optional_policy(`
-         type tomcat_t;
-     ')
-     can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
--    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
-+    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
- ')
- 
- optional_policy(`
--- 
-2.26.2
-
-From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 21 Sep 2020 11:37:12 +0200
-Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t =>
- ipa_custodia_pki_tomcat_t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
-ipa_custodia_pki_tomcat_t.
-As suggested by Ondrej Mosnáček.
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 92a3b2359..b2c618a53 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t)
- type ipa_custodia_pki_tomcat_exec_t;
- init_script_file(ipa_custodia_pki_tomcat_exec_t)
- 
-+type ipa_custodia_pki_tomcat_t;
-+
- type ipa_custodia_ra_agent_exec_t;
- init_script_file(ipa_custodia_ra_agent_exec_t)
- 
-@@ -436,7 +438,7 @@ optional_policy(`
- ')
- 
- optional_policy(`
--    java_exec(ipa_custodia_pki_tomcat_exec_t)
-+    java_exec(ipa_custodia_pki_tomcat_t)
-     # allow Java to read system status and RNG
-     dev_read_urand(ipa_custodia_t)
-     dev_read_rand(ipa_custodia_t)
--- 
-2.26.2
-
-From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Sep 2020 11:36:13 +0200
-Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as
- domain_type
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index b2c618a53..42b010133 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -78,6 +78,7 @@ type pki_tomcat_cert_t;
- type node_t;
- 
- type ipa_pki_retrieve_key_exec_t;
-+domain_type(ipa_pki_retrieve_key_exec_t)
- init_script_file(ipa_pki_retrieve_key_exec_t)
- 
- type ipa_pki_retrieve_key_t;
--- 
-2.26.2
-
-From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Sep 2020 13:12:05 +0200
-Subject: [PATCH] SELinux Policy: make interfaces for kernel modules
- non-optional
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Interfaces for kernel modules do not need to be in an optional module.
-Also make sure ipa_custodia_t can log.
-Suggested by Lukas Vrabec.
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 42b010133..f984a0f94 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
- type node_t;
- 
- type ipa_pki_retrieve_key_exec_t;
--domain_type(ipa_pki_retrieve_key_exec_t)
--init_script_file(ipa_pki_retrieve_key_exec_t)
--
- type ipa_pki_retrieve_key_t;
-+domain_type(ipa_pki_retrieve_key_t)
-+init_script_file(ipa_pki_retrieve_key_exec_t)
- 
- ########################################
- #
-@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
- files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
- 
- kernel_dgram_send(ipa_custodia_t)
-+kernel_read_network_state(ipa_custodia_t)
- 
- auth_read_passwd(ipa_custodia_t)
- 
-@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
- corecmd_exec_bin(ipa_custodia_t)
- corecmd_mmap_bin_files(ipa_custodia_t)
- 
-+dev_read_urand(ipa_custodia_t)
-+dev_read_rand(ipa_custodia_t)
-+dev_read_sysfs(ipa_custodia_t)
-+
- domain_use_interactive_fds(ipa_custodia_t)
- 
- files_mmap_usr_files(ipa_custodia_t)
-@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
- libs_exec_ldconfig(ipa_custodia_t)
- libs_ldconfig_exec_entry_type(ipa_custodia_t)
- 
-+logging_send_syslog_msg(ipa_custodia_t)
-+
- miscfiles_read_generic_certs(ipa_custodia_t)
- miscfiles_read_localization(ipa_custodia_t)
- 
-@@ -441,8 +447,4 @@ optional_policy(`
- optional_policy(`
-     java_exec(ipa_custodia_pki_tomcat_t)
-     # allow Java to read system status and RNG
--    dev_read_urand(ipa_custodia_t)
--    dev_read_rand(ipa_custodia_t)
--    kernel_read_network_state(ipa_custodia_t)
--    dev_read_sysfs(ipa_custodia_t)
- ')
--- 
-2.26.2
-
-From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Sep 2020 13:34:40 +0200
-Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is required to fix:
-avc: denied  { search } for  pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
-
-Macros suggested by: Ondrej Mosnacek
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index f984a0f94..fa577191c 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -448,3 +448,11 @@ optional_policy(`
-     java_exec(ipa_custodia_pki_tomcat_t)
-     # allow Java to read system status and RNG
- ')
-+
-+optional_policy(`
-+    gen_require(`
-+        type tomcat_t;
-+    ')
-+    kerberos_read_config(tomcat_t)
-+    kerberos_read_keytab(tomcat_t)
-+')
--- 
-2.26.2
-
diff --git a/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch b/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
deleted file mode 100644
index 6ec25a7..0000000
--- a/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 23 Sep 2020 09:17:53 +0200
-Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-node_t and pki_tomcat_cert_t are defined in other modules.
-Do not double-define them.
-
-Fixes: https://pagure.io/freeipa/issue/8513
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.te | 25 ++++++++++++++++---------
- 1 file changed, 16 insertions(+), 9 deletions(-)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index fa577191c..d80e64a0b 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
- type ipa_custodia_tmp_t;
- files_tmp_file(ipa_custodia_tmp_t)
- 
--type pki_tomcat_cert_t;
--type node_t;
--
- type ipa_pki_retrieve_key_exec_t;
- type ipa_pki_retrieve_key_t;
- domain_type(ipa_pki_retrieve_key_t)
-@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
- allow ipa_custodia_t self:tcp_socket { bind create };
- allow ipa_custodia_t self:udp_socket create_socket_perms;
- 
--allow ipa_custodia_t node_t:tcp_socket node_bind;
--
--allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
--allow ipa_custodia_t pki_tomcat_cert_t:file create;
--allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
--
- manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
- manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
- logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
-@@ -456,3 +447,19 @@ optional_policy(`
-     kerberos_read_config(tomcat_t)
-     kerberos_read_keytab(tomcat_t)
- ')
-+
-+optional_policy(`
-+    gen_require(`
-+        type node_t;
-+    ')
-+    allow ipa_custodia_t node_t:tcp_socket node_bind;
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+        type pki_tomcat_cert_t;
-+    ')
-+    allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
-+    allow ipa_custodia_t pki_tomcat_cert_t:file create;
-+    allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
-+')
--- 
-2.26.2
-
diff --git a/SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch b/SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch
deleted file mode 100644
index 8fe58a4..0000000
--- a/SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-Adapted patch for ipatests/test_integration/test_installation.py due to
-missing commit 930f4b3d1dc03f9e365b007b027d65e146a08f05 (Prevent local account
-takeover).
-
-From 87e5c0500b76b7cbeecedc0c28d44095c7063186 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Thu, 24 Sep 2020 12:32:37 +0200
-Subject: [PATCH] Fix nsslapd-db-lock tuning of BDB backend
-
-nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
-entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
-working. Installations with 389-DS 1.4.3 and newer are affected.
-
-Low lock count can affect performance during high load, e.g. mass-import
-of users or lots of concurrent connections.
-
-Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.
-
-Fixes: https://pagure.io/freeipa/issue/8515
-See: https://pagure.io/freeipa/issue/5914
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Francois Cami <fcami@redhat.com>
-Reviewed-By: Francois Cami <fcami@redhat.com>
----
- freeipa.spec.in                               | 17 ++++++-----------
- install/share/Makefile.am                     |  1 +
- install/share/ldbm-tuning.ldif                |  4 ++++
- install/updates/10-db-locks.update            | 10 ++++++++++
- install/updates/Makefile.am                   |  1 +
- ipapython/ipaldap.py                          |  1 +
- ipaserver/install/dsinstance.py               |  9 ++++-----
- .../test_customized_ds_config_install.py      |  3 ++-
- .../test_integration/test_installation.py     | 19 +++++++++++++++++++
- 9 files changed, 48 insertions(+), 17 deletions(-)
- create mode 100644 install/share/ldbm-tuning.ldif
- create mode 100644 install/updates/10-db-locks.update
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 1db7d6457..8e6736b60 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -55,10 +55,9 @@
- %global selinux_policy_version 3.14.3-21
- %global slapi_nis_version 0.56.1-4
- %global python_ldap_version 3.1.0-1
--# python3-lib389
--# Fix for "Installation fails: Replica Busy"
--# https://pagure.io/389-ds-base/issue/49818
--%global ds_version 1.4.0.16
-+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
-+# https://pagure.io/freeipa/issue/8515
-+%global ds_version 1.4.3
- # Fix for TLS 1.3 PHA, RHBZ#1775158
- %global httpd_version 2.4.37-21
- 
-@@ -89,13 +88,9 @@
- 
- # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
- %global python_ldap_version 3.1.0-1
--# Fix for create suffix
--# https://pagure.io/389-ds-base/issue/49984
--%if 0%{?fedora} >= 30
--%global ds_version 1.4.1.1
--%else
--%global ds_version 1.4.0.21
--%endif
-+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
-+# https://pagure.io/freeipa/issue/8515
-+%global ds_version 1.4.3
- 
- # Fix for TLS 1.3 PHA, RHBZ#1775146
- %if 0%{?fedora} >= 31
-diff --git a/install/share/Makefile.am b/install/share/Makefile.am
-index 53bd8f5d5..53485edfa 100644
---- a/install/share/Makefile.am
-+++ b/install/share/Makefile.am
-@@ -102,6 +102,7 @@ dist_app_DATA =				\
- 	ipaca_default.ini		\
- 	ipaca_customize.ini		\
- 	ipaca_softhsm2.ini		\
-+	ldbm-tuning.ldif		\
- 	$(NULL)
- 
- kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
-diff --git a/install/share/ldbm-tuning.ldif b/install/share/ldbm-tuning.ldif
-new file mode 100644
-index 000000000..765ccb01a
---- /dev/null
-+++ b/install/share/ldbm-tuning.ldif
-@@ -0,0 +1,4 @@
-+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
-+changetype: modify
-+replace: nsslapd-db-locks
-+nsslapd-db-locks: 50000
-diff --git a/install/updates/10-db-locks.update b/install/updates/10-db-locks.update
-new file mode 100644
-index 000000000..31d2e4352
---- /dev/null
-+++ b/install/updates/10-db-locks.update
-@@ -0,0 +1,10 @@
-+# Fix nsslapd-db-locks move
-+# https://pagure.io/freeipa/issue/8515
-+
-+# replace 389-DS default with 50000 locks
-+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
-+replace: nsslapd-db-locks:10000::50000
-+
-+# remove setting from old location
-+dn: cn=config,cn=ldbm database,cn=plugins,cn=config
-+remove: nsslapd-db-locks: 50000
-diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
-index 8a4d9cc6c..957ad4fa2 100644
---- a/install/updates/Makefile.am
-+++ b/install/updates/Makefile.am
-@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
- app_DATA =				\
- 	05-pre_upgrade_plugins.update	\
- 	10-config.update		\
-+	10-db-locks.update		\
- 	10-enable-betxn.update		\
- 	10-ipapwd.update		\
- 	10-selinuxusermap.update	\
-diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
-index 3eac95a87..5c43413cc 100644
---- a/ipapython/ipaldap.py
-+++ b/ipapython/ipaldap.py
-@@ -753,6 +753,7 @@ class LDAPClient:
-         'nsslapd-anonlimitsdn': True,
-         'nsslapd-minssf-exclude-rootdse': True,
-         'nsslapd-enable-upgrade-hash': True,
-+        'nsslapd-db-locks': True,
-     })
- 
-     time_limit = -1.0   # unlimited
-diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
-index 3fc0de371..065c6f78f 100644
---- a/ipaserver/install/dsinstance.py
-+++ b/ipaserver/install/dsinstance.py
-@@ -226,6 +226,7 @@ class DsInstance(service.Service):
- 
-         self.step("creating directory server instance", self.__create_instance)
-         self.step("configure autobind for root", self.__root_autobind)
-+        self.step("tune ldbm plugin", self.__tune_ldbm)
-         self.step("stopping directory server", self.__stop_instance)
-         self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
-         self.step("starting directory server", self.__start_instance)
-@@ -592,6 +593,9 @@ class DsInstance(service.Service):
-         # Done!
-         logger.debug("completed creating DS instance")
- 
-+    def __tune_ldbm(self):
-+        self._ldap_mod("ldbm-tuning.ldif")
-+
-     def __update_dse_ldif(self):
-         """
-         This method updates dse.ldif right after instance creation. This is
-@@ -610,11 +614,6 @@ class DsInstance(service.Service):
-             temp_filename = new_dse_ldif.name
-             with open(dse_filename, "r") as input_file:
-                 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
--                parser.replace_value(
--                        'cn=config,cn=ldbm database,cn=plugins,cn=config',
--                        'nsslapd-db-locks',
--                        [b'50000']
--                        )
-                 if self.config_ldif:
-                     # parse modifications from ldif file supplied by the admin
-                     with open(self.config_ldif, "r") as config_ldif:
-diff --git a/ipatests/test_integration/test_customized_ds_config_install.py b/ipatests/test_integration/test_customized_ds_config_install.py
-index a2fcc7dd2..95195a014 100644
---- a/ipatests/test_integration/test_customized_ds_config_install.py
-+++ b/ipatests/test_integration/test_customized_ds_config_install.py
-@@ -4,7 +4,8 @@ from ipatests.pytest_ipa.integration import tasks
- 
- DIRSRV_CONFIG_MODS = """
- # https://fedorahosted.org/freeipa/ticket/4949
--dn: cn=config,cn=ldbm database,cn=plugins,cn=config
-+# https://pagure.io/freeipa/issue/8515
-+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
- changetype: modify
- replace: nsslapd-db-locks
- nsslapd-db-locks: 100000
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index c939c6450..ec826edb7 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -972,6 +972,25 @@ class TestInstallMaster(IntegrationTest):
-         )
-         assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
- 
-+    def test_ldbm_tuning(self):
-+        # check db-locks in new cn=bdb subentry (1.4.3+)
-+        result = tasks.ldapsearch_dm(
-+            self.master,
-+            "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config",
-+            ["nsslapd-db-locks"],
-+            scope="base"
-+        )
-+        assert "nsslapd-db-locks: 50000" in result.stdout_text
-+
-+        # no db-locks configuration in old global entry
-+        result = tasks.ldapsearch_dm(
-+            self.master,
-+            "cn=config,cn=ldbm database,cn=plugins,cn=config",
-+            ["nsslapd-db-locks"],
-+            scope="base"
-+        )
-+        assert "nsslapd-db-locks" not in result.stdout_text
-+
- 
- class TestInstallMasterKRA(IntegrationTest):
- 
--- 
-2.26.2
-
diff --git a/SOURCES/0022-rpcserver-fallback-to-non-armored-kinit-in-case-of-trusted-domains_rhbz#1914821.patch b/SOURCES/0022-rpcserver-fallback-to-non-armored-kinit-in-case-of-trusted-domains_rhbz#1914821.patch
deleted file mode 100644
index e382b47..0000000
--- a/SOURCES/0022-rpcserver-fallback-to-non-armored-kinit-in-case-of-trusted-domains_rhbz#1914821.patch
+++ /dev/null
@@ -1,236 +0,0 @@
-From 1441b999d3fe9b4e59fe942294d13480ecee7d94 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 28 Oct 2020 17:46:56 +0200
-Subject: [PATCH] rpcserver: fallback to non-armored kinit in case of trusted
- domains
-
-MIT Kerberos implements FAST negotiation as specified in RFC 6806
-section 11. The implementation relies on the caller to provide a hint
-whether FAST armoring must be used.
-
-FAST armor can only be used when both client and KDC have a shared
-secret. When KDC is from a trusted domain, there is no way to have a
-shared secret between a generic Kerberos client and that KDC.
-
-[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
-allows KILE clients (Kerberos clients) to have local settings that
-direct it to enforce use of FAST. This is equal to the current
-implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
-if armor cache (option '-T') is provided.
-
-[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
-different realm to use compound identity TGS-REQ to create FAST TGS-REQ
-explicitly armored with the computer's TGT. However, this method is not
-available to IPA framework as we don't have access to the IPA server's
-host key. In addition, 'kinit' utility does not support this method.
-
-Active Directory has a policy to force use of FAST when client
-advertizes its use. Since we cannot know in advance whether a principal
-to obtain initial credentials for belongs to our realm or to a trusted
-one due to enterprise principal canonicalization, we have to try to
-kinit. Right now we fail unconditionally if FAST couldn't be used and
-libkrb5 communication with a KDC from the user realm (e.g. from a
-trusted forest) causes enforcement of a FAST.
-
-In the latter case, as we cannot use FAST anyway, try to kinit again
-without advertizing FAST. This works even in the situations when FAST
-enforcement is enabled on Active Directory side: if client doesn't
-advertize FAST capability, it is not required. Additionally, FAST cannot
-be used for any practical need for a trusted domain's users yet.
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipalib/errors.py                        |  6 ++
- ipaserver/rpcserver.py                  | 94 ++++++++++++++++---------
- ipatests/test_integration/test_trust.py | 21 ++++++
- 3 files changed, 86 insertions(+), 35 deletions(-)
-
-diff --git a/ipalib/errors.py b/ipalib/errors.py
-index 1b17ca7ed..fa51e15c0 100644
---- a/ipalib/errors.py
-+++ b/ipalib/errors.py
-@@ -245,6 +245,12 @@ class PluginModuleError(PrivateError):
-     format = '%(name)s is not a valid plugin module'
- 
- 
-+class KrbPrincipalWrongFAST(PrivateError):
-+    """
-+    Raised when it is not possible to use our FAST armor for kinit
-+    """
-+    format = '%(principal)s cannot use Anonymous PKINIT as a FAST armor'
-+
- ##############################################################################
- # Public errors:
- 
-diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
-index 181295471..ed775170e 100644
---- a/ipaserver/rpcserver.py
-+++ b/ipaserver/rpcserver.py
-@@ -46,9 +46,11 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
- from ipalib.frontend import Local
- from ipalib.install.kinit import kinit_armor, kinit_password
- from ipalib.backend import Executioner
--from ipalib.errors import (PublicError, InternalError, JSONError,
-+from ipalib.errors import (
-+    PublicError, InternalError, JSONError,
-     CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
--    ExecutionError, PasswordExpired, KrbPrincipalExpired, UserLocked)
-+    ExecutionError, PasswordExpired, KrbPrincipalExpired, KrbPrincipalWrongFAST,
-+    UserLocked)
- from ipalib.request import context, destroy_context
- from ipalib.rpc import (xml_dumps, xml_loads,
-     json_encode_binary, json_decode_binary)
-@@ -957,6 +959,34 @@ class login_password(Backend, KerberosSession):
-         self.api.Backend.wsgi_dispatch.mount(self, self.key)
- 
-     def __call__(self, environ, start_response):
-+        def attempt_kinit(user_principal, password,
-+                          ipa_ccache_name, use_armor=True):
-+            try:
-+                # try to remove in case an old file was there
-+                os.unlink(ipa_ccache_name)
-+            except OSError:
-+                pass
-+            try:
-+                self.kinit(user_principal, password,
-+                           ipa_ccache_name, use_armor=use_armor)
-+            except PasswordExpired as e:
-+                return self.unauthorized(environ, start_response,
-+                                         str(e), 'password-expired')
-+            except InvalidSessionPassword as e:
-+                return self.unauthorized(environ, start_response,
-+                                         str(e), 'invalid-password')
-+            except KrbPrincipalExpired as e:
-+                return self.unauthorized(environ,
-+                                         start_response,
-+                                         str(e),
-+                                         'krbprincipal-expired')
-+            except UserLocked as e:
-+                return self.unauthorized(environ,
-+                                         start_response,
-+                                         str(e),
-+                                         'user-locked')
-+            return None
-+
-         logger.debug('WSGI login_password.__call__:')
- 
-         # Get the user and password parameters from the request
-@@ -1007,26 +1037,14 @@ class login_password(Backend, KerberosSession):
-         ipa_ccache_name = os.path.join(paths.IPA_CCACHES,
-                                        'kinit_{}'.format(os.getpid()))
-         try:
--            # try to remove in case an old file was there
--            os.unlink(ipa_ccache_name)
--        except OSError:
--            pass
--        try:
--            self.kinit(user_principal, password, ipa_ccache_name)
--        except PasswordExpired as e:
--            return self.unauthorized(environ, start_response, str(e), 'password-expired')
--        except InvalidSessionPassword as e:
--            return self.unauthorized(environ, start_response, str(e), 'invalid-password')
--        except KrbPrincipalExpired as e:
--            return self.unauthorized(environ,
--                                     start_response,
--                                     str(e),
--                                     'krbprincipal-expired')
--        except UserLocked as e:
--            return self.unauthorized(environ,
--                                     start_response,
--                                     str(e),
--                                     'user-locked')
-+            result = attempt_kinit(user_principal, password,
-+                                   ipa_ccache_name, use_armor=True)
-+        except KrbPrincipalWrongFAST:
-+            result = attempt_kinit(user_principal, password,
-+                                   ipa_ccache_name, use_armor=False)
-+
-+        if result is not None:
-+            return result
- 
-         result = self.finalize_kerberos_acquisition('login_password',
-                                                     ipa_ccache_name, environ,
-@@ -1038,21 +1056,24 @@ class login_password(Backend, KerberosSession):
-             pass
-         return result
- 
--    def kinit(self, principal, password, ccache_name):
--        # get anonymous ccache as an armor for FAST to enable OTP auth
--        armor_path = os.path.join(paths.IPA_CCACHES,
--                                  "armor_{}".format(os.getpid()))
-+    def kinit(self, principal, password, ccache_name, use_armor=True):
-+        if use_armor:
-+            # get anonymous ccache as an armor for FAST to enable OTP auth
-+            armor_path = os.path.join(paths.IPA_CCACHES,
-+                                      "armor_{}".format(os.getpid()))
- 
--        logger.debug('Obtaining armor in ccache %s', armor_path)
-+            logger.debug('Obtaining armor in ccache %s', armor_path)
- 
--        try:
--            kinit_armor(
--                armor_path,
--                pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
--            )
--        except RuntimeError as e:
--            logger.error("Failed to obtain armor cache")
--            # We try to continue w/o armor, 2FA will be impacted
-+            try:
-+                kinit_armor(
-+                    armor_path,
-+                    pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
-+                )
-+            except RuntimeError as e:
-+                logger.error("Failed to obtain armor cache")
-+                # We try to continue w/o armor, 2FA will be impacted
-+                armor_path = None
-+        else:
-             armor_path = None
- 
-         try:
-@@ -1080,6 +1101,9 @@ class login_password(Backend, KerberosSession):
-                   'while getting initial credentials') in str(e):
-                 raise UserLocked(principal=principal,
-                                  message=unicode(e))
-+            elif ('kinit: Error constructing AP-REQ armor: '
-+                  'Matching credential not found') in str(e):
-+                raise KrbPrincipalWrongFAST(principal=principal)
-             raise InvalidSessionPassword(principal=principal,
-                                          message=unicode(e))
- 
-diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
-index a6a055c2a..bec918a31 100644
---- a/ipatests/test_integration/test_trust.py
-+++ b/ipatests/test_integration/test_trust.py
-@@ -175,6 +175,27 @@ class TestTrust(BaseTestTrust):
-         tasks.kdestroy_all(self.master)
-         tasks.kinit_admin(self.master)
- 
-+    def test_password_login_as_aduser(self):
-+        """Test if AD user can login with password to Web UI"""
-+        ad_admin = 'Administrator@%s' % self.ad_domain
-+
-+        tasks.kdestroy_all(self.master)
-+        user_and_password = ('user=%s&password=%s' %
-+                             (ad_admin, self.master.config.ad_admin_password))
-+        host = self.master.hostname
-+        cmd_args = [
-+            paths.BIN_CURL,
-+            '-v',
-+            '-H', 'referer:https://{}/ipa'.format(host),
-+            '-H', 'Content-Type:application/x-www-form-urlencoded',
-+            '-H', 'Accept:text/plain',
-+            '--cacert', paths.IPA_CA_CRT,
-+            '--data', user_and_password,
-+            'https://{}/ipa/session/login_password'.format(host)]
-+        result = self.master.run_command(cmd_args)
-+        assert "Set-Cookie: ipa_session=MagBearerToken" in result.stdout_text
-+        tasks.kinit_admin(self.master)
-+
-     def test_ipauser_authentication_with_nonposix_trust(self):
-         ipauser = u'tuser'
-         original_passwd = 'Secret123'
--- 
-2.29.2
-
diff --git a/SOURCES/0023-pylint-remove-unused-variable_rhbz#1914821.patch b/SOURCES/0023-pylint-remove-unused-variable_rhbz#1914821.patch
deleted file mode 100644
index 91596b6..0000000
--- a/SOURCES/0023-pylint-remove-unused-variable_rhbz#1914821.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 12de9ee69f12f7c0021ea98e9c1163db7d59e5d3 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 28 Oct 2020 19:37:11 +0200
-Subject: [PATCH] pylint: remove unused variable
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/rpcserver.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
-index 27850e867..181295471 100644
---- a/ipaserver/rpcserver.py
-+++ b/ipaserver/rpcserver.py
-@@ -972,7 +972,7 @@ class login_password(Backend, KerberosSession):
- 
-         try:
-             query_dict = parse_qs(query_string)
--        except Exception as e:
-+        except Exception:
-             return self.bad_request(environ, start_response, "cannot parse query data")
- 
-         user = query_dict.get('user', None)
--- 
-2.29.2
-
diff --git a/SOURCES/0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910.patch b/SOURCES/0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910.patch
deleted file mode 100644
index 432aa61..0000000
--- a/SOURCES/0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 29262465edf034d521c165e3854e28835d86b98d Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 6 Nov 2020 09:53:35 +0200
-Subject: [PATCH] wgi/plugins.py: ignore empty plugin directories
-
-Dynamic plugin registry returns as a plugin any folder within the
-plugins directory. Web UI then attempts to load for each plugin 'foo' a
-JavaScript file named 'foo/foo.js'. The problem is that if 'foo/foo.js'
-does not exist, Web UI breaks and it is impossible to recover until the
-empty folder is removed or 'foo/foo.js' (even empty) is created at the
-server side.
-
-Check that 'foo/foo.js' actual exists when including a plugin into the
-registry.
-
-Test the registry generator by creating fake plugins and removing them
-during the test.
-
-Fixes: https://pagure.io/freeipa/issue/8567
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- install/wsgi/plugins.py                   |  5 +-
- ipatests/test_ipaserver/test_jsplugins.py | 68 +++++++++++++++++++++++
- 2 files changed, 72 insertions(+), 1 deletion(-)
- create mode 100644 ipatests/test_ipaserver/test_jsplugins.py
-
-diff --git a/install/wsgi/plugins.py b/install/wsgi/plugins.py
-index f80cfb9fe..4c43e7f87 100644
---- a/install/wsgi/plugins.py
-+++ b/install/wsgi/plugins.py
-@@ -36,7 +36,10 @@ def get_plugin_index():
- 
-     dirs = os.listdir(paths.IPA_JS_PLUGINS_DIR)
-     index = 'define([],function(){return['
--    index += ','.join("'"+x+"'" for x in dirs)
-+    for x in dirs:
-+        p = os.path.join(paths.IPA_JS_PLUGINS_DIR, x, x + '.js')
-+        if os.path.exists(p):
-+            index += "'" + x + "',"
-     index += '];});'
-     return index.encode('utf-8')
- 
-diff --git a/ipatests/test_ipaserver/test_jsplugins.py b/ipatests/test_ipaserver/test_jsplugins.py
-new file mode 100644
-index 000000000..354e6992c
---- /dev/null
-+++ b/ipatests/test_ipaserver/test_jsplugins.py
-@@ -0,0 +1,68 @@
-+# Copyright (C) 2020  FreeIPA Contributors see COPYING for license
-+
-+import os
-+import pytest
-+
-+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
-+from ipatests.util import assert_equal, assert_not_equal
-+from ipaplatform.paths import paths
-+
-+
-+@pytest.mark.tier1
-+class test_jsplugins(Unauthorized_HTTP_test):
-+    app_uri = '/ipa/ui/js/freeipa/plugins.js'
-+    jsplugins = (('foo', 'foo.js'), ('bar', ''))
-+    content_type = 'application/javascript'
-+
-+    def test_jsplugins(self):
-+        empty_response = "define([],function(){return[];});"
-+
-+        # Step 1: make sure default response has no additional plugins
-+        response = self.send_request(method='GET')
-+        assert_equal(response.status, 200)
-+        response_data = response.read().decode(encoding='utf-8')
-+        assert_equal(response_data, empty_response)
-+
-+        # Step 2: add fake plugins
-+        try:
-+            for (d, f) in self.jsplugins:
-+                dir = os.path.join(paths.IPA_JS_PLUGINS_DIR, d)
-+                if not os.path.exists(dir):
-+                    os.mkdir(dir, 0o755)
-+                if f:
-+                    with open(os.path.join(dir, f), 'w') as js:
-+                        js.write("/* test js plugin */")
-+
-+        except OSError as e:
-+            pytest.skip(
-+                'Cannot set up test JS plugin: %s' % e
-+            )
-+
-+        # Step 3: query plugins to see if our plugins exist
-+        response = self.send_request(method='GET')
-+        assert_equal(response.status, 200)
-+        response_data = response.read().decode(encoding='utf-8')
-+        assert_not_equal(response_data, empty_response)
-+        for (d, f) in self.jsplugins:
-+            if f:
-+                assert "'" + d + "'" in response_data
-+            else:
-+                assert "'" + d + "'" not in response_data
-+
-+        # Step 4: remove fake plugins
-+        try:
-+            for (d, f) in self.jsplugins:
-+                dir = os.path.join(paths.IPA_JS_PLUGINS_DIR, d)
-+                file = os.path.join(dir, f)
-+                if f and os.path.exists(file):
-+                    os.unlink(file)
-+                if os.path.exists(dir):
-+                    os.rmdir(dir)
-+        except OSError:
-+            pass
-+
-+        # Step 5: make sure default response has no additional plugins
-+        response = self.send_request(method='GET')
-+        assert_equal(response.status, 200)
-+        response_data = response.read().decode(encoding='utf-8')
-+        assert_equal(response_data, empty_response)
--- 
-2.29.2
-
diff --git a/SOURCES/0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch b/SOURCES/0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch
deleted file mode 100644
index 1ffa594..0000000
--- a/SOURCES/0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From d5cca835d5439331c05475d0ad2f993ac6f8b615 Mon Sep 17 00:00:00 2001
-From: Sudhir Menon <sumenon@redhat.com>
-Date: Wed, 11 Nov 2020 14:55:32 +0530
-Subject: [PATCH] ipatests: support subordinate upn suffixes
-
-This test adds new UPN Suffix on the AD side
-within the ad.test subtree i.e new.ad.test and this
-UPN is then assigned to aduser and then try to
-kinit using aduser along with the UPN set, to ensure
-that the kinit succeeds
-
-Signed-off-by: Sudhir Menon <sumenon@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_integration/test_trust.py | 45 +++++++++++++++++++++++++
- 1 file changed, 45 insertions(+)
-
-diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
-index 7e4dbcc6e..31349ced7 100644
---- a/ipatests/test_integration/test_trust.py
-+++ b/ipatests/test_integration/test_trust.py
-@@ -245,6 +245,51 @@ class TestTrust(BaseTestTrust):
-         self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
-                                 stdin_text=self.upn_password)
- 
-+    def test_subordinate_suffix(self):
-+        """Test subordinate UPN Suffixes"""
-+        tasks.configure_dns_for_trust(self.master, self.ad)
-+        tasks.establish_trust_with_ad(
-+            self.master, self.ad_domain,
-+            extra_args=['--range-type', 'ipa-ad-trust'])
-+        # Clear all UPN Suffixes
-+        ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
-+        self.ad.run_command(["powershell", "-c", ps_cmd])
-+        result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
-+        assert (
-+            "ipantadditionalsuffixes: {}".format(self.upn_suffix)
-+            not in result.stdout_text
-+        )
-+        # Run Get-ADForest
-+        ps_cmd1 = "Get-ADForest"
-+        self.ad.run_command(["powershell", "-c", ps_cmd1])
-+        # Add new UPN for AD
-+        ps_cmd2 = (
-+            'Get-ADForest | Set-ADForest -UPNSuffixes '
-+            '@{add="new.ad.test", "upn.dom"}'
-+        )
-+        self.ad.run_command(["powershell", "-c", ps_cmd2])
-+        self.ad.run_command(["powershell", "-c", ps_cmd1])
-+        self.master.run_command(
-+            ["ipa", "trust-fetch-domains", self.ad_domain],
-+            raiseonerr=False)
-+        self.master.run_command(["ipa", "trust-show", self.ad_domain])
-+        # Set UPN for the aduser
-+        ps_cmd3 = (
-+            'set-aduser -UserPrincipalName '
-+            'Administrator@new.ad.test -Identity Administrator'
-+        )
-+        self.ad.run_command(["powershell", "-c", ps_cmd3])
-+        # kinit to IPA using AD user Administrator@new.ad.test
-+        result = self.master.run_command(
-+            ["getent", "passwd", "Administrator@new.ad.test"]
-+        )
-+        assert result.returncode == 0
-+        self.master.run_command(
-+            ["kinit", "-E", "Administrator@new.ad.test"],
-+            stdin_text="Secret123",
-+        )
-+        tasks.kdestroy_all(self.master)
-+
-     def test_remove_nonposix_trust(self):
-         self.remove_trust(self.ad)
-         tasks.unconfigure_dns_for_trust(self.master, self.ad)
--- 
-2.29.2
-
diff --git a/SOURCES/0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch b/SOURCES/0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch
deleted file mode 100644
index 19adf2b..0000000
--- a/SOURCES/0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 1f0702bf9231a4898a2d58325fc51c71fea25047 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 23 Oct 2020 18:45:09 +0300
-Subject: [PATCH] ipa-kdb: support subordinate/superior UPN suffixes
-
-[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
-trusted domain information in Active Directory to conform certain rules.
-One side-effect of those rules is that list of UPN suffixes reported
-through the netr_DsRGetForestTrustInformation function is dynamically
-filtered to deduplicate subordinate suffixes.
-
-It means that if list of UPN suffixes contains the following top level
-names (TLNs):
-
-  fabrikam.com
-  sub.fabrikam.com
-
-then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
-as the TLN, fully filtering 'sub.fabrikam.com'.
-
-IPA KDB driver used exact comparison of the UPN suffixes so any
-subordinate had to be specified exactly.
-
-Modify logic so that if exact check does not succeed, we validate a
-realm to test being a subordinate of the known UPN suffixes. The
-subordinate check is done by making sure UPN suffix is at the end of the
-test realm and is immediately preceded with a dot.
-
-Because the function to check suffixes potentially called for every
-Kerberos principal, precalculate and cache length for each UPN suffix at
-the time we retrieve the list of them.
-
-Fixes: https://pagure.io/freeipa/issue/8554
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c         | 30 +++++++++++++++++++++++++
- daemons/ipa-kdb/ipa_kdb_mspac_private.h |  1 +
- 2 files changed, 31 insertions(+)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 29dadc183..692f542c9 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -2393,6 +2393,7 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
-                     free((*mspac)->trusts[i].upn_suffixes[j]);
-                 }
-                 free((*mspac)->trusts[i].upn_suffixes);
-+                free((*mspac)->trusts[i].upn_suffixes_len);
-             }
-         }
-         free((*mspac)->trusts);
-@@ -2603,6 +2604,24 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
-             }
-         }
- 
-+        t[n].upn_suffixes_len = NULL;
-+        if (t[n].upn_suffixes != NULL) {
-+            size_t len = 0;
-+
-+            for (; t[n].upn_suffixes[len] != NULL; len++);
-+
-+            if (len != 0) {
-+                t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
-+                if (t[n].upn_suffixes_len == NULL) {
-+                    ret = ENOMEM;
-+                    goto done;
-+                }
-+                for (i = 0; i < len; i++) {
-+                    t[n].upn_suffixes_len[i] = strlen(t[n].upn_suffixes[i]);
-+                }
-+            }
-+        }
-+
-         ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
-                                          &sid_blacklist_incoming);
- 
-@@ -2972,6 +2991,17 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- 				result = strncasecmp(test_realm,
- 						     ipactx->mspac->trusts[i].upn_suffixes[j],
- 						     size) == 0;
-+				if (!result) {
-+					/* if UPN suffix did not match exactly, find if it is
-+					 * superior to the test_realm, e.g. if test_realm ends
-+					 * with the UPN suffix prefixed with dot*/
-+					size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
-+					if ((size > len) && (test_realm[size - len - 1] == '.')) {
-+						result = strncasecmp(test_realm + (size - len),
-+								     ipactx->mspac->trusts[i].upn_suffixes[j],
-+								     len) == 0;
-+					}
-+				}
- 				if (result)
- 					break;
- 			}
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-index 30382d2ee..b21aa163f 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-@@ -48,6 +48,7 @@ struct ipadb_adtrusts {
-     struct ipadb_adtrusts *parent;
-     char *parent_name;
-     char **upn_suffixes;
-+    size_t *upn_suffixes_len;
- };
- 
- int string_to_sid(const char *str, struct dom_sid *sid);
--- 
-2.29.2
-
diff --git a/SOURCES/0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch b/SOURCES/0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch
deleted file mode 100644
index f8be726..0000000
--- a/SOURCES/0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 6b224e57672e3f73f93bb9eddd9031e945529a1e Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 24 Nov 2020 16:03:36 +0200
-Subject: [PATCH] ad trust: accept subordinate domains of the forest trust root
-
-Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
-subordinate UPN suffixes but missed the case where subordinate UPN is a
-subdomain of the forest root domain and not mentioned in the UPN
-suffixes list.
-
-Correct this situation by applying the same check to the trusted domain
-name as well.
-
-Fixes: https://pagure.io/freeipa/issue/8554
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index f2bd60e11..c6ac593ca 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -2976,10 +2976,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- 
- 	/* Iterate through list of trusts and check if input realm belongs to any of the trust */
- 	for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
-+		size_t len = 0;
- 		result = strncasecmp(test_realm,
- 				     ipactx->mspac->trusts[i].domain_name,
- 				     size) == 0;
- 
-+		if (!result) {
-+			len = strlen(ipactx->mspac->trusts[i].domain_name);
-+			if ((size > len) && (test_realm[size - len - 1] == '.')) {
-+				result = strncasecmp(test_realm + (size - len),
-+						     ipactx->mspac->trusts[i].domain_name,
-+						     len) == 0;
-+			}
-+		}
-+
-                 if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
- 			result = strncasecmp(test_realm,
- 					     ipactx->mspac->trusts[i].flat_name,
-@@ -2995,7 +3005,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- 					/* if UPN suffix did not match exactly, find if it is
- 					 * superior to the test_realm, e.g. if test_realm ends
- 					 * with the UPN suffix prefixed with dot*/
--					size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
-+					len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
- 					if ((size > len) && (test_realm[size - len - 1] == '.')) {
- 						result = strncasecmp(test_realm + (size - len),
- 								     ipactx->mspac->trusts[i].upn_suffixes[j],
--- 
-2.29.2
-
diff --git a/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch b/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
deleted file mode 100644
index 6593fab..0000000
--- a/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 81cbee4e3ff2e667946e0d41097b402257608b7e Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 6 Nov 2020 14:07:10 +0200
-Subject: [PATCH] ipa-kdb: fix crash in MS-PAC cache init code
-
-When initializing UPN suffixes, we calculate their sizes and didn't use
-the right variable to allocate their size. This affects us if there are
-more than one UPN suffix available for a trust due to memory corruption
-while filling in sizes.
-
-Add unit test for multiple UPN suffixes.
-
-Fixes: https://pagure.io/freeipa/issue/8566
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c       |  2 +-
- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 50 +++++++++++++++++++++++++++
- 2 files changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index dd29db190..fe5b586b6 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -2610,7 +2610,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
-             for (; t[n].upn_suffixes[len] != NULL; len++);
- 
-             if (len != 0) {
--                t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
-+                t[n].upn_suffixes_len = calloc(len, sizeof(size_t));
-                 if (t[n].upn_suffixes_len == NULL) {
-                     ret = ENOMEM;
-                     goto done;
-diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-index d3ef5c00d..752b24ea4 100644
---- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-@@ -71,6 +71,10 @@
- #define DOM_SID "S-1-5-21-1-2-3"
- #define DOM_SID_TRUST "S-1-5-21-4-5-6"
- #define BLACKLIST_SID "S-1-5-1"
-+#define NUM_SUFFIXES 10
-+#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
-+#define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
-+#define EXTERNAL_REALM "WRONG.DOMAIN"
- 
- static int setup(void **state)
- {
-@@ -92,6 +96,9 @@
-     ipa_ctx = calloc(1, sizeof(struct ipadb_context));
-     assert_non_null(ipa_ctx);
- 
-+    kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm);
-+    assert_int_equal(kerr, 0);
-+
-     ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
-     assert_non_null(ipa_ctx->mspac);
- 
-@@ -126,6 +133,15 @@
-                         &ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
-     assert_int_equal(ret, 0);
- 
-+    ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
-+    ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
-+    for (size_t i = 0; i < NUM_SUFFIXES; i++) {
-+	asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
-+        ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
-+            strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
-+
-+    }
-+
-     ipa_ctx->kcontext = krb5_ctx;
-     kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
-     assert_int_equal(kerr, 0);
-@@ -478,6 +494,38 @@
- }
- 
- 
-+void test_check_trusted_realms(void **state)
-+{
-+    struct test_ctx *test_ctx;
-+    krb5_error_code kerr = 0;
-+    char *trusted_realm = NULL;
-+
-+    test_ctx = (struct test_ctx *) *state;
-+
-+    for(size_t i = 0; i < NUM_SUFFIXES; i++) {
-+        char *test_realm = NULL;
-+        asprintf(&test_realm, TEST_REALM_TEMPLATE, i);
-+
-+        if (test_realm) {
-+            kerr = ipadb_is_princ_from_trusted_realm(
-+                       test_ctx->krb5_ctx,
-+                       test_realm,
-+                       strlen(test_realm),
-+                       &trusted_realm);
-+            assert_int_equal(kerr, 0);
-+            free(test_realm);
-+            free(trusted_realm);
-+        }
-+    }
-+
-+    kerr = ipadb_is_princ_from_trusted_realm(
-+               test_ctx->krb5_ctx,
-+               EXTERNAL_REALM,
-+               strlen(EXTERNAL_REALM),
-+               &trusted_realm);
-+    assert_int_equal(kerr, KRB5_KDB_NOENTRY);
-+}
-+
- int main(int argc, const char *argv[])
- {
-     const struct CMUnitTest tests[] = {
-@@ -488,6 +536,8 @@
-         cmocka_unit_test(test_string_to_sid),
-         cmocka_unit_test_setup_teardown(test_dom_sid_string,
-                                         setup, teardown),
-+        cmocka_unit_test_setup_teardown(test_check_trusted_realms,
-+                                        setup, teardown),
-     };
- 
-     return cmocka_run_group_tests(tests, NULL, NULL);
--- 
-2.29.2
-
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index b252f00..0e9a6de 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,1063 +1,15 @@
-From f40f42dd9b8c5da54a872ef6a7de46e5ae3ba341 Mon Sep 17 00:00:00 2001
+From ac3ba2b4ff4cd3ca85c1ff07c2b050f8b5eb7c2b Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 01/78] client/man/default.conf.5: Change branding to IPA and
+Date: Sun, 7 Oct 2018 12:25:40 +0300
+Subject: [PATCH 1/3] install/ui/css/patternfly.css: Change branding to IPA and
  Identity Management
 
