- 
    Tue Aug 30 2016 Jan Cholasta <jcholast@redhat.com> - 3.0.0-50.el6.3
    - Resolves: #1369470 IPA Replica-Install from RHEL6 to RHEL7 Fails
  - Modififed NSSConnection not to shutdown existing database.
  - Do not erroneously reinit NSS in Dogtag interface
  - Make sure replication works after DM password is changed 
- 
    Mon Aug 22 2016 Jan Cholasta <jcholast@redhat.com> - 3.0.0-50.el6.2
    - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
  certificate revocation
  - cert-revoke: fix permission check bypass (CVE-2016-5404) 
- 
    Tue Apr 12 2016 Alexander Bokovoy <abokovoy@redhat.com> - 3.0.0-50.el6.1
    - Update IPA code to support Samba 4.2
- Related: #1322689 
- 
    Thu Jan 07 2016 Jan Cholasta <mbasti@redhat.com> - 3.0.0-50.el6
    - Resolves: #1225868 display browser config options that apply to the browser -
  Chrome
  - Remove ico files from Makefile
- Resolves: #1232843 ipa-client-install errors out if client and server time
  are not in sync or unreachable
  - Skip time sync during client install when using --no-ntp
- Resolves: #1288495 Add userCertificate index used in Smart Card
  authentication
  - add DS index for userCertificate attribute
- Resolves: #1293588 JavaScript error in ssbrowser.html - TypeError: Cannot
  read property 'mozilla' of undefined
  - webui: fix browser detection in browserconfig.html and ssbrowser.html
- Resolves: #1296124 Adjust Firefox configuration to new extension signing
  policy
  - webui: use manual Firefox configuration for Firefox >= 40
- Remove binary patching from patch 0140 
- 
    Tue Dec 22 2015 Martin Basti <mbasti@redhat.com> - 3.0.0-49.el6
    - Resolves: #1127211 ipa-server-install --uninstall produces avc
  - sysrestore: copy files instead of moving them to avoind SELinux issues
  - Use 'mv -Z' in specfile to restore SELinux context
- Resolves: #1222999 ipa aci plugin is not parsing aci's correctly.
  - ACI plugin: correctly parse bind rules enclosed in parentheses
- Resolves: #1225868 display browser config options that apply to the browser -
  Chrome
  - webui: add Kerberos configuration instructions for Chrome
  - Remove ico files from Makefile
  - WebUI: fix ipa_error.css
- Resolves: #1232468 The Domain option is not correctly set in idmapd.conf when
  ipa-client-automount is executed.
  - Simplify adding options in ipachangeconf
  - ipachangeconf: Add ability to preserve section case
  - ipa-client-automount: Leverage IPAChangeConf to configure the domain for
    idmapd
- Resolves: #1232899 ipa-client-install does not respect --realm option
  - Allow user to force Kerberos realm during installation.
- Resolves: #1276358 Remove /usr/share/ipa/updates/50-lockout-policy.update
  file from IPA 3.0 releases
  - Remove 50-lockout-policy.update file
- 
    Thu Nov 12 2015 Jan Cholasta <jcholast@redhat.com> - 3.0.0-48.el6
    - Resolves: #1263703 ipa-server-install with externally signed CA fails with
  NSS error (SEC_ERROR_BUSY)
  - Free NSS objects in --external-ca scenario
- Resolves: #1263262 Unable to resolve group memberships for AD users when
  using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with
  ipa-server-3.0.0-42.el6.x86_64 with AD Trust
  - Do not lookup up the domain too early if only the SID is known
  - Do not store SID string in a local buffer
  - Allow ID-to-SID mappings in the extdom plugin 
- 
    Wed May 13 2015 Petr Vobornik <pvoborni@redhat.com> - 3.0.0-47.el6
    - Resolves: #1220788 - Some IPA schema files are not RFC 4512 compliant 
- 
    Tue Apr 07 2015 Petr Vobornik <pvoborni@redhat.com> - 3.0.0-46.el6
    - Use tls version range in NSSHTTPS initialization
- Resolves: #1154687 - POODLE: force using safe ciphers (non-SSLv3) in IPA
                       client and server
- Resolves: #1012224 - host certificate not issued to client during
                       ipa-client-install
- 
    Wed Mar 25 2015 Petr Vobornik <pvoborni@redhat.com> - 3.0.0-45.el6
    - Resolves: #1205660 -  ipa-client rpm should require keyutils 
- 
    Tue Mar 24 2015 Petr Vobornik <pvoborni@redhat.com> - 3.0.0-44.el6
    - Release 3.0.0-44
- Resolves: #1201454 - ipa breaks sshd config 
- 
    Fri Feb 27 2015 Petr Vobornik <pvoborni@redhat.com> - 3.0.0-43.el6
    - Release 3.0.0-43
- Resolves: #1191040 - ipa-client-automount: failing with error LDAP server
                       returned UNWILLING_TO_PERFORM. This likely means that
                       minssf is enabled.
