f38708fd · ac6e4cb6 · 45bd31b4 · a077c705 · 755a5004 · a7ab63b8
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
-jobs:
-  fedora-25/build:
-    requires: []
-    priority: 100
-    job:
-      class: Build
-      args:
-        git_repo: '{git_repo}'
-        git_refspec: '{git_refspec}'
-        template: &ci-master-f25
-          name: freeipa/ci-master-f25
-          version: 0.2.11
-        timeout: 1800
-
-  fedora-25/simple_replication:
-    requires: [fedora-25/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-25/build_url}'
-        test_suite: test_integration/test_simple_replication.py
-        template: *ci-master-f25
-        timeout: 3600
-
-  fedora-25/caless:
-    requires: [fedora-25/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-25/build_url}'
-        test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
-        template: *ci-master-f25
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
+ipatests/prci_definitions/gating.yaml
\ No newline at end of file
--- a/.gitignore
+++ b/.gitignore
@@ -96,6 +96,12 @@ freeipa2-dev-doc
 /init/tmpfilesd/ipa.conf

 !/install/ui/doc/Makefile.in
+/install/ui/node_modules/
+/install/ui/package-lock.json 
+# package-lock file can be commited, but it makes sense for npm packages.
+# It stores informations about changes in node_modules. For now it is not
+# very useful
+# More info: https://docs.npmjs.com/files/package-lock.json
 /install/ui/release
 /install/ui/css/ipa.css
 /install/ui/src/dojo
@@ -108,11 +114,61 @@ freeipa2-dev-doc
 /client/ipa-join
 /client/ipa-rmkeytab

+/ipaplatform/override.py
 /ipapython/version.py
 /ipapython/.DEFAULT_PLUGINS

-/ipaplatform/__init__.py
-/ipaplatform/constants.py
-/ipaplatform/paths.py
-/ipaplatform/services.py
-/ipaplatform/tasks.py
+/ipatests/.cache/
+
+# Python scripts with auto-generated shebang
+ipa
+makeaci
+makeapi
+client/ipa-certupdate
+client/ipa-client-automount
+client/ipa-client-install
+daemons/dnssec/ipa-dnskeysyncd
+daemons/dnssec/ipa-dnskeysync-replica
+daemons/dnssec/ipa-ods-exporter
+install/certmonger/dogtag-ipa-ca-renew-agent-submit
+install/certmonger/ipa-server-guard
+install/oddjob/com.redhat.idm.trust-fetch-domains
+install/restart_scripts/renew_ca_cert
+install/restart_scripts/renew_kdc_cert
+install/restart_scripts/renew_ra_cert
+install/restart_scripts/renew_ra_cert_pre
+install/restart_scripts/restart_dirsrv
+install/restart_scripts/restart_httpd
+install/restart_scripts/stop_pkicad
+install/tools/ipa-adtrust-install
+install/tools/ipa-advise
+install/tools/ipa-backup
+install/tools/ipa-cacert-manage
+install/tools/ipa-ca-install
+install/tools/ipa-compat-manage
+install/tools/ipa-csreplica-manage
+install/tools/ipactl
+install/tools/ipa-custodia
+install/tools/ipa-custodia-check
+install/tools/ipa-dns-install
+install/tools/ipa-httpd-kdcproxy
+install/tools/ipa-kra-install
+install/tools/ipa-ldap-updater
+install/tools/ipa-managed-entries
+install/tools/ipa-nis-manage
+install/tools/ipa-otptoken-import
+install/tools/ipa-pkinit-manage
+install/tools/ipa-pki-retrieve-key
+install/tools/ipa-replica-conncheck
+install/tools/ipa-replica-install
+install/tools/ipa-replica-manage
+install/tools/ipa-replica-prepare
+install/tools/ipa-restore
+install/tools/ipa-server-certinstall
+install/tools/ipa-server-install
+install/tools/ipa-server-upgrade
+install/tools/ipa-winsync-migrate
+ipatests/i18n.py
+ipatests/ipa-run-tests
+ipatests/ipa-test-config
+ipatests/ipa-test-task
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -24,11 +24,12 @@ server:
  realm: IPA.TEST
 steps:
  build:
-  - make V=0 ${make_target}
+  - make V=0 ${make_target} LOG_COMPILE='gdb -return-child-result -ex run -ex "thread apply all bt" -ex "quit" --args'
  builddep:
  - rm -rf /var/cache/dnf/*
-  - "dnf makecache fast || :"
-  - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing
+  - "dnf makecache || :"
+  - dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
+  - dnf install -y gdb
  cleanup:
  - chown -R ${uid}:${gid} ${container_working_dir}
  - journalctl -b --no-pager > systemd_journal.log
@@ -40,10 +41,13 @@ steps:
      /var/log/krb5kdc.log
      /var/log/pki
      systemd_journal.log
+      `find daemons -name '*.log' -print`
  - chown ${uid}:${gid} ${container_working_dir}/var_log.tar
+  - ls -laZ /etc/dirsrv/slapd-*/ /etc/httpd/alias/ /etc/pki/pki-tomcat/alias/ || true
  configure:
  - ./autogen.sh
  install_packages:
+  - sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
  - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
  install_server:
  - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}
@@ -53,6 +57,14 @@ steps:
  lint:
  - make PYTHON=/usr/bin/python2 V=0 lint
  - make PYTHON=/usr/bin/python3 V=0 pylint
+  webui_unit:
+  - dnf install -y npm
+  - cd ${container_working_dir}/install/ui/js/libs && make
+  - cd ${container_working_dir}/install/ui && npm install
+  - cd ${container_working_dir}/install/ui && node_modules/grunt/bin/grunt --verbose test
+  tox:
+  # just run one pylint and one Python 3 target (time/coverage trade-off)
+  - tox -e py27,py36,pypi,pylint3
  prepare_tests:
  - echo ${server_password} | kinit admin && ipa ping
  - cp -r /etc/ipa/* ~/.ipa/
@@ -64,6 +76,8 @@ steps:
  - ipa-run-tests ${tests_ignore} -k-test_dns_soa ${tests_verbose} ${path}
  - '! grep -n -C5 BytesWarning /var/log/httpd/error_log'
  - ipa-server-install --uninstall -U
+  # second uninstall to verify that --uninstall without installation works
+  - ipa-server-install --uninstall -U
 tests:
  ignore:
  - test_integration

