Enables  support  for  trusted  domains  users  for old clients through Schema
Compatibility plugin.  SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs  to  use  this  option.  When  enabled, slapi-nis  package  needs  to
be  installed  and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under  cn=users,cn=compat,$SUFFIX  and
cn=groups,cn=compat,$SUFFIX trees.  SSSD will normalize names of users and
groups to lower case.

In  addition  to  providing  these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication  is related to  PAM  stack  using  'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is  not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.

https://fedorahosted.org/freeipa/ticket/3567

Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.

Creates a new ipa-advise command, available to root user
on the IPA server.

Also provides an example configuration plugin,
config-fedora-authconfig.

https://fedorahosted.org/freeipa/ticket/3670

Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.

https://fedorahosted.org/freeipa/ticket/3739

In ipa-replica-manage commands, we enforce that hostnames we work
with are resolvable. However, this caused errors while deleting
or disconnecting a ipa / winsync replica, if that replica was down
and authoritative server for itself.

Also adds an --no-lookup flag to disable host existence checks.

https://fedorahosted.org/freeipa/ticket/3524

Part of the work for https://fedorahosted.org/freeipa/ticket/3494

The options take PEM certificates, not PKCS#10.
This corrects both the --help output and the man page.

https://fedorahosted.org/freeipa/ticket/3523

This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.

http://freeipa.org/page/V3/Backup_and_Restore

https://fedorahosted.org/freeipa/ticket/3128

Instead, certificates in pkcs12 files can be given to set up
IPA with no CA at all.
Use a flag, setup_ca, to signal if a CA is being installed.

Design: http://freeipa.org/page/V3/Drop_selfsign
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494

Add the option to create home directories for users on their
first login to ipa-server-install and ipa-replica-install.

https://fedorahosted.org/freeipa/ticket/3515

Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.

If one cannot be found then it is reported as an error.

Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.

http://freeipa.org/page/V3/Recover_DNA_Ranges

https://fedorahosted.org/freeipa/ticket/3321