----
- client/man/default.conf.5 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
-index 728fc0871..6ec8616bc 100644
---- a/client/man/default.conf.5
-+++ b/client/man/default.conf.5
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@@redhat.com>
- .\"
--.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "default.conf" "5" "Feb 21 2011" "IPA" "IPA Manual Pages"
- .SH "NAME"
- default.conf \- IPA configuration file
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From ddf6ddd9a6b0482d01fce2df102f25d719adfa79 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 02/78] client/man/ipa-certupdate.1: Change branding to IPA and
- Identity Management
-
----
- client/man/ipa-certupdate.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/man/ipa-certupdate.1 b/client/man/ipa-certupdate.1
-index d95790a36..431b395a9 100644
---- a/client/man/ipa-certupdate.1
-+++ b/client/man/ipa-certupdate.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Jan Cholasta <jcholast@redhat.com>
- .\"
--.TH "ipa-certupdate" "1" "Jul 2 2014" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-certupdate" "1" "Jul 2 2014" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-certupdate \- Update local IPA certificate databases with certificates from the server
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 100af01bbb2838c4c43159f4eaa925c57113baec Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 03/78] client/man/ipa-client-automount.1: Change branding to
- IPA and Identity Management
-
----
- client/man/ipa-client-automount.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1
-index 4c3caee93..3f6edabd0 100644
---- a/client/man/ipa-client-automount.1
-+++ b/client/man/ipa-client-automount.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-client-automount" "1" "May 25 2012" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-client-automount" "1" "May 25 2012" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-client\-automount \- Configure automount and NFS for IPA
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 497a46243f09fa8d8a295f61710065c675a91800 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 04/78] client/man/ipa-client-install.1: Change branding to IPA
- and Identity Management
-
----
- client/man/ipa-client-install.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
-index 2d031fb2c..64ab1bff0 100644
---- a/client/man/ipa-client-install.1
-+++ b/client/man/ipa-client-install.1
-@@ -1,7 +1,7 @@
- .\" A man page for ipa-client-install
- .\" Copyright (C) 2008-2016  FreeIPA Contributors see COPYING for license
- .\"
--.TH "ipa-client-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-client-install" "1" "Dec 19 2016" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-client\-install \- Configure an IPA client
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 5d13b4528df055dee11ddd07c10a073b8ddd0065 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 05/78] client/man/ipa-getkeytab.1: Change branding to IPA and
- Identity Management
-
----
- client/man/ipa-getkeytab.1 | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
-index f06fcd910..01a2618ef 100644
---- a/client/man/ipa-getkeytab.1
-+++ b/client/man/ipa-getkeytab.1
-@@ -17,7 +17,7 @@
- .\" Author: Karl MacMillan <kmacmill@redhat.com>
- .\" Author: Simo Sorce <ssorce@redhat.com>
- .\"
--.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-getkeytab" "1" "Oct 10 2007" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-getkeytab \- Get a keytab for a Kerberos principal
- .SH "SYNOPSIS"
-@@ -118,7 +118,7 @@ GSSAPI or EXTERNAL.
- \fB\-r\fR
- Retrieve mode. Retrieve an existing key from the server instead of generating a
- new one. This is incompatible with the \-\-password option, and will work only
--against a FreeIPA server more recent than version 3.3. The user requesting the
-+against a IPA server more recent than version 3.3. The user requesting the
- keytab must have access to the keys for this operation to succeed.
- .SH "EXAMPLES"
- Add and retrieve a keytab for the NFS service principal on
--- 
-2.21.1
-
-From c89ccf3e9cf8868c19e12716dcff110b0cc040fc Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 06/78] client/man/ipa-join.1: Change branding to IPA and
- Identity Management
-
----
- client/man/ipa-join.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/man/ipa-join.1 b/client/man/ipa-join.1
-index d88160784..30b667558 100644
---- a/client/man/ipa-join.1
-+++ b/client/man/ipa-join.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-join" "1" "Oct 8 2009" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From e691f8e132a0d7f12049015cf728e6ed1f3ca18b Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 07/78] client/man/ipa-rmkeytab.1: Change branding to IPA and
- Identity Management
-
----
- client/man/ipa-rmkeytab.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/man/ipa-rmkeytab.1 b/client/man/ipa-rmkeytab.1
-index 53f775439..2c8218c94 100644
---- a/client/man/ipa-rmkeytab.1
-+++ b/client/man/ipa-rmkeytab.1
-@@ -17,7 +17,7 @@
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
- .\"
--.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-rmkeytab" "1" "Oct 30 2009" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-rmkeytab \- Remove a kerberos principal from a keytab
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 5bfab52a3246268a063d16700bf7063da56f3fa4 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 08/78] client/man/ipa.1: Change branding to IPA and Identity
- Management
-
----
- client/man/ipa.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/man/ipa.1 b/client/man/ipa.1
-index f9fae7c0d..2fb21b52d 100644
---- a/client/man/ipa.1
-+++ b/client/man/ipa.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Pavel Zuna <pzuna@redhat.com>
- .\"
--.TH "ipa" "1" "Apr 29 2016" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa" "1" "Apr 29 2016" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa \- IPA command\-line interface
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From e2387735f5a4b37cec1c850ac2725ed8ddf59322 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 09/78] install/html/ssbrowser.html: Change branding to IPA and
- Identity Management
-
----
- install/html/ssbrowser.html | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
-index a48a24511..f934dbb40 100644
---- a/install/html/ssbrowser.html
-+++ b/install/html/ssbrowser.html
-@@ -2,7 +2,7 @@
- <html>
- <head>
- <meta charset="utf-8">
--    <title>IPA: Identity Policy Audit</title>
-+    <title>Identity Management</title>
-     <script type="text/javascript" src="../ui/js/libs/loader.js"></script>
-     <script type="text/javascript">
-         var dojoConfig = {
-@@ -69,7 +69,7 @@
- 
-     <nav class="navbar navbar-default navbar-pf" role="navigation">
-     <div class="navbar-header">
--        <a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="FreeIPA"></a>
-+        <a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="Identity Management"></a>
-     </div>
-     </nav>
- 
--- 
-2.21.1
-
-From 10b4195ec2820ddbb67bcdb6a74a8f4aa20c12fe Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 10/78] install/html/unauthorized.html: Change branding to IPA
- and Identity Management
-
----
- install/html/unauthorized.html | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/html/unauthorized.html b/install/html/unauthorized.html
-index 630982da8..b8c64d69d 100644
---- a/install/html/unauthorized.html
-+++ b/install/html/unauthorized.html
-@@ -2,7 +2,7 @@
- <html>
- <head>
-     <meta charset="utf-8">
--    <title>IPA: Identity Policy Audit</title>
-+    <title>Identity Management</title>
-     <script type="text/javascript" src="../ui/js/libs/loader.js"></script>
-     <script type="text/javascript">
-         var dojoConfig = {
-@@ -62,7 +62,7 @@
- 
-     <nav class="navbar navbar-default navbar-pf" role="navigation">
-     <div class="navbar-header">
--        <a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="FreeIPA"></a>
-+        <a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="Identity Management"></a>
-     </div>
-     </nav>
- 
--- 
-2.21.1
-
-From 8293605a01b9b45d4ab87d7fd9342b9e832ba3ce Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 11/78] install/migration/index.html: Change branding to IPA
- and Identity Management
-
----
- install/migration/index.html | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/migration/index.html b/install/migration/index.html
-index fca517cdc..b5ac1f6df 100644
---- a/install/migration/index.html
-+++ b/install/migration/index.html
-@@ -2,7 +2,7 @@
- <html>
- <head>
- <meta charset="utf-8">
--    <title>IPA: Identity Policy Audit</title>
-+    <title>Identity Management</title>
- 
-     <!--[if IE]>
-     <meta id="ie-detector">
--- 
-2.21.1
-
-From 6a479bab8581f2960a628d309a705d42ef9dfdbf Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 12/78] install/share/schema.d/README: Change branding to IPA
- and Identity Management
-
----
- install/share/schema.d/README | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/share/schema.d/README b/install/share/schema.d/README
-index 19e3e6832..2a92ec6ae 100644
---- a/install/share/schema.d/README
-+++ b/install/share/schema.d/README
-@@ -7,8 +7,8 @@ schema files during the run of ipa-server-upgrade utility. Therefore, they are
- also installed when upgrade happens within the process of ipa-server-install.
- 
- The directory is installed as /usr/share/ipa/schema.d and is owned by a
--freeipa-server-common package. Therefore, a 3rd-party plugin would need to
--depend on the freeipa-server-common package if it delivers the schema file(s).
-+ipa-server-common package. Therefore, a 3rd-party plugin would need to
-+depend on the ipa-server-common package if it delivers the schema file(s).
- 
- You may place your schema files in a subdirectory too, the code that loads
- schema files processes recursively all subdirectories of schema.d.
--- 
-2.21.1
-
-From c52b451a88bc8d18d1e08f237e5bcf648861c650 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 13/78] install/tools/ipa-adtrust-install.in: Change branding
- to IPA and Identity Management
-
----
- install/tools/ipa-adtrust-install.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in
-index 7d94b718e..80f5d27a7 100644
---- a/install/tools/ipa-adtrust-install.in
-+++ b/install/tools/ipa-adtrust-install.in
-@@ -141,11 +141,11 @@ def main():
-           "==============")
-     print("This program will setup components needed to establish trust to "
-           "AD domains for")
--    print("the FreeIPA Server.")
-+    print("the IPA Server.")
-     print("")
-     print("This includes:")
-     print("  * Configure Samba")
--    print("  * Add trust related objects to FreeIPA LDAP server")
-+    print("  * Add trust related objects to IPA LDAP server")
-     # TODO:
-     # print "  * Add a SID to all users and Posix groups"
-     print("")
--- 
-2.21.1
-
-From 7213f732557deb560aede21286abd2404a0e6f9e Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 14/78] install/tools/ipa-replica-conncheck.in: Change branding
- to IPA and Identity Management
-
----
- install/tools/ipa-replica-conncheck.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/ipa-replica-conncheck.in b/install/tools/ipa-replica-conncheck.in
-index b22db1139..b86ce4569 100644
---- a/install/tools/ipa-replica-conncheck.in
-+++ b/install/tools/ipa-replica-conncheck.in
-@@ -290,7 +290,7 @@ class PortResponder(threading.Thread):
-         self._sockets = []
-         self._close = False
-         self._close_lock = threading.Lock()
--        self.responder_data = b'FreeIPA'
-+        self.responder_data = b'IPA'
-         self.ports_opened = False
-         self.ports_open_cond = threading.Condition()
- 
--- 
-2.21.1
-
-From 1f2a34a5fcb88b3ca94949a513523eb3862e99c1 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 15/78] install/tools/man/ipa-adtrust-install.1: Change
- branding to IPA and Identity Management
-
----
- install/tools/man/ipa-adtrust-install.1 | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
-index b11065806..f70f316f6 100644
---- a/install/tools/man/ipa-adtrust-install.1
-+++ b/install/tools/man/ipa-adtrust-install.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Sumit Bose <sbose@redhat.com>
- .\"
--.TH "ipa-adtrust-install" "1" "April 11 2017" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-adtrust-install" "1" "April 11 2017" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains
- .SH "SYNOPSIS"
-@@ -87,7 +87,7 @@ ldapmodify command info the directory server.
- .TP
- \fB\-\-add\-agents\fR
- Add IPA masters to the list that allows to serve information about
--users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
-+users from trusted forests. Starting with IPA 4.2, a regular IPA master
- can provide this information to SSSD clients. IPA masters aren't added
- to the list automatically as restart of the LDAP service on each of them
- is required. The host where ipa\-adtrust\-install is being run is added
--- 
-2.21.1
-
-From 5742d0b0fa19dc744f81aeed6727c472d2e5505f Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:39 +0300
-Subject: [PATCH 16/78] install/tools/man/ipa-advise.1: Change branding to IPA
- and Identity Management
-
----
- install/tools/man/ipa-advise.1 | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/tools/man/ipa-advise.1 b/install/tools/man/ipa-advise.1
-index 4c494aab9..515bbddbe 100644
---- a/install/tools/man/ipa-advise.1
-+++ b/install/tools/man/ipa-advise.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Tomas Babej <tbabej@redhat.com>
- .\"
--.TH "ipa-advise" "1" "Jun 10 2013" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-advise" "1" "Jun 10 2013" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-advise \- Provide configurations advice for various use cases.
- .SH "SYNOPSIS"
-@@ -41,4 +41,4 @@ Log to the given file
- .SH "EXIT STATUS"
- 0 if the command was successful
- 
--1 if an error occurred
-\ No newline at end of file
-+1 if an error occurred
--- 
-2.21.1
-
-From 650e5f89bb097c559b52a961866296380f3f94d5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 17/78] install/tools/man/ipa-backup.1: Change branding to IPA
- and Identity Management
-
----
- install/tools/man/ipa-backup.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1
-index 2f0bc9e6a..77d5d7caa 100644
---- a/install/tools/man/ipa-backup.1
-+++ b/install/tools/man/ipa-backup.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-backup" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-backup" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-backup \- Back up an IPA master
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From f8849ddf92e83d23b0c317b1c5f59ad9af1e3e1c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 18/78] install/tools/man/ipa-ca-install.1: Change branding to
- IPA and Identity Management
-
----
- install/tools/man/ipa-ca-install.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
-index 3ebe32c0a..8e57c0092 100644
---- a/install/tools/man/ipa-ca-install.1
-+++ b/install/tools/man/ipa-ca-install.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-ca-install" "1" "Mar 30 2017" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-ca-install" "1" "Mar 30 2017" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-ca\-install \- Install a CA on a server
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 625ae452bc457003c9f4559884abb9afa2bb41ca Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 19/78] install/tools/man/ipa-cacert-manage.1: Change branding
- to IPA and Identity Management
-
----
- install/tools/man/ipa-cacert-manage.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
-index b76ee1816..4359b12e3 100644
---- a/install/tools/man/ipa-cacert-manage.1
-+++ b/install/tools/man/ipa-cacert-manage.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Jan Cholasta <jcholast@redhat.com>
- .\"
--.TH "ipa-cacert-manage" "1" "Aug 12 2013" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-cacert-manage" "1" "Aug 12 2013" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-cacert\-manage \- Manage CA certificates in IPA
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 13ebf098b64a5aefd39aac7a1eef1367170bc284 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 20/78] install/tools/man/ipa-compat-manage.1: Change branding
- to IPA and Identity Management
-
----
- install/tools/man/ipa-compat-manage.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-compat-manage.1 b/install/tools/man/ipa-compat-manage.1
-index f22b1743e..26470331a 100644
---- a/install/tools/man/ipa-compat-manage.1
-+++ b/install/tools/man/ipa-compat-manage.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Simo Sorce <ssorce@redhat.com>
- .\"
--.TH "ipa-compat-manage" "1" "Dec 2 2008" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-compat-manage" "1" "Dec 2 2008" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 2dfc9079680b04f286eeed4f65ce4f02914c55b7 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 21/78] install/tools/man/ipa-csreplica-manage.1: Change
- branding to IPA and Identity Management
-
----
- install/tools/man/ipa-csreplica-manage.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1
-index ab5bfddd8..6d039751e 100644
---- a/install/tools/man/ipa-csreplica-manage.1
-+++ b/install/tools/man/ipa-csreplica-manage.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-csreplica\-manage \- Manage an IPA CS replica
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 4858e90ba2b7aca2af1e2375b2442b3fa5c30f9c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 22/78] install/tools/man/ipa-dns-install.1: Change branding to
- IPA and Identity Management
-
----
- install/tools/man/ipa-dns-install.1 | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
-index 14e4cd51f..029001eca 100644
---- a/install/tools/man/ipa-dns-install.1
-+++ b/install/tools/man/ipa-dns-install.1
-@@ -1,7 +1,7 @@
- .\" A man page for ipa-dns-install
- .\" Copyright (C) 2010-2016  FreeIPA Contributors see COPYING for license
- .\"
--.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-dns-install" "1" "Jun 28, 2012" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-dns\-install \- Add DNS as a service to an IPA server
- .SH "SYNOPSIS"
-@@ -12,7 +12,7 @@ In cases where the IPA server name does not belong to the primary DNS domain and
- 
- IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
- 
--The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
-+The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
- 
- This command requires that an IPA server is already installed and configured.
- 
--- 
-2.21.1
-
-From aeb6e9ae2e4ebf5d627e80f0a495a45589c0455f Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 23/78] install/tools/man/ipa-kra-install.1: Change branding to
- IPA and Identity Management
-
----
- install/tools/man/ipa-kra-install.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
-index 6c8523aa0..5476a4e71 100644
---- a/install/tools/man/ipa-kra-install.1
-+++ b/install/tools/man/ipa-kra-install.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Ade Lee <alee@redhat.com>
- .\"
--.TH "ipa-kra-install" "1" "May 10 2017" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-kra-install" "1" "May 10 2017" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-kra\-install \- Install a KRA on a server
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From d71a89b2b1ebe588672e76f04c7edd6d7a287837 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 24/78] install/tools/man/ipa-ldap-updater.1: Change branding
- to IPA and Identity Management
-
----
- install/tools/man/ipa-ldap-updater.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1
-index 4893802c2..7ead55bd9 100644
---- a/install/tools/man/ipa-ldap-updater.1
-+++ b/install/tools/man/ipa-ldap-updater.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-ldap-updater" "1" "Sep 12 2008" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-ldap-updater" "1" "Sep 12 2008" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-ldap\-updater \- Update the IPA LDAP configuration
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From acdf99fd7afbfd614b2db75bddf647ad12d2767f Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 25/78] install/tools/man/ipa-managed-entries.1: Change
- branding to IPA and Identity Management
-
----
- install/tools/man/ipa-managed-entries.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-managed-entries.1 b/install/tools/man/ipa-managed-entries.1
-index 3d5ca22b8..edaa0a90d 100644
---- a/install/tools/man/ipa-managed-entries.1
-+++ b/install/tools/man/ipa-managed-entries.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Jr Aquino <jr.aquino@citrix.com>
- .\"
--.TH "ipa-managed-entries" "1" "Feb 06 2012" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-managed-entries" "1" "Feb 06 2012" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 2cbdc087d8f18733d36e60788faddef5a914821a Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 26/78] install/tools/man/ipa-nis-manage.1: Change branding to
- IPA and Identity Management
-
----
- install/tools/man/ipa-nis-manage.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1
-index 93278487c..1107b7790 100644
---- a/install/tools/man/ipa-nis-manage.1
-+++ b/install/tools/man/ipa-nis-manage.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-nis-manage" "1" "April 25 2016" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-nis-manage" "1" "April 25 2016" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-nis\-manage \- Enables or disables the NIS listener plugin
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 3af61d4b26532726492bc7d121ec8b39bb68dce6 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 27/78] install/tools/man/ipa-otptoken-import.1: Change
- branding to IPA and Identity Management
-
----
- install/tools/man/ipa-otptoken-import.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-otptoken-import.1 b/install/tools/man/ipa-otptoken-import.1
-index 920a08ca2..fe91040fa 100644
---- a/install/tools/man/ipa-otptoken-import.1
-+++ b/install/tools/man/ipa-otptoken-import.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Nathaniel McCallum <npmccallum@redhat.com>
- .\"
--.TH "ipa-otptoken-import" "1" "Jun 12 2014" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-otptoken-import" "1" "Jun 12 2014" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-otptoken\-import \- Imports OTP tokens from RFC 6030 XML file
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 426c1370d990dcd44612427abc75f8b21178f279 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 28/78] install/tools/man/ipa-pkinit-manage.1: Change branding
- to IPA and Identity Management
-
----
- install/tools/man/ipa-pkinit-manage.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-pkinit-manage.1 b/install/tools/man/ipa-pkinit-manage.1
-index 5018ce8aa..50d63e921 100644
---- a/install/tools/man/ipa-pkinit-manage.1
-+++ b/install/tools/man/ipa-pkinit-manage.1
-@@ -1,7 +1,7 @@
- .\"
- .\" Copyright (C) 2017  FreeIPA Contributors see COPYING for license
- .\"
--.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-pkinit\-manage \- Enables or disables PKINIT
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 7553161cbb48d42e76babe540ae878d328cb462b Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 29/78] install/tools/man/ipa-replica-conncheck.1: Change
- branding to IPA and Identity Management
-
----
- install/tools/man/ipa-replica-conncheck.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1
-index 6451f3545..ed441e3be 100644
---- a/install/tools/man/ipa-replica-conncheck.1
-+++ b/install/tools/man/ipa-replica-conncheck.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Martin Kosek <mkosek@redhat.com>
- .\"
--.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-replica\-conncheck \- Check a replica\-master network connection before installation
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 3676e1a1040aa6ae858134828cfcd7b35e74d4f5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 30/78] install/tools/man/ipa-replica-install.1: Change
- branding to IPA and Identity Management
-
----
- install/tools/man/ipa-replica-install.1 | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
-index 19d1d9110..44fce10ba 100644
---- a/install/tools/man/ipa-replica-install.1
-+++ b/install/tools/man/ipa-replica-install.1
-@@ -1,7 +1,7 @@
- .\" A man page for ipa-replica-install
- .\" Copyright (C) 2008-2016  FreeIPA Contributors see COPYING for license
- .\"
--.TH "ipa-replica-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-replica-install" "1" "Dec 19 2016" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-replica\-install \- Create an IPA replica
- .SH "SYNOPSIS"
-@@ -12,7 +12,7 @@ Configures a new IPA server that is a replica of the server. Once it has been cr
- 
- Domain level 0 is not supported anymore.
- 
--To create a replica, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
-+To create a replica, the machine only needs to be enrolled in the IPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
- 
- If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. The NTP configuration cannot be updated during client promotion. 
- 
-@@ -229,7 +229,7 @@ ldapmodify command info the directory server.
- .TP
- \fB\-\-add\-agents\fR
- Add IPA masters to the list that allows to serve information about
--users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
-+users from trusted forests. Starting with IPA 4.2, a regular IPA master
- can provide this information to SSSD clients. IPA masters aren't added
- to the list automatically as restart of the LDAP service on each of them
- is required. The host where ipa\-adtrust\-install is being run is added
--- 
-2.21.1
-
-From 139ddf89255aa4423499208d5b4191dbc7b829dd Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 31/78] install/tools/man/ipa-replica-manage.1: Change branding
- to IPA and Identity Management
-
----
- install/tools/man/ipa-replica-manage.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
-index 239f1591c..2c94278ca 100644
---- a/install/tools/man/ipa-replica-manage.1
-+++ b/install/tools/man/ipa-replica-manage.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-replica-manage" "1" "Jul 12 2016" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-replica-manage" "1" "Jul 12 2016" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-replica\-manage \- Manage an IPA replica
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 773bf31555e662f24f807e4b69b8dcf1f88e3f83 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 32/78] install/tools/man/ipa-restore.1: Change branding to IPA
- and Identity Management
-
----
- install/tools/man/ipa-restore.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-restore.1 b/install/tools/man/ipa-restore.1
-index 5843d5546..bc0755baa 100644
---- a/install/tools/man/ipa-restore.1
-+++ b/install/tools/man/ipa-restore.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\"
--.TH "ipa-restore" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-restore" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-restore \- Restore an IPA master
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From c00d47be96e91102bf3eeecf0a2363cf21f260eb Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 33/78] install/tools/man/ipa-server-certinstall.1: Change
- branding to IPA and Identity Management
-
----
- install/tools/man/ipa-server-certinstall.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
-index 79bd7c885..3f12a5af2 100644
---- a/install/tools/man/ipa-server-certinstall.1
-+++ b/install/tools/man/ipa-server-certinstall.1
-@@ -16,7 +16,7 @@
- .\" 
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\" 
--.TH "ipa-server-certinstall" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-server-certinstall" "1" "Mar 14 2008" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-server\-certinstall \- Install new SSL server certificates
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From b95e2315685e4142b7f0d5ea1fdaa7b4a1b2a9d7 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 34/78] install/tools/man/ipa-server-install.1: Change branding
- to IPA and Identity Management
-
----
- install/tools/man/ipa-server-install.1 | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
-index 1a4d2f658..fdb0f4cb3 100644
---- a/install/tools/man/ipa-server-install.1
-+++ b/install/tools/man/ipa-server-install.1
-@@ -1,7 +1,7 @@
- .\" A man page for ipa-server-install
- .\" Copyright (C) 2008-2017  FreeIPA Contributors see COPYING for license
- .\"
--.TH "ipa-server-install" "1" "Feb 17 2017" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-server-install" "1" "Feb 17 2017" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-server\-install \- Configure an IPA server
- .SH "SYNOPSIS"
-@@ -172,7 +172,7 @@ Install and configure a KRA on this server.
- .SS "DNS OPTIONS"
- IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
- 
--The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
-+The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
- 
- .TP
- \fB\-\-setup\-dns\fR
--- 
-2.21.1
-
-From e63c333515020e37c3be9a9e2a3f67304badad2e Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 35/78] install/tools/man/ipa-server-upgrade.1: Change branding
- to IPA and Identity Management
-
----
- install/tools/man/ipa-server-upgrade.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
-index cbbdc5901..3db19b0f1 100644
---- a/install/tools/man/ipa-server-upgrade.1
-+++ b/install/tools/man/ipa-server-upgrade.1
-@@ -2,7 +2,7 @@
- .\" Copyright (C) 2015  FreeIPA Contributors see COPYING for license
- .\"
- 
--.TH "ipa-server-upgrade" "1" "April 02 2015" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-server-upgrade" "1" "April 02 2015" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-server\-upgrade \- upgrade IPA server
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 7dfbdf73de322616cc6235db57bd8f3fd0805ac5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 36/78] install/tools/man/ipa-winsync-migrate.1: Change
- branding to IPA and Identity Management
-
----
- install/tools/man/ipa-winsync-migrate.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-winsync-migrate.1 b/install/tools/man/ipa-winsync-migrate.1
-index 88702bad6..1812f6348 100644
---- a/install/tools/man/ipa-winsync-migrate.1
-+++ b/install/tools/man/ipa-winsync-migrate.1
-@@ -16,7 +16,7 @@
- .\"
- .\" Author: Tomas Babej <tbabej@redhat.com>
- .\"
--.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users.
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From 79d8cc19a6a65a00006ded393bc7b1716522bca1 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 37/78] install/tools/man/ipactl.8: Change branding to IPA and
- Identity Management
-
----
- install/tools/man/ipactl.8 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipactl.8 b/install/tools/man/ipactl.8
-index fb533aae2..d7aaaf8ed 100644
---- a/install/tools/man/ipactl.8
-+++ b/install/tools/man/ipactl.8
-@@ -16,7 +16,7 @@
- .\" 
- .\" Author: Rob Crittenden <rcritten@redhat.com>
- .\" 
--.TH "ipactl" "8" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipactl" "8" "Mar 14 2008" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipactl \- IPA Server Control Interface
- .SH "SYNOPSIS"
--- 
-2.21.1
-
-From a4ee86f8c53ebb9dbec7ffd75a40f06c8104ad9a Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 38/78] install/ui/css/patternfly.css: Change branding to IPA
- and Identity Management
-
 ---
  install/ui/css/patternfly.css | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/install/ui/css/patternfly.css b/install/ui/css/patternfly.css
-index ee920530b..de574a84c 100644
+index ee92053..de574a8 100644
 --- a/install/ui/css/patternfly.css
 +++ b/install/ui/css/patternfly.css
 @@ -4,4 +4,4 @@
@@ -1069,38 +21,13 @@ index ee920530b..de574a84c 100644
 + */.bootstrap-select.btn-group,.bootstrap-select.btn-group[class*=span]{float:none;display:inline-block;margin-bottom:10px;margin-left:0}.form-horizontal .bootstrap-select.btn-group,.form-inline .bootstrap-select.btn-group,.form-search .bootstrap-select.btn-group{margin-bottom:0}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none}.bootstrap-select.btn-group.pull-right,.bootstrap-select.btn-group[class*=span].pull-right,.row-fluid .bootstrap-select.btn-group[class*=span].pull-right{float:right}.input-append .bootstrap-select.btn-group{margin-left:-1px}.input-prepend .bootstrap-select.btn-group{margin-right:-1px}.bootstrap-select:not([class*=span]):not([class*=col-]):not([class*=form-control]){width:220px}.bootstrap-select{width:220px\9}.bootstrap-select.form-control:not([class*=span]){width:100%}.bootstrap-select>.btn{width:100%}.error .bootstrap-select .btn{border:1px solid #b94a48}.dropdown-menu{z-index:2000}.bootstrap-select.show-menu-arrow.open>.btn{z-index:2051}.bootstrap-select .btn:focus{outline:thin dotted #333!important;outline:5px auto -webkit-focus-ring-color!important;outline-offset:-2px}.bootstrap-select.btn-group .btn .filter-option{overflow:hidden;position:absolute;left:12px;right:25px;text-align:left}.bootstrap-select.btn-group .btn .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.bootstrap-select.btn-group .dropdown-menu li.disabled>a,.bootstrap-select.btn-group>.disabled{cursor:not-allowed}.bootstrap-select.btn-group>.disabled:focus{outline:0!important}.bootstrap-select.btn-group[class*=span] .btn{width:100%}.bootstrap-select.btn-group .dropdown-menu{min-width:100%;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}.bootstrap-select.btn-group .dropdown-menu.inner{position:static;border:0;padding:0;margin:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.bootstrap-select.btn-group .dropdown-menu dt{display:block;padding:3px 20px;cursor:default}.bootstrap-select.btn-group .div-contain{overflow:hidden}.bootstrap-select.btn-group .dropdown-menu li{position:relative}.bootstrap-select.btn-group .dropdown-menu li>a.opt{position:relative;padding-left:35px}.bootstrap-select.btn-group .dropdown-menu li>a{cursor:pointer}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a i.check-mark{display:inline-block;position:absolute;right:15px;margin-top:2.5px}.bootstrap-select.btn-group .dropdown-menu li a i.check-mark{display:none}.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select.btn-group .dropdown-menu li small{padding-left:.5em}.bootstrap-select.btn-group .dropdown-menu li.active:not(.disabled)>a small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:hover small{color:#64b1d8;color:rgba(255,255,255,.4)}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.show-menu-arrow .dropdown-toggle:before{content:'';display:inline-block;border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid #CCC;border-bottom-color:rgba(0,0,0,.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle:after{content:'';display:inline-block;border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid #fff;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before{bottom:auto;top:-3px;border-top:7px solid #ccc;border-bottom:0;border-top-color:rgba(0,0,0,.2)}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after{bottom:auto;top:-3px;border-top:6px solid #fff;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:after,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:before{display:block}.bootstrap-select.btn-group .no-results{padding:3px;background:#f5f5f5;margin:0 5px}.mobile-device{position:absolute;top:0;left:0;display:block!important;width:100%;height:100%!important;opacity:0}.bootstrap-select.fit-width{width:auto!important}.bootstrap-select.btn-group.fit-width .btn .filter-option{position:static}.bootstrap-select.btn-group.fit-width .btn .caret{position:static;top:auto;margin-top:-1px}.control-group.error .bootstrap-select .dropdown-toggle{border-color:#b94a48}.bootstrap-select-searchbox{padding:4px 8px}.bootstrap-select-searchbox input{margin-bottom:0}.alert{border-width:1px;padding-left:47px;padding-right:14px;position:relative}.alert .alert-link{color:#0088ce}.alert .alert-link:hover{color:#00659c}.alert>.btn.pull-right{margin-top:-3px}.alert>.pficon{font-size:22px;position:absolute;left:13px;top:10px}.alert .close{opacity:.85;filter:alpha(opacity=85)}.alert .close:focus,.alert .close:hover{opacity:1;filter:alpha(opacity=100)}.alert .pficon-info{color:#4d5258}.alert-dismissable{padding-right:28px}.alert-dismissable .close{right:-13px;top:1px}.badge{margin-left:6px}.nav-pills>li>a>.badge{margin-left:6px}.bootstrap-select.btn-group.form-control{margin-bottom:0}.bootstrap-select.btn-group .btn{-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-select.btn-group .btn:hover{border-color:#7dc3e8}.bootstrap-select.btn-group .btn .caret{margin-top:-4px}.bootstrap-select.btn-group .btn:focus{border-color:#0088ce;outline:0!important;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6);box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6)}.has-error .bootstrap-select.btn-group .btn{border-color:#c00}.has-error .bootstrap-select.btn-group .btn:focus{border-color:#900;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33}.has-success .bootstrap-select.btn-group .btn{border-color:#3c763d}.has-success .bootstrap-select.btn-group .btn:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168}.has-warning .bootstrap-select.btn-group .btn{border-color:#ec7a08}.has-warning .bootstrap-select.btn-group .btn:focus{border-color:#bb6106;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60}.bootstrap-select.btn-group .dropdown-menu>.active>a,.bootstrap-select.btn-group .dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.bootstrap-select.btn-group .dropdown-menu>.active>a small,.bootstrap-select.btn-group .dropdown-menu>.active>a:active small{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.disabled>a{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu .divider{background:#ededed!important;margin:4px 1px!important}.bootstrap-select.btn-group .dropdown-menu dt{color:#8b8d8f;font-weight:400;padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li>a.opt{padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu li a:focus small,.bootstrap-select.btn-group .dropdown-menu li a:hover small{color:#9c9c9c}.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:hover small{color:#9c9c9c}.combobox-container.combobox-selected .glyphicon-remove{display:inline-block}.combobox-container .caret{margin-left:0}.combobox-container .combobox::-ms-clear{display:none}.combobox-container .dropdown-menu{margin-top:-1px;width:100%}.combobox-container .glyphicon-remove{display:none;top:auto;width:12px}.combobox-container .glyphicon-remove:before{content:"\e60b";font-family:PatternFlyIcons-webfont}.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;position:relative}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.combobox-container .input-group-addon:focus,.combobox-container .input-group-addon:hover,.open .dropdown-toggle.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.open .dropdown-toggle.combobox-container .input-group-addon{background-image:none}.combobox-container .input-group-addon.active.focus,.combobox-container .input-group-addon.active:focus,.combobox-container .input-group-addon.active:hover,.combobox-container .input-group-addon:active.focus,.combobox-container .input-group-addon:active:focus,.combobox-container .input-group-addon:active:hover,.open .dropdown-toggle.combobox-container .input-group-addon.focus,.open .dropdown-toggle.combobox-container .input-group-addon:focus,.open .dropdown-toggle.combobox-container .input-group-addon:hover{background-color:#e5e5e5;border-color:#a9a9a9}.combobox-container .input-group-addon.disabled,.combobox-container .input-group-addon.disabled.active,.combobox-container .input-group-addon.disabled:active,.combobox-container .input-group-addon.disabled:focus,.combobox-container .input-group-addon.disabled:hover,.combobox-container .input-group-addon[disabled],.combobox-container .input-group-addon[disabled].active,.combobox-container .input-group-addon[disabled]:active,.combobox-container .input-group-addon[disabled]:focus,.combobox-container .input-group-addon[disabled]:hover,fieldset[disabled] .combobox-container .input-group-addon,fieldset[disabled] .combobox-container .input-group-addon.active,fieldset[disabled] .combobox-container .input-group-addon:active,fieldset[disabled] .combobox-container .input-group-addon:focus,fieldset[disabled] .combobox-container .input-group-addon:hover{background-color:#f1f1f1;border-color:#bbb}.combobox-container .input-group-addon:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.treeview .list-group{border-top:0}.treeview .list-group-item{background:0 0;border-bottom:1px solid transparent!important;border-top:1px solid transparent!important;margin-bottom:0;padding:0 10px}.treeview .list-group-item:hover{background:#def3ff!important;border-color:#bee1f4!important}.treeview .list-group-item.node-selected{background:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.treeview span.icon{display:inline-block;font-size:13px;min-width:10px;text-align:center}.treeview span.icon>[class*=fa-angle]{font-size:15px}.treeview span.indent{margin-right:5px}.breadcrumb{padding-left:0}.breadcrumb>.active strong{font-weight:600}.breadcrumb>li{display:inline}.breadcrumb>li+li:before{color:#9c9c9c;content:"\f101";font-family:FontAwesome;font-size:11px;padding:0 9px 0 7px}.btn{-webkit-box-shadow:0 2px 3px rgba(3,3,3,.1);box-shadow:0 2px 3px rgba(3,3,3,.1)}.btn:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{background-color:#fafafa!important;background-image:none!important;border-color:#d1d1d1!important;color:#8b8d8f!important;opacity:1}.btn.disabled:active,.btn[disabled]:active,fieldset[disabled] .btn:active{-webkit-box-shadow:none;box-shadow:none}.btn.disabled.btn-link,.btn[disabled].btn-link,fieldset[disabled] .btn.btn-link{background-color:transparent!important;border:0}.btn-danger{background-color:#a30000;background-image:-webkit-linear-gradient(top,#c00 0,#a30000 100%);background-image:-o-linear-gradient(top,#c00 0,#a30000 100%);background-image:linear-gradient(to bottom,#c00 0,#a30000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffcc0000', endColorstr='#ffa30000', GradientType=0);border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.btn-danger:focus,.btn-danger:hover,.open .dropdown-toggle.btn-danger{background-color:#a30000;background-image:none;border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open .dropdown-toggle.btn-danger.focus,.open .dropdown-toggle.btn-danger:focus,.open .dropdown-toggle.btn-danger:hover{background-color:#8a0000;border-color:#670000}.btn-danger.disabled,.btn-danger.disabled.active,.btn-danger.disabled:active,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled],.btn-danger[disabled].active,.btn-danger[disabled]:active,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger.active,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#a30000;border-color:#8b0000}.btn-default{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.btn-default:focus,.btn-default:hover,.open .dropdown-toggle.btn-default{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open .dropdown-toggle.btn-default.focus,.open .dropdown-toggle.btn-default:focus,.open .dropdown-toggle.btn-default:hover{background-color:#e5e5e5;border-color:#a9a9a9}.btn-default.disabled,.btn-default.disabled.active,.btn-default.disabled:active,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled],.btn-default[disabled].active,.btn-default[disabled]:active,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default.active,fieldset[disabled] .btn-default:active,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#f1f1f1;border-color:#bbb}.btn-link,.btn-link:active{-webkit-box-shadow:none;box-shadow:none}.btn-primary{background-color:#0088ce;background-image:-webkit-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:-o-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:linear-gradient(to bottom,#39a5dc 0,#0088ce 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff39a5dc', endColorstr='#ff0088ce', GradientType=0);border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open .dropdown-toggle.btn-primary{background-color:#0088ce;background-image:none;border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open .dropdown-toggle.btn-primary.focus,.open .dropdown-toggle.btn-primary:focus,.open .dropdown-toggle.btn-primary:hover{background-color:#0077b5;border-color:#004e78}.btn-primary.disabled,.btn-primary.disabled.active,.btn-primary.disabled:active,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled],.btn-primary[disabled].active,.btn-primary[disabled]:active,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary.active,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#0088ce;border-color:#00659c}.btn-group-xs .btn,.btn-group-xs>.btn,.btn-xs{font-weight:400}.close{text-shadow:none;opacity:.6;filter:alpha(opacity=60)}.close:focus,.close:hover{opacity:.9;filter:alpha(opacity=90)}.ColVis_Button:active:focus{outline:0}.ColVis_catcher{position:absolute;z-index:999}.ColVis_collection{background-color:#fff;border:1px solid #bbb;border-radius:1px;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);background-clip:padding-box;list-style:none;margin:-1px 0 0 0;padding:5px 10px;width:150px;z-index:1000}.ColVis_collection label{font-weight:400;margin-bottom:5px;margin-top:5px;padding-left:20px}.ColVis_collectionBackground{background-color:#fff;height:100%;left:0;position:fixed;top:0;width:100%;z-index:998}.dataTables_header{background-color:#f5f5f5;border:1px solid #d1d1d1;border-bottom:none;padding:5px;position:relative;text-align:center}.dataTables_header .btn{-webkit-box-shadow:none;box-shadow:none}.dataTables_header .ColVis{position:absolute;right:5px;text-align:left;top:5px}.dataTables_header .ColVis+.dataTables_info{padding-right:30px}.dataTables_header .dataTables_filter{position:absolute}.dataTables_header .dataTables_filter input{border:1px solid #bbb;height:24px}@media (max-width:767px){.dataTables_header .dataTables_filter input{width:100px}}.dataTables_header .dataTables_info{padding:2px 0}@media (max-width:480px){.dataTables_header .dataTables_info{text-align:right}}.dataTables_header .dataTables_info b{font-weight:700}.dataTables_footer{background-color:#fff;border:1px solid #d1d1d1;border-top:none;overflow:hidden}.dataTables_paginate{background:#fafafa;float:right;margin:0}.dataTables_paginate .pagination{float:left;margin:0}.dataTables_paginate .pagination>li>span{border-color:#fff #d1d1d1 #f5f5f5;border-width:0 1px;font-size:16px;font-weight:400;padding:0;text-align:center;width:31px}.dataTables_paginate .pagination>li>span:focus,.dataTables_paginate .pagination>li>span:hover{filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination>li.last>span{border-right:none}.dataTables_paginate .pagination>li.disabled>span{background:#f5f5f5;border-left-color:#ededed;border-right-color:#ededed;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination-input{float:left;font-size:12px;line-height:1em;padding:4px 15px 0;text-align:right}.dataTables_paginate .pagination-input .paginate_input{border:1px solid #d1d1d1;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075);box-shadow:inset 0 1px 1px rgba(3,3,3,.075);font-size:12px;font-weight:600;height:19px;margin-right:8px;padding-right:3px;text-align:right;width:30px}.dataTables_paginate .pagination-input .paginate_of{position:relative}.dataTables_paginate .pagination-input .paginate_of b{margin-left:3px}.dataTables_wrapper{margin:20px 0}@media (max-width:767px){.dataTables_wrapper .table-responsive{margin-bottom:0}}.DTCR_clonedTable{background-color:rgba(255,255,255,.7);z-index:202}.DTCR_pointer{background-color:#0088ce;width:1px;z-index:201}table.datatable{margin-bottom:0;max-width:none!important}table.datatable thead .sorting,table.datatable thead .sorting_asc,table.datatable thead .sorting_asc_disabled,table.datatable thead .sorting_desc,table.datatable thead .sorting_desc_disabled{cursor:pointer}table.datatable thead .sorting_asc,table.datatable thead .sorting_desc{color:#0088ce!important;position:relative}table.datatable thead .sorting_asc:after,table.datatable thead .sorting_desc:after{content:"\f107";font-family:FontAwesome;font-size:10px;font-weight:400;height:9px;left:7px;line-height:12px;position:relative;top:2px;vertical-align:baseline;width:12px}table.datatable thead .sorting_asc:before,table.datatable thead .sorting_desc:before{background:#0088ce;content:'';height:2px;position:absolute;left:0;top:0;width:100%}table.datatable thead .sorting_asc:after{content:"\f106";top:-3px}table.datatable th:active{outline:0}.caret{font-family:FontAwesome;font-weight:400;height:9px;position:relative;vertical-align:baseline;width:12px}.caret:before{bottom:0;content:"\f107";left:0;line-height:12px;position:absolute;text-align:center;top:-1px;right:0}.dropup .caret:before{content:"\f106"}.dropdown-menu .divider{background-color:#ededed;height:1px;margin:4px 1px;overflow:hidden}.dropdown-menu>li>a{border-color:transparent;border-style:solid;border-width:1px 0;padding:1px 10px}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{border-color:#bee1f4;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>li>a:active{background-color:#0088ce;border-color:#0088ce;color:#fff!