import ipa-4.8.4-2.module+el8.2.0+5265+c70de5c4

2020-01-22 06:15:30 -05:00 · 2020-01-22 06:15:30 -05:00 · d1dc358eba
parent 7c8968e6e6
commit d1dc358eba
12 changed files with 778 additions and 768 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/freeipa-4.7.90.pre1.tar.gz
+SOURCES/freeipa-4.8.4.tar.gz
--- a/.ipa.metadata
+++ b/.ipa.metadata
@ -1 +1 @@
-a61a3e7f174a021934368252c4773da6238de820 SOURCES/freeipa-4.7.90.pre1.tar.gz
+72c91f01b2039795223417dc6761edf8ee0f36ee SOURCES/freeipa-4.8.4.tar.gz
--- a/SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
+++ b/SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
@ -1,30 +0,0 @@
-From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Wed, 1 May 2019 16:19:53 -0700
-Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
-
-On Fedora/RHEL, it does not have a dash in it. The changes in
-da2cf1c5 inadvertently added a dash to the path in the 'base'
-paths definition (used on Fedora/RHEL), so the font wasn't found.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
- ipaplatform/base/paths.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 1cd2591bc..e1d396690 100644
--- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -249,7 +249,7 @@ class BasePathNamespace:
-     USERADD = "/usr/sbin/useradd"
-     FONTS_DIR = "/usr/share/fonts"
-     FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
-    FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
-+    FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
-     USR_SHARE_IPA_DIR = "/usr/share/ipa/"
-     USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
-     CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
-- 
-2.21.0
-
--- a/SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
+++ b/SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
@ -0,0 +1,47 @@
+From 2c2cef7063315766d893b275185b422be3f3c019 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Dec 16 2019 20:37:17 +0000
+Subject: DNS install check: Fix overlapping DNS zone from the master itself
+
+
+The change to allow overlapping zone to be from the master itself has
+introduced two issues: The check for the master itself should only executed
+if options.force and options.allow_zone_overlap are both false and the
+reverse zone check later on was still handling ValueError instead of
+dnsutil.DNSZoneAlreadyExists.
+
+Both issues have been fixed and the deployment with existing name servers
+is properly working again.
+
+Fixes: https://pagure.io/freeipa/issue/8150
+Signed-off-by: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+
+---
+
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index 36ba6f8..9f08e86 100644
+--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
+@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname):
+                 logger.warning("%s Please make sure that the domain is "
+                                "properly delegated to this IPA server.",
+                                e)
+-
+-            hst = dnsutil.DNSName(hostname).make_absolute().to_text()
+-            if hst not in e.kwargs['ns']:
+-                raise ValueError(str(e))
+            else:
+                hst = dnsutil.DNSName(hostname).make_absolute().to_text()
+                if hst not in e.kwargs['ns']:
+                    raise ValueError(str(e))
+ 
+     for reverse_zone in options.reverse_zones:
+         try:
+             dnsutil.check_zone_overlap(reverse_zone)
+-        except ValueError as e:
+        except dnsutil.DNSZoneAlreadyExists as e:
+             if options.force or options.allow_zone_overlap:
+                 logger.warning('%s', str(e))
+             else:
+
--- a/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch
+++ b/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch
@ -1,32 +0,0 @@
-From b3378c32603e83ea3d4651cee3af99e644a30457 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 20 Jul 2018 11:06:55 -0400
-Subject: [PATCH] No need to call rhel-specific domainname service
-
-It was moved upstream into hostname package which named it
-nis-domainname. When it was in the initscripts package there were
-separate fedora-domainname and rhel-domainname services.
-
-From F29+ it will be nis-domainname. We can use that as well in
-RHEL 8.
---
- ipaplatform/rhel/services.py | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py
-index 1403d08..06fa633 100644
--- a/ipaplatform/rhel/services.py
-+++ b/ipaplatform/rhel/services.py
-@@ -30,9 +30,6 @@ from ipaplatform.redhat import services as redhat_services
- # to their actual systemd service names
- rhel_system_units = redhat_services.redhat_system_units
- 
-# Service that sets domainname on RHEL is called rhel-domainname.service
-rhel_system_units['domainname'] = 'rhel-domainname.service'
-
- 
- # Service classes that implement RHEL-specific behaviour
- 
-- 
-2.13.6
-
--- a/SOURCES/0001-revert-minssf-defaults.patch
+++ b/SOURCES/0001-revert-minssf-defaults.patch
@ -1,136 +0,0 @@
-From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 1 May 2019 21:25:31 +0300
-Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
-
-This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
---
- install/share/Makefile.am       |  1 -
- install/share/min-ssf.ldif      | 14 --------------
- ipalib/constants.py             |  3 ---
- ipapython/ipaldap.py            | 17 ++---------------
- ipaserver/install/dsinstance.py |  5 -----
- 5 files changed, 2 insertions(+), 38 deletions(-)
- delete mode 100644 install/share/min-ssf.ldif
-
-diff --git a/install/share/Makefile.am b/install/share/Makefile.am
-index be83bdf75..8d039d95c 100644
--- a/install/share/Makefile.am
-+++ b/install/share/Makefile.am
-@@ -94,7 +94,6 @@ dist_app_DATA =				\
- 	ipa-kdc-proxy.conf.template	\
- 	ipa-pki-proxy.conf.template	\
- 	ipa-rewrite.conf.template	\
-	min-ssf.ldif			\
- 	ipaca_default.ini		\
- 	ipaca_customize.ini		\
- 	ipaca_softhsm2.ini		\
-diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
-deleted file mode 100644
