[Freeipa-devel] FreeIPA 4.0.3?

Ludwig Krispenz lkrispen at redhat.com
Fri Sep 12 08:13:09 UTC 2014


On 09/12/2014 09:37 AM, Martin Kosek wrote:
> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
>>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
>>>> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
>>>>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
>>>>>>
>>>>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
>>>>>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
>>>>> ...
>>>>>>>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
>>>>>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
>>>>>>>> so that F20 users can upgrade to the newest FreeIPA. Are there any
>>>>>>>> known issues in the F21 389-ds-base build that would prevent upstream
>>>>>>>> FreeIPA 4.0.x to be based on it?
>>>>>>>>
>>>>>>>> If yes, we may need to include the patch in Fedora 21 downstream only
>>>>>>>> after all..
>>>>>>>
>>>>>>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
>>>>>>> couldn't include the patch even there.
>>>>>>> There better be no such issues.
>>>>>> What do you mean by "no such issues"? I don't think that 389/F21 will
>>>>>> be the first bug-free software. At the moment Thierry is investigating a
>>>>>> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
>>>>>>
>>>>>
>>>>> any known issues in the F21 389-ds-base build that would prevent
>>>>> upstream FreeIPA 4.0.x to be based on it
>>>>
>>>> Yes. 389 will not start if weak ciphers are specified. Currently,
>>>> FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
>>>> work at all because the DS will never start.
>>>>
>>>> We need this patch merged: https://fedorahosted.org/389/ticket/47838
>>
>> Done: thanks everyone on the DS side!
>>
>>>> Then, we need an F21 build of 389-ds-base.
>>
>> Done: thanks nhosoi!
>>
>>>> Then we need to merge Ludwig's IPA patch from this thread with a
>>>> versioned dependency on the new 389-ds-base build.
>>
>> New patch attached which includes a versioned dep on the new DS.
>
> ipa-server-install still fails for me, even when I use 
> 389-ds-base-1.3.3.2-1.fc20.x86_64:
>
> # ipa-server-install
> ...
>   [12/13]: restarting httpd
>   [13/13]: configuring httpd to start on boot
> Done configuring the web interface (httpd).
> Applying LDAP updates
> Unexpected error - see /var/log/ipaserver-install.log for details:
> ObjectclassViolation: attribute "allowweakciphers" not allowed
>
>
> I think you simply use a wrong config name - have extra "s" in the 
> end. It is defined as
That typo was already in my first draft of the patch, sorry.
>
> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
>
>
> Also, do we really need to put it to "off" in the updates? AFAIU, it 
> is off by default in our config and with current setting, users could 
> not put it to "on" (for whatever reason) without the value being 
> overwritten with every run of FreeIPA upgrade.
Could there be an upgrade from an install not yet using that param?
Should "only:allowWeakCipher" be replaced by "addifnew"?

>
> Martin
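
A simplified model of the two points raised in this message, added here as an example and not taken from the patch or from FreeIPA's updater: the misspelled attribute name is rejected by the schema check, and "only" resets an administrator's "on" at every upgrade run while "addifnew" writes "off" only where the attribute is absent. The schema set, the entry dicts, the function names and the directive semantics as modelled are assumptions.

```python
# Simplified model of the "only" and "addifnew" update directives
# discussed in this thread. Not FreeIPA code; semantics are assumed.

# Constructed stand-in for the attributes the schema allows on
# cn=encryption,cn=config (names compared case-insensitively).
ALLOWED = {"cn", "objectclass", "allowweakcipher"}


class ObjectclassViolation(Exception):
    """Raised when an update names an attribute the schema does not allow."""


def apply_update(entry, directive, attr, value):
    """Return a new entry after applying one 'directive:attr: value' line."""
    key = attr.lower()  # LDAP attribute names are case-insensitive
    if key not in ALLOWED:
        raise ObjectclassViolation('attribute "%s" not allowed' % key)
    result = dict(entry)
    if directive == "only":
        result[key] = [value]            # always overwrite with this value
    elif directive == "addifnew":
        result.setdefault(key, [value])  # set only if the attribute is absent
    else:
        raise ValueError("directive not modelled: %s" % directive)
    return result


def simulate_upgrades(entry, directive, runs=2):
    """Apply the allowWeakCipher update once per upgrade run."""
    for _ in range(runs):
        entry = apply_update(entry, directive, "allowWeakCipher", "off")
    return entry["allowweakcipher"]


if __name__ == "__main__":
    # Constructed entries: an install predating the attribute, and one
    # where the administrator deliberately set it to "on".
    fresh = {"cn": ["encryption"]}
    admin_on = {"cn": ["encryption"], "allowweakcipher": ["on"]}
    for name, entry in (("fresh", fresh), ("admin_on", admin_on)):
        for directive in ("only", "addifnew"):
            print(name, directive, simulate_upgrades(entry, directive))
    try:
        apply_update(fresh, "only", "allowWeakCiphers", "off")
    except ObjectclassViolation as exc:
        print("rejected:", exc)  # the trailing "s", not the case, is the problem
```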