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{background-color:#0088ce!important;border-color:#0088ce!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-header{padding-left:10px;padding-right:10px;text-transform:uppercase}.btn-group>.dropdown-menu,.dropdown>.dropdown-menu,.input-group-btn>.dropdown-menu{margin-top:-1px}.dropup .dropdown-menu{margin-bottom:-1px}.dropdown-submenu{position:relative}.dropdown-submenu:hover>a{background-color:#def3ff;border-color:#bee1f4}.dropdown-submenu:hover>.dropdown-menu{display:block}.dropdown-submenu.pull-left{float:none!important}.dropdown-submenu.pull-left>.dropdown-menu{left:auto;margin-left:10px;right:100%}.dropdown-submenu>a{padding-right:20px!important}.dropdown-submenu>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:2px}.dropdown-submenu>.dropdown-menu{left:100%;margin-top:0;top:-6px}.dropup .dropdown-submenu>.dropdown-menu{bottom:-5px;top:auto}.open .dropdown-submenu.active>.dropdown-menu{display:block}.dropdown-kebab-pf .btn-link{color:#252525;font-size:16px;line-height:1;padding:4px 0}.dropdown-kebab-pf .btn-link:active,.dropdown-kebab-pf .btn-link:focus,.dropdown-kebab-pf .btn-link:hover{color:#0088ce}.dropdown-kebab-pf .dropdown-menu{left:-15px;margin-top:11px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right{left:auto;right:-15px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:after,.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:before{left:auto;right:6px}.dropdown-kebab-pf .dropdown-menu:after,.dropdown-kebab-pf .dropdown-menu:before{border-bottom-color:#bbb;border-bottom-style:solid;border-bottom-width:10px;border-left:10px solid transparent;border-right:10px solid transparent;content:"";display:inline-block;left:6px;position:absolute;top:-11px}.dropdown-kebab-pf .dropdown-menu:after{border-bottom-color:#fff;top:-10px}.dropdown-kebab-pf.dropup .dropdown-menu{margin-bottom:11px;margin-top:0}.dropdown-kebab-pf.dropup .dropdown-menu:after,.dropdown-kebab-pf.dropup .dropdown-menu:before{border-bottom:none;border-top-color:#bbb;border-top-style:solid;border-top-width:10px;bottom:-11px;top:auto}.dropdown-kebab-pf.dropup .dropdown-menu:after{border-top-color:#fff;bottom:-10px}@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;src:local('Open Sans'),local('OpenSans'),url(../fonts/open-sans/OpenSans-Regular.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:300;src:local('OpenSans-Light'),local('Open Sans Light'),url(../fonts/open-sans/OpenSans-Light.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:600;src:local('Open Sans Semibold'),local('OpenSans-Semibold'),url(../fonts/open-sans/OpenSans-Semibold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:700;src:local('Open Sans Bold'),local('OpenSans-Bold'),url(../fonts/open-sans/OpenSans-Bold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:800;src:local('Open Sans Extrabold'),local('OpenSans-Extrabold'),url(../fonts/open-sans/OpenSans-ExtraBold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:300;src:local('Open Sans Light Italic'),local('OpenSansLight-Italic'),url(../fonts/open-sans/OpenSans-LightItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:400;src:local('Open Sans Italic'),local('OpenSans-Italic'),url(../fonts/open-sans/OpenSans-Italic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:600;src:local('Open Sans Semibold Italic'),local('OpenSans-SemiboldItalic'),url(../fonts/open-sans/OpenSans-SemiboldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:700;src:local('Open Sans Bold Italic'),local('OpenSans-BoldItalic'),url(../fonts/open-sans/OpenSans-BoldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:800;src:local('Open Sans Extrabold Italic'),local('OpenSans-ExtraboldItalic'),url(../fonts/open-sans/OpenSans-ExtraBoldItalic.ttf) format('truetype')}.chars-remaining-pf span{font-weight:600;padding-right:5px}.chars-warn-remaining-pf{color:#c00}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f}.form-control[disabled]:hover,.form-control[readonly]:hover,fieldset[disabled] .form-control:hover{border-color:#bbb}.form-control:hover{border-color:#7dc3e8}.has-error .form-control:hover{border-color:#900}.has-success .form-control:hover{border-color:#2b542c}.has-warning .form-control:hover{border-color:#bb6106}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label,.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label,.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#363636}.help-block{margin-bottom:0}.input-group .input-group-btn .btn{-webkit-box-shadow:none;box-shadow:none}label{font-weight:600}.navbar-nav>li>.dropdown-menu.infotip{border-top-width:1px!important;margin-top:10px}@media (max-width:767px){.navbar-pf .navbar-nav .open .dropdown-menu.infotip{background-color:#fff!important;margin-top:0}}.infotip{min-width:235px;padding:0}.infotip .list-group{border-top:0;margin:0;padding:8px 0}.infotip .list-group .list-group-item{border:none;margin:0 15px 0 34px;padding:5px 0}.infotip .list-group .list-group-item>.i{color:#4d5258;font-size:13px;left:-20px;position:absolute;top:8px}.infotip .list-group .list-group-item>a{color:#4d5258;line-height:13px}.infotip .list-group .list-group-item>.close{float:right}.infotip .footer{background-color:#f5f5f5;padding:6px 15px}.infotip .footer a:hover{color:#0088ce}.infotip .arrow,.infotip .arrow:after{border-color:transparent;border-style:solid;display:block;height:0;position:absolute;width:0}.infotip .arrow{border-width:11px}.infotip .arrow:after{border-width:10px;content:""}.infotip.bottom .arrow,.infotip.bottom-left .arrow,.infotip.bottom-right .arrow{border-bottom-color:#999;border-bottom-color:#bbb;border-top-width:0;left:50%;margin-left:-11px;top:-11px}.infotip.bottom .arrow:after,.infotip.bottom-left .arrow:after,.infotip.bottom-right .arrow:after{border-top-width:0;border-bottom-color:#fff;content:" ";margin-left:-10px;top:1px}.infotip.bottom-left .arrow{left:20%}.infotip.bottom-right .arrow{left:80%}.infotip.top .arrow{border-bottom-width:0;border-top-color:#999;border-top-color:#bbb;bottom:-11px;left:50%;margin-left:-11px}.infotip.top .arrow:after{border-bottom-width:0;border-top-color:#f5f5f5;bottom:1px;content:" ";margin-left:-10px}.infotip.right .arrow{border-left-width:0;border-right-color:#999;border-right-color:#bbb;left:-11px;margin-top:-11px;top:50%}.infotip.right .arrow:after{bottom:-10px;border-left-width:0;border-right-color:#fff;content:" ";left:1px}.infotip.left .arrow{border-left-color:#999;border-left-color:#bbb;border-right-width:0;margin-top:-11px;right:-11px;top:50%}.infotip.left .arrow:after{border-left-color:#fff;border-right-width:0;bottom:-10px;content:" ";right:1px}.label{border-radius:0;font-size:100%;font-weight:600}h1 .label,h2 .label,h3 .label,h4 .label,h5 .label,h6 .label{font-size:75%}.list-group{border-top:1px solid #ededed}.list-group .list-group-item:first-child{border-top:0}.list-group-item{border-top:0;border-left:0;border-right:0;margin-bottom:0}.list-group-item-heading{font-weight:600}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{border-top:solid 1px #39a5dc;margin-top:-1px;z-index:auto}.list-group-item.active:first-child{border-top:1px solid #39a5dc!important;margin-top:-1px}.login-pf{height:100%}.login-pf #brand{position:relative;top:-70px}.login-pf #brand img{display:block;height:18px;margin:0 auto;max-width:100%}@media (min-width:768px){.login-pf #brand img{margin:0;text-align:left}}.login-pf #badge{display:block;margin:20px auto 70px;position:relative;text-align:center}@media (min-width:768px){.login-pf #badge{float:right;margin-right:64px;margin-top:50px}}.login-pf body{background:#1a1a1a url(../img/bg-login.jpg) repeat-x 50% 0;background-size:auto}@media (min-width:768px){.login-pf body{background-size:100% auto}}.login-pf .container{background-color:transparent;clear:right;color:#fff;padding-bottom:40px;padding-top:20px;width:auto}@media (min-width:768px){.login-pf .container{bottom:13%;padding-left:80px;position:absolute;width:100%}}.login-pf .container [class^=alert]{background:0 0;color:#fff}.login-pf .container .details p:first-child{border-top:1px solid rgba(255,255,255,.3);padding-top:25px;margin-top:25px}@media (min-width:768px){.login-pf .container .details{border-left:1px solid rgba(255,255,255,.3);padding-left:40px}.login-pf .container .details p:first-child{border-top:0;padding-top:0;margin-top:0}}.login-pf .container .details p{margin-bottom:2px}.login-pf .container .form-horizontal .control-label{font-size:13px;font-weight:400;text-align:left}.login-pf .container .form-horizontal .form-group:last-child,.login-pf .container .form-horizontal .form-group:last-child .help-block:last-child{margin-bottom:0}.login-pf .container .help-block{color:#fff}@media (min-width:768px){.login-pf .container .login{padding-right:40px}}.login-pf .container .submit{text-align:right}.modal-header{background-color:#f5f5f5;border-bottom:none;padding:10px 18px}.modal-header .close{margin-top:2px}.modal-title{font-size:13px;font-weight:700}.modal-footer{border-top:none;margin-top:15px;padding:14px 15px 15px}.modal-footer>.btn{padding-left:10px;padding-right:10px}.modal-footer>.btn>.fa-angle-left{margin-right:5px}.modal-footer>.btn>.fa-angle-right{margin-left:5px}.navbar-pf{background:#393F45;border:0;border-radius:0;border-top:3px solid #c00;margin-bottom:0;min-height:0}.navbar-pf .navbar-brand{color:#fff;height:auto;padding:12px 0;margin:0 0 0 20px}.navbar-pf .navbar-brand img{display:block}.navbar-pf .navbar-collapse{border-top:0;-webkit-box-shadow:none;box-shadow:none;padding:0}.navbar-pf .navbar-header{border-bottom:1px solid #53565b;float:none}.navbar-pf .navbar-nav{margin:0}.navbar-pf .navbar-nav>.active>a,.navbar-pf .navbar-nav>.active>a:focus,.navbar-pf .navbar-nav>.active>a:hover{background-color:#454C53;color:#fff}.navbar-pf .navbar-nav>li>a{color:#dbdada;line-height:1;padding:10px 20px;text-shadow:none}.navbar-pf .navbar-nav>li>a:focus,.navbar-pf .navbar-nav>li>a:hover{color:#fff}.navbar-pf .navbar-nav>.open>a,.navbar-pf .navbar-nav>.open>a:focus,.navbar-pf .navbar-nav>.open>a:hover{background-color:#454C53;color:#fff}@media (max-width:767px){.navbar-pf .navbar-nav .active .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent,.navbar-pf .navbar-nav .open .dropdown-menu{background-color:#3c434a!important;margin-left:0;padding-bottom:0;padding-top:0}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:hover{background-color:#424950!important;color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent>li>a,.navbar-pf .navbar-nav .open .dropdown-menu>li>a{background-color:transparent;border:0;color:#dbdada;outline:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu>li>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>li>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>li>a:hover{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .divider,.navbar-pf .navbar-nav .active .navbar-persistent .divider,.navbar-pf .navbar-nav .open .dropdown-menu .divider{background-color:#53565b;margin:0 1px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-header{padding-bottom:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open .dropdown-toggle{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.pull-left{float:none!important}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu>a:after,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu>a:after{display:none}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-header{padding-left:45px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu{border:0;bottom:auto;-webkit-box-shadow:none;box-shadow:none;display:block;float:none;margin:0;min-width:0;padding:0;position:relative;left:auto;right:auto;top:auto}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu>li>a{padding:5px 15px 5px 45px;line-height:20px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a{padding-left:60px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-menu{display:block}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after{display:inline-block!important;position:relative;right:auto;top:1px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu{display:none}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-submenu>a:after{display:none!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu{background-color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active small{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.disabled>a{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li>a.opt{border-bottom:1px solid transparent;border-top:1px solid transparent;color:#363636;padding-left:10px;padding-right:10px}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:focus small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:hover small{color:#9c9c9c}.navbar-pf .navbar-nav .context-bootstrap-select>.open>.dropdown-menu{padding-bottom:5px;padding-top:5px}}.navbar-pf .navbar-persistent{display:none}.navbar-pf .active>.navbar-persistent{display:block}.navbar-pf .navbar-primary{float:none}.navbar-pf .navbar-primary .context{border-bottom:1px solid #53565b}.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group,.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group[class*=span]{margin:8px 20px 9px;width:auto}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a{position:relative}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{content:"\f107";display:inline-block;font-family:FontAwesome;font-weight:400}@media (max-width:767px){.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{height:10px;margin-left:4px;vertical-align:baseline}}.navbar-pf .navbar-toggle{border:0;margin:0;padding:10px 20px}.navbar-pf .navbar-toggle:focus,.navbar-pf .navbar-toggle:hover{background-color:transparent;outline:0}.navbar-pf .navbar-toggle:focus .icon-bar,.navbar-pf .navbar-toggle:hover .icon-bar{-webkit-box-shadow:0 0 3px #fff;box-shadow:0 0 3px #fff}.navbar-pf .navbar-toggle .icon-bar{background-color:#fff}.navbar-pf .navbar-utility{border-bottom:1px solid #53565b}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:36px;position:relative}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:20px;position:absolute;top:10px}@media (max-width:767px){.navbar-pf .navbar-utility>li+li{border-top:1px solid #53565b}}@media (min-width:768px){.navbar-pf .navbar-brand{padding:7px 0 8px}.navbar-pf .navbar-nav>li>a{padding-bottom:14px;padding-top:14px}.navbar-pf .navbar-persistent{font-size:14px}.navbar-pf .navbar-primary{font-size:14px;background-image:-webkit-linear-gradient(top,#474c50 0,#383f43 100%);background-image:-o-linear-gradient(top,#474c50 0,#383f43 100%);background-image:linear-gradient(to bottom,#474c50 0,#383f43 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff474c50', endColorstr='#ff383f43', GradientType=0)}.navbar-pf .navbar-primary.persistent-secondary .context .dropdown-menu{top:auto}.navbar-pf .navbar-primary.persistent-secondary .dropup .dropdown-menu{bottom:-5px;top:auto}.navbar-pf .navbar-primary.persistent-secondary>li{position:static}.navbar-pf .navbar-primary.persistent-secondary>li.active{margin-bottom:32px}.navbar-pf .navbar-primary.persistent-secondary>li.active>.navbar-persistent{display:block;left:0;position:absolute}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent{background:#f6f6f6;border-bottom:1px solid #cecdcd;padding:0;width:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent a{text-decoration:none!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a:hover{color:#0088ce!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active .active>a{color:#fff}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu:hover>.dropdown-menu{display:none}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-menu{display:block;left:20px;margin-top:1px;top:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle{padding-right:35px!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle:after{position:absolute;right:20px;top:10px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a:after,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a{background-color:transparent;display:block;line-height:1;padding:9px 20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle{padding-right:35px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle:after{font-size:15px;position:absolute;right:20px;top:9px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a:hover{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li a{color:#4d5258}.navbar-pf .navbar-primary>li>a{border-bottom:1px solid transparent;border-top:1px solid transparent;position:relative;margin:-1px 0 0}.navbar-pf .navbar-primary>li>a:hover{background-color:#4b5053;border-top-color:#949699;color:#dbdada;background-image:-webkit-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:-o-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:linear-gradient(to bottom,#5c6165 0,#4b5053 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5c6165', endColorstr='#ff4b5053', GradientType=0)}.navbar-pf .navbar-primary>.active>a,.navbar-pf .navbar-primary>.active>a:focus,.navbar-pf .navbar-primary>.active>a:hover,.navbar-pf .navbar-primary>.open>a,.navbar-pf .navbar-primary>.open>a:focus,.navbar-pf .navbar-primary>.open>a:hover{background-color:#64686c;border-bottom-color:#64686c;border-top-color:#949699;-webkit-box-shadow:none;box-shadow:none;color:#fff;background-image:-webkit-linear-gradient(top,#72757a 0,#64686c 100%);background-image:-o-linear-gradient(top,#72757a 0,#64686c 100%);background-image:linear-gradient(to bottom,#72757a 0,#64686c 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff72757a', endColorstr='#ff64686c', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select .filter-option{max-width:160px;text-overflow:ellipsis}.navbar-pf .navbar-primary li.context.dropdown{border-bottom:0}.navbar-pf .navbar-primary li.context.context-bootstrap-select,.navbar-pf .navbar-primary li.context>a{background-color:#505458;border-bottom-color:#65696d;border-right:1px solid #65696d;border-top-color:#64696d;font-weight:600;background-image:-webkit-linear-gradient(top,#585d61 0,#505458 100%);background-image:-o-linear-gradient(top,#585d61 0,#505458 100%);background-image:linear-gradient(to bottom,#585d61 0,#505458 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff585d61', endColorstr='#ff505458', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select:hover,.navbar-pf .navbar-primary li.context>a:hover{background-color:#5a5e62;border-bottom-color:#6e7276;border-right-color:#6e7276;border-top-color:#6c7276;background-image:-webkit-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:-o-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:linear-gradient(to bottom,#62676b 0,#5a5e62 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff62676b', endColorstr='#ff5a5e62', GradientType=0)}.navbar-pf .navbar-primary li.context.open>a{background-color:#65696d;border-bottom-color:#6e7276;border-right-color:#777a7e;border-top-color:#767a7e;background-image:-webkit-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:-o-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:linear-gradient(to bottom,#6b7175 0,#65696d 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6b7175', endColorstr='#ff65696d', GradientType=0)}.navbar-pf .navbar-utility{border-bottom:0;font-size:11px;position:absolute;right:0;top:0}.navbar-pf .navbar-utility>.active>a,.navbar-pf .navbar-utility>.active>a:focus,.navbar-pf .navbar-utility>.active>a:hover,.navbar-pf .navbar-utility>.open>a,.navbar-pf .navbar-utility>.open>a:focus,.navbar-pf .navbar-utility>.open>a:hover{background:#5b6165;color:#fff}.navbar-pf .navbar-utility>li>a{border-left:1px solid #53565b;color:#fff!important;padding:7px 10px}.navbar-pf .navbar-utility>li>a:hover{background:#4a5053;border-left-color:#636466}.navbar-pf .navbar-utility>li.open>a{border-left-color:#6c6e70;color:#fff!important}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:26px}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:10px;top:7px}.navbar-pf .navbar-utility .open .dropdown-menu{left:auto;right:0}.navbar-pf .navbar-utility .open .dropdown-menu .dropdown-menu{left:auto;right:100%}.navbar-pf .navbar-utility .open .dropdown-menu{border-top-width:0}.navbar-pf .open .dropdown-submenu>.dropdown-menu,.navbar-pf .open.bootstrap-select .dropdown-menu{border-top-width:1px!important}}@media (max-width:360px){.navbar-pf .navbar-brand{margin-left:10px;width:75%}.navbar-pf .navbar-brand img{height:auto;max-width:100%}.navbar-pf .navbar-toggle{padding-left:0}}.drawer-pf{background-color:#fafafa;border:1px solid #d1d1d1;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);overflow-y:auto;position:absolute;right:0;width:320px;z-index:2}.drawer-pf .panel{border-bottom:none;border-left:none;border-right:none}.drawer-pf .panel-group .panel-heading+.panel-collapse .panel-body{border-top:none;border-bottom:1px solid #d1d1d1;padding:0}.drawer-pf .panel-counter{display:block;font-style:italic;line-height:1.2;padding-left:18px;padding-top:5px}.drawer-pf .panel-heading{border-bottom:1px solid #d1d1d1}.drawer-pf .panel-group{bottom:0;margin-bottom:0;position:absolute;top:25px;width:100%}.drawer-pf .panel-title a{cursor:pointer;display:block}.drawer-pf.drawer-pf-expanded{left:270px;width:inherit}.drawer-pf.drawer-pf-expanded .drawer-pf-toggle-expand:before{content:"\f101"}.drawer-pf-toggle-expand{color:inherit;cursor:pointer;left:0;padding:2px 5px;position:absolute}.drawer-pf-toggle-expand:before{content:"\f100";font-family:FontAwesome}.drawer-pf-toggle-expand:focus,.drawer-pf-toggle-expand:hover{color:inherit;text-decoration:none}.drawer-pf-action .btn-link{color:#0088ce;padding:10px 0}.drawer-pf-action .btn-link:hover{color:#00659c}.drawer-pf-loading{color:#4d5258;font-size:14px;padding:20px 15px}.drawer-pf-notification{border-bottom:1px solid #d1d1d1;padding:15px}.drawer-pf-notification .date{border-right:1px solid #aaa;display:inline-block;line-height:1;margin-right:5px;padding-right:9px}.drawer-pf-notification .pficon{font-size:14px;margin-top:3px}.drawer-pf-notification:last-of-type{border-bottom:none}.drawer-pf-notification:hover{background-color:#def3ff}.drawer-pf-notification.unread .drawer-pf-notification-message{font-weight:700}.drawer-pf-notification.expanded-notification .date{border-right:none;padding-right:0}.drawer-pf-notification-info,.drawer-pf-notification-message{display:block;padding-left:27px;padding-right:19px}.expanded-notification .drawer-pf-notification-info,.expanded-notification .drawer-pf-notification-message{display:inline-block}.drawer-pf-notifications-non-clickable .drawer-pf-notification:hover{background-color:#fff}.drawer-pf-title{background-color:#fafafa;border-bottom:1px solid #d1d1d1;position:absolute;width:318px}.drawer-pf-title h3{font-size:12px;margin:0;padding:6px 15px}.navbar-pf-vertical .drawer-pf{height:calc(100vh - 80px);top:58px}.navbar-pf-vertical .nav .drawer-pf-trigger .drawer-pf-trigger-icon{border-left:1px solid #53565b;border-right:1px solid #53565b;padding-left:15px;padding-right:15px}.navbar-pf-vertical .nav .drawer-pf-trigger.open .drawer-pf-trigger-icon{background-color:#4a5053}.navbar-pf .drawer-pf{height:calc(100vh - 46px);top:26px}.navbar-pf .drawer-pf-trigger-icon{cursor:pointer}.pager li>a,.pager li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;font-weight:600;line-height:22px;padding:2px 14px}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>a:focus,.pager li>a:hover,.pager li>span.active,.pager li>span:active,.pager li>span:focus,.pager li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>span.active,.pager li>span:active{background-image:none}.open .dropdown-toggle.pager li>a.focus,.open .dropdown-toggle.pager li>a:focus,.open .dropdown-toggle.pager li>a:hover,.open .dropdown-toggle.pager li>span.focus,.open .dropdown-toggle.pager li>span:focus,.open .dropdown-toggle.pager li>span:hover,.pager li>a.active.focus,.pager li>a.active:focus,.pager li>a.active:hover,.pager li>a:active.focus,.pager li>a:active:focus,.pager li>a:active:hover,.pager li>span.active.focus,.pager li>span.active:focus,.pager li>span.active:hover,.pager li>span:active.focus,.pager li>span:active:focus,.pager li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pager li>a.disabled,.pager li>a.disabled.active,.pager li>a.disabled:active,.pager li>a.disabled:focus,.pager li>a.disabled:hover,.pager li>a[disabled],.pager li>a[disabled].active,.pager li>a[disabled]:active,.pager li>a[disabled]:focus,.pager li>a[disabled]:hover,.pager li>span.disabled,.pager li>span.disabled.active,.pager li>span.disabled:active,.pager li>span.disabled:focus,.pager li>span.disabled:hover,.pager li>span[disabled],.pager li>span[disabled].active,.pager li>span[disabled]:active,.pager li>span[disabled]:focus,.pager li>span[disabled]:hover,fieldset[disabled] .pager li>a,fieldset[disabled] .pager li>a.active,fieldset[disabled] .pager li>a:active,fieldset[disabled] .pager li>a:focus,fieldset[disabled] .pager li>a:hover,fieldset[disabled] .pager li>span,fieldset[disabled] .pager li>span.active,fieldset[disabled] .pager li>span:active,fieldset[disabled] .pager li>span:focus,fieldset[disabled] .pager li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pager li>a>.i,.pager li>span>.i{font-size:18px;vertical-align:top;margin:2px 0}.pager li>a:hover>a:focus{color:#4d5258}.pager li a:active{background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(3,3,3,.125);box-shadow:inset 0 3px 5px rgba(3,3,3,.125);outline:0}.pager .disabled>a,.pager .disabled>a:active,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{background:#f5f5f5;-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f;cursor:default}.pager .next>a>.i,.pager .next>span>.i{margin-left:5px}.pager .previous>a>.i,.pager .previous>span>.i{margin-right:5px}.pager-sm li>a,.pager-sm li>span{font-weight:400;line-height:16px;padding:1px 10px}.pager-sm li>a>.i,.pager-sm li>span>.i{font-size:12px}.pagination>li>a,.pagination>li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;cursor:default;font-weight:600;padding:2px 10px}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span.active,.pagination>li>span:active,.pagination>li>span:focus,.pagination>li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>span.active,.pagination>li>span:active{background-image:none}.open .dropdown-toggle.pagination>li>a.focus,.open .dropdown-toggle.pagination>li>a:focus,.open .dropdown-toggle.pagination>li>a:hover,.open .dropdown-toggle.pagination>li>span.focus,.open .dropdown-toggle.pagination>li>span:focus,.open .dropdown-toggle.pagination>li>span:hover,.pagination>li>a.active.focus,.pagination>li>a.active:focus,.pagination>li>a.active:hover,.pagination>li>a:active.focus,.pagination>li>a:active:focus,.pagination>li>a:active:hover,.pagination>li>span.active.focus,.pagination>li>span.active:focus,.pagination>li>span.active:hover,.pagination>li>span:active.focus,.pagination>li>span:active:focus,.pagination>li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pagination>li>a.disabled,.pagination>li>a.disabled.active,.pagination>li>a.disabled:active,.pagination>li>a.disabled:focus,.pagination>li>a.disabled:hover,.pagination>li>a[disabled],.pagination>li>a[disabled].active,.pagination>li>a[disabled]:active,.pagination>li>a[disabled]:focus,.pagination>li>a[disabled]:hover,.pagination>li>span.disabled,.pagination>li>span.disabled.active,.pagination>li>span.disabled:active,.pagination>li>span.disabled:focus,.pagination>li>span.disabled:hover,.pagination>li>span[disabled],.pagination>li>span[disabled].active,.pagination>li>span[disabled]:active,.pagination>li>span[disabled]:focus,.pagination>li>span[disabled]:hover,fieldset[disabled] .pagination>li>a,fieldset[disabled] .pagination>li>a.active,fieldset[disabled] .pagination>li>a:active,fieldset[disabled] .pagination>li>a:focus,fieldset[disabled] .pagination>li>a:hover,fieldset[disabled] .pagination>li>span,fieldset[disabled] .pagination>li>span.active,fieldset[disabled] .pagination>li>span:active,fieldset[disabled] .pagination>li>span:focus,fieldset[disabled] .pagination>li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pagination>li>a>.i,.pagination>li>span>.i{font-size:15px;vertical-align:top;margin:2px 0}.pagination>li>a:active,.pagination>li>span:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{background-color:#f1f1f1;border-color:#bbb;-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2);color:#4d5258;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{-webkit-box-shadow:none;box-shadow:none;cursor:default;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination-sm>li>a,.pagination-sm>li>span{padding:2px 6px;font-size:11px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:1px;border-top-left-radius:1px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:1px;border-top-right-radius:1px}.pagination-sm>li>a,.pagination-sm>li>span{font-weight:400}.pagination-sm>li>a>.i,.pagination-sm>li>span>.i{font-size:12px;margin-top:2px}.panel-title{font-weight:700}.panel-group .panel{color:#4d5258}.panel-group .panel+.panel{margin-top:-1px}.panel-group .panel-default{border-color:#bbb;border-top-color:#bbb}.panel-group .panel-heading{background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #d1d1d1}.panel-group .panel-title{font-weight:500;line-height:1}.panel-group .panel-title>a{color:#4d5258;font-weight:600}.panel-group .panel-title>a:before{content:"\f107";display:inline-block;font-family:FontAwesome;font-size:13px;margin-right:5px;text-align:center;vertical-align:0;width:8px}.panel-group .panel-title>a:focus{outline:0;text-decoration:none}.panel-group .panel-title>a:hover{text-decoration:none}.panel-group .panel-title>a.collapsed:before{content:"\f105"}.popover{-webkit-box-shadow:0 2px 2px rgba(3,3,3,.08);box-shadow:0 2px 2px rgba(3,3,3,.08);padding:0}.popover-content{color:#4d5258;line-height:18px;padding:10px 14px}.popover-title{border-bottom:none;border-radius:0;color:#4d5258;font-size:13px;font-weight:700;min-height:34px}.popover-title .close{height:22px;position:absolute;right:8px;top:6px}.popover-title.closable{padding-right:30px}@-webkit-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}.progress{-webkit-box-shadow:inset 0 0 1px rgba(3,3,3,.25);box-shadow:inset 0 0 1px rgba(3,3,3,.25)}.progress.progress-label-left,.progress.progress-label-top-right{overflow:visible;position:relative}.progress.progress-label-left{margin-left:40px}.progress.progress-sm{height:14px;margin-bottom:14px}.progress.progress-xs{height:6px;margin-bottom:6px}td>.progress:first-child:last-child{margin-bottom:0;margin-top:3px}.progress-bar{box-shadow:none}.progress-label-left .progress-bar span,.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{color:#363636;position:absolute;text-align:right}.progress-label-left .progress-bar span{font-size:14px;left:-40px;top:0;width:35px}.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{font-size:11px;overflow:hidden;right:0;text-overflow:ellipsis;white-space:nowrap}.progress-label-right .progress-bar span strong,.progress-label-top-right .progress-bar span strong{font-weight:600}.progress-label-right .progress-bar span{max-width:85px;top:0}.progress-label-top-right .progress-bar span{max-width:47%;top:-30px}.progress-label-left.progress-sm .progress-bar span,.progress-label-top-right.progress-sm .progress-bar span{font-size:12px}.progress-sm .progress-bar{line-height:14px}.progress-xs .progress-bar{line-height:6px}.progress-bar-remaining{background:0 0}.progress-container{position:relative}.progress-container.progress-description-left{padding-left:90px}.progress-container.progress-label-right{padding-right:90px}.progress-description{margin-bottom:10px;max-width:52%;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.progress-description .count{font-size:20px;font-weight:300;line-height:1;margin-right:5px}.progress-description .fa,.progress-description .pficon{font-size:14px;margin-right:3px}.progress-description-left .progress-description{left:0;margin-bottom:0;max-width:85px;position:absolute;top:0}.progress-description .tooltip{white-space:normal}.search-pf.has-button{border-collapse:separate;display:table}.search-pf.has-button .form-group{display:table-cell;width:100%}.search-pf.has-button .form-group .btn{-webkit-box-shadow:none;box-shadow:none;float:left;margin-left:-1px}.search-pf.has-button .form-group .btn.btn-lg{font-size:14.5px}.search-pf.has-button .form-group .btn.btn-sm{font-size:10.7px}.search-pf.has-button .form-group .form-control{float:left}.search-pf .has-clear .clear{background:0 0;background:rgba(255,255,255,0);border:0;height:25px;line-height:1;padding:0;position:absolute;right:1px;top:1px;width:28px}.search-pf .has-clear .clear:focus{outline:0}.search-pf .has-clear .form-control{padding-right:30px}.search-pf .has-clear .form-control::-ms-clear{display:none}.search-pf .has-clear .input-lg+.clear{height:31px;width:28px}.search-pf .has-clear .input-sm+.clear{height:20px;width:28px}.search-pf .has-clear .input-sm+.clear span{font-size:10px}.search-pf .has-clear .search-pf-input-group{position:relative}.sidebar-header{border-bottom:1px solid #ececec;padding-bottom:11px;margin:50px 0 20px}.sidebar-header .actions{margin-top:-2px}.sidebar-pf .sidebar-header+.list-group{border-top:0;margin-top:-10px}.sidebar-pf .sidebar-header+.list-group .list-group-item{background:0 0;border-color:#ececec;padding-left:0}.sidebar-pf .sidebar-header+.list-group .list-group-item-heading{font-size:12px}.sidebar-pf .nav-category h2{color:#9c9c9c;font-size:12px;font-weight:400;line-height:21px;margin:0;padding:8px 0}.sidebar-pf .nav-category+.nav-category{margin-top:10px}.sidebar-pf .nav-pills>li.active>a{background:#0088ce!important;border-color:#0088ce!important;color:#fff}@media (min-width:768px){.sidebar-pf .nav-pills>li.active>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}.sidebar-pf .nav-pills>li.active>a .fa{color:#fff}.sidebar-pf .nav-pills>li>a{border-bottom:1px solid transparent;border-radius:0;border-top:1px solid transparent;color:#363636;font-size:13px;line-height:21px;padding:1px 20px}.sidebar-pf .nav-pills>li>a:hover{background:#def3ff;border-color:#bee1f4}.sidebar-pf .nav-pills>li>a .fa{color:#6a7079;font-size:15px;margin-right:10px;text-align:center;vertical-align:middle;width:15px}.sidebar-pf .nav-stacked{margin-left:-20px;margin-right:-20px}.sidebar-pf .nav-stacked li+li{margin-top:0}.sidebar-pf .panel{background:0 0}.sidebar-pf .panel-body{padding:6px 20px}.sidebar-pf .panel-body .nav-pills>li>a{padding-left:37px}.sidebar-pf .panel-heading{padding:9px 20px}.sidebar-pf .panel-title{font-size:12px}.sidebar-pf .panel-title>a:before{display:inline-block;margin-left:1px;margin-right:4px;width:9px}.sidebar-pf .panel-title>a.collapsed:before{margin-left:3px;margin-right:2px}@media (min-width:767px){.sidebar-header-bleed-left{margin-left:-20px}.sidebar-header-bleed-left>h2{margin-left:20px}.sidebar-header-bleed-right{margin-right:-20px}.sidebar-header-bleed-right .actions{margin-right:20px}.sidebar-header-bleed-right>h2{margin-right:20px}.sidebar-header-bleed-right+.list-group{margin-right:-20px}.sidebar-pf .panel-group .panel-default,.sidebar-pf .treeview{border-left:0;border-right:0;margin-left:-20px;margin-right:-20px}.sidebar-pf .treeview{margin-top:5px}.sidebar-pf .treeview .list-group-item{padding-left:20px;padding-right:20px}.sidebar-pf .treeview .list-group-item.node-selected:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}@media (min-width:768px){.sidebar-pf{background:#fafafa}.sidebar-pf.sidebar-pf-left{border-right:1px solid #d1d1d1}.sidebar-pf.sidebar-pf-right{border-left:1px solid #d1d1d1}.sidebar-pf>.nav-category,.sidebar-pf>.nav-stacked{margin-top:5px}}@-webkit-keyframes rotation{from{-webkit-transform:rotate(0)}to{-webkit-transform:rotate(359deg)}}@keyframes rotation{from{transform:rotate(0)}to{transform:rotate(359deg)}}.spinner{-webkit-animation:rotation .6s infinite linear;animation:rotation .6s infinite linear;border-bottom:4px solid rgba(3,3,3,.25);border-left:4px solid rgba(3,3,3,.25);border-right:4px solid rgba(3,3,3,.25);border-radius:100%;border-top:4px solid rgba(3,3,3,.75);height:24px;margin:0 auto;position:relative;width:24px}.spinner.spinner-inline{display:inline-block;margin-right:3px}.spinner.spinner-lg{border-width:5px;height:30px;width:30px}.spinner.spinner-sm{border-width:3px;height:18px;width:18px}.spinner.spinner-xs{border-width:2px;height:12px;width:12px}.spinner.spinner-inverse{border-bottom-color:rgba(255,255,255,.25);border-left-color:rgba(255,255,255,.25);border-right-color:rgba(255,255,255,.25);border-top-color:rgba(255,255,255,.75)}.ie9 .spinner{background:url(../img/spinner.gif) no-repeat;border:0}.ie9 .spinner.spinner-inverse{background-image:url(../img/spinner-inverse.gif)}.ie9 .spinner.spinner-inverse-lg{background-image:url(../img/spinner-inverse-lg.gif)}.ie9 .spinner.spinner-inverse-sm{background-image:url(../img/spinner-inverse-sm.gif)}.ie9 .spinner.spinner-inverse-xs{background-image:url(../img/spinner-inverse-xs.gif)}.ie9 .spinner.spinner-lg{background-image:url(../img/spinner-lg.gif)}.ie9 .spinner.spinner-sm{background-image:url(../img/spinner-sm.gif)}.ie9 .spinner.spinner-xs{background-image:url(../img/spinner-xs.gif)}.prettyprint .atn,.prettyprint .com,.prettyprint .fun,.prettyprint .var{color:#3f9c35}.prettyprint .atv,.prettyprint .str{color:#a30000}.prettyprint .clo,.prettyprint .dec,.prettyprint .kwd,.prettyprint .opn,.prettyprint .pln,.prettyprint .pun{color:#363636}.prettyprint .lit,.prettyprint .tag,.prettyprint .typ{color:#00659c}.prettyprint ol.linenums{margin-bottom:0}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:2px 10px 3px}.table>tbody>tr>td>a:hover,.table>tbody>tr>th>a:hover,.table>tfoot>tr>td>a:hover,.table>tfoot>tr>th>a:hover,.table>thead>tr>td>a:hover,.table>thead>tr>th>a:hover{text-decoration:none}.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>th{font-family:'Open Sans';font-style:normal;font-weight:600}.table>thead{background-clip:padding-box;background-color:#f5f5f5;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.table-bordered{border:1px solid #d1d1d1}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #d1d1d1}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:1px}.table-striped>tbody>tr:nth-of-type(even){background-color:#f5f5f5}.table-striped>tbody>tr:nth-of-type(odd){background-color:transparent}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#def3ff;border-bottom-color:#7dc3e8}.table-treegrid span.indent{margin-left:10px;margin-right:10px}.table-treegrid span.icon{display:inline-block;font-size:13px;margin-right:5px;min-width:10px;text-align:center}.table-treegrid span.collapse-icon,.table-treegrid span.expand-icon{cursor:pointer}.table-treegrid>tbody>tr.odd{background-color:#f5f5f5}.nav-tabs{font-size:14px}.nav-tabs>li>a{color:#4d5258;margin-right:-1px;padding-bottom:5px;padding-top:5px}.nav-tabs>li>a:active,.nav-tabs>li>a:focus,.nav-tabs>li>a:hover{background:0 0;border-color:#ededed;color:#252525}.nav-tabs>li>.dropdown-menu{border-top:0;border-color:#ededed}.nav-tabs>li>.dropdown-menu.pull-right{right:-1px}.nav-tabs+.nav-tabs-pf{font-size:12px}.nav-tabs+.nav-tabs-pf>li:first-child>a{padding-left:15px}.nav-tabs+.nav-tabs-pf>li:first-child>a:before{left:15px!important}.nav-tabs .open>a,.nav-tabs .open>a:focus,.nav-tabs .open>a:hover{background-color:transparent;border-color:#ededed}@media (min-width:768px){.nav-tabs-pf.nav-justified{border-bottom:1px solid #ededed}}.nav-tabs-pf.nav-justified>li:first-child>a{padding-left:15px}.nav-tabs-pf.nav-justified>li>a{border-bottom:0}.nav-tabs-pf.nav-justified>li>a:before{left:0!important;right:0!important}.nav-tabs-pf>li{margin-bottom:0}.nav-tabs-pf>li.active>a:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li.active>a,.nav-tabs-pf>li.active>a:active,.nav-tabs-pf>li.active>a:focus,.nav-tabs-pf>li.active>a:hover{background-color:transparent;border:0!important;color:#0088ce}.nav-tabs-pf>li.active>a:active:before,.nav-tabs-pf>li.active>a:before,.nav-tabs-pf>li.active>a:focus:before,.nav-tabs-pf>li.active>a:hover:before{background:#0088ce}.nav-tabs-pf>li:first-child>a{padding-left:0}.nav-tabs-pf>li:first-child>a:before{left:0!important}.nav-tabs-pf>li>a{border:0;line-height:1;margin-right:0;padding-bottom:10px;padding-top:10px}.nav-tabs-pf>li>a:active:before,.nav-tabs-pf>li>a:focus:before,.nav-tabs-pf>li>a:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li>.dropdown-menu{left:15px;margin-top:1px}.nav-tabs-pf>li>.dropdown-menu.pull-right{left:auto;right:15px}.nav-tabs-pf .open>a,.nav-tabs-pf .open>a:focus,.nav-tabs-pf .open>a:hover{background-color:transparent}.tooltip{font-size:12px;line-height:1.4}.tooltip-inner{padding:7px 12px;text-align:left}.h1,.h2,h1,h2{font-weight:300}.page-header .actions{margin-top:8px}.page-header .actions a>.pficon{margin-right:4px}@media (min-width:767px){.page-header-bleed-left{margin-left:-20px}.page-header-bleed-right{margin-right:-20px}.page-header-bleed-right .actions{margin-right:20px}}
 \ No newline at end of file
 -- 
-2.21.1
+2.26.2
 