- Resolves: #1185207 - ipa-client dont end new line character in
                       /etc/nsswitch.conf
- Resolves: #1166241 - CVE-2010-5312 CVE-2012-6662 ipa: various flaws
- Resolves: #1161722 - IDM client registration failure in a high load
                       environment
- Resolves: #1154687 - POODLE: force using safe ciphers (non-SSLv3) in IPA
                       client and server
- Resolves: #1146870 - ipa-client-install fails with "KerbTransport instance
                       has no attribute '__conn'" traceback
- Resolves: #1132261 - ipa-client-install failing produces a traceback
                       instead of useful error message
- Resolves: #1131571 - Do not allow IdM server/replica/client installation
                       in a FIPS-140 mode
- Resolves: #1198160 - /usr/sbin/ipa-server-install --uninstall does not
                       clean /var/lib/ipa/pki-ca
- Resolves: #1198339 - ipa-client-install adds extra sss to sudoers in
                       nsswitch.conf
- Require: 389-ds-base >= 1.2.11.15-51
- Require: mod_nss >= 1.0.10
- Require: pki-ca >= 9.0.3-40
- Require: python-nss >= 0.16
- 
    Fri Jul 04 2014 Martin Kosek <mkosek@redhat.com> - 3.0.0-42.el6
    - Require 389-ds-base >= 1.2.11.15-38 to fix roken dereference control with
  the FreeIPA 4.0 ACIs (#1112698) 
- 
    Tue Jun 24 2014 Martin Kosek <mkosek@redhat.com> - 3.0.0-41.el6
    - ipasam does not support deleting multiple child trusted domains due
  to LDAP delete operation (#1110664)
- Excessive LDAP calls by ipa-sam during file operations to samba file
  share on freeipa master cause high CPU and slow performance (#1074314) 
- 
    Thu Jun 19 2014 Martin Kosek <mkosek@redhat.com> - 3.0.0-40.el6
    - Explicitly specify auth mechanism when calling ldapmodify in
  the installers (#1108661)
- Add support for DNS classless reverse domains (#1095250)
- Multiple nsDS5ReplicaId attributes created in
  cn=replication,cn=etc (#1109050)
- ipa-client-install should configure sudo automatically (#1111121) 
- 
    Fri Jun 13 2014 Martin Kosek <mkosek@redhat.com> - 3.0.0-39.el6
    - Rebuild package to fix a brew tag 
- 
    Fri Jun 13 2014 Martin Kosek <mkosek@redhat.com> - 3.0.0-38.el6
    - ipa-server-install intermittently crashed with "Unable to find
  preop.pin" (#905064)
- Disabled sudo rules were still active in the sudoers tree (#1022199)
- Replica installation fails if forward zone is not present (#1034478)
- Administrative password change did not respect user password
  policy (#1029921)
- Re-initializing a winsync connection exits with "Can't contact
  LDAP server" (#1016042)
- Server checked for unknown attributes before "ipa" tool version
  check (#1015481)
- CA subsystem certificate renewal was broken on CA clones (#1040009)
- Lockout plugin worked inconsistently compared to KDC lockout
  mechanism. Also, default user policy may not have been applied if
  krbPwdPolicyReference was missing (#1088772)
- ipa-client-automount was not backwards compatible (#1082590)
- Increase service timeout from 120s to 300s as some services are
  known to start for more than 120s (#1060639)
- Proxy calls to /ca/ee/ca/profileSubmit to PKI to enable installation
  of replicas with Dogtag 10 PKI (#1083878) 
- 
    Mon Sep 30 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-37.el6
    - group-add-member command reported wrong error on duplicates (#970541)
- ipa-client installation succeeding in ipa server instance (#1011044) 
- 
    Tue Sep 17 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-36.el6
    - ipa-join failed when doing a forced host re-enrollment (#924009) 
- 
    Mon Sep 09 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-35.el6
    - ipa-replica-manage del always exits with error (#1005448) 
- 
    Thu Sep 05 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-34.el6
    - Host and Hostgroup commands were broken after upgrade (#1001810) 
- 
    Mon Aug 05 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-33.el6
    - Fix coverity issue in AD 2012 stabilization patch fixing
  memleaks (#980409) 
- 
    Mon Aug 05 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-32.el6
    - Fix coverity issue in AD 2012 support patch and add 2 related
  stabilization patches (#980409) 
- 
    Fri Aug 02 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-31.el6
    - Require 389-ds-base >= 1.2.11.15-14 to pick up fix for CVE-2013-1897
  (#928162)
- Password policy lockout plugin does not work as expected (#907881
- Remove deprecated support of the HBAC source host (#924542)
- ipa-client-install may not obtain CA certificate (#924004)
- Allow client to re-enroll without first unenrolling (#924009)
- Enrolling a host into may take two attempts (#950014)
- Add userClass attribute for host objects (#955698)
- Inconsistent replies from FreeIPA to Netlogon ping queries (#967870)
- Performance improvement for IPA CLI and UI user and group related
  plugins (#970541)
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as
  ghost (#975431)
- Add support for AD 2012 trusted domains (#980409)
- XML-RPC server may return a wrong Content-Type (#976716)
- Add missing openssh-clients Requires to ipa-server package (#983463)
- Add an option to edit "Gecos" field from Web UI (#986211) 
- 
    Fri May 17 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-30.el6
    - LDAP upload CA cert sometimes double-encodes the value (#948928)
- wrong trust argument assigned to renewed certs in ipa cert automatic
  renew (#952241) 
- 
    Tue Mar 19 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-29.el6
    - ipa-client-install fails to autodiscover on LDAP servers with disabled
  anonymous access (#922843) 
- 
    Wed Feb 27 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-28.el6
    - ipa-adtrust-install and ipa-replica-conncheck may not parse krb5.conf
  correctly and crash (#916209) 
- 
    Wed Feb 27 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-27.el6
    - Missing LDAP schema attributeType and objectClass after upgrade (#915745) 
- 
    Thu Feb 07 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.0-26.el6
    - Significant decrease in migration performance. (#904119)
- ipa-client-install failed to fall over to replica with master down (#905626)
- During Migration - If Schema is unavailable migration fails (#906846) 
- 
    Tue Jan 29 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.0-25.el6
    - Filter generated winbind dependencies so the right version of samba
  can be installed. (#905594) 
- 
    Thu Jan 24 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.0-24.el6
    - Add certmonger condrestart to server post scriptlet (#903758)
- Make certmonger a (pre) Requires (#903758)
- Add selinux-policy to Requires(pre) to avoid post scriptlet AVCs
  (#903758)
- Set minimum version of pki-ca to 9.0.3-30 and add to Requires(pre)
  to pick up certmonger upgrade fix (#902474)
- Update anonymous access ACI to protect secret attributes (#902481) 
- 
    Mon Jan 21 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.0-23.el6
    - Installer should not connect to 127.0.0.1. (#895561)
- Don't initialize NSS if we don't have to. (#878220) 
- 
    Tue Jan 15 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-22.el6
    - Set minimum version of bind-dyndb-ldap to 2.3-2 to pick up missing DNS
  zone SOA serial fix (#894131)
- Stopped named service crashed ipa-upgradeconfig program (#895298)
- ipa-replica-prepare crashed when manipulating DNS zone without SOA
  serial (#894143)
- Use new certmonger locking to prevent NSS database corruption during
  CA subsystem renewal (#883484)
- Set minimum selinux-policy to 3.7.19-193 to allow certmonger to talk
  to dbus in an rpm scriptlet. (related #883484)
- Set minimum vresion of certmonger to 0.61-3 for new locking scheme
  (related #883484) 
- 
    Fri Jan 11 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.0-21.el6
    - Properly handle migrated uniqueMember attributes (#894090)
- ipa permission-find using valid targetgroup throws internal error (#893827)
- Fix migration of CRLs to new directory location (#893722)
- Installing IPA with a single realm component sometimes fails (#893187) 
- 
    Tue Jan 08 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.0-20.el6
    - Set maxbersize to a large value to accomondate large CRLs during replica
  installation. (#888956)
- Set minimum version of pki-ca, pki-slient and pki-setup to 9.0.3-29 to
  pick up default CA validity period of 20 years. (#891980) 
- 
    Wed Jan 02 2013 Martin Kosek <mkosek@redhat.com> - 3.0.0-19.el6
    - Client installation crashes when Kerberos SRV record is not found (#889583)
- Fix typo in patch 0048 for CVE-2012-5484 (#878220) 
- 
    Thu Dec 20 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-18.el6
    - Cookie Expires date should be locale insensitive to avoid CLI errors (#888915) 
- 
    Wed Dec 19 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-17.el6
    - ipa delegation-find --group option returns internal error (#888524)
- Add missing Requires for python-crypto replacement (#878969) 
- 
    Tue Dec 18 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-16.el6
    - sssd is not enabled on client/server install (#888124) 
- 
    Fri Dec 14 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-15.el6
    - ipa-server-install --uninstall doesn't clear certmonger dirs, which leads
  to install failing (#817080) 
- 
    Thu Dec 13 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-14.el6
    - Compliant client side session cookie behavior. CVE-2012-5631.