--- a/.test_runner_config_py3_temp.yaml
+++ b/.test_runner_config_py3_temp.yaml
@@ -26,16 +26,28 @@ server:
  realm: IPA.TEST
 steps:
  build:
-  - make V=0 ${make_target}
+  - make V=0 ${make_target} LOG_COMPILE='gdb -return-child-result -ex run -ex "thread apply all bt" -ex "quit" --args'
  builddep:
  - rm -rf /var/cache/dnf/*
-  - "dnf makecache fast || :"
-  - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing
+  - "dnf makecache || :"
+  - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
+  - dnf install -y gdb
  cleanup:
  - chown -R ${uid}:${gid} ${container_working_dir}
+  - >
+      tar --ignore-failed-read -cvf ${container_working_dir}/var_log.tar
+      /var/log/dirsrv
+      /var/log/httpd
+      /var/log/ipa*
+      /var/log/krb5kdc.log
+      /var/log/pki
+      systemd_journal.log
+      `find daemons -name '*.log' -print`
+  - chown ${uid}:${gid} ${container_working_dir}/var_log.tar
  configure:
  - ./autogen.sh
  install_packages:
+  - sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
  - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
  - dnf install -y python3-mod_wsgi --best --allowerasing  # Py3 temporary
  install_server:

--- a/.travis.yml
+++ b/.travis.yml
+# workaround for missing IPv6 address support
+# https://github.com/travis-ci/travis-ci/issues/8891
+sudo: required
+dist: trusty
+group: deprecated-2017Q4
+
 language: python
+
 services:
    - docker
-
 python:
-    - "2.7"
+    - "3.6"
 cache: pip
 env:
    global:
-        - TEST_RUNNER_IMAGE="martbab/freeipa-fedora-test-runner:master-latest"
-          PEP8_ERROR_LOG="pep8_errors.log"
+        - TEST_RUNNER_IMAGE="freeipa/freeipa-test-runner:master-latest"
+          PEP8_ERROR_LOG="pycodestyle_errors.log"
          CI_RESULTS_LOG="ci_results_${TRAVIS_BRANCH}.log"
          CI_BACKLOG_SIZE=5000
          CI_RUNNER_LOGS_DIR="/tmp/test-runner-logs"
@@ -16,6 +22,8 @@ env:
    matrix:
        - TASK_TO_RUN="lint"
          TEST_RUNNER_CONFIG=".test_runner_config.yaml"
+        - TASK_TO_RUN="webui-unit"
+          TEST_RUNNER_CONFIG=".test_runner_config.yaml"
        - TASK_TO_RUN="run-tests"
          PYTHON=/usr/bin/python2
          TEST_RUNNER_CONFIG=".test_runner_config.yaml"
@@ -27,85 +35,45 @@ env:
            test_install
            test_ipaclient
            test_ipalib
+            test_ipaplatform
            test_ipapython
            test_ipaserver
-            test_pkcs10
            test_xmlrpc/test_[l-z]*.py"
        - TASK_TO_RUN="run-tests"
          PYTHON=/usr/bin/python3
          TEST_RUNNER_CONFIG=".test_runner_config_py3_temp.yaml"
-          TESTS_TO_RUN="test_xmlrpc/test_add_remove_cert_cmd.py
-            test_xmlrpc/test_attr.py
-            test_xmlrpc/test_automember_plugin.py
-            test_xmlrpc/test_automount_plugin.py
-            test_xmlrpc/test_baseldap_plugin.py
-            test_xmlrpc/test_batch_plugin.py
-            test_xmlrpc/test_cert_plugin.py
-            test_xmlrpc/test_certprofile_plugin.py
-            test_xmlrpc/test_config_plugin.py
-            test_xmlrpc/test_delegation_plugin.py
-            test_xmlrpc/test_group_plugin.py
-            test_xmlrpc/test_hbac_plugin.py
-            test_xmlrpc/test_hbacsvcgroup_plugin.py
-            test_xmlrpc/test_hbactest_plugin.py
-            test_xmlrpc/test_host_plugin.py
-            test_xmlrpc/test_hostgroup_plugin.py
-            test_xmlrpc/test_krbtpolicy.py
-            test_xmlrpc/test_kerberos_principal_aliases.py"
-            ### Tests which haven't been ported to py3 yet ###
-            ## test_xmlrpc/test_[a-k]*.py
-            # test_xmlrpc/test_ca_plugin.py
-            # test_xmlrpc/test_caacl_plugin.py
-            # test_xmlrpc/test_caacl_profile_enforcement.py
-            # test_xmlrpc/test_dns_plugin.py
-            # test_xmlrpc/test_dns_realmdomains_integration.py
-            # test_xmlrpc/test_external_members.py
-            # test_xmlrpc/test_idviews_plugin.py
+          TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
        - TASK_TO_RUN="run-tests"
          PYTHON=/usr/bin/python3
          TEST_RUNNER_CONFIG=".test_runner_config_py3_temp.yaml"
          TESTS_TO_RUN="test_cmdline
+                test_install
+                test_ipaclient
                test_ipalib
+                test_ipaplatform
                test_ipapython
                test_ipaserver
-                test_pkcs10
-                test_xmlrpc/test_location_plugin.py
-                test_xmlrpc/test_nesting.py
-                test_xmlrpc/test_netgroup_plugin.py
-                test_xmlrpc/test_old_permission_plugin.py
-                test_xmlrpc/test_passwd_plugin.py
-                test_xmlrpc/test_permission_plugin.py
-                test_xmlrpc/test_ping_plugin.py
-                test_xmlrpc/test_privilege_plugin.py
-                test_xmlrpc/test_pwpolicy_plugin.py
-                test_xmlrpc/test_radiusproxy_plugin.py
-                test_xmlrpc/test_realmdomains_plugin.py
-                test_xmlrpc/test_replace.py
-                test_xmlrpc/test_role_plugin.py
-                test_xmlrpc/test_selfservice_plugin.py
-                test_xmlrpc/test_selinuxusermap_plugin.py
-                test_xmlrpc/test_service_plugin.py
-                test_xmlrpc/test_servicedelegation_plugin.py
-                test_xmlrpc/test_stageuser_plugin.py
-                test_xmlrpc/test_sudocmd_plugin.py
-                test_xmlrpc/test_sudocmdgroup_plugin.py
-                test_xmlrpc/test_sudorule_plugin.py"
-            ### Tests which haven't been ported to py3 yet ###
-            ## test_xmlrpc/test_[l-z]*.py
-            # test_xmlrpc/test_range_plugin.py
-            # test_xmlrpc/test_trust_plugin.py
-            # test_xmlrpc/test_vault_plugin.py
+                test_xmlrpc/test_[l-z]*.py"
+        - TASK_TO_RUN="tox"
+          TEST_RUNNER_CONFIG=".test_runner_config.yaml"
+
+before_install:
+    - ip addr show
+    - ls /proc/net
+    - cat /proc/net/if_inet6
+#    - ip addr show dev lo | grep -q inet6 || (echo "No IPv6 address found"; exit 1)
+
 install:
-    - pip install --upgrade pip
    - pip3 install --upgrade pip
-    - pip install pep8
+    - pip3 install pycodestyle
    - >
      pip3 install
-      git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1
+      git+https://github.com/freeipa/ipa-docker-test-runner@release-0-3-1