-From 751cb8d5cb432bcb9d5c7ada7c365a12ca6a95ee Mon Sep 17 00:00:00 2001
+
+From bcc1a38148401ba766d98647a5aba69a0905214e Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 39/78] install/ui/index.html: Change branding to IPA and
- Identity Management
-
----
- install/ui/index.html | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/ui/index.html b/install/ui/index.html
-index bc0f0cd1e..d1eacaf53 100644
---- a/install/ui/index.html
-+++ b/install/ui/index.html
-@@ -2,7 +2,7 @@
- <html>
- <head>
-     <meta charset="utf-8">
--    <title>IPA: Identity Policy Audit</title>
-+    <title>Identity Management</title>
- 
-     <!--[if IE]>
-     <meta id="ie-detector">
--- 
-2.21.1
-
-From 8a4169a5d81b3c2376081d61a3beaf6601e318cf Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 40/78] install/ui/less/brand.less: Change branding to IPA and
+Subject: [PATCH 2/3] install/ui/less/brand.less: Change branding to IPA and
  Identity Management
 
 ---
@@ -1108,7 +35,7 @@ Subject: [PATCH 40/78] install/ui/less/brand.less: Change branding to IPA and
  1 file changed, 50 insertions(+), 53 deletions(-)
 
 diff --git a/install/ui/less/brand.less b/install/ui/less/brand.less
-index c9030bb0b..7488eaf91 100644
+index c9030bb..7488eaf 100644
 --- a/install/ui/less/brand.less
 +++ b/install/ui/less/brand.less
 @@ -20,58 +20,55 @@
@@ -1222,12 +149,13 @@ index c9030bb0b..7488eaf91 100644
  }
 \ No newline at end of file
 -- 
-2.21.1
+2.26.2
 
-From 2946405ea45ea7163c520c367f764808f112d7f2 Mon Sep 17 00:00:00 2001
+
+From b9506f826164e757c9b4a694c9ca1bfda921f931 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 41/78] install/ui/less/patternfly.less: Change branding to IPA
+Subject: [PATCH 3/3] install/ui/less/patternfly.less: Change branding to IPA
  and Identity Management
 
 ---
@@ -1235,7 +163,7 @@ Subject: [PATCH 41/78] install/ui/less/patternfly.less: Change branding to IPA
  1 file changed, 48 insertions(+)
 