  (#886371) 
- 
    Wed Dec 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-13.el6
    - Use secure method to retrieve IPA CA during client enrollment.
  CVE-2012-5484 (#878220)
- Reformat patch 0044 so it works with git-am 
- 
    Tue Dec 11 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-12.el6
    - Include /var/lib/sss/pubconf/krb5.include.d/ for domain-realm mappings
  in krb5.conf (#883166)
- Set minimum selinux-policy >= 3.7.19-184 to allow domains that can read
  sssd_public_t files to also list the directory (#881413)
- Remove dist label from changelog entries.
- Fix timestamp on patched files to avoid multilib warnings 
- 
    Thu Dec 06 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-11.el6
    - Set Requires on httpd 2.2.15-24, mod_nss to 1.0.8-18 and patch to
  check for existing mod_ssl configuration. These versions allow mod_proxy
  to simultaneously support SSL servers using mod_ssl and mod_proxy (#761574)
- IPA WebUI login for AD Trusted User fails (#875261)
- Add 'disable_last_success' and 'disable_lockout' to the ipa_lockout
  plugin (#824488) 
- 
    Tue Dec 04 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-10.el6
    - Make default group type POSIX in ui (#880655)
- Write replacement for python-crypto (#878969)
- ipa trust-add prints misleading information about required DNS setting
  (#878485)
- Lookup user SIDs in external groups (#878480)
- Special case NFS related ticket to avoid attaching MS-PACs (#878462)
- IPA users are not available after ipa-server-install because sssd not running
  (#878288)
- Incorrect error message when time difference between AD and IPA is too great
  (#877434)
- Missing option to add SSH Public Key in Web UI after upgrade (#877324) 
- 
    Mon Nov 26 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-9.el6
    - Update minimum BR and Requires of sssd to 1.9.2-25 (related #870278,
  related #871160, related #878262)
- Replication agreement tools report errors with new single instance CA database
  (#878491)
- If time is moved back on the IPA server, ipasam does not invalidate the
  existing ticket (#866576) 
- 
    Fri Nov 09 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-8.el6
    - Server installation fails to find A/AAAA record for IPA hostname (#874935)
- Out of range error when listing RUV on host with no agreements (#873726)
- Tighten dependency on krb5-server to limit to 1.10 (#872707)
- Default SELinuxusermaporder needs to mapped with default selinux users list
  (#870053)
- Clarify trust-add help regarding multiple runs against the same domain
  (#869741)
- Improve reliabilityof RA renewal script (#869663)
- Add option to disable DNS forwarding by zone (#869658)
- Update minimum version of bind-dyndb-ldap to 2.3-1 (#869658)
- Improve information on passsync user in man page, command help (#869656)
- Resolve external members from trusted domain via Global Catalog (#869616)
- Process relative nameserver DNS record correctly (#868956)
- ipa-adtrust-install does not reset all information when re-run (#867447)
- Fix potential memory leak in KDB backend (#811989) 
- 
    Mon Oct 29 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-7.el6
    - Fix type conversion of integers when doing modifications (#870446)
- Set SECURE_NFS to lowercase yes rather than uppercase (#869654)
- Add autofs service to sssd.conf before enabling it (#869649)
- Add strict Requires for policycoreutils to avoid user removing them
  during package lifetime (#869281)
- Make internal rename_s() call compatible with python-ldap-2.3.10 (#867902)
- Update minimum version of bind-dyndb-ldap to 2.2-1.el6 (related #871583)
- Restart httpd after running ipa-adtrust-install (#866966) 
- 
    Wed Oct 24 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-6.el6
    - Add patch to override xmlrpc request method for session (#786199)
- Bad link to Web UI config page after session is expired (#869279)
- extdom plugin does not handle Posix UID and GID request (#867676)
- ipa-server-install --setup-dns always installs reverse zone (#866978)
- Inform user when ipa-upgradeconfig reports errors (#866977)
- Certificate request fails when CSR has subjectAltnames (#866955)
- ipa-adtrust-install checks for /usr/bin/smbpasswd, which is not
  required (#866572)
- Instructions to uninstall are unclear (#856294)
- Inconsistent service naming in ipa-server-install (#856292)
- Improve instructions to generate certificate in Web UI (#856282)
- /etc/ipa/default.conf is out of date (#855855)
- Time synchronization is disabled in ipa-client-install (#854325)
- ipa-replica-install httpd restart sometimes fails (#845405)
- Improve error messages during ipa-replica-manage del (#835632)
- Always log errors from dogtag (#813401) 
- 
    Mon Oct 15 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-5.el6
    - Update to upstream 3.0.0 GA release (#827602)
- Add zip dependency, needed for creating unsigned Firefox extensions
- Filter generated winbind dependencies so the right version of samba
  can be installed.
- Remove patch to support python-ldap 2.3.10. Fixed upstream.
- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca (#864533)
- Add zip dependency, needed for creating unsigned Firefox extensions 
- 
    Wed Oct 10 2012 Alexander Bokovoy <abokovoy@redhat.com> - 3.0.0-4.el6
    - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
  plugin to /dev/null since they cannot be used when trusts are configured
  (related #864889)
- Update BR and Requires of samba4 to 4.0.0-31 to pick up winbind_krb5_locator
  alternatives change. (related #864889) 
- 
    Fri Oct 05 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-3.el6
    - Update to upstream 3.0.0.rc2 release (#827602)
- Provide new Firefox extension.