-index 1c2566f84..000000000
--- a/install/share/min-ssf.ldif
-+++ /dev/null
-@@ -1,14 +0,0 @@
-# config
-# pretend SSF for LDAPI connections
-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
-dn: cn=config
-changetype: modify
-replace: nsslapd-localssf
-nsslapd-localssf: 256
-
-# minimum security strength factor for SASL and TLS
-# 56 is considered weak, but some old clients announce wrong SSF.
-dn: cn=config
-changetype: modify
-replace: nsslapd-minssf
-nsslapd-minssf: 56
-diff --git a/ipalib/constants.py b/ipalib/constants.py
-index bcf6f3373..c22dd26ae 100644
--- a/ipalib/constants.py
-+++ b/ipalib/constants.py
-@@ -311,9 +311,6 @@ TLS_VERSIONS = [
- ]
- TLS_VERSION_MINIMAL = "tls1.0"
- 
-# minimum SASL secure strength factor for LDAP connections
-# 56 provides backwards compatibility with old libraries.
-LDAP_SSF_MIN_THRESHOLD = 56
- 
- # Use cache path
- USER_CACHE_PATH = (
-diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
-index d9d67be1d..9ff443fe4 100644
--- a/ipapython/ipaldap.py
-+++ b/ipapython/ipaldap.py
-@@ -43,9 +43,7 @@ import six
- 
- # pylint: disable=ipa-forbidden-import
- from ipalib import errors, x509, _
-from ipalib.constants import (
-    LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
-)
-+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
- # pylint: enable=ipa-forbidden-import
- from ipaplatform.paths import paths
- from ipapython.ipautil import format_netloc, CIDict
-@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
-     return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
- 
- 
-def ldap_initialize(uri, cacertfile=None,
-                    ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
-+def ldap_initialize(uri, cacertfile=None):
-     """Wrapper around ldap.initialize()
- 
-     The function undoes global and local ldap.conf settings that may cause
-@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
-       locations, also known as system-wide trust store.
-     * Cert validation is enforced.
-     * SSLv2 and SSLv3 are disabled.
-    * Require a minimum SASL security factor of 56. That level ensures
-      data integrity and confidentiality. Although at least AES128 is
-      enforced pretty much everywhere, 56 is required for backwards
-      compatibility with systems that announce wrong SSF.
-     """
-     conn = ldap.initialize(uri)
- 
-@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
-     conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
- 
-     if not uri.startswith('ldapi://'):
-        # require a minimum SSF for TCP connections, but don't lower SSF_MIN
-        # if the current value is already larger.
-        cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
-        if cur_min_ssf < ssf_min_threshold:
-            conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
-
-         if cacertfile:
-             if not os.path.isfile(cacertfile):
-                 raise IOError(errno.ENOENT, cacertfile)
-diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
-index 8240e3043..9f05db1db 100644
--- a/ipaserver/install/dsinstance.py
-+++ b/ipaserver/install/dsinstance.py
-@@ -324,8 +324,6 @@ class DsInstance(service.Service):
-         else:
-             self.step("importing CA certificates from LDAP",
-                       self.__import_ca_certs)
-        # set min SSF after DS is configured for TLS
-        self.step("require minimal SSF", self.__min_ssf)
-         self.step("restarting directory server", self.__restart_instance)
- 
-         self.start_creation()
-@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
-             dm_password=self.dm_password
-         )
- 
-    def __min_ssf(self):
-        self._ldap_mod("min-ssf.ldif")
-
-     def __add_sudo_binduser(self):
-         self._ldap_mod("sudobind.ldif", self.sub_dict)
- 
-- 
-2.21.0
-
--- a/SOURCES/0002-upgrade-adtrust-when-no-trusts.patch
+++ b/SOURCES/0002-upgrade-adtrust-when-no-trusts.patch
@ -1,44 +0,0 @@
-From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sat, 11 May 2019 11:54:40 +0300
-Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
- trusts
-
-Upgrade failure when ipa-server-upgrade is being run on a system with no
-trust established but trust configured
-
-Fixes: https://pagure.io/freeipa/issue/7939
---
- ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
-index 6b4e2caa2..cdc3a8b04 100644
--- a/ipaserver/install/plugins/adtrust.py
-+++ b/ipaserver/install/plugins/adtrust.py
-@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
- 
-         trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
- 
-        trusts = ldap.get_entries(
-            base_dn=trusts_dn,
-            scope=ldap.SCOPE_ONELEVEL,
-            filter=self.trust_filter,
-            attrs_list=self.trust_attrs)
-+        # We might be in a situation when no trusts exist yet
-+        # In such case there is nothing to upgrade but we have to catch
-+        # an exception or it will abort the whole upgrade process
-+        try:
-+            trusts = ldap.get_entries(
-+                base_dn=trusts_dn,
-+                scope=ldap.SCOPE_ONELEVEL,
-+                filter=self.trust_filter,
-+                attrs_list=self.trust_attrs)
-+        except errors.EmptyResult:
-+            trusts = []
- 
-         # For every trust, retrieve its principals and convert
-         for t_entry in trusts:
-- 
-2.21.0
-
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
--- a/SOURCES/1002-4.7.90pre1-Remove-csrgen.patch
+++ b/SOURCES/1002-4.7.90pre1-Remove-csrgen.patch
@ -1,3 +1,12 @@
+Addtional patches that need to be partly reverted that are touching csrgen
+related files:
+
+7b8a2af2197381058ca532d1ae206defb16fac88
+ac6568dcf58ec8d06df5493d14a28aa41845d4ef
+9c86d35a3f0af4a793fada7dfe726e9cc66782ea
+9836511a2b6d7cf48b1a54cb3158e5eac674081a
+b431e9b684df11c811892bd9d2a5711355f0076e
+
 This is a collection of an existing patch to remove csrgen for 4.7.1 and
 additional patches that have been added for 4.7.90 pre1.