 diff --git a/install/ui/less/patternfly.less b/install/ui/less/patternfly.less
-index a2e30c85b..97a8d5c26 100644
+index a2e30c8..97a8d5c 100644
 --- a/install/ui/less/patternfly.less
 +++ b/install/ui/less/patternfly.less
 @@ -129,3 +129,51 @@
@@ -1291,1616 +219,5 @@ index a2e30c85b..97a8d5c26 100644
 +@navbar-pf-navbar-utility-open-bg-color:                            #5b6165;
 +@navbar-pf-navbar-utility-open-border-color:                        #6c6e70;
 -- 
-2.21.1
-
-From beb52f0f27401d439755107be31e74210343e784 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 42/78] install/ui/reset_password.html: Change branding to IPA
- and Identity Management
-
----
- install/ui/reset_password.html | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/ui/reset_password.html b/install/ui/reset_password.html
-index e5700c964..a4ea1ce0e 100644
---- a/install/ui/reset_password.html
-+++ b/install/ui/reset_password.html
-@@ -2,7 +2,7 @@
- <html>
- <head>
-     <meta charset="utf-8">
--    <title>IPA: Identity Policy Audit</title>
-+    <title>Identity Management</title>
- 
-     <!--[if IE]>
-     <meta id="ie-detector">
--- 
-2.21.1
-
-From 288607c7080be4f35a00b853f3de9fdd0752376d Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 43/78] install/ui/src/freeipa/widgets/App.js: Change branding
- to IPA and Identity Management
-
----
- install/ui/src/freeipa/widgets/App.js | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/ui/src/freeipa/widgets/App.js b/install/ui/src/freeipa/widgets/App.js
-index 3a139555a..b0f75885d 100644
---- a/install/ui/src/freeipa/widgets/App.js
-+++ b/install/ui/src/freeipa/widgets/App.js
-@@ -187,7 +187,7 @@ define(['dojo/_base/declare',
- 
-             construct.create('img', {
-                 src: 'images/header-logo.png',
--                alt: 'FreeIPA' // TODO: replace with configuration value
-+                alt: 'Identity Management' // TODO: replace with configuration value
-             }, this.brand_node);
- 
-             return this.brand_node;
--- 
-2.21.1
-
-From 5573b887c32228f2c404413fd58560da95ef954d Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 44/78] install/ui/sync_otp.html: Change branding to IPA and
- Identity Management
-
----
- install/ui/sync_otp.html | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/ui/sync_otp.html b/install/ui/sync_otp.html
-index 5814b6c57..36a51ca62 100644
---- a/install/ui/sync_otp.html
-+++ b/install/ui/sync_otp.html
-@@ -2,7 +2,7 @@
- <html>
- <head>
-     <meta charset="utf-8">
--    <title>IPA: Identity Policy Audit</title>
-+    <title>Identity Management</title>
- 
-     <!--[if IE]>
-     <meta id="ie-detector">
--- 
-2.21.1
-
-From 86d40a59a18f9b1439387bf8d5794437be0fb8b9 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 45/78] install/ui/test/data/ipa_init_commands.json: Change
- branding to IPA and Identity Management
-
----
- install/ui/test/data/ipa_init_commands.json | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
-index c35946b34..6d3667473 100644
---- a/install/ui/test/data/ipa_init_commands.json
-+++ b/install/ui/test/data/ipa_init_commands.json
-@@ -8689,7 +8689,7 @@
-                   "label" : "Clock offset",
-                   "confirm" : true,
-                   "alwaysask" : false,
--                  "doc" : "TOTP token / FreeIPA server time difference",
-+                  "doc" : "TOTP token / IPA server time difference",
-                   "deprecated" : false,
-                   "flags" : [
-                      "no_update"
-@@ -29875,7 +29875,7 @@
-                   "primary_key" : false,
-                   "alwaysask" : false,
-                   "deprecated" : false,
--                  "doc" : "TOTP token / FreeIPA server time difference",
-+                  "doc" : "TOTP token / IPA server time difference",
-                   "flags" : [
-                      "no_update"
-                   ],
--- 
-2.21.1
-
-From 7e027d4836251b4f824b5e420e8ef6cfa8bb4505 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 46/78] install/ui/test/data/ipa_init_objects.json: Change
- branding to IPA and Identity Management
-
----
- install/ui/test/data/ipa_init_objects.json | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json
-index 6f9b13e92..08aaafd61 100644
---- a/install/ui/test/data/ipa_init_objects.json
-+++ b/install/ui/test/data/ipa_init_objects.json
-@@ -21190,7 +21190,7 @@
-                   "autofill" : true,
-                   "multivalue" : false,
-                   "deprecated" : false,
--                  "doc" : "TOTP token / FreeIPA server time difference",
-+                  "doc" : "TOTP token / IPA server time difference",
-                   "primary_key" : false,
-                   "cli_metavar" : "INT",
-                   "default" : 0,
--- 
-2.21.1
-
-From 799fc53a7d6503d76452617998da0a936527116c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 47/78] ipaclient/install/client.py: Change branding to IPA and
- Identity Management
-
----
- ipaclient/install/client.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
-index 34b2d1a6e..d3bffb05f 100644
---- a/ipaclient/install/client.py
-+++ b/ipaclient/install/client.py
-@@ -2033,7 +2033,7 @@ def install_check(options):
-     global client_domain
-     global cli_basedn
- 
--    print("This program will set up FreeIPA client.")
-+    print("This program will set up IPA client.")
-     print("Version {}".format(version.VERSION))
-     print("")
- 
--- 
-2.21.1
-
-From 2c5f5f196ec959eed754b0966fc80daa1d1b6ff7 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:40 +0300
-Subject: [PATCH 48/78] ipaclient/remote_plugins/2_114/otptoken.py: Change
- branding to IPA and Identity Management
-
----
- ipaclient/remote_plugins/2_114/otptoken.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ipaclient/remote_plugins/2_114/otptoken.py b/ipaclient/remote_plugins/2_114/otptoken.py
-index 632c97ea2..d3edb589d 100644
---- a/ipaclient/remote_plugins/2_114/otptoken.py
-+++ b/ipaclient/remote_plugins/2_114/otptoken.py
-@@ -132,7 +132,7 @@ class otptoken(Object):
-             'ipatokentotpclockoffset',
-             required=False,
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-         ),
-         parameters.Int(
-             'ipatokentotptimestep',
-@@ -263,7 +263,7 @@ class otptoken_add(Method):
-             required=False,
-             cli_name='offset',
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-             default=0,
-             autofill=True,
-         ),
-@@ -553,7 +553,7 @@ class otptoken_find(Method):
-             required=False,
-             cli_name='offset',
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-             default=0,
-         ),
-         parameters.Int(
--- 
-2.21.1
-
-From 521d5c9ebee2fe4df8650ebdc53b91d25232d631 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 49/78] ipaclient/remote_plugins/2_156/otptoken.py: Change
- branding to IPA and Identity Management
-
----
- ipaclient/remote_plugins/2_156/otptoken.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ipaclient/remote_plugins/2_156/otptoken.py b/ipaclient/remote_plugins/2_156/otptoken.py
-index 0b2b54c6e..e674d465d 100644
---- a/ipaclient/remote_plugins/2_156/otptoken.py
-+++ b/ipaclient/remote_plugins/2_156/otptoken.py
-@@ -132,7 +132,7 @@ class otptoken(Object):
-             'ipatokentotpclockoffset',
-             required=False,
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-         ),
-         parameters.Int(
-             'ipatokentotptimestep',
-@@ -263,7 +263,7 @@ class otptoken_add(Method):
-             required=False,
-             cli_name='offset',
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-             default=0,
-             autofill=True,
-         ),
-@@ -553,7 +553,7 @@ class otptoken_find(Method):
-             required=False,
-             cli_name='offset',
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-             default=0,
-         ),
-         parameters.Int(
--- 
-2.21.1
-
-From 0a29cb7c05dfc8a75afdbdadcb9c7a67e9e90b50 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 50/78] ipaclient/remote_plugins/2_164/otptoken.py: Change
- branding to IPA and Identity Management
-
----
- ipaclient/remote_plugins/2_164/otptoken.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ipaclient/remote_plugins/2_164/otptoken.py b/ipaclient/remote_plugins/2_164/otptoken.py
-index 0b2b54c6e..e674d465d 100644
---- a/ipaclient/remote_plugins/2_164/otptoken.py
-+++ b/ipaclient/remote_plugins/2_164/otptoken.py
-@@ -132,7 +132,7 @@ class otptoken(Object):
-             'ipatokentotpclockoffset',
-             required=False,
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-         ),
-         parameters.Int(
-             'ipatokentotptimestep',
-@@ -263,7 +263,7 @@ class otptoken_add(Method):
-             required=False,
-             cli_name='offset',
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-             default=0,
-             autofill=True,
-         ),
-@@ -553,7 +553,7 @@ class otptoken_find(Method):
-             required=False,
-             cli_name='offset',
-             label=_(u'Clock offset'),
--            doc=_(u'TOTP token / FreeIPA server time difference'),
-+            doc=_(u'TOTP token / IPA server time difference'),
-             default=0,
-         ),
-         parameters.Int(
--- 
-2.21.1
-
-From fec6eff7f15ff4ae4bf28d816ca4b231f77b15ca Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 51/78] ipalib/pkcs10.py: Change branding to IPA and Identity
- Management
-
----
- ipalib/pkcs10.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
-index 2756c8568..590ce0757 100644
---- a/ipalib/pkcs10.py
-+++ b/ipalib/pkcs10.py
-@@ -2,7 +2,7 @@ from __future__ import print_function
- import sys
- 
- print(
--    "ipalib.pkcs10 module is deprecated and will be removed in FreeIPA 4.6. "
-+    "ipalib.pkcs10 module is deprecated and will be removed in IPA 4.6. "
-     "To load CSRs, please, use python-cryptography instead.",
-     file=sys.stderr
- )
--- 
-2.21.1
-
-From e364a5187b1a49ea81653f5282825485a58827df Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 52/78] ipalib/rpc.py: Change branding to IPA and Identity
- Management
-
----
- ipalib/rpc.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipalib/rpc.py b/ipalib/rpc.py
-index 1ef0f5e95..f1be90522 100644
---- a/ipalib/rpc.py
-+++ b/ipalib/rpc.py
-@@ -284,7 +284,7 @@ class _JSONPrimer(dict):
- 
-     Prepare a data structure for JSON serialization. In an ideal world, priming
-     could be handled by the default hook of json.dumps(). Unfortunately the
--    hook treats Python 2 str as text while FreeIPA considers str as bytes.
-+    hook treats Python 2 str as text while IPA considers str as bytes.
- 
-     The primer uses a couple of tricks to archive maximum performance:
- 
--- 
-2.21.1
-
-From e1367d8a71cd5d1aa0f57793238577fa69324594 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 53/78] ipalib/util.py: Change branding to IPA and Identity
- Management
-
----
- ipalib/util.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipalib/util.py b/ipalib/util.py
-index e0c658c51..3378db043 100644
---- a/ipalib/util.py
-+++ b/ipalib/util.py
-@@ -236,7 +236,7 @@ def normalize_zone(zone):
- def get_proper_tls_version_span(tls_version_min, tls_version_max):
-     """
-     This function checks whether the given TLS versions are known in
--    FreeIPA and that these versions fulfill the requirements for minimal
-+    IPA and that these versions fulfill the requirements for minimal
-     TLS version (see
-     `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`).
- 
--- 
-2.21.1
-
-From e980e233c6c48fe2ebc8d10f5bd18db5dea6ff94 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 54/78] ipalib/x509.py: Change branding to IPA and Identity
- Management
-
----
- ipalib/x509.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipalib/x509.py b/ipalib/x509.py
-index 1f612a379..dfe66e1b4 100644
---- a/ipalib/x509.py
-+++ b/ipalib/x509.py
-@@ -88,7 +88,7 @@ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2'
- class IPACertificate:
-     """
-     A proxy class wrapping a python-cryptography certificate representation for
--    FreeIPA purposes
-+    IPA purposes
-     """
-     def __init__(self, cert, backend=None):
-         """
--- 
-2.21.1
-
-From 38ca6711b3cb6c24c9ae16e172339a680613f2af Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 55/78] ipaserver/advise/plugins/legacy_clients.py: Change
- branding to IPA and Identity Management
-
----
- ipaserver/advise/plugins/legacy_clients.py | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
-index 2a56922b8..0e322fe96 100644
---- a/ipaserver/advise/plugins/legacy_clients.py
-+++ b/ipaserver/advise/plugins/legacy_clients.py
-@@ -94,7 +94,7 @@ class config_redhat_sssd_before_1_9(config_base_legacy_client):
-     Legacy client configuration for Red Hat based systems, using SSSD.
-     """
-     description = ('Instructions for configuring a system with an old version '
--                   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
-+                   'of SSSD (1.5-1.8) as a IPA client. This set of '
-                    'instructions is targeted for platforms that include '
-                    'the authconfig utility, which are all Red Hat based '
-                    'platforms.')
-@@ -129,7 +129,7 @@ class config_generic_linux_sssd_before_1_9(config_base_legacy_client):
-     using SSSD.
-     """
-     description = ('Instructions for configuring a system with an old version '
--                   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
-+                   'of SSSD (1.5-1.8) as a IPA client. This set of '
-                    'instructions is targeted for linux systems that do not '
-                    'include the authconfig utility.')
- 
-@@ -184,7 +184,7 @@ class config_redhat_nss_pam_ldapd(config_base_legacy_client):
-     using nss-pam-ldapd.
-     """
-     description = ('Instructions for configuring a system with nss-pam-ldapd '
--                   'as a FreeIPA client. This set of instructions is targeted '
-+                   'as a IPA client. This set of instructions is targeted '
-                    'for platforms that include the authconfig utility, which '
-                    'are all Red Hat based platforms.')
- 
-@@ -352,7 +352,7 @@ class config_redhat_nss_ldap(config_base_legacy_client):
-     using nss-ldap.
-     """
-     description = ('Instructions for configuring a system with nss-ldap '
--                   'as a FreeIPA client. This set of instructions is targeted '
-+                   'as a IPA client. This set of instructions is targeted '
-                    'for platforms that include the authconfig utility, which '
-                    'are all Red Hat based platforms.')
- 
--- 
-2.21.1
-
-From f6fa8b8edd7a4123cf3f409c169e4eee12a3ed3c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 56/78] ipaserver/advise/plugins/smart_card_auth.py: Change
- branding to IPA and Identity Management
-
----
- ipaserver/advise/plugins/smart_card_auth.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
-index c43c74e5b..ce50cec83 100644
---- a/ipaserver/advise/plugins/smart_card_auth.py
-+++ b/ipaserver/advise/plugins/smart_card_auth.py
-@@ -97,7 +97,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
-     """
- 
-     description = ("Instructions for enabling Smart Card authentication on "
--                   " a single FreeIPA server. Includes Apache configuration, "
-+                   " a single IPA server. Includes Apache configuration, "
-                    "enabling PKINIT on KDC and configuring WebUI to accept "
-                    "Smart Card auth requests. To enable the feature in the "
-                    "whole topology you have to run the script on each master")
-@@ -244,11 +244,11 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
- @register()
- class config_client_for_smart_card_auth(common_smart_card_auth_config):
-     """
--    Configures smart card authentication on FreeIPA client
-+    Configures smart card authentication on IPA client
-     """
- 
-     description = ("Instructions for enabling Smart Card authentication on "
--                   " a single FreeIPA client. Configures Smart Card daemon, "
-+                   " a single IPA client. Configures Smart Card daemon, "
-                    "set the system-wide trust store and configures SSSD to "
-                    "allow smart card logins to desktop")
- 
--- 
-2.21.1
-
-From 4b528a73ed9d914997f8e7ed44076211e6fef239 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 57/78] ipaserver/install/dns.py: Change branding to IPA and
- Identity Management
-
----
- ipaserver/install/dns.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
-index 9f08e86f9..7d6d7fe7c 100644
---- a/ipaserver/install/dns.py
-+++ b/ipaserver/install/dns.py
-@@ -151,7 +151,7 @@ def install_check(standalone, api, replica, options, hostname):
- 
-     if standalone:
-         print("==============================================================================")
--        print("This program will setup DNS for the FreeIPA Server.")
-+        print("This program will setup DNS for the IPA Server.")
-         print("")
-         print("This includes:")
-         print("  * Configure DNS (bind)")
--- 
-2.21.1
-
-From b4bf196e8f7eb5193d5be111820b9b9d13b7c25c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 58/78] ipaserver/install/ipa_kra_install.py: Change branding
- to IPA and Identity Management
-
----
- ipaserver/install/ipa_kra_install.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
-index 2d6e4bf09..076c20666 100644
---- a/ipaserver/install/ipa_kra_install.py
-+++ b/ipaserver/install/ipa_kra_install.py
-@@ -93,7 +93,7 @@ class KRAInstall(admintool.AdminTool):
-         if options.uninstall:
-             sys.exit(
-                 'ERROR: Standalone KRA uninstallation was removed in '
--                'FreeIPA 4.5 as it had never worked properly and only caused '
-+                'IPA 4.5 as it had never worked properly and only caused '
-                 'issues.')
-         else:
-             return KRAInstaller
-@@ -104,7 +104,7 @@ class KRAInstaller(KRAInstall):
- 
-     INSTALLER_START_MESSAGE = '''
-         ===================================================================
--        This program will setup Dogtag KRA for the FreeIPA Server.
-+        This program will setup Dogtag KRA for the IPA Server.
- 
-     '''
- 
--- 
-2.21.1
-
-From 2831a3d84888547b38803681019f9f5bdfb34b2e Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 59/78] ipaserver/install/plugins/dns.py: Change branding to
- IPA and Identity Management
-
----
- ipaserver/install/plugins/dns.py | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
-index baa19c38e..a7a1748d9 100644
---- a/ipaserver/install/plugins/dns.py
-+++ b/ipaserver/install/plugins/dns.py
-@@ -161,11 +161,11 @@ class update_ipaconfigstring_dnsversion_to_ipadnsversion(Updater):
- @register()
- class update_dnszones(Updater):
-     """
--    Update all zones to meet requirements in the new FreeIPA versions
-+    Update all zones to meet requirements in the new IPA versions
- 
-     1) AllowQuery and AllowTransfer
-     Set AllowQuery and AllowTransfer ACLs in all zones that may be configured
--    in an upgraded FreeIPA instance.
-+    in an upgraded IPA instance.
- 
-     Upgrading to new version of bind-dyndb-ldap and having these ACLs empty
-     would result in a leak of potentially sensitive DNS information as
-@@ -173,7 +173,7 @@ class update_dnszones(Updater):
-     or LDAP.
- 
-     This plugin disables the zone transfer by default so that it needs to be
--    explicitly enabled by FreeIPA Administrator.
-+    explicitly enabled by IPA Administrator.
- 
-     2) Update policy
-     SSH public key support includes a feature to automatically add/update
-@@ -272,7 +272,7 @@ class update_dns_limits(Updater):
- @register()
- class update_master_to_dnsforwardzones(DNSUpdater):
-     """
--    Update all zones to meet requirements in the new FreeIPA versions
-+    Update all zones to meet requirements in the new IPA versions
- 
-     All masters zones with specified forwarders, and forward-policy different
-     than none, will be tranformed to forward zones.
-@@ -420,7 +420,7 @@ class update_dnsforward_emptyzones(DNSUpdater):
- 
-     BIND ignores conflicting forwarding configuration
-     when forwarding policy != only.
--    bind-dyndb-ldap 9.0+ will do the same so we have to adjust FreeIPA zones
-+    bind-dyndb-ldap 9.0+ will do the same so we have to adjust IPA zones
-     accordingly.
-     """
-     backup_filename = u'dns-forwarding-empty-zones-%Y-%m-%d-%H-%M-%S.ldif'
--- 
-2.21.1
-
-From 76ae883950cbe20c50f456ddc7d24d209d78232e Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 60/78] ipaserver/install/replication.py: Change branding to
- IPA and Identity Management
-
----
- ipaserver/install/replication.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
-index 1fefe3ebf..87794b7f4 100644
---- a/ipaserver/install/replication.py
-+++ b/ipaserver/install/replication.py
-@@ -1760,7 +1760,7 @@ class ReplicationManager:
-         Ensure that the 'cn=replication managers,cn=sysaccounts' group exists
-         and contains the principals for master and remote replica
- 
--        On FreeIPA 3.x masters lacking support for nsds5ReplicaBinddnGroup
-+        On IPA 3.x masters lacking support for nsds5ReplicaBinddnGroup
-         attribute, add replica bind DN directly into the replica entry.
-         """
-         my_dn = DN(
--- 
-2.21.1
-
-From 4324a4f3653d3322ef75406b0b9b2cd68fb17995 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 61/78] ipaserver/install/server/install.py: Change branding to
- IPA and Identity Management
-
----
- ipaserver/install/server/install.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index afce0d73a..b62c08baa 100644
---- a/ipaserver/install/server/install.py
-+++ b/ipaserver/install/server/install.py
-@@ -414,7 +414,7 @@ def install_check(installer):
- 
-     print("======================================="
-           "=======================================")
--    print("This program will set up the FreeIPA Server.")
-+    print("This program will set up the IPA Server.")
-     print("Version {}".format(version.VERSION))
-     print("")
-     print("This includes:")
--- 
-2.21.1
-
-From 55b2630e53494d831fb65a0c520aabe1c895b13d Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 62/78] ipaserver/install/server/replicainstall.py: Change
- branding to IPA and Identity Management
-
----
- ipaserver/install/server/replicainstall.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 71ea091a3..0ea48f18e 100644
---- a/ipaserver/install/server/replicainstall.py
-+++ b/ipaserver/install/server/replicainstall.py
-@@ -619,7 +619,7 @@ def check_domain_level_is_supported(current):
-     above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
- 
-     if under_lower_bound or above_upper_bound:
--        message = ("This version of FreeIPA does not support "
-+        message = ("This version of IPA does not support "
-                    "the Domain Level which is currently set for "
-                    "this domain. The Domain Level needs to be "
-                    "raised before installing a replica with "
--- 
-2.21.1
-
-From 649e159570278e417922a68e23c2fc44ef6eeb44 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 63/78] ipaserver/plugins/certmap.py: Change branding to IPA
- and Identity Management
-
----
- ipaserver/plugins/certmap.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py
-index ee8f0c15f..cdbc38f70 100644
---- a/ipaserver/plugins/certmap.py
-+++ b/ipaserver/plugins/certmap.py
-@@ -614,7 +614,7 @@ class certmap_match(Search):
-         The search is performed using SSSD's DBus interface
-         Users.ListByCertificate.
-         SSSD does the lookup based on certificate mapping rules, using
--        FreeIPA domain and trusted domains.
-+        IPA domain and trusted domains.
-         :raise RemoteRetrieveError: if DBus returns an exception
-         """
-         sssd = _sssd()
--- 
-2.21.1
-
-From 926ce56e094b8b54c10d867d9c1150d73af088f5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 64/78] ipaserver/plugins/otptoken.py: Change branding to IPA
- and Identity Management
-
----
- ipaserver/plugins/otptoken.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
-index 72ed5393d..46e4d5e8d 100644
---- a/ipaserver/plugins/otptoken.py
-+++ b/ipaserver/plugins/otptoken.py
-@@ -245,7 +245,7 @@ class otptoken(LDAPObject):
-         Int('ipatokentotpclockoffset?',
-             cli_name='offset',
-             label=_('Clock offset'),
--            doc=_('TOTP token / FreeIPA server time difference'),
-+            doc=_('TOTP token / IPA server time difference'),
-             default=0,
-             autofill=True,
-             flags=('no_update'),
--- 
-2.21.1
-
-From aaa3824fd7e96be447529183033aa37cad016264 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 65/78] ipaserver/plugins/sudorule.py: Change branding to IPA
- and Identity Management
-
----
- ipaserver/plugins/sudorule.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py
-index 643215985..68baa0174 100644
---- a/ipaserver/plugins/sudorule.py
-+++ b/ipaserver/plugins/sudorule.py
-@@ -47,7 +47,7 @@ give certain users (or groups of users) the ability to run some (or all)
- commands as root or another user while providing an audit trail of the
- commands and their arguments.
- """) + _("""
--FreeIPA provides a means to configure the various aspects of Sudo:
-+IPA provides a means to configure the various aspects of Sudo:
-    Users: The user(s)/group(s) allowed to invoke Sudo.
-    Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo.
-    Allow Command: The specific command(s) permitted to be run via Sudo.
-@@ -60,7 +60,7 @@ An order can be added to a sudorule to control the order in which they
- are evaluated (if the client supports it). This order is an integer and
- must be unique.
- """) + _("""
--FreeIPA provides a designated binddn to use with Sudo located at:
-+IPA provides a designated binddn to use with Sudo located at:
- uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
- """) + _("""
- To enable the binddn run the following command to set the password:
--- 
-2.21.1
-
-From 4285adc257bfdf7eb836c4bfdb61a8e34aa0e87d Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 66/78] po/de.po: Change branding to IPA and Identity
- Management
-
----
- po/de.po | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/po/de.po b/po/de.po
-index 8f9c2209b..95626fc68 100644
---- a/po/de.po
-+++ b/po/de.po
-@@ -3668,7 +3668,7 @@ msgstr "TOTP Sychnronisierungsfenster"
- msgid "TOTP authentication Window"
- msgstr "TOTP Authentifizierungsfenster"
- 
--msgid "TOTP token / FreeIPA server time difference"
-+msgid "TOTP token / IPA server time difference"
- msgstr "Differenz zwischen Token und Serverzeit"
- 
- msgid "Target"
--- 
-2.21.1
-
-From 68b461d299352e515457ff2ef8a40d82afc35bc0 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 67/78] po/es.po: Change branding to IPA and Identity
- Management
-
----
- po/es.po | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/po/es.po b/po/es.po
-index b9e9fc126..6970d31f5 100644
---- a/po/es.po
-+++ b/po/es.po
-@@ -3101,7 +3101,7 @@ msgid ""
- "The profile configuration format is the raw property-list format\n"
- "used by Dogtag Certificate System.  The XML format is not supported.\n"
- "\n"
--"The following restrictions apply to profiles managed by FreeIPA:\n"
-+"The following restrictions apply to profiles managed by IPA:\n"
- "\n"
- "- When importing a profile the \"profileId\" field, if present, must\n"
- "  match the ID given on the command line.\n"
-@@ -3159,7 +3159,7 @@ msgstr ""
- "propiedad\n"
- "usado por Dogtag Certificate System.  No está soportado el formato XML.\n"
- "\n"
--"A los perfiles manejados por FreeIPA se les aplican las siguientes "
-+"A los perfiles manejados por IPA se les aplican las siguientes "
- "restricciones:\n"
- "\n"
- "- Cuando se importa un perfil el campo \"profileId\", si está presente, debe "
-@@ -4948,7 +4948,7 @@ msgid ""
- "commands as root or another user while providing an audit trail of the\n"
- "commands and their arguments.\n"
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -4963,7 +4963,7 @@ msgid ""
- "are evaluated (if the client supports it). This order is an integer and\n"
- "must be unique.\n"
- "\n"
--"FreeIPA provides a designated binddn to use with Sudo located at:\n"
-+"IPA provides a designated binddn to use with Sudo located at:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
- "To enable the binddn run the following command to set the password:\n"
-@@ -4971,7 +4971,7 @@ msgid ""
- "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example,"
- "dc=com\n"
- "\n"
--"For more information, see the FreeIPA Documentation to Sudo.\n"
-+"For more information, see the IPA Documentation to Sudo.\n"
- msgstr ""
- "\n"
- "Reglas Sudo\n"
-@@ -4984,7 +4984,7 @@ msgstr ""
- "auditoria de\n"
- " los comandos y sus argumentos.\n"
- "\n"
--"FreeIPA proporciona un medio para configurar diversos aspectos de Sudo:\n"
-+"IPA proporciona un medio para configurar diversos aspectos de Sudo:\n"
- "   Users: Los usuario(s)/grupos(s) que tienen permitido llamar a Sudo.\n"
- "   Hosts: Loshost(s)/grupo(s) de host a los que el usuario permite llamar a "
- "Sudo.\n"
-@@ -5002,7 +5002,7 @@ msgstr ""
- "será evaluada\n"
- "(si el cliente lo soporta). Este orden es un entero y debe ser único.\n"
- "\n"
--"FreeIPA suministra un binddn designado para usar con Sudo situado en :\n"
-+"IPA suministra un binddn designado para usar con Sudo situado en :\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
- "Para habilitar el binddn ejecute el siguiente comando para fijar la "
-@@ -5011,7 +5011,7 @@ msgstr ""
- "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example,"
- "dc=com\n"
- "\n"
--"Para más información, vea la Documentación FreeIPA para Sudo.\n"
-+"Para más información, vea la Documentación IPA para Sudo.\n"
- 
- msgid ""
- "\n"
-@@ -12742,8 +12742,8 @@ msgstr "Variación del tiempo de autenticación TOTP (segundos)"
- msgid "TOTP synchronization time variance (seconds)"
- msgstr "Variación del tiempo de sincronización TOTP (segundos)"
- 
--msgid "TOTP token / FreeIPA server time difference"
--msgstr "Ficha TOTP / Diferencia de hora del servidor FreeIPA"
-+msgid "TOTP token / IPA server time difference"
-+msgstr "Ficha TOTP / Diferencia de hora del servidor IPA"
- 
- msgid "Take a revoked certificate off hold."
- msgstr "Tomar un certificado revocado de espera."
--- 
-2.21.1
-
-From 1d49558b613ae9f1c763e3108166b47a59b743be Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 68/78] po/fr.po: Change branding to IPA and Identity
- Management
-
----
- po/fr.po | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/po/fr.po b/po/fr.po
-index 88253e172..23a4ba3ea 100644
---- a/po/fr.po
-+++ b/po/fr.po
-@@ -2575,17 +2575,17 @@ msgstr ""
- 
- msgid ""
- "\n"
--"FreeIPA provides a designated binddn to use with Sudo located at:\n"
-+"IPA provides a designated binddn to use with Sudo located at:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- msgstr ""
- "\n"
--"FreeIPA permet la désignation d'un « binddn » à utiliser avec sudo situé "
-+"IPA permet la désignation d'un « binddn » à utiliser avec sudo situé "
- "à :\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- 
- msgid ""
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -2597,7 +2597,7 @@ msgid ""
- "   Options: The various Sudoers Options that can modify Sudo's behavior.\n"
- msgstr ""
- "\n"
--"FreeIPA offre les moyens de configurer les divers aspects de sudo :\n"
-+"IPA offre les moyens de configurer les divers aspects de sudo :\n"
- "   Users : utilisateur/groupe autorisés à invoquer sudo.\n"
- "   Hosts : hôte/groupe d'hôte dont l'utilisateur peut invoquer sudo.\n"
- "   Allow Command : commande donnée pouvant être exécutée via sudo.\n"
-@@ -3708,7 +3708,7 @@ msgid ""
- "The profile configuration format is the raw property-list format\n"
- "used by Dogtag Certificate System.  The XML format is not supported.\n"
- "\n"
--"The following restrictions apply to profiles managed by FreeIPA:\n"
-+"The following restrictions apply to profiles managed by IPA:\n"
- "\n"
- "- When importing a profile the \"profileId\" field, if present, must\n"
- "  match the ID given on the command line.\n"
-@@ -3770,7 +3770,7 @@ msgstr ""
- "propriété utilisé par Dogtag Certificate System.  Le format  XML n'est\n"
- "pas pris en charge.\n"
- "\n"
--"Les restrictions suivantes s'appliquent aux profils gérés par FreeIPA :\n"
-+"Les restrictions suivantes s'appliquent aux profils gérés par IPA :\n"
- "\n"
- "- Lors de l'import d'un profil, le champ « profileId » s'il est présent "
- "doit\n"
-@@ -15658,8 +15658,8 @@ msgstr "Durée de la fenêtre d'authentification TOTP (secondes)"
- msgid "TOTP synchronization time variance (seconds)"
- msgstr "Variance temporelle de synchronisation TOTP (secondes)"
- 
--msgid "TOTP token / FreeIPA server time difference"
--msgstr "Différence entre le jeton TOTP et le serveur FreeIPA"
-+msgid "TOTP token / IPA server time difference"
-+msgstr "Différence entre le jeton TOTP et le serveur IPA"
- 
- msgid "TSIG record"
- msgstr "Enregistrement TSIG"
--- 
-2.21.1
-
-From 28d5217ccc838e037f60dbdfce72ae0eaa1fbdd8 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 69/78] po/ru.po: Change branding to IPA and Identity
- Management
-
----
- po/ru.po | 40 ++++++++++++++++++++--------------------
- 1 file changed, 20 insertions(+), 20 deletions(-)
-
-diff --git a/po/ru.po b/po/ru.po
-index 7d663a7a8..699979b74 100644
---- a/po/ru.po
-+++ b/po/ru.po
-@@ -5308,17 +5308,17 @@ msgstr ""
- 
- msgid ""
- "\n"
--"FreeIPA provides a designated binddn to use with Sudo located at:\n"
-+"IPA provides a designated binddn to use with Sudo located at:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- msgstr ""
- "\n"
--"FreeIPA предусматривает специальную привязку DN (binddn) для использования с "
-+"IPA предусматривает специальную привязку DN (binddn) для использования с "
- "Sudo:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- 
- msgid ""
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -5330,7 +5330,7 @@ msgid ""
- "   Options: The various Sudoers Options that can modify Sudo's behavior.\n"
- msgstr ""
- "\n"
--"FreeIPA предоставляет возможности настройки различных аспектов Sudo:\n"
-+"IPA предоставляет возможности настройки различных аспектов Sudo:\n"
- "   Users: пользователь (пользователи) или группа (группы), которые могут "
- "вызывать Sudo.\n"
- "   Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут "
-@@ -7826,7 +7826,7 @@ msgid ""
- "The profile configuration format is the raw property-list format\n"
- "used by Dogtag Certificate System.  The XML format is not supported.\n"
- "\n"
--"The following restrictions apply to profiles managed by FreeIPA:\n"
-+"The following restrictions apply to profiles managed by IPA:\n"
- "\n"
- "- When importing a profile the \"profileId\" field, if present, must\n"
- "  match the ID given on the command line.\n"
-@@ -7880,7 +7880,7 @@ msgstr ""
- "свойств, который используется системой сертификации Dogtag Certificate "
- "System.  Поддержка формата XML не предусмотрена.\n"
- "\n"
--"К профилям под управлением  FreeIPA применяются следующие ограничения:\n"
-+"К профилям под управлением  IPA применяются следующие ограничения:\n"
- "\n"
- "- При импорте профиля значение поля \"profileId\", если это поле имеется, "
- "должно совпадать с идентификатором, указанным в командной строке.\n"
-@@ -7936,7 +7936,7 @@ msgid ""
- "The profile configuration format is the raw property-list format\n"
- "used by Dogtag Certificate System.  The XML format is not supported.\n"
- "\n"
--"The following restrictions apply to profiles managed by FreeIPA:\n"
-+"The following restrictions apply to profiles managed by IPA:\n"
- "\n"
- "- When importing a profile the \"profileId\" field, if present, must\n"
- "  match the ID given on the command line.\n"
-@@ -7992,7 +7992,7 @@ msgstr ""
- "свойств, который используется системой сертификации Dogtag Certificate "
- "System.  Поддержка формата XML не предусмотрена.\n"
- "\n"
--"К профилям под управлением  FreeIPA применяются следующие ограничения:\n"
-+"К профилям под управлением  IPA применяются следующие ограничения:\n"
- "\n"
- "- При импорте профиля значение поля \"profileId\", если это поле имеется, "
- "должно совпадать с идентификатором, указанным в командной строке.\n"
-@@ -13772,7 +13772,7 @@ msgid ""
- "commands as root or another user while providing an audit trail of the\n"
- "commands and their arguments.\n"
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -13787,7 +13787,7 @@ msgid ""
- "are evaluated (if the client supports it). This order is an integer and\n"
- "must be unique.\n"
- "\n"
--"FreeIPA provides a designated binddn to use with Sudo located at:\n"
-+"IPA provides a designated binddn to use with Sudo located at:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
- "To enable the binddn run the following command to set the password:\n"
-@@ -13825,7 +13825,7 @@ msgstr ""
- "пользователя \"root\" или другого пользователя, вместе с тем предоставляя "
- "журнал аудита команд и их аргументов.\n"
- "\n"
--"FreeIPA предоставляет возможности настройки различных аспектов Sudo:\n"
-+"IPA предоставляет возможности настройки различных аспектов Sudo:\n"
- "   Users: пользователь (пользователи) или группа (группы), которые могут "
- "вызывать Sudo.\n"
- "   Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут "
-@@ -13846,7 +13846,7 @@ msgstr ""
- "Порядок определяется числовым индексом (целое число), который не должен "
- "повторяться.\n"
- "\n"
--"FreeIPA предусматривает специальную привязку DN (binddn) для использования с "
-+"IPA предусматривает специальную привязку DN (binddn) для использования с "
- "Sudo:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
-@@ -13887,7 +13887,7 @@ msgid ""
- "commands as root or another user while providing an audit trail of the\n"
- "commands and their arguments.\n"
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -13902,7 +13902,7 @@ msgid ""
- "are evaluated (if the client supports it). This order is an integer and\n"
- "must be unique.\n"
- "\n"
--"FreeIPA provides a designated binddn to use with Sudo located at:\n"
-+"IPA provides a designated binddn to use with Sudo located at:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
- "To enable the binddn run the following command to set the password:\n"
-@@ -13910,7 +13910,7 @@ msgid ""
- "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example,"
- "dc=com\n"
- "\n"
--"For more information, see the FreeIPA Documentation to Sudo.\n"
-+"For more information, see the IPA Documentation to Sudo.\n"
- msgstr ""
- "\n"
- "Правила Sudo\n"
-@@ -13921,7 +13921,7 @@ msgstr ""
- "пользователя \"root\" или другого пользователя, вместе с тем предоставляя "
- "журнал аудита команд и их аргументов.\n"
- "\n"
--"FreeIPA предоставляет возможности настройки различных аспектов Sudo:\n"
-+"IPA предоставляет возможности настройки различных аспектов Sudo:\n"
- "   Users: пользователь (пользователи) или группа (группы), которые могут "
- "вызывать Sudo.\n"
- "   Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут "
-@@ -13942,7 +13942,7 @@ msgstr ""
- "Порядок определяется числовым индексом (целое число), который не должен "
- "повторяться.\n"
- "\n"
--"FreeIPA предусматривает специальную привязку DN (binddn) для использования с "
-+"IPA предусматривает специальную привязку DN (binddn) для использования с "
- "Sudo:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
-@@ -13951,7 +13951,7 @@ msgstr ""
- "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example,"
- "dc=com\n"
- "\n"
--"Дополнительные сведения приведены в документации FreeIPA по Sudo.\n"
-+"Дополнительные сведения приведены в документации IPA по Sudo.\n"
- 
- msgid ""
- "\n"
-@@ -27252,8 +27252,8 @@ msgstr "Отклонение по времени TOTP-аутентификаци
- msgid "TOTP synchronization time variance (seconds)"
- msgstr "Отклонение по времени TOTP-синхронизации (в секундах)"
- 
--msgid "TOTP token / FreeIPA server time difference"
--msgstr "Разница времени между токеном TOTP и сервером FreeIPA"
-+msgid "TOTP token / IPA server time difference"
-+msgstr "Разница времени между токеном TOTP и сервером IPA"
- 
- msgid "TSIG record"
- msgstr "Запись TSIG"
--- 
-2.21.1
-
-From 41e8beb8aa6bcaf48de38b48939fdf40cf8819b5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 70/78] po/uk.po: Change branding to IPA and Identity
- Management
-
----
- po/uk.po | 40 ++++++++++++++++++++--------------------
- 1 file changed, 20 insertions(+), 20 deletions(-)
-
-diff --git a/po/uk.po b/po/uk.po
-index a17396796..ca864c8a4 100644
---- a/po/uk.po
-+++ b/po/uk.po
-@@ -5403,17 +5403,17 @@ msgstr ""
- 
- msgid ""
- "\n"
--"FreeIPA provides a designated binddn to use with Sudo located at:\n"
-+"IPA provides a designated binddn to use with Sudo located at:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- msgstr ""
- "\n"
--"У FreeIPA передбачено визначений binddn для використання з sudo, який "
-+"У IPA передбачено визначений binddn для використання з sudo, який "
- "розташовано у\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- 
- msgid ""
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -5425,7 +5425,7 @@ msgid ""
- "   Options: The various Sudoers Options that can modify Sudo's behavior.\n"
- msgstr ""
- "\n"
--"У FreeIPA передбачено декілька параметрів налаштовування роботи sudo:\n"
-+"У IPA передбачено декілька параметрів налаштовування роботи sudo:\n"
- "   Users: користувачі або групи, які можуть викликати sudo.\n"
- "   Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n"
- "   Allow Command: специфічні команди, які можна виконувати за допомогою "
-@@ -7948,7 +7948,7 @@ msgid ""
- "The profile configuration format is the raw property-list format\n"
- "used by Dogtag Certificate System.  The XML format is not supported.\n"
- "\n"
--"The following restrictions apply to profiles managed by FreeIPA:\n"
-+"The following restrictions apply to profiles managed by IPA:\n"
- "\n"
- "- When importing a profile the \"profileId\" field, if present, must\n"
- "  match the ID given on the command line.\n"
-@@ -8002,7 +8002,7 @@ msgstr ""
- "властивостей, що використовується системою сертифікації Dogtag.\n"
- "Підтримки формату XML не передбачено.\n"
- "\n"
--"Профілів, які керуються FreeIPA, стосуються такі обмеження:\n"
-+"Профілів, які керуються IPA, стосуються такі обмеження:\n"
- "\n"
- "- Під час імпортування профілю поле «profileId», якщо таке є, має\n"
- "  містити значення, що збігається з ідентифікатором, вказаним у рядку "
-@@ -8059,7 +8059,7 @@ msgid ""
- "The profile configuration format is the raw property-list format\n"
- "used by Dogtag Certificate System.  The XML format is not supported.\n"
- "\n"
--"The following restrictions apply to profiles managed by FreeIPA:\n"
-+"The following restrictions apply to profiles managed by IPA:\n"
- "\n"
- "- When importing a profile the \"profileId\" field, if present, must\n"
- "  match the ID given on the command line.\n"
-@@ -8114,7 +8114,7 @@ msgstr ""
- "властивостей, що використовується системою сертифікації Dogtag.\n"
- "Підтримки формату XML не передбачено.\n"
- "\n"
--"Профілів, які керуються FreeIPA, стосуються такі обмеження:\n"
-+"Профілів, які керуються IPA, стосуються такі обмеження:\n"
- "\n"
- "- Під час імпортування профілю поле «profileId», якщо таке є, має\n"
- "  містити значення, що збігається з ідентифікатором, вказаним у рядку "
-@@ -13887,7 +13887,7 @@ msgid ""
- "commands as root or another user while providing an audit trail of the\n"
- "commands and their arguments.\n"
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -13902,7 +13902,7 @@ msgid ""
- "are evaluated (if the client supports it). This order is an integer and\n"
- "must be unique.\n"
- "\n"
--"FreeIPA provides a designated binddn to use with Sudo located at:\n"
-+"IPA provides a designated binddn to use with Sudo located at:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
- "To enable the binddn run the following command to set the password:\n"
-@@ -13940,7 +13940,7 @@ msgstr ""
- "користувача, зберігаючи водночас журнал виконання команд та\n"
- "аргументів.\n"
- "\n"
--"У FreeIPA передбачено декілька параметрів налаштовування роботи sudo:\n"
-+"У IPA передбачено декілька параметрів налаштовування роботи sudo:\n"
- "   Users: користувачі або групи, які можуть викликати sudo.\n"
- "   Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n"
- "   Allow Command: специфічні команди, які можна виконувати за допомогою "
-@@ -13958,7 +13958,7 @@ msgstr ""
- "обробки записів (якщо такий порядок передбачено на клієнтському боці).\n"
- "Порядок визначається числовим індексом, який не повинен повторюватися.\n"
- "\n"
--"У FreeIPA передбачено визначений binddn для використання з sudo, який "
-+"У IPA передбачено визначений binddn для використання з sudo, який "
- "розташовано у\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
-@@ -13998,7 +13998,7 @@ msgid ""
- "commands as root or another user while providing an audit trail of the\n"
- "commands and their arguments.\n"
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -14013,7 +14013,7 @@ msgid ""
- "are evaluated (if the client supports it). This order is an integer and\n"
- "must be unique.\n"
- "\n"
--"FreeIPA provides a designated binddn to use with Sudo located at:\n"
-+"IPA provides a designated binddn to use with Sudo located at:\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
- "To enable the binddn run the following command to set the password:\n"
-@@ -14021,7 +14021,7 @@ msgid ""
- "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example,"
- "dc=com\n"
- "\n"
--"For more information, see the FreeIPA Documentation to Sudo.\n"
-+"For more information, see the IPA Documentation to Sudo.\n"
- msgstr ""
- "\n"
- "Правила sudo\n"
-@@ -14032,7 +14032,7 @@ msgstr ""
- "користувача, зберігаючи водночас журнал виконання команд та\n"
- "аргументів.\n"
- "\n"
--"У FreeIPA передбачено декілька параметрів налаштовування роботи sudo:\n"
-+"У IPA передбачено декілька параметрів налаштовування роботи sudo:\n"
- "   Users: користувачі або групи, які можуть викликати sudo.\n"
- "   Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n"
- "   Allow Command: специфічні команди, які можна виконувати за допомогою "
-@@ -14050,7 +14050,7 @@ msgstr ""
- "обробки записів (якщо такий порядок передбачено на клієнтському боці).\n"
- "Порядок визначається числовим індексом, який не повинен повторюватися.\n"
- "\n"
--"У FreeIPA передбачено визначений binddn для використання з sudo, який "
-+"У IPA передбачено визначений binddn для використання з sudo, який "
- "розташовано у\n"
- "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
- "\n"
-@@ -14059,7 +14059,7 @@ msgstr ""
- "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example,"
- "dc=com\n"
- "\n"
--"Докладніші відомості наведено у документації з FreeIPA щодо sudo.\n"
-+"Докладніші відомості наведено у документації з IPA щодо sudo.\n"
- 
- msgid ""
- "\n"
-@@ -27264,8 +27264,8 @@ msgstr "Відхилення часу розпізнавання TOTP (у сек
- msgid "TOTP synchronization time variance (seconds)"
- msgstr "Відхилення часу синхронізації TOTP (у секундах)"
- 
--msgid "TOTP token / FreeIPA server time difference"
--msgstr "Часова розбіжність між ключем TOTP  і сервером FreeIPA"
-+msgid "TOTP token / IPA server time difference"
-+msgstr "Часова розбіжність між ключем TOTP  і сервером IPA"
- 
- msgid "TSIG record"
- msgstr "Запис TSIG"
--- 
-2.21.1
-
-From 703f4aa1ba942db3f614190de1dc291216d20e86 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sun, 7 Oct 2018 12:25:41 +0300
-Subject: [PATCH 71/78] po/zh_CN.po: Change branding to IPA and Identity
- Management
-
----
- po/zh_CN.po | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/po/zh_CN.po b/po/zh_CN.po
-index dec79967d..bc2269701 100644
---- a/po/zh_CN.po
-+++ b/po/zh_CN.po
-@@ -298,7 +298,7 @@ msgstr ""
- 
- msgid ""
- "\n"
--"FreeIPA provides a means to configure the various aspects of Sudo:\n"
-+"IPA provides a means to configure the various aspects of Sudo:\n"
- "   Users: The user(s)/group(s) allowed to invoke Sudo.\n"
- "   Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke "
- "Sudo.\n"
-@@ -310,7 +310,7 @@ msgid ""
- "   Options: The various Sudoers Options that can modify Sudo's behavior.\n"
- msgstr ""
- "\n"
--"FreeIPA提供了一种方法来配置Sudo的各个方面：\n"
-+"IPA提供了一种方法来配置Sudo的各个方面：\n"
- "   用户：用户/用户组允许调用Sudo。\n"
- "   主机：主机/主机组上的用户允许调用Sudo。\n"
- "   允许的命令：指定命令允许通过Sudo来运行。\n"
-@@ -9923,8 +9923,8 @@ msgstr "TOTP认证时间差异（秒）"
- msgid "TOTP synchronization time variance (seconds)"
- msgstr "TOTP同步时间差异（秒）"
- 
--msgid "TOTP token / FreeIPA server time difference"
--msgstr "TOTP令牌/FreeIPA服务器时差"
-+msgid "TOTP token / IPA server time difference"
-+msgstr "TOTP令牌/IPA服务器时差"
- 
- msgid "TSIG record"
- msgstr "TSIG记录"
--- 
-2.21.1
-
-From 51756934d7214104a0da2a5a57d74194ecb054c9 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Fri, 3 Apr 2020 14:27:35 +0200
-Subject: [PATCH 72/78] client/man/ipa-client-samba.1: Change branding to IPA
- and Identity Management
-
----
- client/man/ipa-client-samba.1 | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/client/man/ipa-client-samba.1 b/client/man/ipa-client-samba.1
-index ea83715ff..5ed6c7150 100644
---- a/client/man/ipa-client-samba.1
-+++ b/client/man/ipa-client-samba.1
-@@ -1,7 +1,7 @@
- .\" A man page for ipa-client-samba
- .\" Copyright (C) 2008-2016  FreeIPA Contributors see COPYING for license
- .\"
--.TH "ipa-client-samba" "1" "Jun 10 2019" "FreeIPA" "FreeIPA Manual Pages"
-+.TH "ipa-client-samba" "1" "Jun 10 2019" "IPA" "IPA Manual Pages"
- .SH "NAME"
- ipa\-client\-samba \- Configure Samba file server on an IPA client
- .SH "SYNOPSIS"
-@@ -39,7 +39,7 @@ The ipa\-client\-samba script assumes that the machine has alreaby been enrolled
- .SS "IPA Master Requirements"
- At least one IPA master must hold a \fBTrust Controller\fR role. This can be achieved by running ipa\-adtrust\-install on the IPA master. The utility will configure IPA master to be a domain controller for IPA domain.
- 
--IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with FreeIPA 4.8.0 or later release.
-+IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with IPA 4.8.0 or later release.
- 
- .SH "OPTIONS"
- .SS "BASIC OPTIONS"
--- 
-2.21.1
-
-From 9cb31fd0f81511252170f539b354a67b2bd1e96a Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Fri, 3 Apr 2020 14:28:22 +0200
-Subject: [PATCH 73/78] contrib/lite-server.py: Change branding to IPA and
- Identity Management
-
----
- contrib/lite-server.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/contrib/lite-server.py b/contrib/lite-server.py
-index bd73b0763..9feffdada 100755
---- a/contrib/lite-server.py
-+++ b/contrib/lite-server.py
-@@ -139,7 +139,7 @@ class StaticFilesMiddleware(SharedDataMiddleware):
- 
- 
- def init_api(ccname):
--    """Initialize FreeIPA API from command line
-+    """Initialize IPA API from command line
-     """
-     from ipalib import __file__ as ipalib_file
-     from ipalib import api
--- 
-2.21.1
-
-From a8bc392551a963cb33e3e9748a771fd0f1201541 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Fri, 3 Apr 2020 14:28:56 +0200
-Subject: [PATCH 74/78] ipaserver/dcerpc.py: Change branding to IPA and
- Identity Management
-
----
- ipaserver/dcerpc.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
-index 27d075425..8d3384f12 100644
---- a/ipaserver/dcerpc.py
-+++ b/ipaserver/dcerpc.py
-@@ -1483,7 +1483,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
-     def communicate(td):
-         td.init_lsa_pipe(td.info['dc'])
-         netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds)
--        # Older FreeIPA versions used netr_DsrEnumerateDomainTrusts call
-+        # Older IPA versions used netr_DsrEnumerateDomainTrusts call
-         # but it doesn't provide information about non-domain UPNs associated
-         # with the forest, thus we have to use netr_DsRGetForestTrustInformation
-         domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], None, 0)
--- 
-2.21.1
-
-From 8bcae9d325453cae61cbc18b9114e9ba8b716993 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Fri, 3 Apr 2020 14:29:21 +0200
-Subject: [PATCH 75/78] ipaserver/install/ipa_cert_fix.py: Change branding to
- IPA and Identity Management
-
----
- ipaserver/install/ipa_cert_fix.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
-index 6b952d34f..e79d7ddc4 100644
---- a/ipaserver/install/ipa_cert_fix.py
-+++ b/ipaserver/install/ipa_cert_fix.py
-@@ -45,7 +45,7 @@ msg = """
-                           WARNING
- 
- ipa-cert-fix is intended for recovery when expired certificates
--prevent the normal operation of FreeIPA.  It should ONLY be used
-+prevent the normal operation of IPA.  It should ONLY be used
- in such scenarios, and backup of the system, especially certificates
- and keys, is STRONGLY RECOMMENDED.
- 
--- 
-2.21.1
-
-From 8e3fb91139f51439164b38003cf0917af137158d Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Fri, 3 Apr 2020 14:29:43 +0200
-Subject: [PATCH 76/78] ipaserver/plugins/config.py: Change branding to IPA and
- Identity Management
-
----
- ipaserver/plugins/config.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
-index e96e51971..ace66e589 100644
---- a/ipaserver/plugins/config.py
-+++ b/ipaserver/plugins/config.py
-@@ -462,7 +462,7 @@ class config(LDAPObject):
- 
-         known_domains = self.gather_trusted_domains()
- 
--        # add FreeIPA domain to the list of domains. This one is always enabled
-+        # add IPA domain to the list of domains. This one is always enabled
-         known_domains.update({self.api.env.domain: True})
- 
-         for domain in submitted_domains:
--- 
-2.21.1
-
-From 65a663bd7fb5559316f1a8e5f04e0d4827bfb0b6 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Fri, 3 Apr 2020 14:30:01 +0200
-Subject: [PATCH 77/78] ipaserver/plugins/certprofile.py: Change branding to
- IPA and Identity Management
-
----
- ipaserver/plugins/certprofile.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
-index 6e2e91dc6..03fbe4d3e 100644
---- a/ipaserver/plugins/certprofile.py
-+++ b/ipaserver/plugins/certprofile.py
-@@ -57,7 +57,7 @@ PROFILE CONFIGURATION FORMAT:
- The profile configuration format is the raw property-list format
- used by Dogtag Certificate System.  The XML format is not supported.
- 
--The following restrictions apply to profiles managed by FreeIPA:
-+The following restrictions apply to profiles managed by IPA:
- 
- - When importing a profile the "profileId" field, if present, must
-   match the ID given on the command line.
--- 
-2.21.1
-
-From 0801d5ad45d4fa9b64e0bfb4152af658ead0e514 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Fri, 3 Apr 2020 14:30:20 +0200
-Subject: [PATCH 78/78] doc/designs/adtrust/samba-domain-member.md: Change
- branding to IPA and Identity Management
-
----
- doc/designs/adtrust/samba-domain-member.md | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/doc/designs/adtrust/samba-domain-member.md b/doc/designs/adtrust/samba-domain-member.md
-index 95e3c014c..83e84ddb8 100644
---- a/doc/designs/adtrust/samba-domain-member.md
-+++ b/doc/designs/adtrust/samba-domain-member.md
-@@ -46,11 +46,11 @@ performing a remote authentication using Kerberos, a remote system has to
- present a Kerberos ticket to the domain member's SMB service, like with any
- other Kerberos services.
- 
--To operate as a domain member in a FreeIPA domain, thus, Samba needs a FreeIPA
--master to be configured as a domain controller and a FreeIPA client needs to be
-+To operate as a domain member in a IPA domain, thus, Samba needs a IPA
-+master to be configured as a domain controller and a IPA client needs to be
- configured in a specific way to allow Samba to talk to a domain controller.
- This document overviews a set of implementation tasks to achieve the domain
--member operation. Most of these tasks are related to FreeIPA components but
-+member operation. Most of these tasks are related to IPA components but
- some of changes required do belong to Samba itself.
- 
- ## Domain member configuration overview
-@@ -102,16 +102,16 @@ password rotation.
- 
- The knowledge of the machine account password is recorded in a special
- database, `secrets.tdb`, during the process of a machine join to the domain.
--For FreeIPA client the join process is different from the one Samba uses for
-+For IPA client the join process is different from the one Samba uses for
- Active Directory, thus we need to seed the machine account password separately
--to enrolling FreeIPA client. Note that FreeIPA machine enrollment does not
-+to enrolling IPA client. Note that IPA machine enrollment does not
- allow to share clear text machine account password as it is not recorded
- anywhere.
- 
- ## Domain controller side configuration overview
- 
- See [samba-domain-controller] for the details of how Samba domain controller is
--set up and configured in FreeIPA.
-+set up and configured in IPA.
- 
- ## Changes required on domain member
- 
--- 
-2.21.1
+2.26.2
 
