[Freeipa-devel] FreeIPA 4.0.3?

Fri Sep 12 11:17:40 UTC 2014

On 09/12/2014 10:25 AM, Martin Kosek wrote:
> On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
>>
>> On 09/12/2014 09:37 AM, Martin Kosek wrote:
>>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
>>>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
>>>>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
>>>>>> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
>>>>>>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
>>>>>>>>
>>>>>>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
>>>>>>>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
>>>>>>> ...
>>>>>>>>>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
>>>>>>>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
>>>>>>>>>> so that F20 users can upgrade to the newest FreeIPA. Are there any
>>>>>>>>>> known issues
>>>>>>>>>> in the F21 389-ds-base build that would prevent upstream FreeIPA
>>>>>>>>>> 4.0.x to be
>>>>>>>>>> based on it?
>>>>>>>>>>
>>>>>>>>>> If yes, we may need to include the patch in Fedora 21 downstream only
>>>>>>>>>> after all..
>>>>>>>>>
>>>>>>>>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
>>>>>>>>> couldn't include the patch even there.
>>>>>>>>> There better be no such issues.
>>>>>>>> what do you mean by "no such issues" ? I don't think that 389/F21 will
>>>>>>>> be the first bug free software. At the moment Thierry is investigating a
>>>>>>>> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
>>>>>>>>
>>>>>>>
>>>>>>> any known issues in the F21 389-ds-base build that would prevent
>>>>>>> upstream FreeIPA 4.0.x to be based on it
>>>>>>
>>>>>> Yes. 389 will not start if weak ciphers are specified. Currently,
>>>>>> FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
>>>>>> work at all because the DS will never start.
>>>>>>
>>>>>> We need this patch merged: https://fedorahosted.org/389/ticket/47838
>>>>
>>>> Done: thanks everyone on the DS side!
>>>>
>>>>>> Then, we need an F21 build of 389-ds-base.
>>>>
>>>> Done: thanks nhosoi!
>>>>
>>>>>> Then we need to merge Ludwig's IPA patch from this thread with a
>>>>>> versioned dependency on the new 389-ds-base build.
>>>>
>>>> New patch attached which includes a versioned dep on the new DS.
>>>
>>> ipa-server-install still fails for me, even when I use
>>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
>>>
>>> # ipa-server-install
>>> ...
>>>   [12/13]: restarting httpd
>>>   [13/13]: configuring httpd to start on boot
>>> Done configuring the web interface (httpd).
>>> Applying LDAP updates
>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>> ObjectclassViolation: attribute "allowweakciphers" not allowed
>>>
>>>
>>> I think you simply use a wrong config name - have extra "s" in the end. It is
>>> defined as
>> that typo was already in my first draft of the patch, sorry
>>>
>>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
>>>
>>>
>>> Also, do we really need to put it to "off" in the updates? AFAIU, it is off
>>> by default in our config and with current setting, users could not put it to
>>> "on" (for whatever reason) without the value being overwritten with every run
>>> of FreeIPA upgrade.
>> could there be an upgrade from a install not yet using that params. should
>> "only:allowWeakCipher" be replaced by "addifnew" ?
>
> You can try "default:allowWeakCiphers: off" - it would set the attribute to off
> if it was not there before.
>
> Given you are probably working on updated version, I would also recommend
> following
>
> http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
>
> as I saw couple nitpicks with your patch
> - ticket number in patch description and not in it's body
> - bad "From" field - I would rather expect it to be "Ludwig Krispenz
> <lkrispen at redhat.com>" than "lkrispen <lkrispen at redhat.com>"
>
> Thanks,
> Martin

Hello, any update on this front? Are you or Nathaniel updating the patch?