@ -91,10 +100,10 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1432630
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
 delete mode 100644 ipatests/test_ipaclient/test_csrgen.py

-diff -urN freeipa-4.7.90.pre1.orig/freeipa.spec.in freeipa-4.7.90.pre1/freeipa.spec.in
--- freeipa-4.7.90.pre1.orig/freeipa.spec.in	2019-04-29 08:28:24.722860593 +0200
-+++ freeipa-4.7.90.pre1/freeipa.spec.in	2019-05-06 18:31:26.443792711 +0200
-@@ -1225,13 +1225,6 @@
+diff -urN freeipa-4.8.0/freeipa.spec.in freeipa-4.8.0.removed_csrgen/freeipa.spec.in
+--- freeipa-4.8.0/freeipa.spec.in	2019-06-29 10:01:30.458735813 +0200
+++ freeipa-4.8.0.removed_csrgen/freeipa.spec.in	2019-07-03 13:24:38.471222723 +0200
+@@ -1247,13 +1247,6 @@
 %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
@ -108,9 +117,9 @@ diff -urN freeipa-4.7.90.pre1.orig/freeipa.spec.in freeipa-4.7.90.pre1/freeipa.s
 %{python3_sitelib}/ipaclient-*.egg-info
 
 
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/caIPAserviceCert.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/caIPAserviceCert.json	2019-04-29 17:06:41.408224320 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/caIPAserviceCert.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json
+--- freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json	2019-07-03 08:42:41.844539797 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
 -[
 -    {
@ -127,9 +136,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/caIPAserviceCert.js
 -        ]
 -    }
 -]
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/userCert.json freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/userCert.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/userCert.json	2019-04-29 17:06:41.417224194 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/userCert.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json
+--- freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json	2019-07-03 08:42:41.848539737 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
 -[
 -    {
@ -146,9 +155,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/userCert.json freei
 -        ]
 -    }
 -]
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataDNS.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataDNS.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataDNS.json	2019-04-29 17:06:41.422224125 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataDNS.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json
+--- freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json	2019-07-03 08:42:41.853539663 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
 -{
 -  "rule": {
@ -158,9 +167,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataDNS.json freeipa-4
 -    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataEmail.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataEmail.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataEmail.json	2019-04-29 17:06:41.426224069 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataEmail.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json
+--- freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json	2019-07-03 08:42:41.857539603 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
 -{
 -  "rule": {
@ -170,9 +179,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataEmail.json freeipa
 -    "data_source": "subject.mail.0"
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataHostCN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataHostCN.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataHostCN.json	2019-04-29 17:06:41.430224013 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataHostCN.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json
+--- freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json	2019-07-03 08:42:41.861539544 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
 -{
 -  "rule": {
@ -182,9 +191,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataHostCN.json freeip
 -    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataSubjectBase.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataSubjectBase.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataSubjectBase.json	2019-04-29 17:06:41.437223916 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataSubjectBase.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json
+--- freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json	2019-07-03 08:42:41.865539484 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
 -{
 -  "rule": {
@ -194,9 +203,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataSubjectBase.json f
 -    "data_source": "config.ipacertificatesubjectbase.0"
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataUsernameCN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataUsernameCN.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataUsernameCN.json	2019-04-29 17:06:41.449223748 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataUsernameCN.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json
+--- freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json	2019-07-03 08:42:41.869539424 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
 -{
 -  "rule": {
@ -206,9 +215,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataUsernameCN.json fr
 -    "data_source": "subject.uid.0"
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSAN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSAN.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSAN.json	2019-04-29 17:06:41.456223650 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSAN.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json
+--- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json	2019-07-03 08:42:41.874539350 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
 -{
 -  "rule": {
@ -218,9 +227,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSAN.json freeipa
 -    "extension": true
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSubject.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSubject.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSubject.json	2019-04-29 17:06:41.461223581 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSubject.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json
+--- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json	2019-07-03 08:42:41.878539290 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,9 +0,0 @@
 -{
 -  "rule": {
@ -231,9 +240,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSubject.json fre
 -    "data_source_combinator": "and"
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_base.tmpl freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_base.tmpl
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_base.tmpl	2019-04-29 17:06:41.469223469 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_base.tmpl	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl
+--- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl	2019-07-03 08:42:41.882539231 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl	1970-01-01 01:00:00.000000000 +0100
@@ -1,17 +0,0 @@
 -{% raw -%}
 -{% import "openssl_macros.tmpl" as openssl -%}
@ -252,9 +261,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_base.tmpl