- Own /etc/ipa/ca.crt 
- 
    Tue Sep 25 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-2.el6
    - Remove Requires on krb5-pkinit-openssl as part of disabling pkinit code.
- Add missing subdirectories in site-packages/ipaserver discovered by
  rpmdiff. (#827602) 
- 
    Mon Sep 24 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-1.el6
    - Update to upstream 3.0.0.rc1 release (#827602)
- Update BR and Requires of 389-ds-base to 1.2.11.14
- Update BR and Requires of krb5 to 1.10
- Update BR and Requires of samba4 to 4.0.0-24
- Update BR and Requires of sssd to 1.9.0
- Update Requires on policycoreutils to 2.0.83-19.24
- Update Requires on httpd to httpd-2.2.15-17 to pick up #787247
- Update minimum version of bind-dyndb-ldap to 1.1.0-0.9.b1.el6_3.1
- Update minimum version of bind to 9.8.2-0.10.rc1.el6_3.2
- Sync upstream spec file Requires
- Add patch to support python-ldap 2.3.10 
- 
    Fri May 25 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-16.el6
    - SSH Tech Preview feature enabled by default (#825321) 
- 
    Tue May 22 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-15.el6
    - Test for locked users before incrementing failed login counter (#822429) 
- 
    Tue May 15 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-14.el6
    - Fix host page to display all data when DNS is not configured (#818868) 
- 
    Tue May 08 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-13.el6
    - Make ipa 2.2 client capable of joining an older server (#817867) 
- 
    Mon Apr 30 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-12.el6
    - Remove patch 0042 and add revert patch for handling which attributes are
  allowed in a permission. (#783502)
- ipa-client-install sets "KerberosAuthenticate yes" in sshd.conf, breaking
  SSSD auth (#817030)
- pwpolicy_find does not sort by priority in UI (#815799)
- Improve zonemgr validation (#745705) 
- 
    Mon Apr 23 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-11.el6
    - Make new DNS permission mixed-case (#807361)
- hbactest returns failure when hostgroups are chained (#801769)
- Man Page : Document client IP addressing / FQDN requirements (#768257)
- Login failed attempts counter or locked out status are not displayed (#759501)
- Wrong title and icon in login and logout pages (#814752) 
- 
    Wed Apr 18 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-10.el6
    - Don't interactively prompt for dnsrecord options provided on the
  command-line options (#790295)
- Validate external hosts added to netgroups (#797256)
- Handle invalid RDN for container in migration (#804807)
- Unable to use permission-mod to rename permission object (#805478)
- Migration: don't append basedn to container if it is included (#807371)
- Raise correct exception when LDAP limits are exceeded (#808042)
- Notify user that password needs to be reset in forms-based login (#811296)
- DNS Resource records: add & delete A & AAAA record does not work in root
  (#811744)
- user-mod --rename with an empty string fails (#811748)
- DNS CNAME record: delete sometimes does not work (#811758)
- Delegation UI does not allow to specify permission (#812110)
- IPA uninstall after upgrade returns some sysrestore.state errors (#812391)
- Improve migration plugin error when 2 groups have identical GID (#813389) 
- 
    Tue Apr 10 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-9.el6
    - Fix password policy history enforcement (#810900)
- Privilege page should not have choice to list permissions by "indirect
  membership" (#810350)
- ipa-server-install fails when domain name is not resolvable (#809190)
- Identity->DNS->Settings:Forward policy: change check box to radio buttons
  (#808620)
- When adding permissions for a type, attributes that are not allowed are
  listed (#807755)
- user-mod --rename is successful for more than max login characters
  (#807417)
- Can't specify netgroup host, user category to all in Web UI (#807366)
- Permission names cannot contains '<' or '>' (#807304)
- ipa-server-install --uninstall errors out when trying to start dirsrv.
  (#801376)
- Should not be allowed to run host-disable on an IPA Server or
  service-disable on an IPA Server service  (#800119)
- permission with filter or subtree does not allow attr to be specified
  (#783536)
- Netgroups compat plugin not reporting users correctly (#767372)
- certmonger renews server certificates ok but those services need a restart
  (related #766167)
- Set minimum vresion of certmonger to 0.56 (related #766167)
- Set minimum version of slapi-nis to 0.40 (#767372)
- Unable to disable or enable hbacrule with --setattr (#810948)
- When adding a user with --noprivate option gidNumber should be required
  (#805546)
- Fix error when no value is given in --revocation-reason optional argument
  with "ipa cert-revoke" (#808099)
- Set minimum version of bind-dyndb-ldap to 1.1.0-0.5.b1 (related #805814) 
- 
    Wed Apr 04 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-8.el6
    - Fix ambiguous error msg in automount indirect map creation (#790131)
- Invalid error message attempting to delete config attributes (#791373)
- Enforce single-value attributes (#794746)
- config-mod allowed to add additional certificate subjects bases (#794750)
- Embedded carriage returns in a CSV not handled (#797569)
- WebUI displays "Insufficient access: invalid credentials" when a password
  doesn't meet policy requirements (#802786)
- Tech Preview: SELinux User Mapping (#803821)
- Tech Preview: Add support for central management of the SSH keys (#803822)
- Password Policy Failure Interval Reset is not working. (#804096)
- Set SELinux booleans properly (#806330)
- DNS records in LDAP are publicly accessible (#807361)
- Upgrading replication agreements without nsDS5ReplicatedAttributeList fails
  (#808201)
- IPA Upgrade Web UI failure with internal server error (#809262)
- Do not create private groups for migrated users (#809560) 
- 
    Wed Mar 28 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-7.el6
    - Remove version requirement from BuildRequires on sssd. (related #736865) 
- 
    Wed Mar 28 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-6.el6
    - Set minimum version of 389-ds-base to 1.2.10.2-4 (related #803930)
- Only split CSV on client (#797565)
- Search allowed attributes in superior objectclasses (#783502)
- Fix precallback validators in DNS plugin (#804562)
- Fix memleak in KDB backend (#800363)
- Harden raw record processing in DNS plugin (#804572)
- Fix attributes that contain DNs when migrating (#804609)
- Wait for child process to terminate after receiving SIGINT (#754635)
- Avoid deleting DNS zone when a context is reused (#801380)
- Fix default SOA serial format (#805427)
- Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.
  (#803836)
- Amend permissions for new DNS attributes (related #766073)
- Improve user awareness about dnsconfig (#802864)
- Fix uses of O=REALM instead of the configured certificate subject base.