 script:
    - mkdir -p $CI_RUNNER_LOGS_DIR
    - travis_wait 50 ./.travis_run_task.sh
+    - test -z "`cat $PEP8_ERROR_LOG`"
 after_failure:
    - echo "Test runner output:"; tail -n $CI_BACKLOG_SIZE $CI_RESULTS_LOG
    - echo "PEP-8 errors:"; cat $PEP8_ERROR_LOG

--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -5,7 +5,6 @@
 # NOTE: this script is intended to run in Travis CI only

 test_set=""
-developer_mode_opt="--developer-mode"

 if [[ $PYTHON == "/usr/bin/python2" ]]
 then
@@ -14,6 +13,15 @@ else
 env_opt=""
 fi

+case "$TASK_TO_RUN" in
+    lint|tox)
+        # disable developer mode for lint and tox tasks.
+        developer_mode_opt=""
+        ;;
+    *)
+        developer_mode_opt="--developer-mode"
+        ;;
+esac

 function truncate_log_to_test_failures() {
    # chop off everything in the CI_RESULTS_LOG preceding pytest error output
@@ -30,11 +38,9 @@ if [[ "$TASK_TO_RUN" == "lint" ]]
 then
    if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]
    then
-        git diff origin/$TRAVIS_BRANCH -U0 | pep8 --diff &> $PEP8_ERROR_LOG ||:
+        git diff origin/$TRAVIS_BRANCH -U0 | \
+            pycodestyle --ignore=W504 --diff &> $PEP8_ERROR_LOG ||:
    fi
-
-    # disable developer mode for lint task, otherwise we get an error
-    developer_mode_opt=""
 fi

 if [[ -n "$TESTS_TO_RUN" ]]

--- a/.wheelconstraints.in
+++ b/.wheelconstraints.in
@@ -9,5 +9,5 @@ ipapython == @VERSION@
 ipaserver == @VERSION@
 ipatests == @VERSION@

-# see https://pagure.io/freeipa/issue/6874
-pylint < 1.7
+# upstream pylint 1.7.5 fixed bad python3 import of stat module
+pylint >= 1.7.5
--- a/ACI.txt
+++ b/ACI.txt
@@ -361,7 +361,7 @@ aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(obje
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homedirectory || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example

