[Freeipa-devel] FreeIPA 4.0.3?
Nathaniel McCallum
npmccallum at redhat.com
Fri Sep 12 14:16:53 UTC 2014
Sorry, I missed that. Let's take your patch.
On Fri, 2014-09-12 at 16:16 +0200, Ludwig Krispenz wrote:
> Hi,
>
> I alread had sent a patch for review, It is exactly like yours with one
> exception:
> 65c61
> < +default:allowWeakCipher: off
> ---
> > +addifnew:allowWeakCipher: off
>
> I tested with default, but it was ignored - is default only used for new
> entries ?
>
> On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
> > On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
> >> On 09/12/2014 10:25 AM, Martin Kosek wrote:
> >>> On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
> >>>> On 09/12/2014 09:37 AM, Martin Kosek wrote:
> >>>>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
> >>>>>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
> >>>>>>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> >>>>>>>> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
> >>>>>>>>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
> >>>>>>>>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> >>>>>>>>>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
> >>>>>>>>> ...
> >>>>>>>>>>>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> >>>>>>>>>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> >>>>>>>>>>>> so that F20 users can upgrade to the newest FreeIPA. Are there any
> >>>>>>>>>>>> known issues
> >>>>>>>>>>>> in the F21 389-ds-base build that would prevent upstream FreeIPA
> >>>>>>>>>>>> 4.0.x to be
> >>>>>>>>>>>> based on it?
> >>>>>>>>>>>>
> >>>>>>>>>>>> If yes, we may need to include the patch in Fedora 21 downstream only
> >>>>>>>>>>>> after all..
> >>>>>>>>>>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> >>>>>>>>>>> couldn't include the patch even there.
> >>>>>>>>>>> There better be no such issues.
> >>>>>>>>>> what do you mean by "no such issues" ? I don't think that 389/F21 will
> >>>>>>>>>> be the first bug free software. At the moment Thierry is investigating a
> >>>>>>>>>> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
> >>>>>>>>>>
> >>>>>>>>> any known issues in the F21 389-ds-base build that would prevent
> >>>>>>>>> upstream FreeIPA 4.0.x to be based on it
> >>>>>>>> Yes. 389 will not start if weak ciphers are specified. Currently,
> >>>>>>>> FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
> >>>>>>>> work at all because the DS will never start.
> >>>>>>>>
> >>>>>>>> We need this patch merged: https://fedorahosted.org/389/ticket/47838
> >>>>>> Done: thanks everyone on the DS side!
> >>>>>>
> >>>>>>>> Then, we need an F21 build of 389-ds-base.
> >>>>>> Done: thanks nhosoi!
> >>>>>>
> >>>>>>>> Then we need to merge Ludwig's IPA patch from this thread with a
> >>>>>>>> versioned dependency on the new 389-ds-base build.
> >>>>>> New patch attached which includes a versioned dep on the new DS.
> >>>>> ipa-server-install still fails for me, even when I use
> >>>>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
> >>>>>
> >>>>> # ipa-server-install
> >>>>> ...
> >>>>> [12/13]: restarting httpd
> >>>>> [13/13]: configuring httpd to start on boot
> >>>>> Done configuring the web interface (httpd).
> >>>>> Applying LDAP updates
> >>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
> >>>>> ObjectclassViolation: attribute "allowweakciphers" not allowed
> >>>>>
> >>>>>
> >>>>> I think you simply use a wrong config name - have extra "s" in the end. It is
> >>>>> defined as
> >>>> that typo was already in my first draft of the patch, sorry
> >>>>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
> >>>>>
> >>>>>
> >>>>> Also, do we really need to put it to "off" in the updates? AFAIU, it is off
> >>>>> by default in our config and with current setting, users could not put it to
> >>>>> "on" (for whatever reason) without the value being overwritten with every run
> >>>>> of FreeIPA upgrade.
> >>>> could there be an upgrade from a install not yet using that params. should
> >>>> "only:allowWeakCipher" be replaced by "addifnew" ?
> >>> You can try "default:allowWeakCiphers: off" - it would set the attribute to off
> >>> if it was not there before.
> >>>
> >>> Given you are probably working on updated version, I would also recommend
> >>> following
> >>>
> >>> http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
> >>>
> >>> as I saw couple nitpicks with your patch
> >>> - ticket number in patch description and not in it's body
> >>> - bad "From" field - I would rather expect it to be "Ludwig Krispenz
> >>> <lkrispen at redhat.com>" than "lkrispen <lkrispen at redhat.com>"
> >>>
> >>> Thanks,
> >>> Martin
> >> Hello, any update on this front? Are you or Nathaniel updating the patch?
> > Attached.
>
More information about the Freeipa-devel
mailing list