  (#802912)
- Fix dnsrecord-del interactive mode (#807230)
- Add requires on python-krbV to client subpackage (#807362)
- Tolerate UDP port failures in conncheck (#802860)
- Netgroup nisdomain and hosts validation (#797256)
- Remove Conflicts on mod_ssl (#804605)
- Set minimum version of pki-ca, pki-slient and pki-setup to 9.0.3-24.
  Change location of TOMCAT_LOG to match tomcat6 changes (related #802396)
- Add python-lxml, python-pyasn1 and sssd to BuildRequires
- Set minimum selinux-policy >= 3.7.19-142 to pick up certmonger_t type
  (related #790967)
- netgroup-add and netgroup-mod --nisdomain should not allow commas (#797237) 
- 
    Wed Mar 21 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-5.el6
    - Set minimum version of pki-ca, pki-silent and pki-setup to 9.0.3-23.
  Either we shell escape or dogtag does, we can't both do it. (#802832)
- Set dbdir in request context after a connection is created (#804128)
- Don't overwrite content by an error message (#803050)
- Don't allow IPA master hosts/services to be disabled (#800119)
- Don't error out on empty option (#798792)
- Populate gidnumber in entries added via winsync (#798352)
- Set subjectKeyIdentifier in SSL certs that IPA issues (#797274)
- Fix escaping and comma-separated value handling (#769491)
- Display certificate serial numbers in both hex and deciaml (#746060)
- Use attribute name/option name when returning errors (#718015)
- DNS forwarder's value can consist of IP address and part (#766073)
- Store DNS global options in LDAP (#766073)
- Move extension.js to subdirectory to suppress rpm warning 
- 
    Wed Mar 14 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-4.el6
    - Allow removing sudo commands with special characters (#800537)
- Ignore case in yes/no prompts when deleting DNS records (#800483)
- Refresh resolvers after DNS server configuration (#799335)
- Fix nsslapd-anonlimitsdn in cn=config (#798361)
- Handle more exceptions gracefully in ipa-client-install (#797567)
- Fixed checkbox value in table without pkey (#791324)
- Fix exception when removing all values from configuration (#782974)
- Set httpd_manage_ipa SELinux boolean
- Fix mask validator in network validator (#802848)
- Don't shell escape arguments sent to pkisilent (#802832)
- Reorder patches so those that disable unsupported features are applied last
- Rebase disable persistent search patch 
- 
    Mon Mar 05 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-3.el6
    - Rebase to upstream 2.1.90.rc1 release (#736865)
- Remove dependency on krb5-server-ldap, we use our own backend now (#797564)
- Set minimum mod_auth_kerb to 5.4-8 for S4U2Proxy support (related #767741)
- Set minimum selinux-policy >= 3.7.19-137 to pick up ipa_memcache boolean
- Set minimum python-memcached >= 1.43-6 to pick up status check fix
- Set minimum version of 389-ds-base to 1.2.10.1-1
- Set minimum version of krb5-server to 1.9-27
- Set minimum version of sssd to 1.8.0-11 (#766068)
- Add Requires: oddjob-mkhomedir to ipa-client (#786223)
- Remove Requires on krb5-server-ldap (#797564)
- Add Conflicts on mod_ssl (#761574)
- Remove BuildRequires on python-rhsm
- Renumber all patches
- Don't remove dirsrv user on uninstall (#797566)
- Don't allow host-del on active replicas (#797563)
- Fix invalid hostnames when hostname contains trailing dot (#797562)
- encode Bool attributes used in setattr/addattr/delattr (#797561)
- Migration plugin raises Internal Server Error (#796401)
- man page for ipa-replica-manage has typos in examples (#796347)
- Can not add new user objectclass to ipa configuration (#794474)
- Don't require SELinux to be enabled on client (#790513)
- dnsrecord-add does not validate the record names with space in between (#790318)
- Prompt for missing DNS options (#790295)
- Resource Record type options should be more descriptive (#790017)
- Correction in error message while deleting a invalid record (#789987)
- Adding some of the RR type from the "allowed values" results in an error message (#789980)
- IP address with just 3 octets are accepted as valid addresses (#789919)
- Errors not reported correctly when logging into WebUI (#789459)
- Need option for ipa-client-install to not call authconfig (#789413)
- IPA nested netgroups not seen from ypcat (#788625)
- gid number: 0 and negative number accepted (#786240)
- Allow basedn to be passed into migrate-ds (#786185)
- permission with filter or subtree does not allow attr to be specified (#783536)
- ipa permission-add does not fail if using invalid attribute (#783502)
- When migrating warn user if compat is enabled (#783270)
- Make ipausers a non-posix group on new installs (#773488)
- Need tool to update exclusive list in replication agreements (#772359)
- Reverse DNS rec not created upon creation of fwd DNS rec (#772301)
- Adding a netgroup with a "+" causes ns-slapd to crash (#772043)
- Man Page : Document client IP addressing / FQDN requirements (#768257)
- GSS-TSIG DNS updates should update reverse entries as well (#767725)
- UI for SELinux user mapping (tech preview)
- Allow forms based kerberos authentication (#766070)
- Add support for central management of the SSH keys (tech preview)
- Login failed attempts counter or locked out status are not displayed (#759501)
- Better message for error diagnosis while adding an existing winsync agreement (#755450)
- "force-sync, re-initialize and del" options for ipa-replica-manage fail against AD (#754973)
- Connect after del using ipa-replica-manage fails (#754539)
- Unable to delete migrated groups containing spaces (#753966)
- support bind forward zones, aka DNS conditional forwarding (#753483)
- IPA needs a check to ensure hostnames 'underscore' is not allowed when installing a replica (#752874)
- Unable to select dns zone when only one exists in UI (#751529)
- ipa-replica-conncheck does does not properly check UDP ports (#751063)
- Adding loc records to a ipa-dns server breaks name resolution for some other records (#750947)
- Allow specifying query and transfer policy settings for a zone (#701677) 
- 
    Fri Feb 17 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-2.el6
    - Add missing changelog information caught by rpmdiff. 
- 
    Fri Feb 17 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-1.el6
    - Update to upstream 2.1.90.pre2 release (#736865) 
- 
    Mon Nov 07 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-9.el6
    - Add current password prompt when changing own password in web UI (#751179)
- Remove extraneous trailing ' from netgroup patch (#749352) 
- 
    Tue Nov 01 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-8.el6
    - Updated patch for CVE-2011-3636 to include CR in the HTTP headers.
  xmlrpc-c in RHEL-6 doesn't suppose the dont_advertise option so that is
  not set any more. Another fake header, X-Original-User_Agent, is added
  so there is no more trailing junk after the Referer header.  (#749870) 
- 
    Mon Oct 31 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-7.el6
    - Require an HTTP Referer header to address CSRF attackes. CVE-2011-3636.