 -{% endif %}
 -{{ openssl.openssl_sections|join('\n\n') }}
 -{%- endraw %}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_macros.tmpl freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_macros.tmpl
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_macros.tmpl	2019-04-29 17:06:41.475223385 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_macros.tmpl	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl
+--- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl	2019-07-03 08:42:41.886539171 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl	1970-01-01 01:00:00.000000000 +0100
@@ -1,29 +0,0 @@
 -{# List containing rendered sections to be included at end #}
 -{% set openssl_sections = [] %}
@ -285,10 +294,10 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_macros.tmp
 -[ {{ name }} ]
 -{{ contents -}}
 -{% endmacro %}
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/ipaclient/csrgen_ffi.py
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py	2019-04-29 17:06:41.367224892 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen_ffi.py	1970-01-01 01:00:00.000000000 +0100
-@@ -1,331 +0,0 @@
+diff -urN freeipa-4.8.0/ipaclient/csrgen_ffi.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py
+--- freeipa-4.8.0/ipaclient/csrgen_ffi.py	2019-07-03 08:42:41.816540214 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py	1970-01-01 01:00:00.000000000 +0100
+@@ -1,387 +0,0 @@
 -from cffi import FFI
 -import ctypes.util
 -
@ -297,6 +306,48 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
 -_ffi = FFI()
 -
 -_ffi.cdef('''
+-/* libcrypto/crypto.h */
+-unsigned long OpenSSL_version_num(void);
+-unsigned long SSLeay(void);
+-const char * OpenSSL_version(int t);
+-const char * SSLeay_version(int t);
+-
+-#define OPENSSL_VERSION 0
+-''')
+-
+-_libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto'))
+-
+-# SSLeay_version has been renamed with OpenSSL_version in OpenSSL 1.1.0
+-# LibreSSL has OpenSSL_version since 2.7.0
+-try:
+-    OpenSSL_version = _libcrypto.OpenSSL_version
+-except AttributeError:
+-    OpenSSL_version = _libcrypto.SSLeay_version
+-
+-_version = OpenSSL_version(_libcrypto.OPENSSL_VERSION)
+-_version = _ffi.string(_version).decode('utf-8')
+-LIBRESSL = _version.startswith('LibreSSL')
+-if not _version.startswith("OpenSSL") and not LIBRESSL:
+-    raise ImportError("Only LibreSSL and OpenSSL are supported")
+-
+-# SSLeay has been renamed with OpenSSL_version_num in OpenSSL 1.1.0
+-# LibreSSL has OpenSSL_version_num since 2.7.0
+-try:
+-    OpenSSL_version_num = _libcrypto.OpenSSL_version_num
+-except AttributeError:
+-    OpenSSL_version_num = _libcrypto.SSLeay
+-
+-# OpenSSL_version_num()/SSLeay() returns the value of OPENSSL_VERSION_NUMBER
+-#
+-# OPENSSL_VERSION_NUMBER is a numeric release version identifier:
+-# MNNFFPPS: major minor fix patch status
+-# For example,
+-# 0x000906000 == 0.9.6 dev
+-# 0x000906023 == 0.9.6b beta 3
+-# 0x00090605f == 0.9.6e release
+-_openssl_version = OpenSSL_version_num()
+-
+-_ffi.cdef('''
 -typedef ... CONF;
 -typedef ... CONF_METHOD;
 -typedef ... BIO;
@ -350,7 +401,6 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
 -typedef ... ASN1_BIT_STRING;
 -typedef ... ASN1_OBJECT;
 -typedef ... X509;
-typedef ... X509_ALGOR;
 -typedef ... X509_CRL;
 -typedef ... X509_NAME;
 -typedef ... X509_PUBKEY;
@ -364,14 +414,23 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
 -    /*  d=2 hl=2 l=  0 cons: cont: 00 */
 -    ipa_STACK_OF_X509_ATTRIBUTE *attributes; /* [ 0 ] */
 -} X509_REQ_INFO;
+-''')
 -
-typedef struct X509_req_st {
-    X509_REQ_INFO *req_info;
-    X509_ALGOR *sig_alg;
-    ASN1_BIT_STRING *signature;
-    int references;
-} X509_REQ;
+-# since OpenSSL 1.1.0 req_info field is no longer pointer to X509_REQ_INFO
+-if _openssl_version >= 0x10100000 and not LIBRESSL:
+-    _ffi.cdef('''
+-    typedef struct X509_req_st {
+-        X509_REQ_INFO req_info;
+-    } X509_REQ;
+-    ''')
+-else:
+-    _ffi.cdef('''
+-    typedef struct X509_req_st {
+-        X509_REQ_INFO *req_info;
+-    } X509_REQ;
+-    ''')
 -
+-_ffi.cdef('''
 -X509_REQ *X509_REQ_new(void);
 -void X509_REQ_free(X509_REQ *);
 -EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
@ -409,10 +468,7 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
 -char *ERR_error_string(unsigned long e, char *buf);
 -''')  # noqa: E501
 -
-_libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto'))
-
 -NULL = _ffi.NULL
-
 -# openssl/conf.h
 -NCONF_new = _libcrypto.NCONF_new
 -NCONF_free = _libcrypto.NCONF_free
@ -597,13 +653,22 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
 -                    reqdata, ext_ctx, extn_section, req):
 -                _raise_openssl_errors()
 -
-        der_len = i2d_X509_REQ_INFO(req.req_info, NULL)
+-        if _openssl_version < 0x10100000 or LIBRESSL:
+-            der_len = i2d_X509_REQ_INFO(req.req_info, NULL)
+-        else:
+-            req_info = _ffi.new("X509_REQ_INFO *", req.req_info)
+-            der_len = i2d_X509_REQ_INFO(req_info, NULL)
+-            req.req_info = req_info[0]
 -        if der_len < 0:
 -            _raise_openssl_errors()
 -
 -        der_buf = _ffi.new("unsigned char[%d]" % der_len)
 -        der_out = _ffi.new("unsigned char **", der_buf)
-        der_len = i2d_X509_REQ_INFO(req.req_info, der_out)
+-        if _openssl_version < 0x10100000 or LIBRESSL:
+-            der_len = i2d_X509_REQ_INFO(req.req_info, der_out)
+-        else:
+-            der_len = i2d_X509_REQ_INFO(req_info, der_out)
+-            req.req_info = req_info[0]
 -        if der_len < 0:
 -            _raise_openssl_errors()
 -
@ -620,9 +685,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
 -            BIO_free(pubkey_bio)
 -        if pubkey != NULL:
 -            EVP_PKEY_free(pubkey)
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen.py freeipa-4.7.90.pre1/ipaclient/csrgen.py
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen.py	2019-04-29 17:06:41.360224990 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/csrgen.py	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py
+--- freeipa-4.8.0/ipaclient/csrgen.py	2019-07-03 08:42:41.811540288 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py	1970-01-01 01:00:00.000000000 +0100
@@ -1,488 +0,0 @@
 -#
 -# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
@ -1112,9 +1177,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen.py freeipa-4.7.90.pre1/ipacl
 -
 -    def sign_csr(self, certification_request_info):
 -        raise NotImplementedError('NSS is not yet supported')
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py freeipa-4.7.90.pre1/ipaclient/plugins/cert.py
--- freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py	2019-04-29 17:06:41.645221012 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/plugins/cert.py	2019-05-06 18:31:28.384751096 +0200
+diff -urN freeipa-4.8.0/ipaclient/plugins/cert.py freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py
+--- freeipa-4.8.0/ipaclient/plugins/cert.py	2019-07-03 08:42:41.978537802 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py	2019-07-03 13:24:38.477222594 +0200
@@ -21,8 +21,6 @@
 