diff --git a/SOURCES/1002-4.8.0-Remove-csrgen.patch b/SOURCES/1002-4.8.0-Remove-csrgen.patch
deleted file mode 100644
index 8b7e374..0000000
--- a/SOURCES/1002-4.8.0-Remove-csrgen.patch
+++ /dev/null
@@ -1,2051 +0,0 @@
-Addtional patches that need to be partly reverted that are touching csrgen
-related files:
-
-7b8a2af2197381058ca532d1ae206defb16fac88
-ac6568dcf58ec8d06df5493d14a28aa41845d4ef
-9c86d35a3f0af4a793fada7dfe726e9cc66782ea
-9836511a2b6d7cf48b1a54cb3158e5eac674081a
-b431e9b684df11c811892bd9d2a5711355f0076e
-
-This is a collection of an existing patch to remove csrgen for 4.7.1 and
-additional patches that have been added for 4.7.90 pre1.
-
-Additional reverted csrgen patches:
-
-852618fd6529fbdd7b03077fae37c6fbbe45b51b
-0ac1d3ea62efd9751fcc59cea46bcdafe1f11c37
-7633d62d858c14523a99143aa0ff36f76bb4ff68
-53f87ee5cd9d19f6fb91a9a1eafc8ea798095954
-395a68d20887d0ac010e480e68b225d6dfeff726
-03786ad9f3bd5edc351040847b8a49c9cd9288b2
-c9d710a446d10aad72795e15bf041b87102628c1
-2b90c8a20e45ade9bfd27731cccc94a34cf3f61e
-61dde27f70b9f8dd1b57ad1fbc3744f3c380613a
-806784dbd9e69a89c7a705c89bf42ba1fd4265c9
-79378c90512a1cdd5f3d5ec6482e434caea06e01
-bd5a5012d24820b54cdca2955f5405b84de1178c
-26ab51ddf47f421f3404709052db89f08c05adaa
-a53e17830c3d4fd59a62248d4447491675c6a80e
-e7588ab2dc73e7f66ebc6cdcfb99470540e37731
-136c6c3e2a4f77a27f435efd4a1cd95c9e089314
-5420e9cfbe7803808b6e26d2dae64f2a6a50149a
-
-Original patch from 4.7.1:
-
-From 468bcf90cb985e2b1eb394bd752dc39aa4b75582 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 19 Jul 2018 18:37:18 -0400
-Subject: [PATCH] Remove csrgen
-
-This reverts commits:
-* 72de679eb445c975ec70cd265d37d4927823ce5b
-* 177f07e163d6d591a1e609d35e0a6f6f5347551e
-* 80be18162921268be9c8981495c9e8a4de0c85cd
-* 83e2c2b65eeb5a3aa4a59c0535e9177aac5e4637
-* ada91c20588046bb147fc701718d3da4d2c080ca
-* 4350dcdea22fd2284836315d0ae7d38733a7620e
-* 39a5d9c5aae77687f67d9be02457733bdfb99ead
-* a26cf0d7910dd4c0a4da08682b4be8d3d94ba520
-* afd7c05d11432304bfdf183832a21d419f363689
-* f1a1c6eca1b294f24174d7b0e1f78de46d9d5b05
-* fc58eff6a3d7fe805e612b8b002304d8b9cd4ba9
-* 10ef5947860f5098182b1f95c08c1158e2da15f9
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1432630
----
- freeipa.spec.in                                    |  14 -
- ipaclient/csrgen.py                                | 488 ---------------------
- ipaclient/csrgen/profiles/caIPAserviceCert.json    |  15 -
- ipaclient/csrgen/profiles/userCert.json            |  15 -
- ipaclient/csrgen/rules/dataDNS.json                |   8 -
- ipaclient/csrgen/rules/dataEmail.json              |   8 -
- ipaclient/csrgen/rules/dataHostCN.json             |   8 -
- ipaclient/csrgen/rules/dataSubjectBase.json        |   8 -
- ipaclient/csrgen/rules/dataUsernameCN.json         |   8 -
- ipaclient/csrgen/rules/syntaxSAN.json              |   8 -
- ipaclient/csrgen/rules/syntaxSubject.json          |   9 -
- ipaclient/csrgen/templates/openssl_base.tmpl       |  17 -
- ipaclient/csrgen/templates/openssl_macros.tmpl     |  29 --
- ipaclient/csrgen_ffi.py                            | 331 --------------
- ipaclient/plugins/cert.py                          |  80 ----
- ipaclient/plugins/csrgen.py                        | 128 ------
- ipaclient/setup.py                                 |   8 -
- .../data/test_csrgen/configs/caIPAserviceCert.conf |  16 -
- .../data/test_csrgen/configs/userCert.conf         |  16 -
- .../data/test_csrgen/profiles/profile.json         |   8 -
- .../data/test_csrgen/rules/basic.json              |   5 -
- .../data/test_csrgen/rules/options.json            |   8 -
- .../data/test_csrgen/templates/identity_base.tmpl  |   1 -
- ipatests/test_ipaclient/test_csrgen.py             | 304 -------------
- 24 files changed, 1540 deletions(-)
- delete mode 100644 ipaclient/csrgen.py
- delete mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json
- delete mode 100644 ipaclient/csrgen/profiles/userCert.json
- delete mode 100644 ipaclient/csrgen/rules/dataDNS.json
- delete mode 100644 ipaclient/csrgen/rules/dataEmail.json
- delete mode 100644 ipaclient/csrgen/rules/dataHostCN.json
- delete mode 100644 ipaclient/csrgen/rules/dataSubjectBase.json
- delete mode 100644 ipaclient/csrgen/rules/dataUsernameCN.json
- delete mode 100644 ipaclient/csrgen/rules/syntaxSAN.json
- delete mode 100644 ipaclient/csrgen/rules/syntaxSubject.json
- delete mode 100644 ipaclient/csrgen/templates/openssl_base.tmpl
- delete mode 100644 ipaclient/csrgen/templates/openssl_macros.tmpl
- delete mode 100644 ipaclient/csrgen_ffi.py
- delete mode 100644 ipaclient/plugins/csrgen.py
- delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
- delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
- delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
- delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
- delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/options.json
- delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
- delete mode 100644 ipatests/test_ipaclient/test_csrgen.py
-
-diff -urN freeipa-4.8.0/freeipa.spec.in freeipa-4.8.0.removed_csrgen/freeipa.spec.in
---- freeipa-4.8.0/freeipa.spec.in	2019-06-29 10:01:30.458735813 +0200
-+++ freeipa-4.8.0.removed_csrgen/freeipa.spec.in	2019-07-03 13:24:38.471222723 +0200
-@@ -1247,13 +1247,6 @@
- %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
- %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
- %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
--%dir %{python3_sitelib}/ipaclient/csrgen
--%dir %{python3_sitelib}/ipaclient/csrgen/profiles
--%{python3_sitelib}/ipaclient/csrgen/profiles/*.json
--%dir %{python3_sitelib}/ipaclient/csrgen/rules
--%{python3_sitelib}/ipaclient/csrgen/rules/*.json
--%dir %{python3_sitelib}/ipaclient/csrgen/templates
--%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl
- %{python3_sitelib}/ipaclient-*.egg-info
- 
- 
-diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json
---- freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json	2019-07-03 08:42:41.844539797 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,15 +0,0 @@
--[
--    {
--        "syntax": "syntaxSubject",
--        "data": [
--            "dataHostCN",
--            "dataSubjectBase"
--        ]
--    },
--    {
--        "syntax": "syntaxSAN",
--        "data": [
--            "dataDNS"
--        ]
--    }
--]
-diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json
---- freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json	2019-07-03 08:42:41.848539737 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,15 +0,0 @@
--[
--    {
--        "syntax": "syntaxSubject",
--        "data": [
--            "dataUsernameCN",
--            "dataSubjectBase"
--        ]
--    },
--    {
--        "syntax": "syntaxSAN",
--        "data": [
--            "dataEmail"
--        ]
--    }
--]
-diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json
---- freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json	2019-07-03 08:42:41.853539663 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--{
--  "rule": {
--    "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
--  },
--  "options": {
--    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
--  }
--}
-diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json
---- freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json	2019-07-03 08:42:41.857539603 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--{
--  "rule": {
--    "template": "email = {{subject.mail.0}}"
--  },
--  "options": {
--    "data_source": "subject.mail.0"
--  }
--}
-diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json
---- freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json	2019-07-03 08:42:41.861539544 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--{
--  "rule": {
--    "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
--  },
--  "options": {
--    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
--  }
--}
-diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json
---- freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json	2019-07-03 08:42:41.865539484 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--{
--  "rule": {
--    "template": "{{config.ipacertificatesubjectbase.0}}"
--  },
--  "options": {
--    "data_source": "config.ipacertificatesubjectbase.0"
--  }
--}
-diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json
---- freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json	2019-07-03 08:42:41.869539424 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--{
--  "rule": {
--    "template": "CN={{subject.uid.0}}"
--  },
--  "options": {
--    "data_source": "subject.uid.0"
--  }
--}
-diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json
---- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json	2019-07-03 08:42:41.874539350 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--{
--  "rule": {
--    "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}"
--  },
--  "options": {
--    "extension": true
--  }
--}
-diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json
---- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json	2019-07-03 08:42:41.878539290 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,9 +0,0 @@
--{
--  "rule": {
--    "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}"
--  },
--  "options": {
--    "required": true,
--    "data_source_combinator": "and"
--  }
--}
-diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl
---- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl	2019-07-03 08:42:41.882539231 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl	1970-01-01 01:00:00.000000000 +0100
-@@ -1,17 +0,0 @@
--{% raw -%}
--{% import "openssl_macros.tmpl" as openssl -%}
--{% endraw -%}
--[ req ]
--prompt = no
--encrypt_key = no
--
--{{ parameters|join('\n') }}
--{% raw %}{% set rendered_extensions -%}{% endraw %}
--{{ extensions|join('\n') }}
--{% raw -%}
--{%- endset -%}
--{% if rendered_extensions -%}
--req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %}
--{% endif %}
--{{ openssl.openssl_sections|join('\n\n') }}
--{%- endraw %}
-diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl
---- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl	2019-07-03 08:42:41.886539171 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl	1970-01-01 01:00:00.000000000 +0100
-@@ -1,29 +0,0 @@
--{# List containing rendered sections to be included at end #}
--{% set openssl_sections = [] %}
--
--{#
--List containing one entry for each section name allocated. Because of
--scoping rules, we need to use a list so that it can be a "per-render global"
--that gets updated in place. Real globals are shared by all templates with the
--same environment, and variables defined in the macro don't persist after the
--macro invocation ends.
--#}
--{% set openssl_section_num = [] %}
--
--{% macro section() -%}
--{% set name -%}
--sec{{ openssl_section_num|length -}}
--{% endset -%}
--{% do openssl_section_num.append('') -%}
--{% set contents %}{{ caller() }}{% endset -%}
--{% if contents -%}
--{% set sectiondata = formatsection(name, contents) -%}
--{% do openssl_sections.append(sectiondata) -%}
--{% endif -%}
--{{ name -}}
--{% endmacro %}
--
--{% macro formatsection(name, contents) -%}
--[ {{ name }} ]
--{{ contents -}}
--{% endmacro %}
-diff -urN freeipa-4.8.0/ipaclient/csrgen_ffi.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py
---- freeipa-4.8.0/ipaclient/csrgen_ffi.py	2019-07-03 08:42:41.816540214 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py	1970-01-01 01:00:00.000000000 +0100
-@@ -1,387 +0,0 @@
--from cffi import FFI
--import ctypes.util
--
--from ipalib import errors
--
--_ffi = FFI()
--
--_ffi.cdef('''
--/* libcrypto/crypto.h */
--unsigned long OpenSSL_version_num(void);
--unsigned long SSLeay(void);
--const char * OpenSSL_version(int t);
--const char * SSLeay_version(int t);
--
--#define OPENSSL_VERSION 0
--''')
--
--_libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto'))
--
--# SSLeay_version has been renamed with OpenSSL_version in OpenSSL 1.1.0
--# LibreSSL has OpenSSL_version since 2.7.0
--try:
--    OpenSSL_version = _libcrypto.OpenSSL_version
--except AttributeError:
--    OpenSSL_version = _libcrypto.SSLeay_version
--
--_version = OpenSSL_version(_libcrypto.OPENSSL_VERSION)
--_version = _ffi.string(_version).decode('utf-8')
--LIBRESSL = _version.startswith('LibreSSL')
--if not _version.startswith("OpenSSL") and not LIBRESSL:
--    raise ImportError("Only LibreSSL and OpenSSL are supported")
--
--# SSLeay has been renamed with OpenSSL_version_num in OpenSSL 1.1.0
--# LibreSSL has OpenSSL_version_num since 2.7.0
--try:
--    OpenSSL_version_num = _libcrypto.OpenSSL_version_num
--except AttributeError:
--    OpenSSL_version_num = _libcrypto.SSLeay
--
--# OpenSSL_version_num()/SSLeay() returns the value of OPENSSL_VERSION_NUMBER
--#
--# OPENSSL_VERSION_NUMBER is a numeric release version identifier:
--# MNNFFPPS: major minor fix patch status
--# For example,
--# 0x000906000 == 0.9.6 dev
--# 0x000906023 == 0.9.6b beta 3
--# 0x00090605f == 0.9.6e release
--_openssl_version = OpenSSL_version_num()
--
--_ffi.cdef('''
--typedef ... CONF;
--typedef ... CONF_METHOD;
--typedef ... BIO;
--typedef ... ipa_STACK_OF_CONF_VALUE;
--
--/* openssl/conf.h */
--typedef struct {
--    char *section;
--    char *name;
--    char *value;
--} CONF_VALUE;
--
--CONF *NCONF_new(CONF_METHOD *meth);
--void NCONF_free(CONF *conf);
--int NCONF_load_bio(CONF *conf, BIO *bp, long *eline);
--ipa_STACK_OF_CONF_VALUE *NCONF_get_section(const CONF *conf,
--                                        const char *section);
--char *NCONF_get_string(const CONF *conf, const char *group, const char *name);
--
--/* openssl/safestack.h */
--// int sk_CONF_VALUE_num(ipa_STACK_OF_CONF_VALUE *);
--// CONF_VALUE *sk_CONF_VALUE_value(ipa_STACK_OF_CONF_VALUE *, int);
--
--/* openssl/stack.h */
--typedef ... _STACK;
--
--int OPENSSL_sk_num(const _STACK *);
--void *OPENSSL_sk_value(const _STACK *, int);
--
--int sk_num(const _STACK *);
--void *sk_value(const _STACK *, int);
--
--/* openssl/bio.h */
--BIO *BIO_new_mem_buf(const void *buf, int len);
--int BIO_free(BIO *a);
--
--/* openssl/asn1.h */
--typedef struct ASN1_ENCODING_st {
--    unsigned char *enc;         /* DER encoding */
--    long len;                   /* Length of encoding */
--    int modified;               /* set to 1 if 'enc' is invalid */
--} ASN1_ENCODING;
--
--/* openssl/evp.h */
--typedef ... EVP_PKEY;
--
--void EVP_PKEY_free(EVP_PKEY *pkey);
--
--/* openssl/x509.h */
--typedef ... ASN1_INTEGER;
--typedef ... ASN1_BIT_STRING;
--typedef ... ASN1_OBJECT;
--typedef ... X509;
--typedef ... X509_CRL;
--typedef ... X509_NAME;
--typedef ... X509_PUBKEY;
--typedef ... ipa_STACK_OF_X509_ATTRIBUTE;
--
--typedef struct X509_req_info_st {
--    ASN1_ENCODING enc;
--    ASN1_INTEGER *version;
--    X509_NAME *subject;
--    X509_PUBKEY *pubkey;
--    /*  d=2 hl=2 l=  0 cons: cont: 00 */
--    ipa_STACK_OF_X509_ATTRIBUTE *attributes; /* [ 0 ] */
--} X509_REQ_INFO;
--''')
--
--# since OpenSSL 1.1.0 req_info field is no longer pointer to X509_REQ_INFO
--if _openssl_version >= 0x10100000 and not LIBRESSL:
--    _ffi.cdef('''
--    typedef struct X509_req_st {
--        X509_REQ_INFO req_info;
--    } X509_REQ;
--    ''')
--else:
--    _ffi.cdef('''
--    typedef struct X509_req_st {
--        X509_REQ_INFO *req_info;
--    } X509_REQ;
--    ''')
--
--_ffi.cdef('''
--X509_REQ *X509_REQ_new(void);
--void X509_REQ_free(X509_REQ *);
--EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
--int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
--int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type,
--                               const unsigned char *bytes, int len, int loc,
--                               int set);
--int X509_NAME_entry_count(X509_NAME *name);
--int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **out);
--
--/* openssl/objects.h */
--ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name);
--
--/* openssl/x509v3.h */
--typedef ... X509V3_CONF_METHOD;
--
--typedef struct v3_ext_ctx {
--    int flags;
--    X509 *issuer_cert;
--    X509 *subject_cert;
--    X509_REQ *subject_req;
--    X509_CRL *crl;
--    X509V3_CONF_METHOD *db_meth;
--    void *db;
--} X509V3_CTX;
--
--void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
--                    X509_REQ *req, X509_CRL *crl, int flags);
--void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
--int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
--                             X509_REQ *req);
--
--/* openssl/x509v3.h */
--unsigned long ERR_get_error(void);
--char *ERR_error_string(unsigned long e, char *buf);
--''')  # noqa: E501
--
--NULL = _ffi.NULL
--# openssl/conf.h
--NCONF_new = _libcrypto.NCONF_new
--NCONF_free = _libcrypto.NCONF_free
--NCONF_load_bio = _libcrypto.NCONF_load_bio
--NCONF_get_section = _libcrypto.NCONF_get_section
--NCONF_get_string = _libcrypto.NCONF_get_string
--
--# openssl/stack.h
--try:
--    sk_num = _libcrypto.OPENSSL_sk_num
--    sk_value = _libcrypto.OPENSSL_sk_value
--except AttributeError:
--    sk_num = _libcrypto.sk_num
--    sk_value = _libcrypto.sk_value
--
--
--def sk_CONF_VALUE_num(sk):
--    return sk_num(_ffi.cast("_STACK *", sk))
--
--
--def sk_CONF_VALUE_value(sk, i):
--    return _ffi.cast("CONF_VALUE *", sk_value(_ffi.cast("_STACK *", sk), i))
--
--
--# openssl/bio.h
--BIO_new_mem_buf = _libcrypto.BIO_new_mem_buf
--BIO_free = _libcrypto.BIO_free
--
--# openssl/x509.h
--X509_REQ_new = _libcrypto.X509_REQ_new
--X509_REQ_free = _libcrypto.X509_REQ_free
--X509_REQ_set_pubkey = _libcrypto.X509_REQ_set_pubkey
--d2i_PUBKEY_bio = _libcrypto.d2i_PUBKEY_bio
--i2d_X509_REQ_INFO = _libcrypto.i2d_X509_REQ_INFO
--X509_NAME_add_entry_by_OBJ = _libcrypto.X509_NAME_add_entry_by_OBJ
--X509_NAME_entry_count = _libcrypto.X509_NAME_entry_count
--
--
--def X509_REQ_get_subject_name(req):
--    return req.req_info.subject
--
--
--# openssl/objects.h
--OBJ_txt2obj = _libcrypto.OBJ_txt2obj
--
--# openssl/evp.h
--EVP_PKEY_free = _libcrypto.EVP_PKEY_free
--
--# openssl/asn1.h
--MBSTRING_UTF8 = 0x1000
--
--# openssl/x509v3.h
--X509V3_set_ctx = _libcrypto.X509V3_set_ctx
--X509V3_set_nconf = _libcrypto.X509V3_set_nconf
--X509V3_EXT_REQ_add_nconf = _libcrypto.X509V3_EXT_REQ_add_nconf
--
--# openssl/err.h
--ERR_get_error = _libcrypto.ERR_get_error
--ERR_error_string = _libcrypto.ERR_error_string
--
--
--def _raise_openssl_errors():
--    msgs = []
--
--    code = ERR_get_error()
--    while code != 0:
--        msg = _ffi.string(ERR_error_string(code, NULL))
--        try:
--            strmsg = msg.decode('utf-8')
--        except UnicodeDecodeError:
--            strmsg = repr(msg)
--        msgs.append(strmsg)
--        code = ERR_get_error()
--
--    raise errors.CSRTemplateError(reason='\n'.join(msgs))
--
--
--def _parse_dn_section(subj, dn_sk):
--    for i in range(sk_CONF_VALUE_num(dn_sk)):
--        v = sk_CONF_VALUE_value(dn_sk, i)
--        rdn_type = _ffi.string(v.name)
--
--        # Skip past any leading X. X: X, etc to allow for multiple instances
--        for idx, c in enumerate(rdn_type):
--            if c in b':,.':
--                if idx+1 < len(rdn_type):
--                    rdn_type = rdn_type[idx+1:]
--                break
--        if rdn_type.startswith(b'+'):
--            rdn_type = rdn_type[1:]
--            mval = -1
--        else:
--            mval = 0
--
--        # convert rdn_type to an OID
--        #
--        # OpenSSL is fussy about the case of the string.  For example,
--        # lower-case 'o' (for "organization name") is not recognised.
--        # Therefore, try to convert the given string into an OID.  If
--        # that fails, convert it upper case and try again.
--        #
--        oid = OBJ_txt2obj(rdn_type, 0)
--        if oid == NULL:
--            oid = OBJ_txt2obj(rdn_type.upper(), 0)
--        if oid == NULL:
--            raise errors.CSRTemplateError(
--                reason='unrecognised attribute type: {}'
--                .format(rdn_type.decode('utf-8')))
--
--        if not X509_NAME_add_entry_by_OBJ(
--                subj, oid, MBSTRING_UTF8,
--                _ffi.cast("unsigned char *", v.value), -1, -1, mval):
--            _raise_openssl_errors()
--
--    if not X509_NAME_entry_count(subj):
--        raise errors.CSRTemplateError(
--            reason='error, subject in config file is empty')
--
--
--def build_requestinfo(config, public_key_info):
--    '''
--    Return a cffi buffer containing a DER-encoded CertificationRequestInfo.
--
--    The returned object implements the buffer protocol.
--
--    '''
--    reqdata = NULL
--    req = NULL
--    nconf_bio = NULL
--    pubkey_bio = NULL
--    pubkey = NULL
--
--    try:
--        reqdata = NCONF_new(NULL)
--        if reqdata == NULL:
--            _raise_openssl_errors()
--
--        nconf_bio = BIO_new_mem_buf(config, len(config))
--        errorline = _ffi.new('long[1]', [-1])
--        i = NCONF_load_bio(reqdata, nconf_bio, errorline)
--        if i < 0:
--            if errorline[0] < 0:
--                raise errors.CSRTemplateError(reason="Can't load config file")
--            else:
--                raise errors.CSRTemplateError(
--                    reason='Error on line %d of config file' % errorline[0])
--
--        dn_sect = NCONF_get_string(reqdata, b'req', b'distinguished_name')
--        if dn_sect == NULL:
--            raise errors.CSRTemplateError(
--                reason='Unable to find "distinguished_name" key in config')
--
--        dn_sk = NCONF_get_section(reqdata, dn_sect)
--        if dn_sk == NULL:
--            raise errors.CSRTemplateError(
--                reason='Unable to find "%s" section in config' %
--                _ffi.string(dn_sect))
--
--        pubkey_bio = BIO_new_mem_buf(public_key_info, len(public_key_info))
--        pubkey = d2i_PUBKEY_bio(pubkey_bio, NULL)
--        if pubkey == NULL:
--            _raise_openssl_errors()
--
--        req = X509_REQ_new()
--        if req == NULL:
--            _raise_openssl_errors()
--
--        subject = X509_REQ_get_subject_name(req)
--
--        _parse_dn_section(subject, dn_sk)
--
--        if not X509_REQ_set_pubkey(req, pubkey):
--            _raise_openssl_errors()
--
--        ext_ctx = _ffi.new("X509V3_CTX[1]")
--        X509V3_set_ctx(ext_ctx, NULL, NULL, req, NULL, 0)
--        X509V3_set_nconf(ext_ctx, reqdata)
--
--        extn_section = NCONF_get_string(reqdata, b"req", b"req_extensions")
--        if extn_section != NULL:
--            if not X509V3_EXT_REQ_add_nconf(
--                    reqdata, ext_ctx, extn_section, req):
--                _raise_openssl_errors()
--
--        if _openssl_version < 0x10100000 or LIBRESSL:
--            der_len = i2d_X509_REQ_INFO(req.req_info, NULL)
--        else:
--            req_info = _ffi.new("X509_REQ_INFO *", req.req_info)
--            der_len = i2d_X509_REQ_INFO(req_info, NULL)
--            req.req_info = req_info[0]
--        if der_len < 0:
--            _raise_openssl_errors()
--
--        der_buf = _ffi.new("unsigned char[%d]" % der_len)
--        der_out = _ffi.new("unsigned char **", der_buf)
--        if _openssl_version < 0x10100000 or LIBRESSL:
--            der_len = i2d_X509_REQ_INFO(req.req_info, der_out)
--        else:
--            der_len = i2d_X509_REQ_INFO(req_info, der_out)
--            req.req_info = req_info[0]
--        if der_len < 0:
--            _raise_openssl_errors()
--
--        return _ffi.buffer(der_buf, der_len)
--
--    finally:
--        if reqdata != NULL:
--            NCONF_free(reqdata)
--        if req != NULL:
--            X509_REQ_free(req)
--        if nconf_bio != NULL:
--            BIO_free(nconf_bio)
--        if pubkey_bio != NULL:
--            BIO_free(pubkey_bio)
--        if pubkey != NULL:
--            EVP_PKEY_free(pubkey)
-diff -urN freeipa-4.8.0/ipaclient/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py
---- freeipa-4.8.0/ipaclient/csrgen.py	2019-07-03 08:42:41.811540288 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py	1970-01-01 01:00:00.000000000 +0100
-@@ -1,488 +0,0 @@
--#
--# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
--#
--
--import base64
--import collections
--import errno
--import json
--import logging
--import os
--import os.path
--import pipes
--import subprocess
--import traceback
--import codecs
--
--import pkg_resources
--
--from cryptography.hazmat.backends import default_backend
--from cryptography.hazmat.primitives.asymmetric import padding
--from cryptography.hazmat.primitives import hashes
--from cryptography.hazmat.primitives.serialization import (
--    load_pem_private_key, Encoding, PublicFormat)
--from cryptography.x509 import load_pem_x509_certificate
--import jinja2
--import jinja2.ext
--import jinja2.sandbox
--from pyasn1.codec.der import decoder, encoder
--from pyasn1.type import univ
--from pyasn1_modules import rfc2314
--import six
--
--from ipalib import api
--from ipalib import errors
--from ipalib.text import _
--
--if six.PY3:
--    unicode = str
--
--__doc__ = _("""
--Routines for constructing certificate signing requests using IPA data and
--stored templates.
--""")
--
--logger = logging.getLogger(__name__)
--
--
--class IndexableUndefined(jinja2.Undefined):
--    def __getitem__(self, key):
--        return jinja2.Undefined(
--            hint=self._undefined_hint, obj=self._undefined_obj,
--            name=self._undefined_name, exc=self._undefined_exception)
--
--
--class IPAExtension(jinja2.ext.Extension):
--    """Jinja2 extension providing useful features for CSR generation rules."""
--
--    def __init__(self, environment):
--        super(IPAExtension, self).__init__(environment)
--
--        environment.filters.update(
--            quote=self.quote,
--            required=self.required,
--        )
--
--    def quote(self, data):
--        return pipes.quote(data)
--
--    def required(self, data, name):
--        if not data:
--            raise errors.CSRTemplateError(
--                reason=_(
--                    'Required CSR generation rule %(name)s is missing data') %
--                {'name': name})
--        return data
--
--
--class Formatter:
--    """
--    Class for processing a set of CSR generation rules into a template.
--
--    The template can be rendered with user and database data to produce a
--    config, which specifies how to build a CSR.
--
--    Subclasses of Formatter should set the value of base_template_name to the
--    filename of a base template with spaces for the processed rules.
--    Additionally, they should override the _get_template_params method to
--    produce the correct output for the base template.
--    """
--    base_template_name = None
--
--    def __init__(self, csr_data_dir=None):
--        # chain loaders:
--        # 1) csr_data_dir/templates
--        # 2) /etc/ipa/csrgen/templates
--        # 3) ipaclient/csrgen/templates
--        loaders = []
--        if csr_data_dir is not None:
--            loaders.append(jinja2.FileSystemLoader(
--                os.path.join(csr_data_dir, 'templates'))
--            )
--        loaders.append(jinja2.FileSystemLoader(
--            os.path.join(api.env.confdir, 'csrgen/templates'))
--        )
--        loaders.append(jinja2.PackageLoader('ipaclient', 'csrgen/templates'))
--
--        self.jinja2 = jinja2.sandbox.SandboxedEnvironment(
--            loader=jinja2.ChoiceLoader(loaders),
--            extensions=[jinja2.ext.ExprStmtExtension, IPAExtension],
--            keep_trailing_newline=True, undefined=IndexableUndefined)
--
--        self.passthrough_globals = {}
--
--    def _define_passthrough(self, call):
--        """Some macros are meant to be interpreted during the final render, not
--        when data rules are interpolated into syntax rules. This method allows
--        those macros to be registered so that calls to them are passed through
--        to the prepared rule rather than interpreted.
--        """
--
--        def passthrough(caller):
--            return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller())
--
--        parts = call.split('.')
--        current_level = self.passthrough_globals
--        for part in parts[:-1]:
--            if part not in current_level:
--                current_level[part] = {}
--            current_level = current_level[part]
--        current_level[parts[-1]] = passthrough
--
--    def build_template(self, rules):
--        """
--        Construct a template that can produce CSR generator strings.
--
--        :param rules: list of FieldMapping to use to populate the template.
--
--        :returns: jinja2.Template that can be rendered to produce the CSR data.
--        """
--        syntax_rules = []
--        for field_mapping in rules:
--            data_rules_prepared = [
--                self._prepare_data_rule(rule)
--                for rule in field_mapping.data_rules]
--
--            data_sources = []
--            for xrule in field_mapping.data_rules:
--                data_source = xrule.options.get('data_source')
--                if data_source:
--                    data_sources.append(data_source)
--
--            syntax_rules.append(self._prepare_syntax_rule(
--                field_mapping.syntax_rule, data_rules_prepared,
--                field_mapping.description, data_sources))
--
--        template_params = self._get_template_params(syntax_rules)
--        base_template = self.jinja2.get_template(
--            self.base_template_name, globals=self.passthrough_globals)
--
--        try:
--            combined_template_source = base_template.render(**template_params)
--        except jinja2.UndefinedError:
--            logger.debug(traceback.format_exc())
--            raise errors.CSRTemplateError(reason=_(
--                'Template error when formatting certificate data'))
--
--        logger.debug(
--            'Formatting with template: %s', combined_template_source)
--        combined_template = self.jinja2.from_string(combined_template_source)
--
--        return combined_template
--
--    def _wrap_conditional(self, rule, condition):
--        rule = '{%% if %s %%}%s{%% endif %%}' % (condition, rule)
--        return rule
--
--    def _wrap_required(self, rule, description):
--        template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % (
--            description, rule)
--
--        return template
--
--    def _prepare_data_rule(self, data_rule):
--        template = data_rule.template
--
--        data_source = data_rule.options.get('data_source')
--        if data_source:
--            template = self._wrap_conditional(template, data_source)
--
--        return template
--
--    def _prepare_syntax_rule(
--            self, syntax_rule, data_rules, description, data_sources):
--        logger.debug('Syntax rule template: %s', syntax_rule.template)
--        template = self.jinja2.from_string(
--            syntax_rule.template, globals=self.passthrough_globals)
--        is_required = syntax_rule.options.get('required', False)
--        try:
--            prepared_template = template.render(datarules=data_rules)
--        except jinja2.UndefinedError:
--            logger.debug(traceback.format_exc())
--            raise errors.CSRTemplateError(reason=_(
--                'Template error when formatting certificate data'))
--
--        if data_sources:
--            combinator = ' %s ' % syntax_rule.options.get(
--                'data_source_combinator', 'or')
--            condition = combinator.join(data_sources)
--            prepared_template = self._wrap_conditional(
--                prepared_template, condition)
--
--        if is_required:
--            prepared_template = self._wrap_required(
--                prepared_template, description)
--
--        return prepared_template
--
--    def _get_template_params(self, syntax_rules):
--        """
--        Package the syntax rules into fields expected by the base template.
--
--        :param syntax_rules: list of prepared syntax rules to be included in
--            the template.
--
--        :returns: dict of values needed to render the base template.
--        """
--        raise NotImplementedError('Formatter class must be subclassed')
--
--
--class OpenSSLFormatter(Formatter):
--    """Formatter class generating the openssl config-file format."""
--
--    base_template_name = 'openssl_base.tmpl'
--
--    # Syntax rules are wrapped in this data structure, to keep track of whether
--    # each goes in the extension or the root section
--    SyntaxRule = collections.namedtuple(
--        'SyntaxRule', ['template', 'is_extension'])
--
--    def __init__(self, *args, **kwargs):
--        super(OpenSSLFormatter, self).__init__(*args, **kwargs)
--        self._define_passthrough('openssl.section')
--
--    def _get_template_params(self, syntax_rules):
--        parameters = [rule.template for rule in syntax_rules
--                      if not rule.is_extension]
--        extensions = [rule.template for rule in syntax_rules
--                      if rule.is_extension]
--
--        return {'parameters': parameters, 'extensions': extensions}
--
--    def _prepare_syntax_rule(
--            self, syntax_rule, data_rules, description, data_sources):
--        """Overrides method to pull out whether rule is an extension or not."""
--        prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule(
--            syntax_rule, data_rules, description, data_sources)
--        is_extension = syntax_rule.options.get('extension', False)
--        return self.SyntaxRule(prepared_template, is_extension)
--
--
--class FieldMapping:
--    """Representation of the rules needed to construct a complete cert field.
--
--    Attributes:
--        description: str, a name or description of this field, to be used in
--            messages
--        syntax_rule: Rule, the rule defining the syntax of this field
--        data_rules: list of Rule, the rules that produce data to be stored in
--            this field
--    """
--    __slots__ = ['description', 'syntax_rule', 'data_rules']
--
--    def __init__(self, description, syntax_rule, data_rules):
--        self.description = description
--        self.syntax_rule = syntax_rule
--        self.data_rules = data_rules
--
--
--class Rule:
--    __slots__ = ['name', 'template', 'options']
--
--    def __init__(self, name, template, options):
--        self.name = name
--        self.template = template
--        self.options = options
--
--
--class RuleProvider:
--    def rules_for_profile(self, profile_id):
--        """
--        Return the rules needed to build a CSR using the given profile.
--
--        :param profile_id: str, name of the CSR generation profile to use
--
--        :returns: list of FieldMapping, filled out with the appropriate rules
--        """
--        raise NotImplementedError('RuleProvider class must be subclassed')
--
--
--class FileRuleProvider(RuleProvider):
--    def __init__(self, csr_data_dir=None):
--        self.rules = {}
--        self._csrgen_data_dirs = []
--        if csr_data_dir is not None:
--            self._csrgen_data_dirs.append(csr_data_dir)
--        self._csrgen_data_dirs.append(
--            os.path.join(api.env.confdir, 'csrgen')
--        )
--        self._csrgen_data_dirs.append(
--            pkg_resources.resource_filename('ipaclient', 'csrgen')
--        )
--
--    def _open(self, subdir, filename):
--        for data_dir in self._csrgen_data_dirs:
--            path = os.path.join(data_dir, subdir, filename)
--            try:
--                return open(path)
--            except IOError as e:
--                if e.errno != errno.ENOENT:
--                    raise
--        raise IOError(
--            errno.ENOENT,
--            "'{}' not found in {}".format(
--                os.path.join(subdir, filename),
--                ", ".join(self._csrgen_data_dirs)
--            )
--        )
--
--    def _rule(self, rule_name):
--        if rule_name not in self.rules:
--            try:
--                with self._open('rules', '%s.json' % rule_name) as f:
--                    ruleconf = json.load(f)
--            except IOError:
--                raise errors.NotFound(
--                    reason=_('No generation rule %(rulename)s found.') %
--                    {'rulename': rule_name})
--
--            try:
--                rule = ruleconf['rule']
--            except KeyError:
--                raise errors.EmptyResult(
--                    reason=_('Generation rule "%(rulename)s" is missing the'
--                             ' "rule" key') % {'rulename': rule_name})
--
--            options = ruleconf.get('options', {})
--
--            self.rules[rule_name] = Rule(
--                rule_name, rule['template'], options)
--
--        return self.rules[rule_name]
--
--    def rules_for_profile(self, profile_id):
--        try:
--            with self._open('profiles', '%s.json' % profile_id) as f:
--                profile = json.load(f)
--        except IOError:
--            raise errors.NotFound(
--                reason=_('No CSR generation rules are defined for profile'
--                         ' %(profile_id)s') % {'profile_id': profile_id})
--
--        field_mappings = []
--        for field in profile:
--            syntax_rule = self._rule(field['syntax'])
--            data_rules = [self._rule(name) for name in field['data']]
--            field_mappings.append(FieldMapping(
--                syntax_rule.name, syntax_rule, data_rules))
--        return field_mappings
--
--
--class CSRGenerator:
--    def __init__(self, rule_provider, formatter_class=OpenSSLFormatter):
--        self.rule_provider = rule_provider
--        self.formatter = formatter_class()
--
--    def csr_config(self, principal, config, profile_id):
--        render_data = {'subject': principal, 'config': config}
--
--        rules = self.rule_provider.rules_for_profile(profile_id)
--        template = self.formatter.build_template(rules)
--
--        try:
--            config = template.render(render_data)
--        except jinja2.UndefinedError:
--            logger.debug(traceback.format_exc())
--            raise errors.CSRTemplateError(reason=_(
--                'Template error when formatting certificate data'))
--
--        return config
--
--
--class CSRLibraryAdaptor:
--    def get_subject_public_key_info(self):
--        raise NotImplementedError('Use a subclass of CSRLibraryAdaptor')
--
--    def sign_csr(self, certification_request_info):
--        """Sign a CertificationRequestInfo.
--
--        :returns: bytes, a DER-encoded signed CSR.
--        """
--        raise NotImplementedError('Use a subclass of CSRLibraryAdaptor')
--
--
--class OpenSSLAdaptor:
--    def __init__(self, key=None, key_filename=None, password_filename=None):
--        """
--        Must provide either ``key_filename`` or ``key``.
--
--        """
--        if key_filename is not None:
--            with open(key_filename, 'rb') as key_file:
--                key_bytes = key_file.read()
--
--            password = None
--            if password_filename is not None:
--                with open(password_filename, 'rb') as password_file:
--                    password = password_file.read().strip()
--
--            self._key = load_pem_private_key(
--                key_bytes, password, default_backend())
--
--        elif key is not None:
--            self._key = key
--
--        else:
--            raise ValueError("Must provide 'key' or 'key_filename'")
--
--    def key(self):
--        return self._key
--
--    def get_subject_public_key_info(self):
--        pubkey_info = self.key().public_key().public_bytes(
--            Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
--        return pubkey_info
--
--    def sign_csr(self, certification_request_info):
--        reqinfo = decoder.decode(
--            certification_request_info, rfc2314.CertificationRequestInfo())[0]
--        csr = rfc2314.CertificationRequest()
--        csr.setComponentByName('certificationRequestInfo', reqinfo)
--
--        algorithm = rfc2314.SignatureAlgorithmIdentifier()
--        algorithm.setComponentByName(
--            'algorithm', univ.ObjectIdentifier(