  (#749870) 
- 
    Fri Oct 28 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-6.el6
    - Users not showing up in nis netgroup triple (#749352) 
- 
    Tue Oct 25 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-5.el6
    - Add update file to remove entitlement roles, privileges and
  permissions (#739060) 
- 
    Tue Oct 25 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-4.el6
    - Quote worker option in krb5kdc (#748754) 
- 
    Fri Oct 21 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-3.el6
    - hbactest fails while you have svcgroup in hbacrule (#746227)
- Add Kerberos domain mapping for system hostname (#747443)
- Format certificates as PEM in browser (#701325) 
- 
    Tue Oct 18 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-2.el6
    - ipa-client-install hangs if the discovered server is unresponsive (#745392)
- Fix minor problems in help system (#747028)
- Remove help fix from Disable automember patch (#746717)
- Update minimum version of sssd to 1.5.1-60 to pick up SELinux fix (#746265) 
- 
    Mon Oct 17 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-1.el6
    - Update to upstream 2.1.3 release (#736170)
- Additional branding (#742264)
- Disable automember cli (#746717)
- ipa-client-install sometimes fails to start sssd properly (#736954)
- ipa-client-install adds duplicate information to krb5.conf (#714597)
- ipa-client-install should configure hostname (#714919)
- inconsistency in enabling "delete" buttons (#730751)
- hbactest does not resolve canonical names during simulation (#740850)
- Default DNS Administration Role - Permissions missing (#742327)
- named fails to start after installing ipa server when short (#742875)
- Duplicate hostgroup and netgroup should not be allowed (#743253)
- named fails to start (#743680)
- Global password policy should not be able to be deleted (#744074)
- Client install fails when anonymous bind is disabled (#744101)
- Internal Server Error adding invalid reverse DNS zone (#744234)
- ipa hbactest does not evaluate indirect members from groups. (#744410)
- Leaks KDC password and master password via command line arguments (#744422)
- Traceback when upgrading from ipa-server-2.1.1-1 (#744798)
- IPA User's Primary GID is not being set to their UPG's GID (#745552)
- --forwarder option of ipa-dns-install allows invalid IP addr (#745698)
- UI does not grant access based on roles (#745957)
- Unable to add external user for RunAs User for Sudo (#746056)
- Typo in error message while adding invalid ptr record. (#746199)
- Don't use python 2.7-only syntax (#746229)
- Error when using ipa-client-install with --no-sssd option (#746276)
- Installation fails if sssd.conf exists and is already config (#746298)
- External hosts are not removed properly from sudorule (#709665)
- Competely remove entitlement support (#739060)
- Add winsync section to ipa-replica-manage man page (#744306) 
- 
    Fri Oct 07 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.2-2.el6
    - Remove python-rhsm as a Requires (#739060) 
- 
    Fri Oct 07 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.2-1.el6
    - Update to upstream 2.1.2 release (#736170)
- More completely disable entitlement support (#739060)
- Drop patch to ignore return value from restorecon (upstreamed)
- Set min version of 389-ds-base to 1.2.9.12-2
- Set min version of dogtag to 9.0.3-20
- Rebased hide-pkinit, ipa-RHEL-index and remove-persistent-search
  patches (#700586) 
- 
    Tue Sep 20 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.1-4.el6
    - Update RHEL patch (#740094) 
- 
    Tue Sep 20 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.1-3.el6
    - Ignore return value from restorecon (#739604)
- Disable entitlement support (#739060, #739061) 
- 
    Fri Sep 16 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.1-2.el6
    - Update minimum xmlrpc-c version (#736787)
- Fix package installation order causing SELinux problems (#737516) 
- 
    Thu Sep 01 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.1-1.el6
    - Update to upstream 2.1.1 release (#732803) 
- 
    Mon Aug 15 2011 John Dennis <jdennis@redhat.com> - 2.1.0-1.el6
    - Resolves: rhbz#708388 - Update to upstream 2.1.0 release 
- 
    Tue May 31 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-25
    - Remove client debug logging patch (#705800) 
- 
    Wed May 25 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-24
    - Wait for 389-ds tasks to complete (#698421)
- Set replica to restart ipa on boot (#705794)
- Improve client debug logging (#705800)
- Managed Entries not configured on replicas (#703869)
- Don't create bogus aRecord when creating new zone (#704012) 
- 
    Wed Apr 20 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-23
    - Update ipa-Fix-traceback-in-nis-manage.patch to fix python error (#697583) 
- 
    Tue Apr 19 2011 Stephen Gallagher <sgallagh@redhat.com> - 2.0.0-22
    - Resolves: rhbz#697583 - Can not enable ipa-nis-manage plugin 
- 
    Thu Apr 14 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-21
    - Default groups are missing ipaUniqueID attribute (#696508) 
- 
    Tue Apr 05 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-20
    - Set min version of 389-ds-base to 1.2.8.0-1 for fix in BZ 693466.
- Fix some problems in IPA schema (#692978)
- postalCode should be a string not an integer (#692945) 
- 
    Wed Mar 30 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-19
    - Port 7390 is managed by selinux-policy-3.7.19-80. Update
  ipa-repl_selinux.patch to not manage it any more. (#691883)
- Patch to fix setting gidnumber when a user is created. (#692168) 
- 
    Mon Mar 28 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-18
    - Fix uninitialized variable in password plugin (#690595) 
- 
    Wed Mar 23 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-17
    - Wait for Directory Service ports to open (#688934)
- Mixed case hostname can cause issues and confusion (#688622)
- Wrong timeout parameter in ipapython (#684273)
- Run ipa-ldap-updater on upgrades (#688931)
- Internal Error and trace back when adding DNS AAAA record (#689452) 
- 
    Tue Mar 15 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-16
    - Use realm provided by installer in LDAP Updater (#684744)
- Use args for domain and server when doing DNS discovery in client (#684780)
- Fix 2 SELinux issues in dogtag replication (#684269) 
- 
    Mon Mar 14 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-15
    - Add Obsoletes so upgrade from ipa-client package is possible (#684931) 
- 
    Thu Mar 10 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-14
    - Update to upstream 2.0.0rc3 (#680993)
- Set minimum version of sssd to 1.5.1-12
- Remove SuitespotGroup patch
- Rebase remove-pkinit patch 
- 
    Thu Feb 24 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-13
    - Set the SuitespotGroup directive in the 389-ds installation template.