 import base64
@ -1222,9 +1287,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py freeipa-4.7.90.pre1
 
 @register(override=True, no_fail=True)
 class cert_show(CertRetrieveOverride):
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py.orig freeipa-4.7.90.pre1/ipaclient/plugins/cert.py.orig
--- freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py.orig	1970-01-01 01:00:00.000000000 +0100
-+++ freeipa-4.7.90.pre1/ipaclient/plugins/cert.py.orig	2019-04-29 17:06:41.645221012 +0200
+diff -urN freeipa-4.8.0/ipaclient/plugins/cert.py.orig freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py.orig
+--- freeipa-4.8.0/ipaclient/plugins/cert.py.orig	1970-01-01 01:00:00.000000000 +0100
+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py.orig	2019-07-03 13:24:38.478222573 +0200
@@ -0,0 +1,215 @@
 +# Authors:
 +#   Andrew Wnuk <awnuk@redhat.com>
@ -1441,9 +1506,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py.orig freeipa-4.7.90
 +                                            options.pop('file'))
 +
 +        return super(cert_find, self).forward(*args, **options)
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/csrgen.py freeipa-4.7.90.pre1/ipaclient/plugins/csrgen.py
--- freeipa-4.7.90.pre1.orig/ipaclient/plugins/csrgen.py	2019-04-29 17:06:41.669220677 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/plugins/csrgen.py	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipaclient/plugins/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/plugins/csrgen.py
+--- freeipa-4.8.0/ipaclient/plugins/csrgen.py	2019-07-03 08:42:41.990537623 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/csrgen.py	1970-01-01 01:00:00.000000000 +0100
@@ -1,128 +0,0 @@
 -#
 -# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
@ -1573,9 +1638,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/csrgen.py freeipa-4.7.90.pr
 -        return dict(
 -            result=result
 -        )
-diff -urN freeipa-4.7.90.pre1.orig/ipaclient/setup.py freeipa-4.7.90.pre1/ipaclient/setup.py
--- freeipa-4.7.90.pre1.orig/ipaclient/setup.py	2019-04-29 17:06:41.393224529 +0200
-+++ freeipa-4.7.90.pre1/ipaclient/setup.py	2019-05-06 18:33:16.002443738 +0200
+diff -urN freeipa-4.8.0/ipaclient/setup.py freeipa-4.8.0.removed_csrgen/ipaclient/setup.py
+--- freeipa-4.8.0/ipaclient/setup.py	2019-07-03 08:42:41.836539916 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/setup.py	2019-07-03 13:24:38.479222551 +0200
@@ -41,13 +41,6 @@
             "ipaclient.remote_plugins.2_156",
             "ipaclient.remote_plugins.2_164",
@ -1598,9 +1663,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/setup.py freeipa-4.7.90.pre1/ipacli
             "ldap": ["python-ldap"],  # ipapython.ipaldap
         },
         zip_safe=False,
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf	2019-04-29 17:06:49.265114643 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf	2019-07-03 08:42:45.972478335 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
 -[ req ]
 -prompt = no
@ -1618,9 +1683,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/conf
 -
 -[ sec2 ]
 -subjectAltName = @sec1
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf	2019-04-29 17:06:49.277114475 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf	2019-07-03 08:42:45.976478276 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
 -[ req ]
 -prompt = no
@ -1638,9 +1703,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/conf
 -
 -[ sec2 ]
 -subjectAltName = @sec1
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json	2019-04-29 17:06:49.283114391 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json	2019-07-03 08:42:45.980478216 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
 -[
 -    {
@ -1650,18 +1715,18 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/prof
 -        ]
 -    }
 -]
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json	2019-04-29 17:06:49.294114238 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json	2019-07-03 08:42:45.984478157 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,5 +0,0 @@
 -{
 -  "rule": {
 -    "template": "openssl_rule"
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/options.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/options.json	2019-04-29 17:06:49.300114154 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/options.json	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/options.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/options.json	2019-07-03 08:42:45.988478097 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/options.json	1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