--- a/API.txt
+++ b/API.txt
@@ -783,7 +783,7 @@ option: Str('version?')
 output: Output('result')
 command: cert_request/1
 args: 1,9,3
-arg: Str('csr', cli_name='csr_file')
+arg: CertificateSigningRequest('csr', cli_name='csr_file')
 option: Flag('add', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa')
@@ -1944,13 +1944,14 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: group_add_member/1
-args: 1,7,3
+args: 1,8,3
 arg: Str('cn', cli_name='group_name')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('group*', alwaysask=True, cli_name='groups')
 option: Str('ipaexternalmember*', cli_name='external')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('service*', alwaysask=True, cli_name='services')
 option: Str('user*', alwaysask=True, cli_name='users')
 option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
@@ -1972,7 +1973,7 @@ output: Output('result', type=[<type 'bool'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: group_find/1
-args: 1,28,4
+args: 1,30,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cn?', autofill=False, cli_name='group_name')
@@ -1987,6 +1988,7 @@ option: Str('in_role*', cli_name='in_roles')
 option: Str('in_sudorule*', cli_name='in_sudorules')
 option: Str('no_group*', cli_name='no_groups')
 option: Flag('no_members', autofill=True, default=True)
+option: Principal('no_service*', cli_name='no_services')
 option: Str('no_user*', cli_name='no_users')
 option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False)
 option: Str('not_in_group*', cli_name='not_in_groups')
@@ -1998,6 +2000,7 @@ option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('posix', autofill=True, cli_name='posix', default=False)
 option: Flag('private', autofill=True, cli_name='private', default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Principal('service*', cli_name='services')
 option: Int('sizelimit?', autofill=False)
 option: Int('timelimit?', autofill=False)
 option: Str('user*', cli_name='users')
@@ -2026,13 +2029,14 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: group_remove_member/1
-args: 1,7,3
+args: 1,8,3
 arg: Str('cn', cli_name='group_name')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('group*', alwaysask=True, cli_name='groups')
 option: Str('ipaexternalmember*', cli_name='external')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('service*', alwaysask=True, cli_name='services')
 option: Str('user*', alwaysask=True, cli_name='users')
 option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
@@ -2973,7 +2977,7 @@ option: Int('ipabaserid?', cli_name='rid_base')
 option: Int('ipaidrangesize', cli_name='range_size')
 option: Str('ipanttrusteddomainname?', cli_name='dom_name')
 option: Str('ipanttrusteddomainsid?', cli_name='dom_sid')
-option: StrEnum('iparangetype?', cli_name='type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local'])
+option: StrEnum('iparangetype?', cli_name='type', values=[u'ipa-ad-trust', u'ipa-ad-trust-posix', u'ipa-local'])
 option: Int('ipasecondarybaserid?', cli_name='secondary_rid_base')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
@@ -2998,7 +3002,7 @@ option: Int('ipabaseid?', autofill=False, cli_name='base_id')
 option: Int('ipabaserid?', autofill=False, cli_name='rid_base')
 option: Int('ipaidrangesize?', autofill=False, cli_name='range_size')
 option: Str('ipanttrusteddomainsid?', autofill=False, cli_name='dom_sid')
-option: StrEnum('iparangetype?', autofill=False, cli_name='type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local'])
+option: StrEnum('iparangetype?', autofill=False, cli_name='type', values=[u'ipa-ad-trust', u'ipa-ad-trust-posix', u'ipa-local'])
 option: Int('ipasecondarybaserid?', autofill=False, cli_name='secondary_rid_base')
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -3255,7 +3259,7 @@ option: Str('groupignoreobjectclass*', autofill=True, cli_name='group_ignore_obj
 option: Str('groupobjectclass+', autofill=True, cli_name='group_objectclass', default=[u'groupOfUniqueNames', u'groupOfNames'])
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=[u'RFC2307bis', u'RFC2307'])
-option: StrEnum('scope', autofill=True, cli_name='scope', default=u'onelevel', values=[u'base', u'subtree', u'onelevel'])
+option: StrEnum('scope', autofill=True, cli_name='scope', default=u'onelevel', values=[u'base', u'onelevel', u'subtree'])
 option: Bool('use_def_group?', autofill=True, cli_name='use_default_group', default=True)
 option: DNParam('usercontainer', autofill=True, cli_name='user_container', default=ipapython.dn.DN('ou=people'))
 option: Str('userignoreattribute*', autofill=True, cli_name='user_ignore_attribute', default=[])
@@ -3958,7 +3962,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', cli_name='desc')
 option: Int('ipatokenradiusretries?', cli_name='retries')
 option: Password('ipatokenradiussecret', cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver+', cli_name='server')
+option: Str('ipatokenradiusserver', cli_name='server')
 option: Int('ipatokenradiustimeout?', cli_name='timeout')
 option: Str('ipatokenusermapattribute?', cli_name='userattr')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -3983,7 +3987,7 @@ option: Str('cn?', autofill=False, cli_name='name')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
 option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
+option: Str('ipatokenradiusserver?', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -4004,7 +4008,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
 option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
+option: Str('ipatokenradiusserver?', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -4421,9 +4425,10 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: server_role_find/1
-args: 1,8,4
+args: 1,9,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('include_master', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('role_servrole?', autofill=False, cli_name='role')
 option: Str('server_server?', autofill=False, cli_name='server')
@@ -4457,7 +4462,7 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: service_add/1
-args: 1,13,3
+args: 1,14,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4470,6 +4475,7 @@ option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
+option: Flag('skip_host_check', autofill=True, default=False)
 option: Certificate('usercertificate*', cli_name='certificate')
 option: Str('version?')
 output: Entry('result')
@@ -5721,7 +5727,7 @@ option: Int('base_id?', cli_name='base_id')
 option: Bool('bidirectional?', cli_name='two_way', default=False)
 option: Bool('external?', cli_name='external', default=False)
 option: Int('range_size?', cli_name='range_size')
-option: StrEnum('range_type?', cli_name='range_type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust'])
+option: StrEnum('range_type?', cli_name='range_type', values=[u'ipa-ad-trust', u'ipa-ad-trust-posix'])
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('realm_admin?', cli_name='admin')
 option: Password('realm_passwd?', cli_name='password', confirm=False)

--- a/BUILD.txt
+++ b/BUILD.txt
@@ -7,7 +7,7 @@ For more information, see http://www.freeipa.org/page/Build

 The quickest way to get the dependencies needed for building is:

-# dnf builddep -b -D "with_lint 1" --spec freeipa.spec.in
+# dnf builddep -b -D "with_wheels 1" -D "with_lint 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False

 TIP: For building with latest dependencies for freeipa master enable copr repo:

@@ -66,9 +66,9 @@ changes are required.
 Testing
 -------

-For more information, see http://www.freeipa.org/page/Testing
+For more information, see https://www.freeipa.org/page/Testing

-We use python nosetests to test for regressions in the management framework
+We use python pytest to test for regressions in the management framework
 and plugins. All test dependencies are required by the freeipa-tests package.

 To run all of the tests you will need 2 sessions, one to run the lite-server
@@ -82,6 +82,14 @@ Some tests may be skipped. For example, all the XML-RPC tests will be skipped
 if you haven't started the lite-server. The DNS tests will be skipped if
 the underlying IPA installation doesn't configure DNS, etc.

+To just execute fast unittest and code linters, use the fastcheck target.
+Fast tests only execute a subset of the test suite that does not depend on
+an initialized API and server instance. Fast linting just verifies modified
+files / lines.
+
+% make fastcheck
+
+
 API.txt
 -------
 The purpose of the file API.txt is to prevent accidental API changes. The

