[Freeipa-devel] FreeIPA 4.0.3?

Martin Kosek mkosek at redhat.com
Fri Sep 12 08:25:37 UTC 2014


On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
>
> On 09/12/2014 09:37 AM, Martin Kosek wrote:
>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
>>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
>>>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
>>>>> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
>>>>>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
>>>>>>>
>>>>>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
>>>>>>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
>>>>>> ...
>>>>>>>>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
>>>>>>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
>>>>>>>>> so that F20 users can upgrade to the newest FreeIPA. Are there any
>>>>>>>>> known issues
>>>>>>>>> in the F21 389-ds-base build that would prevent upstream FreeIPA
>>>>>>>>> 4.0.x to be
>>>>>>>>> based on it?
>>>>>>>>>
>>>>>>>>> If yes, we may need to include the patch in Fedora 21 downstream only
>>>>>>>>> after all..
>>>>>>>>
>>>>>>>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
>>>>>>>> couldn't include the patch even there.
>>>>>>>> There better be no such issues.
>>>>>>> What do you mean by "no such issues"? I don't think that 389/F21 will
>>>>>>> be the first bug free software. At the moment Thierry is investigating a
>>>>>>> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
>>>>>>>
>>>>>>
>>>>>> any known issues in the F21 389-ds-base build that would prevent
>>>>>> upstream FreeIPA 4.0.x to be based on it
>>>>>
>>>>> Yes. 389 will not start if weak ciphers are specified. Currently,
>>>>> FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
>>>>> work at all because the DS will never start.
>>>>>
>>>>> We need this patch merged: https://fedorahosted.org/389/ticket/47838
>>>
>>> Done: thanks everyone on the DS side!
>>>
>>>>> Then, we need an F21 build of 389-ds-base.
>>>
>>> Done: thanks nhosoi!
>>>
>>>>> Then we need to merge Ludwig's IPA patch from this thread with a
>>>>> versioned dependency on the new 389-ds-base build.
>>>
>>> New patch attached which includes a versioned dep on the new DS.
>>
>> ipa-server-install still fails for me, even when I use
>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
>>
>> # ipa-server-install
>> ...
>>   [12/13]: restarting httpd
>>   [13/13]: configuring httpd to start on boot
>> Done configuring the web interface (httpd).
>> Applying LDAP updates
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> ObjectclassViolation: attribute "allowweakciphers" not allowed
>>
>>
>> I think you simply use a wrong config name - you have an extra "s" at the end. It is
>> defined as
> that typo was already in my first draft of the patch, sorry
>>
>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
>>
>>
>> Also, do we really need to put it to "off" in the updates? AFAIU, it is off
>> by default in our config and with current setting, users could not put it to
>> "on" (for whatever reason) without the value being overwritten with every run
>> of FreeIPA upgrade.
> Could there be an upgrade from an install not yet using that param? Should
> "only:allowWeakCipher" be replaced by "addifnew"?

You can try "default:allowWeakCiphers: off" - it would set the attribute to off 
if it was not there before.

Given you are probably working on an updated version, I would also recommend following

http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

as I saw a couple of nitpicks with your patch:
- ticket number in patch description and not in its body
- bad "From" field - I would rather expect it to be "Ludwig Krispenz 
<lkrispen at redhat.com>" than "lkrispen <lkrispen at redhat.com>"

Thanks,
Martin
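A toy interpreter for the update-file actions discussed in this thread (only / default / addifnew), added here as an illustration and not FreeIPA's own ipa-ldap-updater code; the action semantics are paraphrased from the FreeIPA update-file format, and the cn=encryption entry and the admin's change are constructed sample data.

```python
"""Toy model of FreeIPA update-file directives (illustration, not FreeIPA code).

Assumed semantics, paraphrased from the FreeIPA update-file format:
  only:     replace every existing value of the attribute with the given one
  default:  set the value only if the attribute is absent
  addifnew: add the value only if the attribute is absent
  add:      add the value alongside any existing ones
"""
from copy import deepcopy

# Constructed entry modelled on 389-ds "cn=encryption,cn=config"; LDAP attribute
# names are case-insensitive, so the model keys them in lower case.
ENCRYPTION_ENTRY = {
    "dn": "cn=encryption,cn=config",
    "nsslapd-security": ["on"],
}


def apply_directive(entry, directive):
    """Apply one 'action:attr: value' update line and return a new entry."""
    action, attr, value = (part.strip() for part in directive.split(":", 2))
    attr = attr.lower()
    new = deepcopy(entry)
    present = bool(new.get(attr))
    if action == "only":
        new[attr] = [value]                 # overwrites whatever the admin set
    elif action in ("default", "addifnew"):
        if not present:
            new[attr] = [value]             # leaves an existing value alone
    elif action == "add":
        new.setdefault(attr, [])
        if value not in new[attr]:
            new[attr].append(value)
    else:
        raise ValueError(f"unsupported action in this toy model: {action}")
    return new


def attribute_after_two_upgrades(entry, directive, admin_value):
    """Run the directive, let an admin change the attribute, then run it again.

    Returns the attribute's values after the second run, i.e. what the admin
    would find after the next upgrade. With "only:" the admin's choice is
    reset every upgrade; with "default:" or "addifnew:" it survives.
    """
    attr = directive.split(":", 2)[1].strip().lower()
    after_first = apply_directive(entry, directive)
    after_admin = deepcopy(after_first)
    after_admin[attr] = [admin_value]       # constructed admin change
    return apply_directive(after_admin, directive)[attr]
```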