 -{
 -  "rule": {
@ -1671,14 +1736,14 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rule
 -    "rule_option": true
 -  }
 -}
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl	2019-04-29 17:06:49.313113973 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
+--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl	2019-07-03 08:42:45.993478023 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
 -{{ options|join(";") }}
-diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/test_csrgen.py freeipa-4.7.90.pre1/ipatests/test_ipaclient/test_csrgen.py
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/test_csrgen.py	2019-04-29 17:06:49.251114838 +0200
-+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/test_csrgen.py	1970-01-01 01:00:00.000000000 +0100
+diff -urN freeipa-4.8.0/ipatests/test_ipaclient/test_csrgen.py freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/test_csrgen.py
+--- freeipa-4.8.0/ipatests/test_ipaclient/test_csrgen.py	2019-07-03 08:42:45.963478469 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/test_csrgen.py	1970-01-01 01:00:00.000000000 +0100
@@ -1,304 +0,0 @@
 -#
 -# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
@ -1941,7 +2006,7 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/test_csrgen.py freeip
 -
 -        with pytest.raises(
 -                errors.CSRTemplateError,
-                message='unrecognised attribute type: X'):
+-                match=r'^unrecognised attribute type: X$'):
 -            csrgen_ffi.build_requestinfo(
 -                config.encode('utf-8'), adaptor.get_subject_public_key_info())
 -
--- a/SOURCES/freeipa-4.7.90.pre1.tar.gz.asc
+++ b/SOURCES/freeipa-4.7.90.pre1.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAlzHE98ACgkQRxniuKu/
-YhrICw/8DE6jyt3bnUmzGiXdsV7q1KZUGSIC7GLpvbmewwpUVcXnplHiVCTjrNGI
-jw/jc6y9bIlvqfYNWjAmXNGXyB3AbXweaYRAEzntOHlAmFDlwMXv/D6JL0849/9/
-uRWEefIpHlw/P++WOxm+us7T9h/d6xEe1xY7vaaXVVPjRBewJqddG6ISJgWZ0DSR
-41b/kgOXEvBMOU+gsKCm1fCgKU6KcfwsFq39uSxmTfhKE/578eOUkSAracOwrP2Z
-RePKA4JKqw/Tttl26bgKAkAD8hxJhv6J1MYOSPKp7zssSKw1s1qiPbR6DdJGF/E0
-gqiJwLynZdkkMOsWqHvUK0NDT5LmDdluHBFDle+zupBy1CAE4y1fchsUh910wbRm
-LnrdtkXKUHtE+WGZianMSc1gHCB6EjipHx9iLTrcsGbjz9ziWRb6P6BLgbw2doPG
-mYQVMWBNLQi3gcAjN7IX1+dRWoam+ON/M0GMi5jSplqONBFUj5xwB8LFNV5VfIAu
-zJa0F5V0Qu5XbO7YFoihDcD1OF8fUyKtK+lGa0O/QazR37tl8m5mgYVjDErBx3F+
-ipiB40w+qA1MsJXqdOljoldTvJZCzN+kEJu8aMdQpKcIfkJjKQsrbrh0Ck3cmRHW
-vE3sApyx1p9XvoVtb6lz69B1XJu+Q+Gljlm7JSRLQ3p7GZTT7/Q=
-=5N4+
-----END PGP SIGNATURE-----
--- a/SOURCES/freeipa-4.8.4.tar.gz.asc
+++ b/SOURCES/freeipa-4.8.4.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl302dsACgkQRxniuKu/
+Yhrd0RAAvUv30O5rSlww30kxqV3oQb5CIJYSGb/jpWMAhj1Nr+1Ye1P3rCyJLP4R
+fVu23bgIywv8qkWPZdQxohkYCuiTZa8ogl3gXWJDRCp5f5oKWALzwU+Zlu8HlVj
+z8UAOFXEO1fYwvwpOPdr+gGiTS5pLq39EIBZSVjvuviXR0adwVcVvw0R2YXYmiLE
+x5uaM289YQ4hKY/V0rgqNn0nYiogFcFvSlhkM9oi4+JiKypocPqKTjM4n8EcdXv4
+rSJ6Zv6FgnyoREBITCZjKaTn8OTkhqhhzMOgMzWr8QSmNl44UKA9aq5ZIEJgEnMR
+N3vW6Br1f4TDJ3JyWeMoizQcNeTFyuoxN9HhGpvDotx+6g+j2yNfAK7ZZAtjULhm
+m13zb1svCbGtvRxB8QfIQe62l3drooimWRf5o9fgPVU0MIxgL7x7AulxrZekik6J
+NdwXiz75SKfbFZZWVdf9FjJkaBZ3CpJMJnDQiQyCs+xBWOpXYGYkz9a1NRoFgCdC
+y8bY9ErfzhLdcgjbZ3EE24FkWMBeUdW+BC4AYSChZlqUZ9CMTQIdyqPVSG/u5sc9
+2Rn1YasAfu0P3DJgRCI0BUcxkxFet5M8hfB0iuLE4OJTKnyhmmOUKmO2wUSw0QIr
+ogzzN9DF84wwXD1P4X6WFEzOOthCdLPUHyDo3u5fVIy4QWZZDlQ=
+=TTzs
+-----END PGP SIGNATURE-----
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@ -55,26 +55,28 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.16.1
+%global krb5_version 1.17-12
 %global krb5_kdb_version 7.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
-%global python_netaddr_version 0.7.16
+%global python_netaddr_version 0.7.19
 # Require 4.7.0 which brings Python 3 bindings
-%global samba_version 4.7.0
-%global selinux_policy_version 3.14.1-14
+%global samba_version 4.10.4-9
+# Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files
+%global selinux_policy_version 3.14.3-24
 %global slapi_nis_version 0.56.1-4
 %global python_ldap_version 3.1.0-1
 # python3-lib389
 # Fix for "Installation fails: Replica Busy"
 # https://pagure.io/389-ds-base/issue/49818
-%global ds_version 1.4.0.16
+# currently set to 1.4.1.3 until 389-ds rebases to 1.4.2
+%global ds_version 1.4.1.3