--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
+# FreeIPA Code of Conduct
+
+Our community is made up of a mixture of contributors from all over the world.
+We are diverse in our background, expertise or opinions and it is our strength,
+but diversity can also lead to communication issues and unhappiness. To that
+end, we have a few ground rules that we ask people to adhere to when operating
+in our space.
+
+If you believe someone is violating the code of conduct, we ask that you report
+it by emailing conduct@mg.freeipa.org.
+
+This isn’t an exhaustive list of things that you can’t do. Rather, take it in
+the spirit in which it’s intended - a guide to make it easier to be excellent to
+each other:
+
+### Be friendly and patient.
+
+### Be welcoming.
+We strive to be a community that welcomes and supports people of all backgrounds
+and identities. This includes, but is not limited to members of any race,
+ethnicity, culture, national origin, colour, immigration status, social and
+economic class, educational level, sex, sexual orientation, gender identity and
+expression, age, size, family status, political belief, religion, and mental and
+physical ability.
+
+### Be considerate. 
+Your work will be used by other people, and you in turn will depend on the work
+of others. Any decision you take will affect users and colleagues, and you
+should take those consequences into account when making decisions. Remember that
+we're a world-wide community, so you might not be communicating in someone
+else's primary language.
+
+### Be respectful.
+Not all of us will agree all the time, but disagreement is no excuse for poor
+behavior and poor manners. We might all experience some frustration now and
+then, but we cannot allow that frustration to turn into a personal attack. It’s
+important to remember that a community where people feel uncomfortable or
+threatened is not a productive one. Members of the community should be
+respectful when dealing with other members as well as with people outside the
+community. Success comes from the team and the ability of team members to work
+together. Members have differents skills, talents and roles but each of them is
+important to the team and the final success. Think of the team first.
+
+### Be careful in the words that you choose. 
+We are a community of professionals, and we conduct ourselves professionally. Be
+kind to others. Do not insult or put down other participants. Harassment and
+other exclusionary behavior aren't acceptable. This includes, but is not limited
+to:
+* Violent threats or language directed against another person.
+* Discriminatory jokes and language.
+* Posting sexually explicit or violent material.
+* Posting (or threatening to post) other people's personally identifying
+  information ("doxing").
+* Personal insults, especially those using racist or sexist terms.
+* Unwelcome sexual attention.
+* Advocating for, or encouraging, any of the above behavior.
+* Repeated harassment of others. In general, if someone asks you to stop,
+  then stop.
+
+### When we disagree, try to understand why. 
+Disagreements, both social and technical, happen all the time and our community
+is no exception. It is important that we resolve disagreements and differing
+views constructively. Remember that we’re different. The strength of community
+comes from its diversity, people from a wide range of backgrounds. Different
+people have different perspectives on issues. Being unable to understand why
+someone holds a viewpoint doesn’t mean that they’re wrong. Don’t forget that it
+is human to err and blaming each other doesn’t get us anywhere. Give people the
+benefit of the doubt, instead of blaming someone and pointing fingers. Speak
+with them and try to understand what happened. Focus on helping to resolve
+issues and learning from mistakes.
+
+### Drive your emotions and create a safe place for others.
+We aren’t robots, we are people with feelings. Feelings are a great
+gift. Unfortunately that gift can betray us sometimes and let our common sense
+to be driven by assumptions, expectations, anger, … To prevent and get away from
+this situation is always better to start with facts, then mention the personal
+story - your story - what are the concerns, objections, experience, and maybe
+observations.
+
+### Listen and hear, ask and don’t assume.
+There is always something behind. If you are not sure, feel free to ask for more
+information like “I don’t fully understand this…, could you help me to
+understand that part please?”
+* “So you are saying ..., is that right?”
+* “I have different opinion here but I would like to know more about the
+  solution you’re proposing.”
+* “I have concerns about this solution because of A, B, C risks. What could be
+  the prevention in your solution if we get into that situation?”
+
+### You will never be wrong when saying “please” and “thank you”
+
+## Scope
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is engaging with the project or its community.  Examples of
+engagement includes communication on IRC, bugtrackers, social media, and the
+like, or official presence as a project representative at an online or offline
+event. Representation of a project may be further defined and clarified by
+project maintainers.
+
+## Enforcement
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at conduct@mg.freeipa.org. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an
+incident.  Further details of specific enforcement policies may be posted
+separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+The idea behind the "enforcement" is not throwing it to each other publicly. If
+the violation is not severe, it is expected that the people involved in the
+situation could have a private and mature talk about the violation itself. Since
+it may happen that people violate the Code of Conduct without realizing they are
+violating it.
+
+A strategy for such talk could be:
+1. Call people up, instead of calling them out. (Shame rarely helps.)
+2. Demonstrate good behavior.
+3. Provide a positive intention.
+4. Focus on the problem, not the person,
+5. Point to guidelines or the impact, rather than individual.
+
+Original text courtesy of the [Django project](djangoproject.com/conduct/).
+"Scope" and "Enforcement" section courtesy of the [Contributor Covenant](https://www.contributor-covenant.org/).
+A strategy for a talk about a violation is based on Rebecca Fernandez DevConf.cz 2018 talk: "Power of One".
--- a/Contributors.txt
+++ b/Contributors.txt
@@ -10,6 +10,7 @@ Developers:
 	Tomáš Babej
 	Martin Babinsky
 	Kyle Baker
+	Felipe Barreto
 	Jan Barta
 	Martin Bašti
 	Sylvain Baubeau
@@ -26,7 +27,9 @@ Developers:
 	Rob Crittenden
 	Frank Cusack
 	Nalin Dahyabhai
+	Rishabh Dave
 	Don Davis
+	Nikhil Dehadrai
 	John Dennis
 	Jason Gerard DeRose
 	Günther Deschner
@@ -35,12 +38,17 @@ Developers:
 	Benjamin Drung
 	Patrice Duc-Jacquet
 	Tibor Dudlák
+	Lewis Eason
 	Drew Erny
 	Oleg Fayans
 	Jérôme Fenal
+	Fabiano Fidêncio
 	Stephen Gallagher
+	René Genz
 	James Groffen
+	Oliver Gutierrez
 	Ondřej Hamada
+	Robbie Harwood
 	Nick Hatch
 	Christian Heimes
 	Jakub Hrozek
@@ -48,18 +56,23 @@ Developers:
 	Abhijeet Kasurde
 	Nathan Kinder
 	Krzysztof Klimonda
+	Alexander Koksharov
 	Nikolai Kondrashov
 	Martin Košek
+	David Kreitschmann
 	Ludwig Krispenz
 	Ana Krivokapić
 	Tomáš Křížek
 	Milan Kubík
+	Amit Kumar
 	Ian Kumlien
 	David Kupka
 	Robert Kuska
+	John L
 	Peter Lacko
 	Stanislav Laznicka
 	Ade Lee
+	Stanislav Levin
 	Ben Lipton
 	Karl MacMillan
 	Niranjan Mallapadi
@@ -70,39 +83,59 @@ Developers:
 	Kevin McCarthy
 	Mark McLoughlin
 	Rich Megginson
+	Sudhir Menon
 	Jim Meyering
 	Adam Misnyovszki
+	Takeshi MIZUTA
+	Anuja More
+	John Morris
 	Niranjan MR
+	Brian J. Murrell
+	Varun Mylaraiah
 	Marko Myllynen
 	Martin Nagy
+	Armando Neto
 	David O'Brien
 	Dmitri Pal
 	Jan Pazdziora
 	W. Michael Petullo
+	Pavel Picka
+	Orion Poplawski
 	Gowrishankar Rajaiyan
+	realsobek
+	Michal Reznik
 	Lubomír Rintel
 	Matt Rogers
 	Lynn Root
 	Pete Rowley
 	Lenka Ryznarova
+	Alexander Scheel
 	Thorsten Scherf
 	shanyin
+	Kaleemullah Siddiqui
 	Michael Simacek
 	Lars Sjostrom
 	Filip Skola
+	Aleksei Slaikovskii
 	Lukáš Slebodník
 	Simo Sorce
 	Petr Špaček
 	David Spångberg
+	Justin Stephenson
 	Diane Trout
+	Serhii Tsymbaliuk
 	Fraser Tweedale
 	Petr Viktorin
 	Petr Voborník
+	Felipe Volpone
 	Pavel Vomáčka
 	Andrew Wnuk
+	Thomas Woerner
 	Jason Woods
 	Adam Young
+	Mohammad Rizwan Yusuf
 	Jan Zelený
+	Alex Zeleznikov
 	Michal Židek
 	Pavel Zůna