--                '1.2.840.113549.1.1.11'))  # sha256WithRSAEncryption
--        csr.setComponentByName('signatureAlgorithm', algorithm)
--
--        signature = self.key().sign(
--            certification_request_info,
--            padding.PKCS1v15(),
--            hashes.SHA256()
--        )
--        asn1sig = univ.BitString("'{sig}'H".format(
--                                    sig=codecs.encode(signature, 'hex')
--                                    .decode('ascii'))
--                                 )
--        csr.setComponentByName('signature', asn1sig)
--        return encoder.encode(csr)
--
--
--class NSSAdaptor:
--    def __init__(self, database, password_filename):
--        self.database = database
--        self.password_filename = password_filename
--        self.nickname = base64.b32encode(os.urandom(40))
--
--    def get_subject_public_key_info(self):
--        temp_cn = base64.b32encode(os.urandom(40)).decode('ascii')
--
--        password_args = []
--        if self.password_filename is not None:
--            password_args = ['-f', self.password_filename]
--
--        subprocess.check_call(
--            ['certutil', '-S', '-n', self.nickname, '-s', 'CN=%s' % temp_cn,
--             '-x', '-t', ',,', '-d', self.database] + password_args)
--        cert_pem = subprocess.check_output(
--            ['certutil', '-L', '-n', self.nickname, '-a',
--             '-d', self.database] + password_args)
--
--        cert = load_pem_x509_certificate(cert_pem, default_backend())
--        pubkey_info = cert.public_key().public_bytes(
--            Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
--
--        return pubkey_info
--
--    def sign_csr(self, certification_request_info):
--        raise NotImplementedError('NSS is not yet supported')
-diff -urN freeipa-4.8.0/ipaclient/plugins/cert.py freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py
---- freeipa-4.8.0/ipaclient/plugins/cert.py	2019-07-03 08:42:41.978537802 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py	2019-07-03 13:24:38.477222594 +0200
-@@ -21,8 +21,6 @@
- 
- import base64
- 
--import six
--
- from ipaclient.frontend import MethodOverride
- from ipalib import errors
- from ipalib import x509
-@@ -31,9 +29,6 @@
- from ipalib.plugable import Registry
- from ipalib.text import _
- 
--if six.PY3:
--    unicode = str
--
- register = Registry()
- 
- 
-@@ -73,87 +68,12 @@
- 
- @register(override=True, no_fail=True)
- class cert_request(CertRetrieveOverride):
--    takes_options = CertRetrieveOverride.takes_options + (
--        Str(
--            'database?',
--            label=_('Path to NSS database'),
--            doc=_('Path to NSS database to use for private key'),
--        ),
--        Str(
--            'private_key?',
--            label=_('Path to private key file'),
--            doc=_('Path to PEM file containing a private key'),
--        ),
--        Str(
--            'password_file?',
--            label=_(
--                'File containing a password for the private key or database'),
--        ),
--        Str(
--            'csr_profile_id?',
--            label=_('Name of CSR generation profile (if not the same as'
--                    ' profile_id)'),
--        ),
--    )
--
-     def get_args(self):
-         for arg in super(cert_request, self).get_args():
-             if arg.name == 'csr':
-                 arg = arg.clone_retype(arg.name, File, required=False)
-             yield arg
- 
--    def forward(self, csr=None, **options):
--        database = options.pop('database', None)
--        private_key = options.pop('private_key', None)
--        csr_profile_id = options.pop('csr_profile_id', None)
--        password_file = options.pop('password_file', None)
--
--        if csr is None:
--            # Deferred import, ipaclient.csrgen is expensive to load.
--            # see https://pagure.io/freeipa/issue/7484
--            from ipaclient import csrgen
--
--            if database:
--                adaptor = csrgen.NSSAdaptor(database, password_file)
--            elif private_key:
--                adaptor = csrgen.OpenSSLAdaptor(
--                    key_filename=private_key, password_filename=password_file)
--            else:
--                raise errors.InvocationError(
--                    message=u"One of 'database' or 'private_key' is required")
--
--            pubkey_info = adaptor.get_subject_public_key_info()
--            pubkey_info_b64 = base64.b64encode(pubkey_info)
--
--            # If csr_profile_id is passed, that takes precedence.
--            # Otherwise, use profile_id. If neither are passed, the default
--            # in cert_get_requestdata will be used.
--            profile_id = csr_profile_id
--            if profile_id is None:
--                profile_id = options.get('profile_id')
--
--            response = self.api.Command.cert_get_requestdata(
--                profile_id=profile_id,
--                principal=options.get('principal'),
--                public_key_info=pubkey_info_b64)
--
--            req_info_b64 = response['result']['request_info']
--            req_info = base64.b64decode(req_info_b64)
--
--            csr = adaptor.sign_csr(req_info)
--
--            if not csr:
--                raise errors.CertificateOperationError(
--                    error=(_('Generated CSR was empty')))
--
--        else:
--            if database is not None or private_key is not None:
--                raise errors.MutuallyExclusiveError(reason=_(
--                    "Options 'database' and 'private_key' are not compatible"
--                    " with 'csr'"))
--
--        return super(cert_request, self).forward(csr, **options)
--
- 
- @register(override=True, no_fail=True)
- class cert_show(CertRetrieveOverride):
-diff -urN freeipa-4.8.0/ipaclient/plugins/cert.py.orig freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py.orig
---- freeipa-4.8.0/ipaclient/plugins/cert.py.orig	1970-01-01 01:00:00.000000000 +0100
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py.orig	2019-07-03 13:24:38.478222573 +0200
-@@ -0,0 +1,215 @@
-+# Authors:
-+#   Andrew Wnuk <awnuk@redhat.com>
-+#   Jason Gerard DeRose <jderose@redhat.com>
-+#   John Dennis <jdennis@redhat.com>
-+#
-+# Copyright (C) 2009  Red Hat
-+# see file 'COPYING' for use and warranty information
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+
-+import base64
-+
-+import six
-+
-+from ipaclient.frontend import MethodOverride
-+from ipalib import errors
-+from ipalib import x509
-+from ipalib import util
-+from ipalib.parameters import BinaryFile, File, Flag, Str
-+from ipalib.plugable import Registry
-+from ipalib.text import _
-+
-+if six.PY3:
-+    unicode = str
-+
-+register = Registry()
-+
-+
-+class CertRetrieveOverride(MethodOverride):
-+    takes_options = (
-+        Str(
-+            'certificate_out?',
-+            doc=_('Write certificate (chain if --chain used) to file'),
-+            include='cli',
-+            cli_metavar='FILE',
-+        ),
-+    )
-+
-+    def forward(self, *args, **options):
-+        if 'certificate_out' in options:
-+            certificate_out = options.pop('certificate_out')
-+            try:
-+                util.check_writable_file(certificate_out)
-+            except errors.FileError as e:
-+                raise errors.ValidationError(name='certificate-out',
-+                                             error=str(e))
-+        else:
-+            certificate_out = None
-+
-+        result = super(CertRetrieveOverride, self).forward(*args, **options)
-+
-+        if certificate_out is not None:
-+            if options.get('chain', False):
-+                certs = result['result']['certificate_chain']
-+            else:
-+                certs = [base64.b64decode(result['result']['certificate'])]
-+            certs = (x509.load_der_x509_certificate(cert) for cert in certs)
-+            x509.write_certificate_list(certs, certificate_out)
-+
-+        return result
-+
-+
-+@register(override=True, no_fail=True)
-+class cert_request(CertRetrieveOverride):
-+    takes_options = CertRetrieveOverride.takes_options + (
-+        Str(
-+            'database?',
-+            label=_('Path to NSS database'),
-+            doc=_('Path to NSS database to use for private key'),
-+        ),
-+        Str(
-+            'private_key?',
-+            label=_('Path to private key file'),
-+            doc=_('Path to PEM file containing a private key'),
-+        ),
-+        Str(
-+            'password_file?',
-+            label=_(
-+                'File containing a password for the private key or database'),
-+        ),
-+        Str(
-+            'csr_profile_id?',
-+            label=_('Name of CSR generation profile (if not the same as'
-+                    ' profile_id)'),
-+        ),
-+    )
-+
-+    def get_args(self):
-+        for arg in super(cert_request, self).get_args():
-+            if arg.name == 'csr':
-+                arg = arg.clone_retype(arg.name, File, required=False)
-+            yield arg
-+
-+    def forward(self, csr=None, **options):
-+        database = options.pop('database', None)
-+        private_key = options.pop('private_key', None)
-+        csr_profile_id = options.pop('csr_profile_id', None)
-+        password_file = options.pop('password_file', None)
-+
-+        if csr is None:
-+            # Deferred import, ipaclient.csrgen is expensive to load.
-+            # see https://pagure.io/freeipa/issue/7484
-+            from ipaclient import csrgen
-+
-+            if database:
-+                adaptor = csrgen.NSSAdaptor(database, password_file)
-+            elif private_key:
-+                adaptor = csrgen.OpenSSLAdaptor(
-+                    key_filename=private_key, password_filename=password_file)
-+            else:
-+                raise errors.InvocationError(
-+                    message=u"One of 'database' or 'private_key' is required")
-+
-+            pubkey_info = adaptor.get_subject_public_key_info()
-+            pubkey_info_b64 = base64.b64encode(pubkey_info)
-+
-+            # If csr_profile_id is passed, that takes precedence.
-+            # Otherwise, use profile_id. If neither are passed, the default
-+            # in cert_get_requestdata will be used.
-+            profile_id = csr_profile_id
-+            if profile_id is None:
-+                profile_id = options.get('profile_id')
-+
-+            response = self.api.Command.cert_get_requestdata(
-+                profile_id=profile_id,
-+                principal=options.get('principal'),
-+                public_key_info=pubkey_info_b64)
-+
-+            req_info_b64 = response['result']['request_info']
-+            req_info = base64.b64decode(req_info_b64)
-+
-+            csr = adaptor.sign_csr(req_info)
-+
-+            if not csr:
-+                raise errors.CertificateOperationError(
-+                    error=(_('Generated CSR was empty')))
-+
-+        else:
-+            if database is not None or private_key is not None:
-+                raise errors.MutuallyExclusiveError(reason=_(
-+                    "Options 'database' and 'private_key' are not compatible"
-+                    " with 'csr'"))
-+
-+        return super(cert_request, self).forward(csr, **options)
-+
-+
-+@register(override=True, no_fail=True)
-+class cert_show(CertRetrieveOverride):
-+    def get_options(self):
-+        for option in super(cert_show, self).get_options():
-+            if option.name == 'out':
-+                # skip server-defined --out
-+                continue
-+            if option.name == 'certificate_out':
-+                # add --out as a deprecated alias of --certificate-out
-+                option = option.clone_rename(
-+                    'out',
-+                    cli_name='certificate_out',
-+                    deprecated_cli_aliases={'out'},
-+                )
-+            yield option
-+
-+    def forward(self, *args, **options):
-+        try:
-+            options['certificate_out'] = options.pop('out')
-+        except KeyError:
-+            pass
-+
-+        return super(cert_show, self).forward(*args, **options)
-+
-+
-+@register(override=True, no_fail=True)
-+class cert_remove_hold(MethodOverride):
-+    has_output_params = (
-+        Flag('unrevoked',
-+            label=_('Unrevoked'),
-+        ),
-+        Str('error_string',
-+            label=_('Error'),
-+        ),
-+    )
-+
-+
-+@register(override=True, no_fail=True)
-+class cert_find(MethodOverride):
-+    takes_options = (
-+        BinaryFile(
-+            'file?',
-+            label=_("Input filename"),
-+            doc=_('File to load the certificate from.'),
-+            include='cli',
-+        ),
-+    )
-+
-+    def forward(self, *args, **options):
-+        if self.api.env.context == 'cli':
-+            if 'certificate' in options and 'file' in options:
-+                raise errors.MutuallyExclusiveError(
-+                    reason=_("cannot specify both raw certificate and file"))
-+            if 'certificate' not in options and 'file' in options:
-+                options['certificate'] = x509.load_unknown_x509_certificate(
-+                                            options.pop('file'))
-+
-+        return super(cert_find, self).forward(*args, **options)
-diff -urN freeipa-4.8.0/ipaclient/plugins/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/plugins/csrgen.py
---- freeipa-4.8.0/ipaclient/plugins/csrgen.py	2019-07-03 08:42:41.990537623 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/csrgen.py	1970-01-01 01:00:00.000000000 +0100
-@@ -1,128 +0,0 @@
--#
--# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
--#
--
--import base64
--
--import six
--
--from ipalib import api
--from ipalib import errors
--from ipalib import output
--from ipalib import util
--from ipalib.frontend import Local, Str
--from ipalib.parameters import Bytes, Principal
--from ipalib.plugable import Registry
--from ipalib.text import _
--from ipapython import dogtag
--
--
--if six.PY3:
--    unicode = str
--
--register = Registry()
--
--__doc__ = _("""
--Commands to build certificate requests automatically
--""")
--
--
--@register()
--class cert_get_requestdata(Local):
--    __doc__ = _('Gather data for a certificate signing request.')
--
--    NO_CLI = True
--
--    takes_options = (
--        Principal(
--            'principal',
--            label=_('Principal'),
--            doc=_('Principal for this certificate (e.g.'
--                  ' HTTP/test.example.com)'),
--        ),
--        Str(
--            'profile_id?',
--            label=_('Profile ID'),
--            doc=_('CSR Generation Profile to use'),
--        ),
--        Bytes(
--            'public_key_info',
--            label=_('Subject Public Key Info'),
--            doc=_('DER-encoded SubjectPublicKeyInfo structure'),
--        ),
--        Str(
--            'out?',
--            doc=_('Write CertificationRequestInfo to file'),
--        ),
--    )
--
--    has_output = (
--        output.Output(
--            'result',
--            type=dict,
--            doc=_('Dictionary mapping variable name to value'),
--        ),
--    )
--
--    has_output_params = (
--        Str(
--            'request_info',
--            label=_('CertificationRequestInfo structure'),
--        )
--    )
--
--    def execute(self, *args, **options):
--        # Deferred import, ipaclient.csrgen is expensive to load.
--        # see https://pagure.io/freeipa/issue/7484
--        from ipaclient import csrgen
--        from ipaclient import csrgen_ffi
--
--        if 'out' in options:
--            util.check_writable_file(options['out'])
--
--        principal = options.get('principal')
--        profile_id = options.get('profile_id')
--        if profile_id is None:
--            profile_id = dogtag.DEFAULT_PROFILE
--        public_key_info = options.get('public_key_info')
--        public_key_info = base64.b64decode(public_key_info)
--
--        if self.api.env.in_server:
--            backend = self.api.Backend.ldap2
--        else:
--            backend = self.api.Backend.rpcclient
--        if not backend.isconnected():
--            backend.connect()
--
--        try:
--            if principal.is_host:
--                principal_obj = api.Command.host_show(
--                    principal.hostname, all=True)
--            elif principal.is_service:
--                principal_obj = api.Command.service_show(
--                    unicode(principal), all=True)
--            elif principal.is_user:
--                principal_obj = api.Command.user_show(
--                    principal.username, all=True)
--        except errors.NotFound:
--            raise errors.NotFound(
--                reason=_("The principal for this request doesn't exist."))
--        principal_obj = principal_obj['result']
--        config = api.Command.config_show()['result']
--
--        generator = csrgen.CSRGenerator(csrgen.FileRuleProvider())
--
--        csr_config = generator.csr_config(principal_obj, config, profile_id)
--        request_info = base64.b64encode(csrgen_ffi.build_requestinfo(
--            csr_config.encode('utf8'), public_key_info))
--
--        result = {}
--        if 'out' in options:
--            with open(options['out'], 'wb') as f:
--                f.write(request_info)
--        else:
--            result = dict(request_info=request_info)
--
--        return dict(
--            result=result
--        )
-diff -urN freeipa-4.8.0/ipaclient/setup.py freeipa-4.8.0.removed_csrgen/ipaclient/setup.py
---- freeipa-4.8.0/ipaclient/setup.py	2019-07-03 08:42:41.836539916 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipaclient/setup.py	2019-07-03 13:24:38.479222551 +0200
-@@ -41,13 +41,6 @@
-             "ipaclient.remote_plugins.2_156",
-             "ipaclient.remote_plugins.2_164",
-         ],
--        package_data={
--            'ipaclient': [
--                'csrgen/profiles/*.json',
--                'csrgen/rules/*.json',
--                'csrgen/templates/*.tmpl',
--            ],
--        },
-         install_requires=[
-             "cryptography",
-             "ipalib",
-@@ -63,7 +56,6 @@
-         extras_require={
-             "install": ["ipaplatform"],
-             "otptoken_yubikey": ["python-yubico", "pyusb"],
--            "csrgen": ["cffi", "jinja2"],
-             "ldap": ["python-ldap"],  # ipapython.ipaldap
-         },
-         zip_safe=False,
-diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
---- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf	2019-07-03 08:42:45.972478335 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf	1970-01-01 01:00:00.000000000 +0100
-@@ -1,16 +0,0 @@
--[ req ]
--prompt = no
--encrypt_key = no
--
--distinguished_name = sec0
--req_extensions = sec2
--
--[ sec0 ]
--O=DOMAIN.EXAMPLE.COM
--CN=machine.example.com
--
--[ sec1 ]
--DNS = machine.example.com
--
--[ sec2 ]
--subjectAltName = @sec1
-diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
---- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf	2019-07-03 08:42:45.976478276 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf	1970-01-01 01:00:00.000000000 +0100
-@@ -1,16 +0,0 @@
--[ req ]
--prompt = no
--encrypt_key = no
--
--distinguished_name = sec0
--req_extensions = sec2
--
--[ sec0 ]
--O=DOMAIN.EXAMPLE.COM
--CN=testuser
--
--[ sec1 ]
--email = testuser@example.com
--
--[ sec2 ]
--subjectAltName = @sec1
-diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
---- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json	2019-07-03 08:42:45.980478216 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--[
--    {
--        "syntax": "basic",
--        "data": [
--            "options"
--        ]
--    }
--]
-diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
---- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json	2019-07-03 08:42:45.984478157 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,5 +0,0 @@
--{
--  "rule": {
--    "template": "openssl_rule"
--  }
--}
-diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/options.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
---- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/options.json	2019-07-03 08:42:45.988478097 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/options.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,8 +0,0 @@
--{
--  "rule": {
--    "template": "openssl_rule"
--  },
--  "options": {
--    "rule_option": true
--  }
--}
-diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
---- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl	2019-07-03 08:42:45.993478023 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl	1970-01-01 01:00:00.000000000 +0100
-@@ -1 +0,0 @@
--{{ options|join(";") }}
-diff -urN freeipa-4.8.0/ipatests/test_ipaclient/test_csrgen.py freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/test_csrgen.py
---- freeipa-4.8.0/ipatests/test_ipaclient/test_csrgen.py	2019-07-03 08:42:45.963478469 +0200
-+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/test_csrgen.py	1970-01-01 01:00:00.000000000 +0100
-@@ -1,304 +0,0 @@
--#
--# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
--#
--
--import os
--import pytest
--
--from cryptography.hazmat.backends import default_backend
--from cryptography.hazmat.primitives.asymmetric import rsa
--from cryptography import x509
--
--from ipaclient import csrgen, csrgen_ffi
--from ipalib import errors
--
--BASE_DIR = os.path.dirname(__file__)
--CSR_DATA_DIR = os.path.join(BASE_DIR, 'data', 'test_csrgen')
--
--
--@pytest.fixture
--def formatter():
--    return csrgen.Formatter(csr_data_dir=CSR_DATA_DIR)
--
--
--@pytest.fixture
--def rule_provider():
--    return csrgen.FileRuleProvider(csr_data_dir=CSR_DATA_DIR)
--
--
--@pytest.fixture
--def generator():
--    return csrgen.CSRGenerator(csrgen.FileRuleProvider())
--
--
--class StubRuleProvider(csrgen.RuleProvider):
--    def __init__(self):
--        self.syntax_rule = csrgen.Rule(
--            'syntax', '{{datarules|join(",")}}', {})
--        self.data_rule = csrgen.Rule('data', 'data_template', {})
--        self.field_mapping = csrgen.FieldMapping(
--            'example', self.syntax_rule, [self.data_rule])
--        self.rules = [self.field_mapping]
--
--    def rules_for_profile(self, profile_id):
--        return self.rules
--
--
--class IdentityFormatter(csrgen.Formatter):
--    base_template_name = 'identity_base.tmpl'
--
--    def __init__(self):
--        super(IdentityFormatter, self).__init__(csr_data_dir=CSR_DATA_DIR)
--
--    def _get_template_params(self, syntax_rules):
--        return {'options': syntax_rules}
--
--
--class test_Formatter:
--    def test_prepare_data_rule_with_data_source(self, formatter):
--        data_rule = csrgen.Rule('uid', '{{subject.uid.0}}',
--                                {'data_source': 'subject.uid.0'})
--        prepared = formatter._prepare_data_rule(data_rule)
--        assert prepared == '{% if subject.uid.0 %}{{subject.uid.0}}{% endif %}'
--
--    def test_prepare_data_rule_no_data_source(self, formatter):
--        """Not a normal case, but we should handle it anyway"""
--        data_rule = csrgen.Rule('uid', 'static_text', {})
--        prepared = formatter._prepare_data_rule(data_rule)
--        assert prepared == 'static_text'
--
--    def test_prepare_syntax_rule_with_data_sources(self, formatter):
--        syntax_rule = csrgen.Rule(
--            'example', '{{datarules|join(",")}}', {})
--        data_rules = ['{{subject.field1}}', '{{subject.field2}}']
--        data_sources = ['subject.field1', 'subject.field2']
--        prepared = formatter._prepare_syntax_rule(
--            syntax_rule, data_rules, 'example', data_sources)
--
--        assert prepared == (
--            '{% if subject.field1 or subject.field2 %}{{subject.field1}},'
--            '{{subject.field2}}{% endif %}')
--
--    def test_prepare_syntax_rule_with_combinator(self, formatter):
--        syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}',
--                                  {'data_source_combinator': 'and'})
--        data_rules = ['{{subject.field1}}', '{{subject.field2}}']
--        data_sources = ['subject.field1', 'subject.field2']
--        prepared = formatter._prepare_syntax_rule(
--            syntax_rule, data_rules, 'example', data_sources)
--
--        assert prepared == (
--            '{% if subject.field1 and subject.field2 %}{{subject.field1}},'
--            '{{subject.field2}}{% endif %}')
--
--    def test_prepare_syntax_rule_required(self, formatter):
--        syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}',
--                                  {'required': True})
--        data_rules = ['{{subject.field1}}']
--        data_sources = ['subject.field1']
--        prepared = formatter._prepare_syntax_rule(
--            syntax_rule, data_rules, 'example', data_sources)
--
--        assert prepared == (
--            '{% filter required("example") %}{% if subject.field1 %}'
--            '{{subject.field1}}{% endif %}{% endfilter %}')
--
--    def test_prepare_syntax_rule_passthrough(self, formatter):
--        """
--        Calls to macros defined as passthrough are still call tags in the final
--        template.
--        """
--        formatter._define_passthrough('example.macro')
--
--        syntax_rule = csrgen.Rule(
--            'example',
--            '{% call example.macro() %}{{datarules|join(",")}}{% endcall %}',
--            {})
--        data_rules = ['{{subject.field1}}']
--        data_sources = ['subject.field1']
--        prepared = formatter._prepare_syntax_rule(
--            syntax_rule, data_rules, 'example', data_sources)
--
--        assert prepared == (
--            '{% if subject.field1 %}{% call example.macro() %}'
--            '{{subject.field1}}{% endcall %}{% endif %}')
--
--    def test_prepare_syntax_rule_no_data_sources(self, formatter):
--        """Not a normal case, but we should handle it anyway"""
--        syntax_rule = csrgen.Rule(
--            'example', '{{datarules|join(",")}}', {})
--        data_rules = ['rule1', 'rule2']
--        data_sources = []
--        prepared = formatter._prepare_syntax_rule(
--            syntax_rule, data_rules, 'example', data_sources)
--
--        assert prepared == 'rule1,rule2'
--
--
--class test_FileRuleProvider:
--    def test_rule_basic(self, rule_provider):
--        rule_name = 'basic'
--
--        rule = rule_provider._rule(rule_name)
--
--        assert rule.template == 'openssl_rule'
--
--    def test_rule_global_options(self, rule_provider):
--        rule_name = 'options'
--
--        rule = rule_provider._rule(rule_name)
--
--        assert rule.options['rule_option'] is True
--
--    def test_rule_nosuchrule(self, rule_provider):
--        with pytest.raises(errors.NotFound):
--            rule_provider._rule('nosuchrule')
--
--    def test_rules_for_profile_success(self, rule_provider):
--        rules = rule_provider.rules_for_profile('profile')
--
--        assert len(rules) == 1
--        field_mapping = rules[0]
--        assert field_mapping.syntax_rule.name == 'basic'
--        assert len(field_mapping.data_rules) == 1
--        assert field_mapping.data_rules[0].name == 'options'
--
--    def test_rules_for_profile_nosuchprofile(self, rule_provider):
--        with pytest.raises(errors.NotFound):
--            rule_provider.rules_for_profile('nosuchprofile')
--
--
--class test_CSRGenerator:
--    def test_userCert_OpenSSL(self, generator):
--        principal = {
--            'uid': ['testuser'],
--            'mail': ['testuser@example.com'],
--        }
--        config = {
--            'ipacertificatesubjectbase': [
--                'O=DOMAIN.EXAMPLE.COM'
--            ],
--        }
--
--        script = generator.csr_config(principal, config, 'userCert')
--        with open(os.path.join(
--                CSR_DATA_DIR, 'configs', 'userCert.conf')) as f:
--            expected_script = f.read()
--        assert script == expected_script
--
--    def test_caIPAserviceCert_OpenSSL(self, generator):
--        principal = {
--            'krbprincipalname': [
--                'HTTP/machine.example.com@DOMAIN.EXAMPLE.COM'
--            ],
--        }
--        config = {
--            'ipacertificatesubjectbase': [
--                'O=DOMAIN.EXAMPLE.COM'
--            ],
--        }
--
--        script = generator.csr_config(
--            principal, config, 'caIPAserviceCert')
--        with open(os.path.join(
--                CSR_DATA_DIR, 'configs', 'caIPAserviceCert.conf')) as f:
--            expected_script = f.read()
--        assert script == expected_script
--
--    def test_works_with_lowercase_attr_type_shortname(self, generator):
--        principal = {
--            'uid': ['testuser'],
--            'mail': ['testuser@example.com'],
--        }
--        template_env = {
--            'ipacertificatesubjectbase': [
--                'o=DOMAIN.EXAMPLE.COM'  # lower-case attr type shortname
--            ],
--        }
--        config = generator.csr_config(principal, template_env, 'userCert')
--
--        key = rsa.generate_private_key(
--            public_exponent=65537,
--            key_size=2048,
--            backend=default_backend(),
--        )
--        adaptor = csrgen.OpenSSLAdaptor(key=key)
--
--        reqinfo = bytes(csrgen_ffi.build_requestinfo(
--            config.encode('utf-8'), adaptor.get_subject_public_key_info()))
--        csr_der = adaptor.sign_csr(reqinfo)
--        csr = x509.load_der_x509_csr(csr_der, default_backend())
--        assert (
--            csr.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
--            == [x509.NameAttribute(x509.NameOID.COMMON_NAME, u'testuser')]
--        )
--        assert (
--            csr.subject.get_attributes_for_oid(x509.NameOID.ORGANIZATION_NAME)
--            == [x509.NameAttribute(
--                x509.NameOID.ORGANIZATION_NAME, u'DOMAIN.EXAMPLE.COM')]
--        )
--
--    def test_unrecognised_attr_type_raises(self, generator):
--        principal = {
--            'uid': ['testuser'],
--            'mail': ['testuser@example.com'],
--        }
--        template_env = {
--            'ipacertificatesubjectbase': [
--                'X=DOMAIN.EXAMPLE.COM'  # unrecognised attr type
--            ],
--        }
--        config = generator.csr_config(principal, template_env, 'userCert')
--
--        key = rsa.generate_private_key(
--            public_exponent=65537,
--            key_size=2048,
--            backend=default_backend(),
--        )
--        adaptor = csrgen.OpenSSLAdaptor(key=key)
--
--        with pytest.raises(
--                errors.CSRTemplateError,
--                match=r'^unrecognised attribute type: X$'):
--            csrgen_ffi.build_requestinfo(
--                config.encode('utf-8'), adaptor.get_subject_public_key_info())
--
--
--class test_rule_handling:
--    def test_optionalAttributeMissing(self, generator):
--        principal = {'uid': 'testuser'}
--        rule_provider = StubRuleProvider()
--        rule_provider.data_rule.template = '{{subject.mail}}'
--        rule_provider.data_rule.options = {'data_source': 'subject.mail'}
--        generator = csrgen.CSRGenerator(
--            rule_provider, formatter_class=IdentityFormatter)
--
--        script = generator.csr_config(
--            principal, {}, 'example')
--        assert script == '\n'
--
--    def test_twoDataRulesOneMissing(self, generator):
--        principal = {'uid': 'testuser'}
--        rule_provider = StubRuleProvider()
--        rule_provider.data_rule.template = '{{subject.mail}}'
--        rule_provider.data_rule.options = {'data_source': 'subject.mail'}
--        rule_provider.field_mapping.data_rules.append(csrgen.Rule(
--            'data2', '{{subject.uid}}', {'data_source': 'subject.uid'}))
--        generator = csrgen.CSRGenerator(
--            rule_provider, formatter_class=IdentityFormatter)
--
--        script = generator.csr_config(principal, {}, 'example')
--        assert script == ',testuser\n'
--
--    def test_requiredAttributeMissing(self):
--        principal = {'uid': 'testuser'}
--        rule_provider = StubRuleProvider()
--        rule_provider.data_rule.template = '{{subject.mail}}'
--        rule_provider.data_rule.options = {'data_source': 'subject.mail'}
--        rule_provider.syntax_rule.options = {'required': True}
--        generator = csrgen.CSRGenerator(
--            rule_provider, formatter_class=IdentityFormatter)
--
--        with pytest.raises(errors.CSRTemplateError):
--            _script = generator.csr_config(
--                principal, {}, 'example')
diff --git a/SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch b/SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
deleted file mode 100644
index 981d18c..0000000
--- a/SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 2f8e87ce9ccaab51b32a395c6cf6c764434ed0e2 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Thu, 11 Jun 2020 10:40:57 +0200
-Subject: [PATCH] Revert "WebUI: use python3-rjsmin to minify JavaScript files"
-
-This reverts commit d986e844bbd37ccc7a532175631a55acd315cda3.
----
- .lgtm.yml                            | 4 ++--
- freeipa.spec.in                      | 2 +-
- install/ui/build/freeipa/Makefile.am | 2 +-
- install/ui/src/webui.profile.js      | 4 ++--
- install/ui/util/build/README         | 4 ++--
- install/ui/util/compile.sh           | 8 ++++----
- 6 files changed, 12 insertions(+), 12 deletions(-)
-
-#diff --git a/.lgtm.yml b/.lgtm.yml
-#index b3898116e..e63615918 100644
-#--- a/.lgtm.yml
-#+++ b/.lgtm.yml
-#@@ -39,7 +39,7 @@ extraction:
-#         - python3-setuptools
-#         - python3-wheel
-#         - nodejs
-#-        - python3-rjsmin
-#+        - uglifyjs
-#         - systemd
-#         - 389-ds-base-dev
-#         - libssl-dev
-#@@ -79,7 +79,7 @@ extraction:
-#         - python3-setuptools
-#         - python3-wheel
-#         - nodejs
-#-        - python3-rjsmin
-#+        - uglifyjs
-#         - systemd
-#         - 389-ds-base-dev
-#         - libssl-dev
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index b6eb79593..a4682497a 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -191,7 +191,7 @@ BuildRequires:  libsss_idmap-devel
- BuildRequires:  libsss_certmap-devel
- BuildRequires:  libsss_nss_idmap-devel >= %{sssd_version}
- BuildRequires:  nodejs(abi)
--BuildRequires:  python3-rjsmin
-+BuildRequires:  uglify-js
- BuildRequires:  libverto-devel
- BuildRequires:  libunistring-devel
- # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
-diff --git a/install/ui/build/freeipa/Makefile.am b/install/ui/build/freeipa/Makefile.am
-index f4d97819e..05e82f4da 100644
---- a/install/ui/build/freeipa/Makefile.am
-+++ b/install/ui/build/freeipa/Makefile.am
-@@ -18,6 +18,6 @@ widgets := $(wildcard ../../src/freeipa/widgets/*.js)
- nav := $(wildcard ../../src/freeipa/navigation/*.js)
- 
- app.js: $(core) $(base) $(widgets) $(nav)
--	PYTHON=$(PYTHON) $(srcdir)/../../util/make-ui.sh
-+	$(srcdir)/../../util/make-ui.sh
- 
- core.js: app.js
-diff --git a/install/ui/src/webui.profile.js b/install/ui/src/webui.profile.js
-index 2d4d691dc..1d7a6cc84 100644
---- a/install/ui/src/webui.profile.js
-+++ b/install/ui/src/webui.profile.js
-@@ -9,7 +9,7 @@ var profile = (function(){
-         releaseName: "lib",
-         action: "release",
- 
--        // optimization done separately by python3-rjsmin
-+        // optimization done separately by uglify.js
-         layerOptimize: false,
-         optimize: false,
-         cssOptimize: false,
-@@ -123,4 +123,4 @@ var profile = (function(){
-             }
-         }
-     };
--})();
-+})();
-\ No newline at end of file
-diff --git a/install/ui/util/build/README b/install/ui/util/build/README
-index 2c4e0ecac..0772532d4 100644
---- a/install/ui/util/build/README
-+++ b/install/ui/util/build/README
-@@ -1,5 +1,5 @@
- build.js is builded dojo builder, with applied patches from 'patches' folder, by
--itself and compiled using python3-rjsmin
-+itself and compiled using uglify.js
- 
- _base/configRhino.js is unmodifed file from dojo/dojo. Required for a build to work.
- 
-@@ -9,4 +9,4 @@ Available via Academic Free License >= 2.1 OR the modified BSD license.
- see: http://dojotoolkit.org/license for details
- 
- = License =
--Full Dojo license is in LICENSE file.
-+Full Dojo license is in LICENSE file.
-\ No newline at end of file
-diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh
-index 1516b815f..d14f90ab0 100755
---- a/install/ui/util/compile.sh
-+++ b/install/ui/util/compile.sh
-@@ -26,14 +26,14 @@ RDIR=$DIR/../release
- usage() {
- cat <<-__EOF__;
- NAME
--     compile.sh - Compiles layer file of Dojo build using Python rjsmin.
-+     compile.sh - Compiles layer file of Dojo build using uglify.js.
-                   Deletes all other files.
- 
- SYNOPSIS
-      path/to/compile.sh [--help] --release RELEASE --layer NAME/NAME
- 
- DESCRIPTION
--     Compiles layer file of Dojo build output using Python rjsmin.
-+     Compiles layer file of Dojo build output using uglify.js.
-      Deletes all other files.
- 
- OPTIONS
-@@ -105,7 +105,7 @@ if [[ ! $OUTPUT_FILE ]] ; then
-     OUTPUT_FILE=$RDIR/$RELEASE/$LAYER.js
- fi
- 
--# compile using python rjsmin
-+# compile using uglifyjs
- echo "Minimizing: $RDIR/$RELEASE/$LAYER.js"
- echo "Target file: $OUTPUT_FILE"
--${PYTHON:-python3} -m rjsmin < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
-+uglifyjs $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
--- 
-2.26.2
-
diff --git a/SOURCES/freeipa-4.8.7.tar.gz.asc b/SOURCES/freeipa-4.8.7.tar.gz.asc
deleted file mode 100644
index 0dae99e..0000000
--- a/SOURCES/freeipa-4.8.7.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl7hNhYACgkQRxniuKu/
-Yhq2rxAAnK8YHbQtivjssWz6BBRiU5TKootA3fSqfvbhACYG14629/Dpc5IIkYZ1
-0AE4CUFA7Oi92emFbxrLJyeSuxuzTxSVmydJ5HW/OTkRRSnmjL5oeBg2D++B9OaO
-qVAXRZbi5YNfW5y//9BIRzCGw0RHpbR/QjZ1ipDymky6nr5IS+EhfZ0iHeEyiNXd
-OP3OJv538HSvRrv3mJvz52pKVfegw1OTd8yUnmuPEc9ClQfPQHjXqsOeFYCbR8fg
-59y0twMMrOc2J4eL0OkNE/By+o+1vAMUwEs736sCdbJJPigerfuK0e7ZxP+x98BP
-bmIBxv7eUf20Rn3An7+vTqQP60V4tS+FOnc2LD3OpHH4vy34ovWZfYZWVKbg0z1+
-5E/0TWifhlibbRZctDaxkZfFVchQnixHnO0Awv8wNxRzh/XvvsTPz1zJXk5kHk3r
-Ws2/GbeWTiJLe8sIXJz0MNTayWLnsDJG6BCRf+K0HwCdL80p4TG71dTwa9PW5HEy
-UklxW/zfr+chS1AszNgb8wJa6WtDHfQnktJwSSj7CkD3JdUVx+L/cJiOfbCM+WUi
-BRzhVhNUDX/FkpGUyvC4AYXX+wcwHph9BDChUDqcG886aIK28TAsie3Vwz/F7hKP
-TYpF1+YIImcRfUQ737pnbHL12o5yzfhkBfD2GMsojEd0x71B3PY=
-=B33Z
------END PGP SIGNATURE-----
diff --git a/SOURCES/freeipa-4.9.2.tar.gz.asc b/SOURCES/freeipa-4.9.2.tar.gz.asc
new file mode 100644
index 0000000..b84ced9
--- /dev/null
+++ b/SOURCES/freeipa-4.9.2.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/
+YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J
+k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl
+JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ
+vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8
+YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk
+tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1
+rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd
+wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi
+7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3
+4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO
+Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU=
+=XC/f
+-----END PGP SIGNATURE-----
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 532c8b2..99de2e5 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -1,12 +1,24 @@
+# ipatests enabled by default, can be disabled with --without ipatests
+%bcond_without ipatests
+# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
+# On RHEL 8 we should use --with ipa_join_xml
+%bcond_without ipa_join_xml
+
+# Linting is disabled by default, needed for upstream testing
+%bcond_with lint
+
+# Build documentation with sphinx
+%bcond_with doc
+
+# Build Python wheels
+%bcond_with wheels
+
 # 389-ds-base 1.4 no longer supports i686 platform, build only client
 # packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
-%if 0%{?fedora} >= 28 || 0%{?rhel} > 7
-    %ifarch %{ix86}
-        %{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
-    %endif
+%ifarch %{ix86}
+    %{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
 %endif
 