 %else
 # Fedora
 %global package_name freeipa
 %global alt_name ipa
 # Fix for CVE-2018-20217
-%global krb5_version 1.17
+%global krb5_version 1.17-17
 %global krb5_kdb_version 7.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
@ -101,10 +103,10 @@
 # 10.6.7 fixes UpdateNumberRange clone installation issue
 # https://pagure.io/freeipa/issue/7654 and empty token issue
 # and https://pagure.io/dogtagpki/issue/3073
-%global pki_version 10.6.8-3
+%global pki_version 10.8.0

 # https://pagure.io/certmonger/issue/90
-%global certmonger_version 0.79.7-1
+%global certmonger_version 0.79.7-3

 # NSS release with fix for p11-kit-proxy issue, affects F28
 # https://pagure.io/freeipa/issue/7810
@ -114,15 +116,9 @@
 %global nss_version 3.41.0-1
 %endif

-# There are issues currently with the sssd rebase to 2.1.0, therefore this
-# will be set to 2.0.0-43 for now.
-#global sssd_version 2.1.0-2
-%global sssd_version 2.0.0-43
+%global sssd_version 2.2.0-19

-# python3-kdcproxy 0.4.1 is not in the repository, therefore 0.4 will be
-# used for now.
-#global kdcproxy_version 0.4.1
-%global kdcproxy_version 0.4
+%global kdcproxy_version 0.4-3

 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
@ -132,16 +128,16 @@

 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.7.90.pre1
+%define IPA_VERSION 4.8.4
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
-     %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
+    %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
 %endif

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        3%{?dist}
+Release:        2%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPLv3+
@ -156,16 +152,9 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as
 # RHEL spec file only: END: Change branding to IPA and Identity Management

 # RHEL spec file only: START
-Patch0001:      0001-No-need-to-call-rhel-specific-domainname-service.patch
-
-Patch0002:      0001-revert-minssf-defaults.patch
-# https://github.com/freeipa/freeipa/pull/3104
-# Fix an error in the path the webUI uses for fontawesome
-Patch0003:      0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
-Patch0004:      0002-upgrade-adtrust-when-no-trusts.patch
-
+Patch0001:      0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
-Patch1002:      1002-4.7.90pre1-Remove-csrgen.patch
+Patch1002:      1002-4.8.0-Remove-csrgen.patch
 # RHEL spec file only: END

 # For the timestamp trick in patch application
@ -325,6 +314,7 @@ Requires: openldap-clients > 2.4.35-4
 Requires: nss >= %{nss_version}
 Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
+Requires(post): krb5-kdb-version = %{krb5_kdb_version}
 Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
@ -454,7 +444,7 @@ If you are installing an IPA server, you need to install this package.
 Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.0-2
+Requires: bind-dyndb-ldap >= 11.2-2
 Requires: bind >= 9.11.0-6.P2
 Requires: bind-utils >= 9.11.0-6.P2
 Requires: bind-pkcs11 >= 9.11.0-6.P2
@ -558,6 +548,22 @@ If your network uses IPA for authentication, this package should be
 installed on every client machine.
 This package provides command-line tools for IPA administrators.

+%package client-samba
+Summary: Tools to configure Samba on IPA client
+Group: System Environment/Base
+Requires: %{name}-client = %{version}-%{release}
+Requires: python3-samba
+Requires: samba-client
+Requires: samba-winbind
+Requires: samba-common-tools
+Requires: samba
+Requires: sssd-winbind-idmap
+Requires: tdb-tools
+Requires: cifs-utils
+
+%description client-samba
+This package provides command-line tools to deploy Samba domain member
+on the machine enrolled into a FreeIPA environment

 %package -n python3-ipaclient
 Summary: Python libraries used by IPA client
@ -1001,11 +1007,17 @@ if [ $1 -gt 1 ] ; then
            cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
            cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
        fi
+
+        %{python} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
    fi

    if [ $restore -ge 2 ]; then
        %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
    fi
+
+    if [ $restore -ge 2 ]; then
+        sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
+    fi
 fi