@@ -128,15 +161,26 @@ Testing:
 	Yi Zhang

 Translators:
-	Héctor Daniel Cabrera
-	Yuri Chornoivan
-	Teguh DC
-	Piotr Drąg
-	Jérôme Fenal
+	Abhijeet Kasurde
+	Andi Chandler
+	Andrew Martynov
+	A S Alam
+	Emilio Herrera
 	Gundachandru
+	Héctor Daniel Cabrera
 	Jake Li
-	Andrew Martynov
+	Jérôme Fenal
+	Marco Aurélio Krause
+	Martin Bašti
+	Olesya Gerasimenko
+	Paul Ritter
+	Pavel Vomacka
+	Piotr Drąg
+	Robert Antoni Buj Gelonch
 	Sankarshan Mukhopadhyay
+	Teguh DC
+	Yuri Chornoivan
+	Zdenek

 Wiki, Solution and Idea Contributors:
 	James Hogarth

--- a/Makefile.am
+++ b/Makefile.am
+NULL =
+
 ACLOCAL_AMFLAGS = -I m4

 if ENABLE_SERVER
-    SERVER_SUBDIRS = daemons init install ipaserver
+    IPASERVER_SUBDIRS = ipaserver
+    SERVER_SUBDIRS = daemons init install
 endif

 if WITH_IPATESTS
    IPATESTS_SUBDIRS = ipatests
 endif

-IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-IPA_PLACEHOLDERS = freeipa ipa ipaplatform ipaserver ipatests
-SUBDIRS = asn1 util client contrib po pypi \
-	$(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS)
+IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython
+PYTHON_SUBDIRS = $(IPACLIENT_SUBDIRS) $(IPATESTS_SUBDIRS) $(IPASERVER_SUBDIRS)
+IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
+SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
+
+GENERATED_PYTHON_FILES = \
+	$(top_builddir)/ipaplatform/override.py \
+	$(top_builddir)/ipapython/version.py \
+	$(top_builddir)/makeaci \
+	$(top_builddir)/makeapi \
+	$(NULL)

 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
-		   ignore_import_errors.pyc ignore_import_errors.pyo \
-		   ipasetup.pyc ipasetup.pyo \
 		   pylint_plugins.pyc pylint_plugins.pyo

 # user-facing scripts
-dist_bin_SCRIPTS = ipa
+nodist_bin_SCRIPTS = ipa

 # files required for build but not installed
-dist_noinst_SCRIPTS = ignore_import_errors.py \
+nodist_noinst_SCRIPTS = \
 	makeapi \
 	makeaci \
+	$(NULL)
+
+dist_noinst_SCRIPTS = \
 	make-doc \
 	make-test \
-		      pylint_plugins.py
+	pylint_plugins.py \
+	$(NULL)
+
+# templates
+dist_noinst_DATA = \
+	ipa.in		\
+	makeaci.in	\
+	makeapi.in	\
+	$(NULL)

 ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
 	$(AM_V_GEN)sed						\
@@ -61,7 +80,6 @@ clean-local:
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz

-
 # convenience targets for RPM build
 .PHONY: rpmroot rpmdistdir version-update _dist-version-bakein _rpms-prep \
 	rpms _rpms-body srpms _srpms-body
@@ -136,7 +154,7 @@ _srpms-body: _rpms-prep
 	rm -f rm -f $(top_builddir)/.version

 .PHONY: lite-server
-lite-server: $(top_builddir)/ipapython/version.py
+lite-server: $(GENERATED_PYTHON_FILES)
 	+$(MAKE) -C $(top_builddir)/install/ui
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -bb \
 	    contrib/lite-server.py $(LITESERVER_ARGS)
@@ -168,35 +186,85 @@ if ! WITH_PYTHON2
 	@echo "ERROR: python2 not available"; exit 1
 endif
 	@ # run all linters, tests, and check with Python 2
-	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON2) ipatests/ipa-run-tests \
 	    --ipaclient-unittests
 	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
 	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
 if WITH_PYTHON3
-	@ # just tests and pylint on Python 3
-	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	@ # just tests, aci, api and pylint on Python 3
+	PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
 	    --ipaclient-unittests
-	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) acilint apilint polint pylint jslint check
 else
 	@echo "WARNING: python3 not available"
 endif
 	@echo "All tests passed."