  This ensures group read/write to /var/run/dirsrv. (#680201)
- Make single line out of python sitelib/sitearch code. 
- 
    Wed Feb 23 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-12
    - Update to upstream 2.0.0rc2 (#675282)
- Set minimum version of sssd to 1.5.1-10
- Set minimum version of python-nss to 0.11
- Set minimum version of 389-ds to 1.2.8
- Add bind-utils as Requires in client subpackage
- Remove unused BuildRequires e2fsprogs-devel and libcap-devel
- Add branding patch
- Add default.conf man page
- Upstream moved some utilites from the admintools subpackage, reflect that
  here as well. 
- 
    Fri Feb 11 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-11
    - Add pyOpenSSL to BuildRequires. (#670954) 
- 
    Mon Feb 07 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-10
    - ExcludeArch doesn't do per-package exclusions, use ifarch to force
  ONLY_CLIENT on non-supported architectures. (#670954)
- Manually install ipa-admintools since the upstream client-install
  target doesn't.
- Move a lot of the BuildRequires out of the ! ONLY_CLIENT conditional
  because the API validator in the upstream code requires them. 
- 
    Mon Feb 07 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-9
    - Exclude building server and server-selinux on ppc, ppc64, s390 and s390x
  platforms. (#670954)
- Add date variable to the release to make daily builds easier. 
- 
    Tue Feb 01 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-8
    - Merge in changes from FreeIPA beta 2 (#670954)
- Add patches to disable pkinit 
- 
    Thu Jan 27 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-7
    - Set minimum version of dogtag to 9.0.0 and add Requires for
  the theme we need. (#658275)
- Remove unnecessary moving of v1 CA serial number file in post script
- Move some man pages into admintools subpackage 
- 
    Mon Jan 24 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-6
    - Drop specific Requires on libcurl and krb5-libs (#658275) 
- 
    Wed Jan 19 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-5
    - Consistent usage of buildroot vs RPM_BUILD_ROOT (#658275) 
- 
    Mon Jan 17 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-4
    - Drop Requires on nss-ldap (#658275) 
- 
    Thu Jan 13 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-3
    - Temporarily disable building on s390 
- 
    Thu Jan 13 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-2
    - Drop optional radius package, the underlying code isn't there
- Re-arrange the doc lines so that defattr is first (#658275) 
- 
    Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-1
    - Initial 2.0.0 build (#658275)
- This is IPA v2.0.0 beta 1 plus all patches through git commit
  4da9228fb2ac34adab8eb1884ae414236adb84fa
- Removed some Fedora conditionals 
- 
    Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-36
    - Drop BuildRequires on mozldap-devel 
- 
    Mon Dec 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-35
    - Add Requires on krb5-pkinit-openssl 
- 
    Fri Dec 10 2010 Jr Aquino <jr.aquino@citrix.com> - 1.99-34
    - Add ipa-host-net-manage script 
- 
    Tue Dec 07 2010 Simo Sorce <ssorce@redhat.com> - 1.99-33
    - Add ipa init script 
- 
    Fri Nov 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-32
    - Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin 
- 
    Wed Nov 03 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-31
    - remove ipa-fix-CVE-2008-3274 
- 
    Wed Oct 06 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-30
    - Remove duplicate %files entries on share/ipa/static
- Add python default encoding shared library 
- 
    Mon Sep 20 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-29
    - Drop requires on python-configobj (not used any more)
- Drop ipa-ldap-updater message, upgrades are done differently now 
- 
    Wed Sep 08 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-28
    - Drop conflicts on mod_nss
- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847)
- Drop a slew of conditionals on older Fedora releases (< 12)
- Add a few conditionals against RHEL 6
- Add Requires of nss-tools on ipa-client 
- 
    Fri Aug 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-27
    - Set minimum version of certmonger to 0.26 (to pck up #621670)
- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
- Set minimum version of pki-ca to 1.3.6
- Set minimum version of sssd to 1.2.1 
- 
    Tue Aug 10 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-26
    - Add BuildRequires for authconfig 
- 
    Mon Jul 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-25
    - Bump up minimum version of python-nss to pick up nss_is_initialize() API 
- 
    Thu Jun 24 2010 Adam Young <ayoung@redhat.com> - 1.99-24
    - Removed python-asset based webui 
- 
    Thu Jun 24 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-23
    - Change Requires from fedora-ds-base to 389-ds-base
- Set minimum level of 389-ds-base to 1.2.6 for the replication
  version plugin. 
- 
    Tue Jun 01 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-22
    - Drop Requires of python-krbV on ipa-client 
- 
    Mon May 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-21
    - Load ipa_dogtag.pp in post install 
- 
    Mon Apr 26 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-20
    - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. 
- 
    Thu Mar 04 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-19
    - No need to create /var/log/ipa_error.log since we aren't using
  TurboGears any more. 
