[Freeipa-devel] FreeIPA 4.0.3?

Nathaniel McCallum npmccallum at redhat.com
Thu Sep 11 14:28:59 UTC 2014


On Thu, 2014-09-11 at 16:25 +0200, Ludwig Krispenz wrote:
> On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:
> > On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
> >> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
> >>> On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
> >>>> On 09/11/2014 04:04 PM, Martin Kosek wrote:
> >>>>> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
> >>>>>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
> >>>>>>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
> >>>>>>>> Hi team,
> >>>>>>>>
> >>>>>>>> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking
> >>>>>>>> upgrade from older releases:
> >>>>>>>>
> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4529
> >>>>>>>>
> >>>>>>>> We also have a packaging fix requested by Fedora Server roles group:
> >>>>>>>>
> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4430
> >>>>>>>>
> >>>>>>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
> >>>>>>>> Makes sense? Any other tickets or patches we would like to get in?
> >>>>>>> Looks like it's just those two. I'll start releasing shortly.
> >>>>>> I'd like to get a fix in for the missing ciphers in the new NSS. I can
> >>>>>> have a patch on the list shortly.
> >>>>>>
> >>>>>> Nathaniel
> >>>>> Isn't this related to
> >>>>> https://fedorahosted.org/freeipa/ticket/4395
> >>>>> ? I think we do not work with the newest DS which fixed the default ciphers.
> >>>> yes
> >>>>> Don't we need to set our SSL ciphers setting to
> >>>>>
> >>>>> https://fedorahosted.org/389/ticket/47838#comment:29
> >>>> yes
> >>>> the attached patch tries this, but at the moment I failed to build and
> >>>> also to upgrade to F21
> >>> NACKallowweakcipher
> >>>
> >>>
> >>> LDAP error: OBJECT_CLASS_VIOLATION
> >>> attribute "allowweakcipher" not allowed
> >>>
> >>> I suspect we are missing a spec file requirement on a newer version of 389...
> >> yes, you need the latest build of DS, Noriko added the allowweakcipher
> >> only yesterday.
> >> That's the problem, I wanted to wait with the ipa side patch until
> >> allowweakcipher was implemented and then on F21 ipa and 389 no longer
> >> played well and now there is a rush
> > What is the status on the new 389 patch/build?
> a build is here: 
> http://copr-be.cloud.fedoraproject.org/results/nhosoi/389-ds-f21/fedora-21-x86_64/389-ds-base-1.3.3.2-a1.fc21/

The upstream patch is not merged yet. We need 389 to merge the patch, do
a release and get an official Fedora 20/21 build.

Just to be clear, Fedora 21 IPA doesn't work *at all*. So this is an
urgent fix.

Martin, can you coordinate with 389 to prioritize a release with this
fix?

Nathaniel