+.PHONY: fastcheck fasttest fastlint
+fastcheck:
+if WITH_PYTHON2
+	@$(MAKE) -j1 $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) \
+	    fastlint fasttest apilint acilint
+endif
+if WITH_PYTHON3
+	@$(MAKE) -j1 $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) \
+	     fastlint fasttest apilint acilint
+endif
+
+fasttest: $(GENERATED_PYTHON_FILES) ipasetup.py
+	@ # --ignore doubles speed of total test run compared to pytest.skip()
+	@ # on module.
+	PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
+	    --skip-ipaapi \
+	    --ignore $(abspath $(top_srcdir))/ipatests/test_integration \
+	    --ignore $(abspath $(top_srcdir))/ipatests/test_xmlrpc
+
+fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+	@echo "Fast linting with $(PYTHON) from branch '$(GIT_BRANCH)'"
+
+	@MERGEBASE=$$(git merge-base --fork-point $(GIT_BRANCH)); \
+	FILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
+	    | grep -E '\.py$$'); \
+	if [ -n "$${FILES}" ]; then \
+	    echo -e "Fast linting files:\n$${FILES}\n"; \
+	    echo "pycodestyle"; \
+	    echo "-----------"; \
+	    git diff -U0 $${MERGEBASE} | \
+	        $(PYTHON) -m pycodestyle --diff || exit $$?; \
+	    echo -e "\npylint"; \
+	    echo "------"; \
+	    PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) -m pylint \
+	        --rcfile=$(top_srcdir)/pylintrc \
+	        --load-plugins pylint_plugins \
+	        $${FILES} || exit $$?; \
+	else \
+	    echo "No modified Python files found"; \
+	fi
+
+
+.PHONY: $(top_builddir)/ipaplatform/override.py
+$(top_builddir)/ipaplatform/override.py:
+	(cd $(top_builddir)/ipaplatform && make override.py)
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)

 .PHONY: acilint
-acilint: $(top_builddir)/ipapython/version.py
-	cd $(srcdir); ./makeaci --validate
+acilint: $(GENERATED_PYTHON_FILES)
+	cd $(srcdir); $(PYTHON) ./makeaci --validate

 .PHONY: apilint
-apilint: $(top_builddir)/ipapython/version.py
-	cd $(srcdir); ./makeapi --validate
+apilint: $(GENERATED_PYTHON_FILES)
+	cd $(srcdir); $(PYTHON) ./makeapi --validate

 .PHONY: polint
 polint:
-	$(MAKE) -C $(srcdir)/po validate-src-strings validate-po test-gettext
+	$(MAKE) -C $(srcdir)/po PYTHON=$(PYTHON) \
+	    validate-src-strings validate-po test-gettext

 # Run pylint for all python files. Finds all python files/packages, skips
 # folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
@@ -206,7 +274,7 @@ polint:
 .PHONY: pylint

 if WITH_PYLINT
-pylint: $(top_builddir)/ipapython/version.py ipasetup.py
+pylint: $(GENERATED_PYTHON_FILES) ipasetup.py
 	FILES=`find $(top_srcdir) \
 		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
 		-path './rpmbuild' -prune -o \
@@ -307,6 +375,22 @@ pypi_packages: $(WHEELPYPIDIR) .wheelconstraints
 	@echo -e "\n\nTo upload packages to PyPI, run:\n"
 	@echo -e "    twine upload $(WHEELPYPIDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"

+.PHONY: python_install
+python_install:
+	for dir in $(PYTHON_SUBDIRS); do \
+	    $(MAKE) $(AM_MAKEFLAGS) -C $${dir} install || exit 1; \
+	done
+
 .PHONY:
 strip-po:
 	$(MAKE) -C po strip-po
+
+PYTHON_SHEBANG = 					\
+	ipa	\
+	makeaci	\
+	makeapi	\
+	$(NULL)
+
+CLEANFILES = $(PYTHON_SHEBANG)
+
+include $(top_srcdir)/Makefile.pythonscripts.am
--- a/Makefile.pythonscripts.am
+++ b/Makefile.pythonscripts.am
+# special handling of Python scripts with auto-generated shebang line
+$(PYTHON_SHEBANG):%: %.in Makefile
+	$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
+	$(AM_V_GEN)chmod +x $@
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 FreeIPA allows Linux administrators to centrally manage identity,
 authentication and access control aspects of Linux and UNIX systems
 by providing simple to install and use command line and web based
-managment tools.
+management tools.

 FreeIPA is built on top of well known Open Source components and standard
 protocols with a very strong focus on ease of management and automation

--- a/VERSION.m4
+++ b/VERSION.m4
@@ -20,8 +20,8 @@
 #  ->  "1.0.0"                                         #
 ########################################################
 define(IPA_VERSION_MAJOR, 4)
-define(IPA_VERSION_MINOR, 5)
-define(IPA_VERSION_RELEASE, 90)
+define(IPA_VERSION_MINOR, 7)
+define(IPA_VERSION_RELEASE, 1)

 ########################################################
 # For 'pre' releases the version will be               #
@@ -46,7 +46,17 @@ define(IPA_VERSION_PRE_RELEASE, )
 # This option works only with GNU m4:                  #
 # it requires esyscmd m4 macro.                        #
 ########################################################
-define(IPA_VERSION_IS_GIT_SNAPSHOT, yes)
+define(IPA_VERSION_IS_GIT_SNAPSHOT, no)
+
+########################################################
+# git development branch:                              #
+#                                                      #
+# - master: define(IPA_GIT_BRANCH, master)             #
+# - ipa-X-X: define(IPA_GIT_BRANCH,                    #
+#       ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR)       #
+########################################################
+define(IPA_GIT_BRANCH, master)
+dnl define(IPA_GIT_BRANCH, ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR)