@ -1072,6 +1084,7 @@ fi
 %{_sbindir}/ipa-winsync-migrate
 %{_sbindir}/ipa-pkinit-manage
 %{_sbindir}/ipa-crlgen-manage
+%{_sbindir}/ipa-cert-fix
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
@ -1136,6 +1149,7 @@ fi
 %{_mandir}/man1/ipa-winsync-migrate.1*
 %{_mandir}/man1/ipa-pkinit-manage.1*
 %{_mandir}/man1/ipa-crlgen-manage.1*
+%{_mandir}/man1/ipa-cert-fix.1*


 %files -n python3-ipaserver
@ -1162,6 +1176,7 @@ fi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
+%{_usr}/share/ipa/bind.ipa-ext.conf
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
 %{_usr}/share/ipa/advise/legacy/*.template
@ -1208,6 +1223,7 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
+%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
@ -1271,6 +1287,7 @@ fi
 %{_sbindir}/ipa-join
 %{_bindir}/ipa
 %config %{_sysconfdir}/bash_completion.d
+%config %{_sysconfdir}/sysconfig/certmonger
 %{_mandir}/man1/ipa.1*
 %{_mandir}/man1/ipa-getkeytab.1*
 %{_mandir}/man1/ipa-rmkeytab.1*
@ -1279,6 +1296,11 @@ fi
 %{_mandir}/man1/ipa-certupdate.1*
 %{_mandir}/man1/ipa-join.1*

+%files client-samba
+%doc README.md Contributors.txt
+%license COPYING
+%{_sbindir}/ipa-client-samba
+%{_mandir}/man1/ipa-client-samba.1*

 %files -n python3-ipaclient
 %doc README.md Contributors.txt
@ -1370,6 +1392,113 @@ fi


 %changelog
+* Mon Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-2
+- DNS install check: Fix overlapping DNS zone from the master itself
+  Resolves: RHBZ#1784003
+
+* Sat Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-1
+- Rebase to upstream release 4.8.4
+  - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3
+  Resolves: RHBZ#1782658
+  Resolves: RHBZ#1782169
+  Resolves: RHBZ#1783046
+  Related: RHBZ#1748987
+
+* Mon Dec  2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-3
+- Fix otptoken_sync plugin
+  Resolves: RHBZ#1777811
+
+* Mon Dec  2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-2
+- Use default crypto policy for TLS and enable TLS 1.3 support
+  Resolves: RHBZ#1777809
+- Covscan fixes
+  Resolves: RHBZ#1777920
+- Change pki_version to 10.8.0
+  Related: RHBZ#1748987
+
+* Thu Nov 28 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1
+- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195)
+  Resolves: RHBZ#1767304
+  Resolves: RHBZ#1776939
+- Support KDC ticket policies for authentication indicators
+  Resolves: RHBZ#1777564
+
+* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.2-4
+- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
+  Resolves: RHBZ#1767304
+- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
+  Resolves: RHBZ#1776939
+
+* Fri Nov 22 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-3
+- Use default ssh host key algorithms
+  Resolves: RHBZ#1756432
+- Do not run trust upgrade code if master lacks Samba bindings
+  Resolves: RHBZ#1757064
+- Finish group membership management UI
+  Resolves: RHBZ#1773528
+
+* Mon Nov 18 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-2
+- Update dependency for bind-dndb-ldap to 11.2-2
+  Related: RHBZ#1762813
+
+* Thu Nov 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-1
+- Rebase to upstream release 4.8.2
+  - Removed upstream patches 0001 to 0010 that are part of version 4.8.2
+  - Updated branding patch
+  Resolves: RHBZ#1748987
+
+* Thu Aug 29 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-10
+- Fix automount behavior with authselect
+  Resolves: RHBZ#1740167
+
+* Mon Aug 19 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-9
+- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
+  Resolves: RHBZ#1741530
+
+* Thu Aug 15 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-8
+- FreeIPA 4.8.0 tarball lacks two update files that are in git
+  Resolves: RHBZ#1741170
+
+* Tue Aug 13 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-7
+- Allow insecure binds for migration
+  Resolves: RHBZ#1731963
+
+* Fri Aug  2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-6
+- Fix --external-ca-profile not passed to CSR
+  Resolves: RHBZ#1731813
+
+* Tue Jul 30 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-5
+- Remove posixAccount from service_find search filter
+  Resolves: RHBZ#1731437
+- Fix repeated uninstallation of ipa-client-samba crashes
+  Resolves: RHBZ#1732529
+- WebUI: Add PKINIT status field to 'Configuration' page
+  Resolves: RHBZ#1518153
+
+* Tue Jul 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-4
+- Fix krb5-kdb-server -> krb5-kdb-version
+  Related: RHBZ#1700121
+
+* Mon Jul 15 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-3
+- Make sure ipa-server depends on krb5-kdb-version to pick up
+  right MIT Kerberos KDB ABI
+  Related: RHBZ#1700121
+- User field separator uses '$$' within ipaSELInuxUserMapOrder
+  Fixes: RHBZ#1729099
+
+* Wed Jul  3 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-2
+- Fixed kdcproxy_version to 0.4-3
+- Fixed krb5_version to 1.17-7
+  Related: RHBZ#1684528
+
+* Wed Jul  3 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-1
+- New upstream release 4.8.0
+  - New subpackage: freeipa-client-samba
+  - Added command ipa-cert-fix with man page
+  - New sysconfdir sysconfig/certmonger
+- Updated pki_version, certmonger_version, sssd_version and kdcproxy_version
+  Related: RHBZ#1684528
+
 * Tue May 21 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90-3
 - Fix upgrade issue with AD trust when no trust yet established
  Fixes: RHBZ#1708874