[Freeipa-devel] FreeIPA 4.0.3?

Rob Crittenden rcritten at redhat.com
Fri Sep 12 14:45:39 UTC 2014


Ludwig Krispenz wrote:
> Hi,
> 
> I already had sent a patch for review. It is exactly like yours with one
> exception:
> 65c61
> < +default:allowWeakCipher: off
> ---
>> +addifnew:allowWeakCipher: off
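Review bot: `addifnew:allowWeakCipher: off` is the right directive for this line. `default:` is only consulted while the cn=encryption,cn=config entry is being created, so an entry that already exists on an upgraded server never receives the attribute, which matches the report that the `default` variant was ignored; `addifnew:` writes the value only when the attribute is absent, so it also leaves an administrator's explicit `allowWeakCipher: on` alone, unlike `only:`, which would reset it on every upgrade run. Keep the attribute spelled `allowWeakCipher` with no trailing "s"; the earlier draft failed the schema check with ObjectclassViolation on `allowweakciphers`.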
> 
> I tested with default, but it was ignored - is default only used for new
> entries?

Correct. A value for default is only added when creating an entirely new
entry. addifnew adds the value to the entry only if it doesn't already
exist.

rob

> 
> On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
>> On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
>>> On 09/12/2014 10:25 AM, Martin Kosek wrote:
>>>> On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
>>>>> On 09/12/2014 09:37 AM, Martin Kosek wrote:
>>>>>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
>>>>>>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
>>>>>>>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
>>>>>>>>> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
>>>>>>>>>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
>>>>>>>>>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
>>>>>>>>>>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
>>>>>>>>>> ...
>>>>>>>>>>>>> Also, we will need to add the F21 389-ds-base build to
>>>>>>>>>>>>> FreeIPA Copr:
>>>>>>>>>>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
>>>>>>>>>>>>> so that F20 users can upgrade to the newest FreeIPA. Are
>>>>>>>>>>>>> there any
>>>>>>>>>>>>> known issues
>>>>>>>>>>>>> in the F21 389-ds-base build that would prevent upstream
>>>>>>>>>>>>> FreeIPA
>>>>>>>>>>>>> 4.0.x to be
>>>>>>>>>>>>> based on it?
>>>>>>>>>>>>>
>>>>>>>>>>>>> If yes, we may need to include the patch in Fedora 21
>>>>>>>>>>>>> downstream only
>>>>>>>>>>>>> after all..
>>>>>>>>>>>> We're basing the Fedora 21 Alpha downstream on FreeIPA
>>>>>>>>>>>> 4.0.3, so we
>>>>>>>>>>>> couldn't include the patch even there.
>>>>>>>>>>>> There better be no such issues.
>>>>>>>>>>> what do you mean by "no such issues"? I don't think that
>>>>>>>>>>> 389/F21 will
>>>>>>>>>>> be the first bug-free software. At the moment Thierry is
>>>>>>>>>>> investigating a
>>>>>>>>>>> crash in dna-plugin and Noriko a memory leak, which could be
>>>>>>>>>>> in F21 -
>>>>>>>>>>>
>>>>>>>>>> any known issues in the F21 389-ds-base build that would prevent
>>>>>>>>>> upstream FreeIPA 4.0.x to be based on it
>>>>>>>>> Yes. 389 will not start if weak ciphers are specified. Currently,
>>>>>>>>> FreeIPA specifies weak ciphers. This means that FreeIPA in F21
>>>>>>>>> doesn't
>>>>>>>>> work at all because the DS will never start.
>>>>>>>>>
>>>>>>>>> We need this patch merged:
>>>>>>>>> https://fedorahosted.org/389/ticket/47838
>>>>>>> Done: thanks everyone on the DS side!
>>>>>>>
>>>>>>>>> Then, we need an F21 build of 389-ds-base.
>>>>>>> Done: thanks nhosoi!
>>>>>>>
>>>>>>>>> Then we need to merge Ludwig's IPA patch from this thread with a
>>>>>>>>> versioned dependency on the new 389-ds-base build.
>>>>>>> New patch attached which includes a versioned dep on the new DS.
>>>>>> ipa-server-install still fails for me, even when I use
>>>>>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
>>>>>>
>>>>>> # ipa-server-install
>>>>>> ...
>>>>>>    [12/13]: restarting httpd
>>>>>>    [13/13]: configuring httpd to start on boot
>>>>>> Done configuring the web interface (httpd).
>>>>>> Applying LDAP updates
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> ObjectclassViolation: attribute "allowweakciphers" not allowed
>>>>>>
>>>>>>
>>>>>> I think you simply use a wrong config name - it has an extra "s" at
>>>>>> the end. It is
>>>>>> defined as
>>>>> that typo was already in my first draft of the patch, sorry
>>>>>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on
>>>>>> | off]
>>>>>>
>>>>>>
>>>>>> Also, do we really need to put it to "off" in the updates? AFAIU,
>>>>>> it is off
>>>>>> by default in our config and with current setting, users could not
>>>>>> put it to
>>>>>> "on" (for whatever reason) without the value being overwritten
>>>>>> with every run
>>>>>> of FreeIPA upgrade.
>>>>> could there be an upgrade from an install not yet using that param?
>>>>> Should
>>>>> "only:allowWeakCipher" be replaced by "addifnew"?
>>>> You can try "default:allowWeakCiphers: off" - it would set the
>>>> attribute to off
>>>> if it was not there before.
>>>>
>>>> Given you are probably working on updated version, I would also
>>>> recommend
>>>> following
>>>>
>>>> http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
>>>>
>>>> as I saw a couple of nitpicks with your patch
>>>> - ticket number in patch description and not in its body
>>>> - bad "From" field - I would rather expect it to be "Ludwig Krispenz
>>>> <lkrispen at redhat.com>" than "lkrispen <lkrispen at redhat.com>"
>>>>
>>>> Thanks,
>>>> Martin
>>> Hello, any update on this front? Are you or Nathaniel updating the
>>> patch?
>> Attached.
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
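The thread turns on how three FreeIPA update-file directives treat an attribute that may or may not already be present: `default:` (only honoured when the entry is created), `addifnew:` (added only when the attribute is absent) and `only:` (always replaced). The following is an added illustration, not FreeIPA's own ldapupdate code: a small in-memory model of those three directives applied to constructed entries shaped like cn=encryption,cn=config. The entries, the `apply_update` and `allow_weak_cipher` helpers and the exact directive semantics are assumptions drawn from the discussion above, and it shows why `default:allowWeakCipher: off` did nothing on an upgraded server, why `addifnew:` fixes that without touching an administrator's deliberate `on`, and why `only:` would overwrite that setting on every upgrade run.

```python
# Added illustration (not FreeIPA's ldapupdate code): an in-memory model of how
# three IPA update-file directives treat an attribute on an entry that already
# exists versus one being created. Directive semantics are assumed from the
# mailing-list discussion, not copied from the FreeIPA sources.
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values

# One update line: "<directive>:<attribute>: <value>",
# e.g. "addifnew:allowWeakCipher: off"
UPDATE_LINE = re.compile(
    r"^(?P<directive>[a-z]+):(?P<attr>[A-Za-z][\w-]*):\s*(?P<value>.*)$"
)


def apply_update(entry: Optional[Entry], lines: List[str]) -> Entry:
    """Apply update lines to `entry`; None means the entry does not exist yet.

    Modelled semantics (assumption, see lead-in):
      default:  value is used only while the entry is being created.
      addifnew: value is added only if the attribute is absent.
      only:     attribute is replaced by exactly this value on every run.
    Attribute names are compared case-insensitively, as in LDAP.
    """
    creating = entry is None
    result: Entry = {} if creating else {k.lower(): list(v) for k, v in entry.items()}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UPDATE_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed update line: {line!r}")
        directive, attr, value = m["directive"], m["attr"].lower(), m["value"]
        if directive == "default":
            if creating:  # silently ignored on an existing entry
                result.setdefault(attr, []).append(value)
        elif directive == "addifnew":
            if attr not in result:  # never overwrites an existing value
                result[attr] = [value]
        elif directive == "only":
            result[attr] = [value]  # clobbers whatever was there
        else:
            raise ValueError(f"unsupported directive {directive!r} in {line!r}")
    return result


def allow_weak_cipher(directive: str, existing: Optional[Entry]) -> Optional[str]:
    """Run "<directive>:allowWeakCipher: off" and return the resulting value."""
    updated = apply_update(existing, [f"{directive}:allowWeakCipher: off"])
    values = updated.get("allowweakcipher")
    return values[0] if values else None


# Constructed sample entries modelled on cn=encryption,cn=config.
NEW_SERVER: Optional[Entry] = None  # fresh install: entry not there yet
UPGRADED_SERVER: Entry = {          # older install: attribute absent
    "objectClass": ["top", "nsEncryptionConfig"],
    "cn": ["encryption"],
}
# Hypothetical admin who deliberately turned weak ciphers back on.
ADMIN_OPTED_IN: Entry = dict(UPGRADED_SERVER, allowWeakCipher=["on"])


if __name__ == "__main__":
    samples = (("new", NEW_SERVER), ("upgraded", UPGRADED_SERVER), ("opted-in", ADMIN_OPTED_IN))
    for name, entry in samples:
        for directive in ("default", "addifnew", "only"):
            print(f"{name:9s} {directive:9s} -> allowWeakCipher = {allow_weak_cipher(directive, entry)}")
```

Run stand-alone, the table makes the thread's two findings visible side by side: on the "upgraded" entry `default` leaves allowWeakCipher unset while `addifnew` sets it to off, and on the "opted-in" entry only `only` flips the administrator's on back to off. On a real server the effective value can be read back from cn=encryption,cn=config as Directory Manager before and after running the upgrade to confirm the directive behaved as expected.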