 ########################################################
 # The version of IPA data. This is used to identify    #
@@ -128,6 +138,7 @@ NEWLINE)) dnl IPA_VERSION end
 dnl DEBUG: uncomment following lines and run command m4 VERSION.m4
 dnl `IPA_VERSION: ''IPA_VERSION'
 dnl `IPA_GIT_VERSION: ''IPA_GIT_VERSION'
+dnl `IPA_GIT_BRANCH: ''IPA_GIT_BRANCH'
 dnl `IPA_API_VERSION: ''IPA_API_VERSION'
 dnl `IPA_DATA_VERSION: ''IPA_DATA_VERSION'
 dnl `IPA_NUM_VERSION: ''IPA_NUM_VERSION'
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -40,9 +40,9 @@ sbin_PROGRAMS =			\
 	$(NULL)

 sbin_SCRIPTS =			\
-	ipa-client-install	\
-	ipa-client-automount	\
 	ipa-certupdate		\
+	ipa-client-automount	\
+	ipa-client-install	\
 	$(NULL)

 ipa_getkeytab_SOURCES =		\
@@ -80,6 +80,7 @@ ipa_join_SOURCES =		\
 	$(NULL)

 ipa_join_LDADD = 		\
+	$(top_builddir)/util/libutil.la	\
 	$(KRB5_LIBS)		\
 	$(LDAP_LIBS)		\
 	$(SASL_LIBS)		\
@@ -89,6 +90,7 @@ ipa_join_LDADD = 		\
 	$(NULL)

 SUBDIRS =			\
+	share		\
 	man			\
 	$(NULL)

@@ -96,10 +98,17 @@ noinst_HEADERS =		\
 	ipa-client-common.h

 EXTRA_DIST =			\
-	$(sbin_SCRIPTS)		\
+	ipa-certupdate.in	\
+	ipa-client-automount.in	\
+	ipa-client-install.in	\
 	$(NULL)

 install-data-hook:
 	$(INSTALL) -d -m 755 $(DESTDIR)$(IPA_SYSCONF_DIR)/nssdb
 	$(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa-client/pki
 	$(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa-client/sysrestore
+
+
+PYTHON_SHEBANG = $(sbin_SCRIPTS)
+
+include $(top_srcdir)/Makefile.pythonscripts.am
--- a/client/ipa-certupdate
+++ b/client/ipa-certupdate
-#! /usr/bin/python2 -E
+@PYTHONSHEBANG@
 # Authors: Jan Cholasta <jcholast@redhat.com>
 #
 # Copyright (C) 2014  Red Hat

--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
-#!/usr/bin/python2 -E
+@PYTHONSHEBANG@
 #
 # Authors:
 #   Rob Crittenden <rcritten@redhat.com>
@@ -43,6 +43,8 @@ from six.moves.urllib.parse import urlsplit
 from optparse import OptionParser  # pylint: disable=deprecated-module

 from ipaclient.install import ipachangeconf, ipadiscovery
+from ipaclient.install.client import (CLIENT_NOT_CONFIGURED,
+    CLIENT_ALREADY_CONFIGURED)
 from ipalib import api, errors
 from ipalib.install import sysrestore
 from ipalib.install.kinit import kinit_keytab
@@ -92,7 +94,7 @@ def wait_for_sssd():
    time.sleep(1)
    while n < 10 and not found:
        try:
-            ipautil.run(["getent", "passwd", "admin@%s" % api.env.realm])
+            ipautil.run([paths.GETENT, "passwd", "admin@%s" % api.env.realm])
            found = True
        except Exception:
            time.sleep(1)
@@ -189,7 +191,8 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
            domain.add_provider('ipa', 'autofs')
            try:
                domain.get_option('ipa_automount_location')
-                sys.exit('An automount location is already configured')
+                print('An automount location is already configured')
+                sys.exit(CLIENT_ALREADY_CONFIGURED)
            except SSSDConfig.NoOptionError:
                domain.set_option('ipa_automount_location', options.location)
                break
@@ -252,17 +255,31 @@ def configure_autofs_common(fstore, statestore, options):
                     autofs.service_name, str(e))

 def uninstall(fstore, statestore):
+    RESTORE_FILES=[
+       paths.SYSCONFIG_AUTOFS,
+       paths.NSSWITCH_CONF,
+       paths.AUTOFS_LDAP_AUTH_CONF,
+       paths.SYSCONFIG_NFS,
+       paths.IDMAPD_CONF,
+    ]
+    STATES=['autofs', 'rpcidmapd', 'rpcgssd']
+
+    # automount only touches /etc/nsswitch.conf if LDAP is
+    # used. Don't restore it otherwise.
+    if (statestore.get_state('authconfig', 'sssd') or
+            (statestore.get_state('authselect', 'profile') == 'sssd')):
+        RESTORE_FILES.remove(paths.NSSWITCH_CONF)
+
+    if (not any(fstore.has_file(f) for f in RESTORE_FILES) or
+             not any(statestore.has_state(s) for s in STATES)):
+        print("IPA automount is not configured on this system")
+        return CLIENT_NOT_CONFIGURED
+
    print("Restoring configuration")
-    if fstore.has_file(paths.SYSCONFIG_AUTOFS):
-        fstore.restore_file(paths.SYSCONFIG_AUTOFS)
-    if fstore.has_file(paths.NSSWITCH_CONF):
-        fstore.restore_file(paths.NSSWITCH_CONF)
-    if fstore.has_file(paths.AUTOFS_LDAP_AUTH_CONF):
-        fstore.restore_file(paths.AUTOFS_LDAP_AUTH_CONF)
-    if fstore.has_file(paths.SYSCONFIG_NFS):
-        fstore.restore_file(paths.SYSCONFIG_NFS)
-    if fstore.has_file(paths.IDMAPD_CONF):
-        fstore.restore_file(paths.IDMAPD_CONF)
+
+    for filepath in RESTORE_FILES:
+        if fstore.has_file(filepath):
+            fstore.restore_file(filepath)
    if statestore.has_state('autofs'):
        enabled = statestore.restore_state('autofs', 'enabled')
        running = statestore.restore_state('autofs', 'running')
@@ -382,7 +399,8 @@ def main():
    try:
        check_client_configuration()
    except ScriptError as e:
-        sys.exit(e)
+        print(e.msg)
+        sys.exit(e.rval)

    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
    statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
@@ -412,7 +430,8 @@ def main():
        ca_cert_path = paths.IPA_CA_CRT

    if statestore.has_state('autofs'):
-        sys.exit('automount is already configured on this system.\n')
+        print('An automount location is already configured')
+        sys.exit(CLIENT_ALREADY_CONFIGURED)

    autodiscover = False
    ds = ipadiscovery.IPADiscovery()