[Freeipa-devel] FreeIPA 4.0.3?
Nathaniel McCallum
npmccallum at redhat.com
Thu Sep 11 14:32:46 UTC 2014
On Thu, 2014-09-11 at 16:31 +0200, Petr Viktorin wrote:
> On 09/11/2014 04:26 PM, Martin Kosek wrote:
> > On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:
> >> On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
> >>> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
> >>>> On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
> >>>>> On 09/11/2014 04:04 PM, Martin Kosek wrote:
> >>>>>> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
> >>>>>>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
> >>>>>>>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
> >>>>>>>>> Hi team,
> >>>>>>>>>
> >>>>>>>>> It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
> >>>>>>>>> upgrade from older releases:
> >>>>>>>>>
> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/4529
> >>>>>>>>>
> >>>>>>>>> We also have packaging fix requested by Fedora Server roles group:
> >>>>>>>>>
> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/4430
> >>>>>>>>>
> >>>>>>>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
> >>>>>>>>> Makes sense? Any other tickets or patches we would like to get in?
> >>>>>>>> Looks like it's just those two. I'll start releasing shortly.
> >>>>>>> I'd like to get a fix in for the missing ciphers in the new NSS. I can
> >>>>>>> have a patch on the list shortly.
> >>>>>>>
> >>>>>>> Nathaniel
> >>>>>> Isn't this related to
> >>>>>> https://fedorahosted.org/freeipa/ticket/4395
> >>>>>> ? I think we do not work with the newest DS which fixed the default ciphers.
> >>>>> yes
> >>>>>> Don't we need to set our SSL ciphers setting to
> >>>>>>
> >>>>>> https://fedorahosted.org/389/ticket/47838#comment:29
> >>>>> yes
> >>>>> tjhe attached patch tries this, but at the moment I failed to build and
> >>>>> also to upgrade to F21
> >>>> NACKallowweakcipher
> >>>>
> >>>>
> >>>> LDAP error: OBJECT_CLASS_VIOLATION
> >>>> attribute "allowweakcipher" not allowed
> >>>>
> >>>> I suspect we are missing a spec file requirement on a newer version of 389...
> >>> yes, you need the latest build of DS, Noriko added the allowweakcipher
> >>> only yesterday.
> >>> That's the problem, I wanted to wait with the ipa side patch until
> >>> allowweakcipher was implemented and then on F21 ipa and 389 no longer
> >>> played well and now there is a rush
> >
> > Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> > http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> > so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
> > in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
> > based on it?
> >
> > If yes, we may need to include the patch in Fedora 21 downstream only after all..
>
> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> couldn't include the patch even there.
> There better be no such issues.
Right now FreeIPA in Fedora 21 is completely broken.
More information about the Freeipa-devel
mailing list