- 
    Mon Mar 01 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-18
    - Fixed share/ipa/wsgi.py so .pyc, .pyo files are included 
- 
    Wed Feb 24 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-17
    - Added Require mod_wsgi, added share/ipa/wsgi.py 
- 
    Thu Feb 11 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-16
    - Require python-wehjit >= 0.2.2 
- 
    Wed Feb 03 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-15
    - Add sssd and certmonger as a Requires on ipa-client 
- 
    Wed Jan 27 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-14
    - Require python-wehjit >= 0.2.0 
- 
    Fri Dec 04 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-13
    - Add ipa-rmkeytab tool 
- 
    Tue Dec 01 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-12
    - Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1
  Any type 
- 
    Wed Nov 25 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-11
    - Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf 
- 
    Fri Nov 13 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-10
    - Add bash completion script and own /etc/bash_completion.d in case it
  doesn't already exist 
- 
    Tue Nov 03 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9
    - Remove ipa_webgui, its functions rolled into ipa_httpd 
- 
    Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
    - Removed python-cherrypy from BuildRequires and Requires
- Added Requires python-assets, python-wehjit 
- 
    Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
    - Added httpd SELinux policy so CRLs can be read 
- 
    Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
    - Move ipalib to ipa-python subpackage
- Bump minimum version of slapi-nis to 0.15 
- 
    Wed May 06 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-5
    - Set 0.14 as minimum version for slapi-nis 
- 
    Wed Apr 22 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-4
    - Add Requires: python-nss to ipa-python sub-package 
- 
    Thu Mar 05 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-3
    - Remove the IPA DNA plugin, use the DS one 
- 
    Wed Mar 04 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-2
    - Build radius separately
- Fix a few minor issues 
- 
    Tue Feb 03 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-1
    - Replace TurboGears requirement with python-cherrypy 
- 
    Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.1-3
    - rebuild with new openssl 
- 
    Fri Dec 19 2008 Dan Walsh <dwalsh@redhat.com> - 1.2.1-2
    - Fix SELinux code 
- 
    Mon Dec 15 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-1
    - Fix breakage caused by python-kerberos update to 1.1 
- 
    Fri Dec 05 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-0
    - New upstream release 1.2.1 
- 
    Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 1.2.0-4
    - Rebuild for Python 2.6 
- 
    Fri Nov 14 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-3
    - Respin after the tarball has been re-released upstream
  New hash is 506c9c92dcaf9f227cba5030e999f177 
- 
    Thu Nov 13 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-2
    - Conditionally restart also dirsrv and httpd when upgrading 
- 
    Wed Oct 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.2.0-1
    - Update to upstream version 1.2.0
- Set fedora-ds-base minimum version to 1.1.3 for winsync header
- Set the minimum version for SELinux policy
- Remove references to Fedora 7 
- 
    Wed Jul 23 2008 Simo Sorce <ssorce@redhat.com> - 1.1.0-3
    - Fix for CVE-2008-3274
- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface
- Add fix for bug #453185
- Rebuild against openldap libraries, mozldap ones do not work properly
- TurboGears is currently broken in rawhide. Added patch to not build
  the UI locales and removed them from the ipa-server files section. 
- 
    Wed Jun 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-2
    - Add call to /usr/sbin/upgradeconfig to post install 
- 
    Wed Jun 11 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-1
    - Update to upstream version 1.1.0
- Patch for indexing memberof attribute
- Patch for indexing uidnumber and gidnumber
- Patch to change DNA default values for replicas
- Patch to fix uninitialized variable in ipa-getkeytab 
- 
    Fri May 16 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-5
    - Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum
  version to 1.0.7-4 so we pick up the NSS fixes.
- Add selinux-policy-base(post) to Requires (446496) 
- 
    Tue Apr 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-4
    - Add missing entry for /var/cache/ipa/kpasswd (444624)
- Added patch to fix permissions problems with the Apache NSS database.
- Added patch to fix problem with DNS querying where the query could be
  returned as the answer.
- Fix spec error where patch1 was in the wrong section 
- 
    Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-3
    - Added patch to fix problem reported by ldapmodify 
- 
    Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-2
    - Fix Requires for krb5-server that was missing for Fedora versions > 9
- Remove quotes around test for fedora version to package egg-info 
- 
    Fri Apr 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
    - Update to upstream version 1.0.0 
- 
    Tue Mar 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-12
    - Pull upstream changelog 722
- Add Conflicts mod_ssl (435360) 
- 
    Fri Feb 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-11
    - Pull upstream changelog 698
- Fix ownership of /var/log/ipa_error.log during install (435119)
- Add pwpolicy command and man page 
- 
    Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-10
    - Pull upstream changelog 678
- Add new subpackage, ipa-server-selinux
- Add Requires: authconfig to ipa-python (bz #433747)
- Package i18n files 
- 
    Mon Feb 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-9
    - Pull upstream changelog 641
- Require minimum version of krb5-server on F-7 and F-8
- Package some new files 
- 
    Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> 0.99-8
    - Marked with wrong license. IPA is GPLv2. 
- 
    Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-7
    - Ensure that /etc/ipa exists before moving user-modifiable html files there
- Put html files into /etc/ipa/html instead of /etc/ipa 
- 
    Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-6
    - Pull upstream changelog 608 which renamed several files 
- 
    Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-5
    - package the sessions dir /var/cache/ipa/sessions
- Pull upstream changelog 597 
- 
    Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-4
    - Updated upstream pull (596) to fix bug in ipa_webgui that was causing the
  UI to not start. 
- 
    Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-3
    - Included LICENSE and README in all packages for documentation
- Move user-modifiable content to /etc/ipa and linked back to
  /usr/share/ipa/html
- Changed some references to /usr to the {_usr} macro and /etc
  to {_sysconfdir}
- Added popt-devel to BuildRequires for Fedora 8 and higher and
  popt for Fedora 7
- Package the egg-info for Fedora 9 and higher for ipa-python
- 
    Tue Jan 22 2008 Rob Crittenden <rcritten@redhat.com> 0.99-2
    - Added auto* BuildRequires 
- 
    Mon Jan 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-1
    - Unified spec file 
- 
    Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
    - Fixed License in specfile
- Include files from /usr/lib/python*/site-packages/ipaserver 
- 
    Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
    - Version bump for release 
- 
    Wed Nov 21 2007 Karl MacMillan <kmacmill@mentalrootkit.com> - 0.5.0-1
    - Preverse mode on ipa-keytab-util
- Version bump for relase and rpm name change 
- 
    Thu Nov 15 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.1-2
    - Broke invididual Requires and BuildRequires onto separate lines and
  reordered them
- Added python-tgexpandingformwidget as a dependency
- Require at least fedora-ds-base 1.1 
- 
    Thu Nov 01 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
    - Version bump for release 
- 
    Wed Oct 31 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-6
    - Add dep for freeipa-admintools and acl 
- 
    Wed Oct 24 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-5
    - Add dependency for python-krbV 
- 
    Fri Oct 19 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-4
    - Require mod_nss-1.0.7-2 for mod_proxy fixes 
- 
    Thu Oct 18 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-3
    - Convert to autotools-based build 
- 
    Tue Sep 25 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-2
    * Fri Sep 7 2007 Karl MacMillan <kmacmill@redhat.com> - 0.3.0-1
- Added support for libipa-dna-plugin 
- 
    Fri Aug 10 2007 Karl MacMillan <kmacmill@redhat.com> - 0.2.0-1
    - Added support for ipa_kpasswd and ipa_pwd_extop 
- 
    Sun Aug 05 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-3
    - Abstracted client class to work directly or over RPC 
- 
    Wed Aug 01 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-2
    - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
- Remove references to admin server in ipa-server-setupssl
- Generate a client certificate for the XML-RPC server to connect to LDAP with
- Create a keytab for Apache
- Create an ldif with a test user
- Provide a certmap.conf for doing SSL client authentication 
- 
    Fri Jul 27 2007 Karl MacMillan <kmacmill@redhat.com> - 0.1.0-1
    - Initial rpm version