-
 # Define ONLY_CLIENT to only make the ipa-client and ipa-python
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
@@ -16,37 +28,27 @@
     %global enable_server_option --enable-server
 %endif
 
-# Build ipatests
-%if 0%{?rhel}
+%if %{ONLY_CLIENT}
     %global with_ipatests 0
 %endif
-%if ! %{ONLY_CLIENT}
-    %{!?with_ipatests:%global with_ipatests 1}
-%endif
-%if 0%{?with_ipatests}
+
+# Whether to build ipatests
+%if %{with ipatests}
     %global with_ipatests_option --with-ipatests
 %else
     %global with_ipatests_option --without-ipatests
 %endif
 
-# Python 2/3 packages and default Python interpreter
-%if 0%{?rhel} > 7
-    %global with_default_python 3
+# Whether to use XML-RPC with ipa-join
+%if %{with ipa_join_xml}
+    %global with_ipa_join_xml_option --with-ipa-join-xml
+%else
+    %global with_ipa_join_xml_option --without-ipa-join-xml
 %endif
 
-%if 0%{?fedora} >= 29
-    # F29 only supports Python 3 as default Python
-    %global with_default_python 3
-%endif
-
-%{!?with_default_python:%global with_default_python 3}
-
-%global with_python3 1
-%global python %{__python3}
-
 # lint is not executed during rpmbuild
 # %%global with_lint 1
-%if 0%{?with_lint}
+%if %{with lint}
     %global linter_options --enable-pylint --with-jslint
 %else
     %global linter_options --disable-pylint --without-jslint
@@ -68,43 +70,45 @@
 %global python_netaddr_version 0.7.19
 # Require 4.7.0 which brings Python 3 bindings
 %global samba_version 4.12.3-12
-%global slapi_nis_version 0.56.4
-# Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files
-# SELinux context for /etc/named directory, RHBZ#1759495
 %global selinux_policy_version 3.14.3-52
-%global slapi_nis_version 0.56.1-4
+%global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
 # python3-lib389
 # Fix for "Installation fails: Replica Busy"
 # https://pagure.io/389-ds-base/issue/49818
 %global ds_version 1.4.2.4-6
-%global httpd_version 2.4.6-31
+# Fix for TLS 1.3 PHA, RHBZ#1775158
+%global httpd_version 2.4.37-21
+%global bind_version 9.11.20-6
 
 %else
 # Fedora
 %global package_name freeipa
 %global alt_name ipa
-# Fix for CVE-2018-20217
-%global krb5_version 1.17-17
-%global krb5_kdb_version 7.0
+# Fix for CVE-2020-28196
+%global krb5_version 1.18.2-29
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings
 # Require 4.12 which has DsRGetForestTrustInformation access rights fixes
-#global samba_version 2:4.12
-%global samba_version 2:4.9.0
-# SELinux context for /etc/named directory, RHBZ#1759495
-#global selinux_policy_version 3.14.3-52
-%global selinux_policy_version 3.14.3-41
-#global slapi_nis_version 0.56.4
-%global slapi_nis_version 0.56.3
+%global samba_version 2:4.12.10
+
+# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
+%global selinux_policy_version 3.14.5-45
+%global slapi_nis_version 0.56.5
+
+%global krb5_kdb_version 8.0
 
 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
 %global python_ldap_version 3.1.0-1
-# Fix for create suffix
-# https://pagure.io/389-ds-base/issue/49984
-%global ds_version 1.4.1.1
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
+# https://pagure.io/freeipa/issue/8515
+%global ds_version 1.4.3
 
+# Fix for TLS 1.3 PHA, RHBZ#1775146
+%global httpd_version 2.4.41-9
+
+%global bind_version 9.11.24-1
 # Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
 # Some packages don't provide new dist aliases.
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
@@ -112,26 +116,45 @@
 # Fedora
 %endif
 
+# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
+# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
+%if 0%{?fedora} || 0%{?rhel} >= 9
+    %global openssl_pkcs11_version 0.4.10-6
+    %global softhsm_version 2.5.0-4
+%else
+    %global with_bind_pkcs11 1
+%endif
+
+%if 0%{?rhel} == 8
 # PKIConnection has been modified to always validate certs.
 # https://pagure.io/freeipa/issue/8379
 %global pki_version 10.9.0-0.4
-
-# https://pagure.io/certmonger/issue/90
-%global certmonger_version 0.79.7-3
-
-# NSS release with fix for p11-kit-proxy issue, affects F28
-# https://pagure.io/freeipa/issue/7810
-%if 0%{?fedora} == 28
-%global nss_version 3.41.0-3
 %else
-%global nss_version 3.44.0-4
+# New KRA profile, ACME support
+# https://pagure.io/freeipa/issue/8545
+%global pki_version 10.10.0-2
 %endif
 
-%global sssd_version 2.2.3-11
+# RHEL 8.3+, F32+ has 0.79.13
+%global certmonger_version 0.79.7-3
 
-%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
+# RHEL 8.2+, F32+ has 3.58
+%global nss_version 3.44.0-4
+
+# RHEL 8.3+, F32+
+%global sssd_version 2.4.0
+
+%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
 %global kdcproxy_version 0.4-3
 
+%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
+# systemd with resolved enabled
+# see https://pagure.io/freeipa/issue/8275
+%global systemd_version 246.6-3
+%else
+%global systemd_version 239
+%endif
+
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
@@ -140,22 +163,29 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.8.7
+%define IPA_VERSION 4.9.2
+# Release candidate version -- uncomment with one percent for RC versions
+#%%global rc_version %%nil
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
     %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
 %endif
 
+%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil")
+
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        16%{?dist}
+Release:        3%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
 URL:            http://www.freeipa.org/
-Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
-Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
+Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz
+# Only use detached signature for the distribution builds. If it is a developer build, skip it
+%if %{NON_DEVELOPER_BUILD}
+Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
+%endif
 
 # RHEL spec file only: START: Change branding to IPA and Identity Management
 # Moved branding logos and background to redhat-logos-ipa-80.4:
@@ -164,40 +194,24 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 
 # RHEL spec file only: START
-Patch0001:      0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
-Patch0002:      0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch
-Patch0003:      0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
-Patch0004:      0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch
-Patch0005:      0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch
-Patch0006:      0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch
-Patch0007:      0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch
-Patch0008:      0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch
-Patch0009:      0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch
-Patch0010:      0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch
-Patch0011:      0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch
-Patch0012:      0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch
-Patch0013:      0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch
-Patch0014:      0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
-Patch0015:      0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch
-Patch0016:      0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
-Patch0017:      0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
-Patch0018:      0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
-Patch0019:      0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
-Patch0020:      0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
-Patch0021:      0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch
-Patch0022:      0022-rpcserver-fallback-to-non-armored-kinit-in-case-of-trusted-domains_rhbz#1914821.patch
-Patch0023:      0023-pylint-remove-unused-variable_rhbz#1914821.patch
-Patch0024:      0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910.patch
-Patch0025:      0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch
-Patch0026:      0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch
-Patch0027:      0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch
-Patch0028:      0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
-Patch0029:      0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch
+%if %{NON_DEVELOPER_BUILD}
+%if 0%{?rhel} >= 8
+Patch0001:      0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
+Patch0002:      0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
+Patch0003:      0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
+Patch0004:      0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
+Patch0005:      0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
+Patch0006:      0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
+Patch0007:      0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
+Patch0008:      0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
+Patch0009:      0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
+Patch0010:      0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
-Patch1002:      1002-4.8.0-Remove-csrgen.patch
-Patch1003:      1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
+%endif
+%endif
 # RHEL spec file only: END
 
+
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
 
@@ -207,20 +221,29 @@ BuildRequires:  openldap-devel
 # DAL version change may cause code crash or memory leaks, it is better to fail early.
 BuildRequires:  krb5-kdb-version = %{krb5_kdb_version}
 BuildRequires:  krb5-kdb-devel-version = %{krb5_kdb_version}
+BuildRequires:  krb5-devel >= %{krb5_version}
+BuildRequires:  pkgconfig(krb5)
+%if %{with ipa_join_xml}
 # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
 BuildRequires:  xmlrpc-c-devel >= 1.27.4
+%else
+BuildRequires:  libcurl-devel
+BuildRequires:  jansson-devel
+%endif
 BuildRequires:  popt-devel
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  pkgconfig
+BuildRequires:  pkgconf
 BuildRequires:  autoconf
 BuildRequires:  automake
+BuildRequires:  make
 BuildRequires:  libtool
 BuildRequires:  gettext
 BuildRequires:  gettext-devel
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
-BuildRequires:  systemd
+BuildRequires:  systemd >= %{systemd_version}
 # systemd-tmpfiles which is executed from make install requires apache user
 BuildRequires:  httpd
 BuildRequires:  nspr-devel
@@ -233,17 +256,23 @@ BuildRequires:  samba-devel >= %{samba_version}
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 BuildRequires:  libuuid-devel
+BuildRequires:  libpwquality-devel
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  libsss_certmap-devel
-# 1.15.3: sss_nss_getlistbycert (https://pagure.io/SSSD/sssd/issue/3050)
 BuildRequires:  libsss_nss_idmap-devel >= %{sssd_version}
-BuildRequires:  nodejs
+BuildRequires:  nodejs(abi)
+# use old dependency on RHEL 8 for now
+%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9
+BuildRequires:  python3-rjsmin
+%else
 BuildRequires:  uglify-js
+%endif
 BuildRequires:  libverto-devel
 BuildRequires:  libunistring-devel
 # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
 # 0.13.0-2: fix for missing dependency on python-six
 BuildRequires:  python3-lesscpy >= 0.13.0-2
+BuildRequires:  cracklib-dicts
 # ONLY_CLIENT
 %endif
 
@@ -258,11 +287,12 @@ BuildRequires:  python3-netaddr >= %{python_netaddr_version}
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
 BuildRequires:  python3-six
+BuildRequires:  python3-psutil
 
 #
 # Build dependencies for wheel packaging and PyPI upload
 #
-%if 0%{?with_wheels}
+%if %{with wheels}
 BuildRequires:  dbus-glib-devel
 BuildRequires:  libffi-devel
 BuildRequires:  python3-tox
@@ -275,14 +305,22 @@ BuildRequires:  python3-wheel
 # with_wheels
 %endif
 
+%if %{with doc}
+BuildRequires: python3-sphinx
+BuildRequires: python3-m2r
+%endif
+
 #
 # Build dependencies for lint and fastcheck
 #
-%if 0%{?with_lint}
+%if %{with lint}
+BuildRequires:  git
 BuildRequires:  jsl
+BuildRequires:  nss-tools
 BuildRequires:  rpmlint
 BuildRequires:  softhsm
 
+BuildRequires:  keyutils
 BuildRequires:  python3-augeas
 BuildRequires:  python3-cffi
 BuildRequires:  python3-cryptography >= 1.6
@@ -290,6 +328,7 @@ BuildRequires:  python3-custodia >= 0.3.1
 BuildRequires:  python3-dateutil
 BuildRequires:  python3-dbus
 BuildRequires:  python3-dns >= 1.15
+BuildRequires:  python3-docker
 BuildRequires:  python3-gssapi >= 1.2.0
 BuildRequires:  python3-jinja2
 BuildRequires:  python3-jwcrypto >= 0.4.2
@@ -302,12 +341,13 @@ BuildRequires:  python3-lxml
 BuildRequires:  python3-netaddr >= %{python_netaddr_version}
 BuildRequires:  python3-netifaces
 BuildRequires:  python3-paste
+BuildRequires:  python3-pexpect
 BuildRequires:  python3-pki >= %{pki_version}
 BuildRequires:  python3-polib
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
 BuildRequires:  python3-pycodestyle
-%if 0%{?fedora} >= 29
+%if 0%{?fedora} || 0%{?rhel} > 8
 # https://bugzilla.redhat.com/show_bug.cgi?id=1648299
 BuildRequires:  python3-pylint >= 2.1.1-2
 %else
@@ -322,6 +362,7 @@ BuildRequires:  python3-sss
 BuildRequires:  python3-sss-murmur
 BuildRequires:  python3-sssdconfig >= %{sssd_version}
 BuildRequires:  python3-systemd
+BuildRequires:  python3-yaml
 BuildRequires:  python3-yubico
 # with_lint
 %endif
@@ -337,7 +378,7 @@ BuildRequires:  krb5-server >= %{krb5_version}
 %endif
 
 # Build dependencies for SELinux policy
-%if 0%{?with_selinux}
+%if %{with selinux}
 BuildRequires:  selinux-policy-devel >= %{selinux_policy_version}
 %endif
 
@@ -362,7 +403,8 @@ Requires: 389-ds-base >= %{ds_version}
 Requires: openldap-clients > 2.4.35-4
 Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
-Requires(post): krb5-kdb-version = %{krb5_kdb_version}
+Requires(post): krb5-server >= %{krb5_base_version}
+Requires: krb5-kdb-version = %{krb5_kdb_version}
 Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
@@ -378,17 +420,19 @@ Requires: mod_session >= %{httpd_version}
 # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
 Requires: mod_lookup_identity >= 0.9.9
 Requires: acl
-Requires: systemd-units >= 38
+Requires: systemd-units >= %{systemd_version}
+Requires(pre): systemd-units >= %{systemd_version}
+Requires(post): systemd-units >= %{systemd_version}
+Requires(preun): systemd-units >= %{systemd_version}
+Requires(postun): systemd-units >= %{systemd_version}
 Requires(pre): shadow-utils
-Requires(pre): systemd-units
-Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
 Requires: pki-ca >= %{pki_version}
 Requires: pki-kra >= %{pki_version}
-Requires(preun): systemd-units
-Requires(postun): systemd-units
+# pki-acme package was split out in pki-10.10.0
+Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0)
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= %{certmonger_version}
@@ -404,6 +448,8 @@ Requires: oddjob
 # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
 Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
+Requires: libpwquality
+Requires: cracklib-dicts
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -421,8 +467,10 @@ Obsoletes: %{name}-server <= 4.2.0
 Conflicts: nss-pam-ldapd < 0.8.4
 
 # RHEL spec file only: START: Do not build tests
+%if 0%{?rhel} == 8
 # ipa-tests subpackage was moved to separate srpm
 Conflicts: ipa-tests < 3.3.3-9
+%endif
 # RHEL spec file only: END: Do not build tests
 
 %description server
@@ -453,7 +501,14 @@ Requires: python3-lxml
 Requires: python3-pki >= %{pki_version}
 Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-sssdconfig >= %{sssd_version}
+Requires: python3-psutil
 Requires: rpm-libs
+# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
+%if 0%{?rhel}
+Requires: python3-urllib3 >= 1.24.2-3
+%else
+Requires: python3-urllib3 >= 1.25.7
+%endif
 
 %description -n python3-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -469,9 +524,9 @@ Summary: Common files used by IPA server
 BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= %{httpd_version}
-Requires: systemd-units >= 38
+Requires: systemd-units >= %{systemd_version}
 Requires: custodia >= 0.3.1
-%if 0%{?rhel} > 7
+%if 0%{?rhel} >= 8
 Requires: redhat-logos-ipa >= 80.4
 %endif
 
@@ -493,11 +548,18 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
 Requires: bind-dyndb-ldap >= 11.2-2
-Requires: bind >= 9.11.0-6.P2
-Requires: bind-utils >= 9.11.0-6.P2
-Requires: bind-pkcs11 >= 9.11.0-6.P2
-Requires: bind-pkcs11-utils >= 9.11.0-6.P2
-Requires: opendnssec >= 1.4.6-4
+Requires: bind >= %{bind_version}
+Requires: bind-utils >= %{bind_version}
+%if %{with bind_pkcs11}
+Requires: bind-pkcs11 >= %{bind_version}
+Requires: bind-pkcs11-utils >= %{bind_version}
+%else
+Requires: softhsm >= %{softhsm_version}
+Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+%endif
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
+# RHEL 8.3+ and Fedora 32+ have 2.1
+Requires: opendnssec >= 2.1.6-5
 %{?systemd_requires}
 
 Provides: %{alt_name}-server-dns = %{version}
@@ -520,8 +582,9 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: libsss_idmap
+%if 0%{?rhel}
 Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
-
+%endif
 Requires(post): python3
 Requires: python3-samba
 Requires: python3-libsss_nss_idmap
@@ -562,9 +625,14 @@ Requires: krb5-workstation >= %{krb5_version}
 Requires: authselect >= 0.4-2
 Requires: curl
 # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
+# All Fedora 28+ and RHEL8+ contain the service in hostname package
 Requires: hostname
 Requires: libcurl >= 7.21.7-2
+%if %{with ipa_join_xml}
 Requires: xmlrpc-c >= 1.27.4
+%else
+Requires: jansson
+%endif
 Requires: sssd-ipa >= %{sssd_version}
 Requires: certmonger >= %{certmonger_version}
 Requires: nss-tools >= %{nss_version}
@@ -588,8 +656,10 @@ Obsoletes: %{alt_name}-admintools < 4.4.1
 Obsoletes: %{name}-admintools < 4.4.1
 Provides: %{name}-admintools = %{version}-%{release}
 
+%if 0%{?rhel} == 8
 # Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
 Conflicts: crypto-policies < 20200629-1
+%endif
 
 %description client
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -618,16 +688,18 @@ Requires: cifs-utils
 This package provides command-line tools to deploy Samba domain member
 on the machine enrolled into a FreeIPA environment
 
-%if ! %{ONLY_CLIENT}
 %package client-epn
 Summary: Tools to configure Expiring Password Notification in IPA
 Group: System Environment/Base
 Requires: %{name}-client = %{version}-%{release}
+Requires: systemd-units >= %{systemd_version}
+Requires(post): systemd-units >= %{systemd_version}
+Requires(preun): systemd-units >= %{systemd_version}
+Requires(postun): systemd-units >= %{systemd_version}
 
 %description client-epn
 This package provides a service to collect and send expiring password
 notifications via email (SMTP).
-%endif
 
 %package -n python3-ipaclient
 Summary: Python libraries used by IPA client
@@ -639,7 +711,6 @@ Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-augeas
 Requires: python3-dns >= 1.15
 Requires: python3-jinja2
-# RHEL spec file only: DELETED: Remove csrgen
 
 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -650,7 +721,6 @@ and integration with Active Directory based infrastructures (Trusts).
 If your network uses IPA for authentication, this package should be
 installed on every client machine.
 
-
 %package client-common
 Summary: Common files used by IPA client
 BuildArch: noarch
@@ -658,6 +728,12 @@ BuildArch: noarch
 Provides: %{alt_name}-client-common = %{version}
 Conflicts: %{alt_name}-client-common
 Obsoletes: %{alt_name}-client-common < %{version}
+# python2-ipa* packages are no longer available in 4.8.
+Obsoletes: python2-ipaclient < 4.8.0-1
+Obsoletes: python2-ipalib < 4.8.0-1
+Obsoletes: python2-ipaserver < 4.8.0-1
+Obsoletes: python2-ipatests < 4.8.0-1
+
 
 %description client-common
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -753,11 +829,11 @@ Obsoletes: %{alt_name}-common < %{version}
 
 Conflicts: %{alt_name}-python < %{version}
 
-%if 0%{?with_selinux}
+%if %{with selinux}
 # This ensures that the *-selinux package and all it’s dependencies are not
 # pulled into containers and other systems that do not use SELinux. The
 # policy defines types and file contexts for client and server.
-Requires:       (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
 %endif
 
 %description common
@@ -769,7 +845,7 @@ and integration with Active Directory based infrastructures (Trusts).
 If you are using IPA, you need to install this package.
 
 
-%if 0%{?with_ipatests}
+%if %{with ipatests}
 
 %package -n python3-ipatests
 Summary: IPA tests and test tools
@@ -778,18 +854,28 @@ BuildArch: noarch
 Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-ipaserver = %{version}-%{release}
 Requires: iptables
-Requires: ldns-utils
 Requires: python3-coverage
 Requires: python3-cryptography >= 1.6
+Requires: python3-pexpect
+%if 0%{?fedora}
+# These packages do not exist on RHEL and for ipatests use
+# they are installed on the controller through other means
+Requires: ldns-utils
+# update-crypto-policies
+Requires: crypto-policies-scripts
 Requires: python3-polib
 Requires: python3-pytest >= 3.9.1
 Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
+Requires: sshpass
+%endif
 Requires: python3-sssdconfig >= %{sssd_version}
 Requires: tar
 Requires: xz
 Requires: openssh-clients
-Requires: sshpass
+%if 0%{?rhel}
+AutoReqProv: no
+%endif
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -799,11 +885,11 @@ features for further integration with Linux based clients (SUDO, automount)
 and integration with Active Directory based infrastructures (Trusts).
 This package contains tests that verify IPA functionality under Python 3.
 
-# with_ipatests
+# with ipatests
 %endif
 
 
-%if 0%{?with_selinux}
+%if %{with selinux}
 # SELinux subpackage
 %package selinux
 Summary:             FreeIPA SELinux policy
@@ -814,12 +900,11 @@ Requires(post):      selinux-policy-%{selinuxtype}
 
 %description selinux
 Custom SELinux policy module for FreeIPA
-# with_selinux
+# with selinux
 %endif
 
 
 %prep
-# RHEL spec file only: START
 # Update timestamps on the files touched by a patch, to avoid non-equal
 # .pyc/.pyo files across the multilib peers within a build, where "Level"
 # is the patch prefix option (e.g. -p1)
@@ -835,9 +920,7 @@ UpdateTimestamps() {
   done
 }
 
-%setup -n freeipa-%{version} -q
-
-# RHEL spec file only: START
+%setup -n freeipa-%{version}%{?rc_version} -q
 
 # To allow proper application patches to the stripped po files, strip originals
 pushd po
@@ -852,26 +935,16 @@ for p in %patches ; do
     UpdateTimestamps -p1 $p
 done
 
-# RHEL spec file only: END
-
-# RHEL spec file only: START
-# Moved branding logos and background to redhat-logos-ipa-80.4:
-# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
-# product-name.png
-# RHEL spec file only: END
-
 %build
-# RHEL spec file only: START
-autoreconf -i -f
-# RHEL spec file only: END
-
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
 
 export PYTHON=%{__python3}
+autoreconf -ivf
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
+           %{with_ipa_join_xml_option} \
            %{linter_options}
 
 # run build in default dir
@@ -892,18 +965,29 @@ make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
 # All files and directories created by spec install should be marked as ghost.
 # (These are typically configuration files created by IPA installer.)
 # All other artifacts should be created by make install.
-#
 
-%{__make} python_install DESTDIR=%{?buildroot} INSTALL="%{__install} -p"
-
-# default installation
-# This installs all Python packages twice and overrides the ipa-test
-# commands. We'll fix the command links later with ln --force.
 %make_install
 
+# don't package ipasphinx for now
+rm -rf %{buildroot}%{python3_sitelib}/ipasphinx*
+
+%if %{with ipatests}
+mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
+mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
+mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
+ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
+ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
+ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
+ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
+ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
+ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
+# with_ipatests
+%endif
+
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
 
+%if 0%{?rhel}
 # RHEL spec file only: START
 # Moved branding logos and background to redhat-logos-ipa-80.4:
 # header-logo.png, login-screen-background.jpg, login-screen-logo.png,
@@ -912,6 +996,7 @@ rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
 rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
 rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
 rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
+%endif
 # RHEL spec file only: END
 
 %find_lang %{gettext_domain}
@@ -963,18 +1048,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 # ONLY_CLIENT
 %endif
 
-%if %{ONLY_CLIENT}
-# Remove ipa-epn parts as we don't have ipa-epn systemd integration generated
-# for client-only build
-rm %{buildroot}/%{_sbindir}/ipa-epn
-rm %{buildroot}/%{_sysconfdir}/ipa/epn.conf
-rm -rf %{buildroot}/%{_sysconfdir}/ipa/epn
-rm %{buildroot}/%{_mandir}/man1/ipa-epn.1*
-rm %{buildroot}/%{_mandir}/man5/epn.conf.5*
-rm %{buildroot}/%{_unitdir}/ipa-epn.service
-rm %{buildroot}/%{_unitdir}/ipa-epn.timer
-%endif
-
 %if ! %{ONLY_CLIENT}
 
 %post server
@@ -991,7 +1064,7 @@ fi
 
 %posttrans server
 # don't execute upgrade and restart of IPA when server is not installed
-%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
 
 if [  $? -eq 0 ]; then
     # This is necessary for Fedora system upgrades which by default
@@ -1007,6 +1080,11 @@ if [  $? -eq 0 ]; then
     if [  $? -eq 0 ]; then
         /bin/systemctl restart ipa.service >/dev/null
     fi
+
+    /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
+    if [  $? -eq 1 ]; then
+        /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
+    fi
 fi
 # END
 
@@ -1070,7 +1148,7 @@ fi
 
 
 %posttrans server-trust-ad
-%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
 if [  $? -eq 0 ]; then
 # NOTE: systemd specific section
     /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
@@ -1088,6 +1166,17 @@ fi
 # ONLY_CLIENT
 %endif
 
+%preun client-epn
+%systemd_preun ipa-epn.service
+%systemd_preun ipa-epn.timer
+
+%postun client-epn
+%systemd_postun ipa-epn.service
+%systemd_postun ipa-epn.timer
+
+%post client-epn
+%systemd_post ipa-epn.service
+%systemd_post ipa-epn.timer
 
 %post client
 if [ $1 -gt 1 ] ; then
@@ -1111,20 +1200,17 @@ if [ $1 -gt 1 ] ; then
             cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
         fi
 
-        %{python} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
-    fi
-
-    if [ $restore -ge 2 ]; then
-        %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
-    fi
-
-    if [ $restore -ge 2 ]; then
-        sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
+        %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
+        %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
+        SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
+        if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
+            sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
+        fi
     fi
 fi
 
 
-%if 0%{?with_selinux}
+%if %{with selinux}
 # SELinux contexts are saved so that only affected files can be
 # relabeled after the policy module installation
 %pre selinux
@@ -1146,7 +1232,7 @@ fi
 %endif
 
 
-%triggerin client -- openssh-server
+%triggerin client -- openssh-server < 8.2
 # Has the client been configured?
 restore=0
 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
@@ -1182,6 +1268,38 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
 fi
 
 
+%triggerin client -- openssh-server >= 8.2
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+    # If the snippet already exists, skip
+    if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
+        # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf
+        grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf
+        # Remove the values from sshd_conf
+        sed -ri '
+            /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d
+        ' /etc/ssh/sshd_config
+
+        /bin/systemctl condrestart sshd.service 2>&1 || :
+    fi
+    # If the snippet has been created, ensure that it is included
+    # either by /etc/ssh/sshd_config.d/*.conf or directly
+    if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
+        if ! grep -E -q  '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
+            if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
+                # Include the snippet
+                echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew
+                cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew
+                mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+            fi
+        fi
+    fi
+fi
+
+
 %if ! %{ONLY_CLIENT}
 
 %files server
@@ -1210,14 +1328,11 @@ fi
 %{_sbindir}/ipa-pkinit-manage
 %{_sbindir}/ipa-crlgen-manage
 %{_sbindir}/ipa-cert-fix
+%{_sbindir}/ipa-acme-manage
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
-%dir %{_libexecdir}/ipa/custodia
-%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
-%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
-%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
-%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
+%{_libexecdir}/ipa/ipa-ccache-sweeper
 %{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-custodia-check
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
@@ -1226,6 +1341,11 @@ fi
 %{_libexecdir}/ipa/ipa-pki-wait-running
 %{_libexecdir}/ipa/ipa-otpd
 %{_libexecdir}/ipa/ipa-print-pac
+%dir %{_libexecdir}/ipa/custodia
+%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
+%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
+%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
+%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
 %dir %{_libexecdir}/ipa/oddjob
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
@@ -1237,6 +1357,8 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
 %attr(644,root,root) %{_unitdir}/ipa-otpd@.service
+%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service
+%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
@@ -1245,7 +1367,6 @@ fi
 %attr(755,root,root) %{plugin_dir}/libipa_uuid.so
 %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
 %attr(755,root,root) %{plugin_dir}/libipa_lockout.so
-%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
 %attr(755,root,root) %{plugin_dir}/libipa_dns.so
 %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
 %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
@@ -1278,6 +1399,7 @@ fi
 %{_mandir}/man1/ipa-pkinit-manage.1*
 %{_mandir}/man1/ipa-crlgen-manage.1*
 %{_mandir}/man1/ipa-cert-fix.1*
+%{_mandir}/man1/ipa-acme-manage.1*
 
 
 %files -n python3-ipaserver
@@ -1302,6 +1424,7 @@ fi
 %{_usr}/share/ipa/kdcproxy.wsgi
 %{_usr}/share/ipa/ipaca*.ini
 %{_usr}/share/ipa/*.ldif
+%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
 %dir %{_usr}/share/ipa/advise
@@ -1334,10 +1457,15 @@ fi
 %{_usr}/share/ipa/ui/js/freeipa/core.js
 %dir %{_usr}/share/ipa/ui/js/plugins
 %dir %{_usr}/share/ipa/ui/images
+%if 0%{?rhel}
 %{_usr}/share/ipa/ui/images/facet-*.png
 # Moved branding logos and background to redhat-logos-ipa-80.4:
 # header-logo.png, login-screen-background.jpg, login-screen-logo.png,
 # product-name.png
+%else
+%{_usr}/share/ipa/ui/images/*.jpg
+%{_usr}/share/ipa/ui/images/*.png
+%endif
 %dir %{_usr}/share/ipa/wsgi
 %{_usr}/share/ipa/wsgi/plugins.py*
 %dir %{_sysconfdir}/ipa
@@ -1395,6 +1523,8 @@ fi
 %{_sbindir}/ipa-adtrust-install
 %{_usr}/share/ipa/smb.conf.empty
 %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
+%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
+%{_datadir}/ipa/ipa-cldap-conf.ldif
 %{_mandir}/man1/ipa-adtrust-install.1*
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -1424,6 +1554,8 @@ fi
 %{_mandir}/man1/ipa-client-automount.1*
 %{_mandir}/man1/ipa-certupdate.1*
 %{_mandir}/man1/ipa-join.1*
+%dir %{_libexecdir}/ipa/acme
+%{_libexecdir}/ipa/acme/certbot-dns-ipa
 
 %files client-samba
 %doc README.md Contributors.txt
@@ -1431,7 +1563,7 @@ fi
 %{_sbindir}/ipa-client-samba
 %{_mandir}/man1/ipa-client-samba.1*
 
-%if ! %{ONLY_CLIENT}
+
 %files client-epn
 %doc README.md Contributors.txt
 %dir %{_sysconfdir}/ipa/epn
@@ -1443,7 +1575,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-epn.timer
 %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
 %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
-%endif
+
 
 %files -n python3-ipaclient
 %doc README.md Contributors.txt
@@ -1463,7 +1595,6 @@ fi
 %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
-# RHEL spec file only: DELETED: Remove csrgen
 %{python3_sitelib}/ipaclient-*.egg-info
 
 
@@ -1501,7 +1632,7 @@ fi
 %doc README.md Contributors.txt
 %license COPYING
 %dir %{_usr}/share/ipa
-
+%dir %{_libexecdir}/ipa
 
 %files -n python3-ipalib
 %doc README.md Contributors.txt
@@ -1515,7 +1646,7 @@ fi
 %{python3_sitelib}/ipaplatform-*.egg-info
 
 
-%if 0%{?with_ipatests}
+%if %{with ipatests}
 
 
 %files -n python3-ipatests
@@ -1523,6 +1654,12 @@ fi
 %license COPYING
 %{python3_sitelib}/ipatests
 %{python3_sitelib}/ipatests-*.egg-info
+%{_bindir}/ipa-run-tests-3
+%{_bindir}/ipa-test-config-3
+%{_bindir}/ipa-test-task-3
+%{_bindir}/ipa-run-tests-%{python3_version}
+%{_bindir}/ipa-test-config-%{python3_version}
+%{_bindir}/ipa-test-task-%{python3_version}
 %{_bindir}/ipa-run-tests
 %{_bindir}/ipa-test-config
 %{_bindir}/ipa-test-task
@@ -1530,54 +1667,107 @@ fi
 %{_mandir}/man1/ipa-test-config.1*
 %{_mandir}/man1/ipa-test-task.1*
 
-# with_ipatests
+# with ipatests
 %endif
 
 
-%if 0%{?with_selinux}
+%if %{with selinux}
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
-# with_selinux
+# with selinux
 %endif
 
 
 %changelog
-* Tue Mar  9 2021 Thomas Woerner <twoerner@redhat.com> - 4.8.7-16
+* Fri Mar 19 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-3
+- ipa-client-install displays false message
+  'sudo binary does not seem to be present on this system'
+  Resolves: RHBZ#1939371
+
+* Thu Mar  4 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-2
+- Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch
+  Resolves: RHBZ#1932289
 - Fix krb5kdc is crashing intermittently on IPA server
-  Resolves: RHBZ#1935146
+  Resolves: RHBZ#1932784
 
-* Fri Feb 19 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-15
-- ipa-kdb: fix crash in MS-PAC cache init code
-  Resolves: RHBZ#1930562
+* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
+- Upstream release FreeIPA 4.9.2
+  Related: RHBZ#1891832
 
-* Tue Jan 12 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.8.7-14
-- wgi/plugins.py: ignore empty plugin directories
-  Resolves: RHBZ#1895910
-- rpcserver: fallback to non-armored kinit in case of trusted domains
-  Resolves: RHBZ#1914821
-- pylint: remove unused variable
-  Resolves: RHBZ#1914821
+* Wed Jan 27 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.1-1
+- Upstream release FreeIPA 4.9.1
+  Related: RHBZ#1891832
+
+* Mon Jan  4 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.0-1
+- Upstream final release FreeIPA 4.9.0
+  Related: RHBZ#1891832
+
+* Fri Dec 11 2020 Thomas Woerner <twoerner@redhat.com> - 4.9.0-0.5.rc3
+- Upstream pre release FreeIPA 4.9.0rc3
+  Related: RHBZ#1891832
+
+* Fri Dec  4 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.3.rc2
+- Remove ipa-server dependency from ipa-selinux subpackage
+- Related: RHBZ#1891832
+
+* Fri Dec  4 2020 Thomas Woerner <twoerner@redhat.com> - 4.9.0-0.2.rc2
+- Upstream pre release FreeIPA 4.9.0rc2
+  Related: RHBZ#1891832
+- Synchronize spec file with upstream and Fedora
+  Related: RHBZ#1891832
+- Traceback while doing ipa-backup
+  Resolves: RHBZ#1901068
+- ipa-client-install changes system wide ssh configuration
+  Resolves: RRBZ#1544379
 - ipa-kdb: support subordinate/superior UPN suffixes
-  Resolves: RHBZ#1914823
-- ad trust: accept subordinate domains of the forest trust root
-  Resolves: RHBZ#1914823
-- ipatests: support subordinate upn suffixes
-  Resolves: RHBZ#1914823
+  Resolves: RHBZ#1891056
+- KRA Transport and Storage Certificates do not renew
+  Resolves: RHBZ#1872603
+- Move where the restore state is marked during IPA server upgrade
+  Resolves: RHBZ#1569011
+- Intermittent IdM Client Registration Failures
+  Resolves: RHBZ#1812871
+- Nightly test failure in test_acme.py::TestACME::test_third_party_certs
+  (updates-testing)
+  Resolves: RHBZ#1903025
+- Add IPA RA Agent to ACME group on the CA
+  Resolves: RHBZ#1902727
 
-* Thu Oct 08 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-13
+* Mon Nov 23 2020 Thomas Woerner <twoerner@redhat.com> - 4.9.0-0.1.rc1
+- Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub
+  package
+  Related: RHBZ#1891832
+
+* Mon Nov 23 2020 Thomas Woerner <twoerner@redhat.com> - 4.9.0-0.rc1
+- Upstream pre release FreeIPA 4.9.0rc1
+  Resolves: RHBZ#1891832
+- Requirements and design for libpwquality integration
+  Resolves: RHBZ#1340463
+- When parsing options require name/value pairs
+  Resolves: RHBZ#1357495
+- WebUI: Fix issue with opening links in new tab/window
+  Resolves: RHBZ#1484088
+- Use a state to determine if a 389-ds upgrade is in progress
+  Resolves: RHBZ#1569011
+- Unlock user accounts after a password reset and replicate that unlock to
+  all IdM servers
+  Resolves: RHBZ#1784657
+- Set the certmonger subject with a string, not an object
+  Resolves: RHBZ#1810148
+- Implement ACME certificate enrolment
+  Resolves: RHBZ#1851835
+- [WebUI] Backport jQuery patches from newer versions of the library (e.g.
+  3.5.0)
+  Resolves: RHBZ#1859249
+- It is not possible to edit KDC database when the FreeIPA server is running
+  Resolves: RHBZ#1875001
 - Fix nsslapd-db-lock tuning of BDB backend
-  Resolves: RHBZ#1882472
-
-* Wed Sep 23 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-12
-- Require selinux sub package in the proper version
-  Related: RHBZ#1868432
-- SELinux: do not double-define node_t and pki_tomcat_cert_t
-  Related: RHBZ#1868432
-- SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests
-  Related: RHBZ#1868432
-- dogtaginstance.py: add --debug to pkispawn
-  Resolves: RHBZ#1879604
+  Resolves: RHBZ#1882340
+- ipa-kdb: support subordinate/superior UPN suffixes
+  Resolves: RHBZ#1891056
+- wgi/plugins.py: ignore empty plugin directories
+  Resolves: RHBZ#1894800
 
 * Thu Sep 10 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-11
 - SELinux Policy: let custodia replicate keys