[Freeipa-devel] FreeIPA 4.0.3?

Nathaniel McCallum npmccallum at redhat.com
Fri Sep 12 14:08:32 UTC 2014


On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
> On 09/12/2014 10:25 AM, Martin Kosek wrote:
> > On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
> >>
> >> On 09/12/2014 09:37 AM, Martin Kosek wrote:
> >>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
> >>>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
> >>>>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> >>>>>> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
> >>>>>>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
> >>>>>>>>
> >>>>>>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> >>>>>>>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
> >>>>>>> ...
> >>>>>>>>>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> >>>>>>>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> >>>>>>>>>> so that F20 users can upgrade to the newest FreeIPA. Are there any
> >>>>>>>>>> known issues
> >>>>>>>>>> in the F21 389-ds-base build that would prevent upstream FreeIPA
> >>>>>>>>>> 4.0.x from being
> >>>>>>>>>> based on it?
> >>>>>>>>>>
> >>>>>>>>>> If yes, we may need to include the patch in Fedora 21 downstream only
> >>>>>>>>>> after all..
> >>>>>>>>>
> >>>>>>>>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> >>>>>>>>> couldn't include the patch even there.
> >>>>>>>>> There better be no such issues.
> >>>>>>>> What do you mean by "no such issues"? I don't think that 389/F21 will
> >>>>>>>> be the first bug-free software. At the moment Thierry is investigating a
> >>>>>>>> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
> >>>>>>>>
> >>>>>>>
> >>>>>>> any known issues in the F21 389-ds-base build that would prevent
> >>>>>>> upstream FreeIPA 4.0.x from being based on it
> >>>>>>
> >>>>>> Yes. 389 will not start if weak ciphers are specified. Currently,
> >>>>>> FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
> >>>>>> work at all because the DS will never start.
> >>>>>>
> >>>>>> We need this patch merged: https://fedorahosted.org/389/ticket/47838
> >>>>
> >>>> Done: thanks everyone on the DS side!
> >>>>
> >>>>>> Then, we need an F21 build of 389-ds-base.
> >>>>
> >>>> Done: thanks nhosoi!
> >>>>
> >>>>>> Then we need to merge Ludwig's IPA patch from this thread with a
> >>>>>> versioned dependency on the new 389-ds-base build.
> >>>>
> >>>> New patch attached which includes a versioned dep on the new DS.
> >>>
> >>> ipa-server-install still fails for me, even when I use
> >>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
> >>>
> >>> # ipa-server-install
> >>> ...
> >>>   [12/13]: restarting httpd
> >>>   [13/13]: configuring httpd to start on boot
> >>> Done configuring the web interface (httpd).
> >>> Applying LDAP updates
> >>> Unexpected error - see /var/log/ipaserver-install.log for details:
> >>> ObjectclassViolation: attribute "allowweakciphers" not allowed
> >>>
> >>>
> >>> I think you simply use a wrong config name - it has an extra "s" at the end. It is
> >>> defined as
> >> That typo was already in my first draft of the patch, sorry.
> >>>
> >>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
> >>>
> >>>
> >>> Also, do we really need to set it to "off" in the updates? AFAIU, it is off
> >>> by default in our config and with the current setting, users could not set it to
> >>> "on" (for whatever reason) without the value being overwritten with every run
> >>> of the FreeIPA upgrade.
> >> Could there be an upgrade from an install not yet using that param? Should
> >> "only:allowWeakCipher" be replaced by "addifnew"?
> >
> > You can try "default:allowWeakCiphers: off" - it would set the attribute to off
> > if it was not there before.
> >
> > Given you are probably working on an updated version, I would also recommend
> > following
> >
> > http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
> >
> > as I saw a couple of nitpicks with your patch:
> > - ticket number in the patch description and not in its body
> > - bad "From" field - I would rather expect it to be "Ludwig Krispenz
> > <lkrispen at redhat.com>" than "lkrispen <lkrispen at redhat.com>"
> >
> > Thanks,
> > Martin
> 
> Hello, any update on this front? Are you or Nathaniel updating the patch?

Attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Update-389-SSL-cipher-config.patch
Type: text/x-patch
Size: 4040 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140912/6eca36c8/attachment.bin>
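The thread turns on two details of the update file: the attribute is allowWeakCipher (no trailing "s", which is what produced the ObjectclassViolation), and "only:" rewrites the value on every upgrade run whereas "default:"/"addifnew" touch the attribute only when it is absent, so an operator's manual "on" survives later upgrades. The following is an added example, not code from FreeIPA or 389-ds: a small in-memory model of those update directives applied to the cn=encryption,cn=config entry. The directive semantics, the attribute list and the objectclass name are assumptions simplified from the documented ipa-ldap-updater behaviour; nothing here talks to a real directory server.

```python
"""Added example (not FreeIPA's or 389-ds's own code): a small model of how
the directives in a FreeIPA update file (only:, default:, addifnew:, add:,
remove:) change an LDAP entry, used to show why the thread prefers
"default:" over "only:" for allowWeakCipher in cn=encryption,cn=config.
The directive semantics and the attribute set below are assumptions,
simplified from ipa-ldap-updater behaviour; this is not the real updater."""

from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # attribute name, lower-cased -> list of values

# Assumed subset of attributes 389-ds allows on cn=encryption,cn=config.
# The check it feeds reproduces the thread's failure: "allowWeakCiphers"
# (extra "s") is not in the schema, "allowWeakCipher" is.
ENCRYPTION_ENTRY_ATTRS = {"cn", "objectclass", "nsssl3", "nstls1",
                          "nsssl3ciphers", "allowweakcipher"}


class ObjectclassViolation(Exception):
    """Stand-in for the LDAP objectClassViolation ipa-server-install reported."""


def parse_directive(line: str) -> Tuple[str, str, str]:
    """Split 'only:allowWeakCipher: off' into (directive, attribute, value)."""
    directive, rest = line.split(":", 1)
    attr, value = rest.split(":", 1)
    return directive.strip().lower(), attr.strip().lower(), value.strip()


def apply_update(entry: Entry, line: str,
                 allowed=ENCRYPTION_ENTRY_ATTRS) -> Entry:
    """Return a copy of `entry` with one update line applied, refusing
    attributes the (assumed) schema does not allow."""
    directive, attr, value = parse_directive(line)
    if attr not in allowed:
        raise ObjectclassViolation(f'attribute "{attr}" not allowed')
    new = {k: list(v) for k, v in entry.items()}
    current = new.get(attr, [])
    if directive == "only":
        new[attr] = [value]              # rewritten on every upgrade run
    elif directive in ("default", "addifnew"):
        if not current:                  # set only when the attribute is absent
            new[attr] = [value]
    elif directive == "add":
        if value not in current:
            new[attr] = current + [value]
    elif directive == "remove":
        remaining = [v for v in current if v != value]
        if remaining:
            new[attr] = remaining
        else:
            new.pop(attr, None)
    else:
        raise ValueError(f"unknown directive {directive!r}")
    return new


def upgrade_operator_upgrade(line: str) -> List[str]:
    """Entry from an install that predates the attribute (constructed sample),
    one upgrade run, an operator manually turning weak ciphers on, then a
    second upgrade run. Returns the final allowWeakCipher value(s)."""
    entry: Entry = {"cn": ["encryption"],
                    "objectclass": ["top", "nsEncryptionConfig"],  # assumed
                    "nsssl3": ["off"], "nstls1": ["on"]}
    entry = apply_update(entry, line)
    entry["allowweakcipher"] = ["on"]    # operator's manual change between upgrades
    return apply_update(entry, line)["allowweakcipher"]


if __name__ == "__main__":
    print("only:    ", upgrade_operator_upgrade("only:allowWeakCipher: off"))
    print("default: ", upgrade_operator_upgrade("default:allowWeakCipher: off"))
    try:
        apply_update({}, "only:allowWeakCiphers: off")
    except ObjectclassViolation as err:
        print("typo:    ", err)
```

Running it shows the trade-off Martin raises: with "only:" the second upgrade clobbers the operator's "on", with "default:" (or "addifnew") the value is set once on first upgrade and left alone afterwards, and the misspelled attribute is rejected before anything is written.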