Sorry, I missed that. Let's take your patch.

On Fri, 2014-09-12 at 16:16 +0200, Ludwig Krispenz wrote:
> Hi,
>
> I already had sent a patch for review, It is exactly like yours with one
> exception:
> 65c61
> < +default:allowWeakCipher: off
> ---
> > +addifnew:allowWeakCipher: off
>
> I tested with default, but it was ignored - is default only used for new
> entries ?
>
> On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
> > On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
> >> On 09/12/2014 10:25 AM, Martin Kosek wrote:
> >>> On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
> >>>> On 09/12/2014 09:37 AM, Martin Kosek wrote:
> >>>>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
> >>>>>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
> >>>>>>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> >>>>>>>> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
> >>>>>>>>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
> >>>>>>>>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> >>>>>>>>>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
> >>>>>>>>> ...
> >>>>>>>>>>>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> >>>>>>>>>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> >>>>>>>>>>>> so that F20 users can upgrade to the newest FreeIPA. Are there any
> >>>>>>>>>>>> known issues in the F21 389-ds-base build that would prevent
> >>>>>>>>>>>> upstream FreeIPA 4.0.x to be based on it?
> >>>>>>>>>>>>
> >>>>>>>>>>>> If yes, we may need to include the patch in Fedora 21 downstream
> >>>>>>>>>>>> only after all..
> >>>>>>>>>>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> >>>>>>>>>>> couldn't include the patch even there.
> >>>>>>>>>>> There better be no such issues.
> >>>>>>>>>> what do you mean by "no such issues" ? I don't think that 389/F21
> >>>>>>>>>> will be the first bug free software. At the moment Thierry is
> >>>>>>>>>> investigating a crash in dna-plugin and Noriko a memory leak,
> >>>>>>>>>> which could be in F21 -
> >>>>>>>>>>
> >>>>>>>>> any known issues in the F21 389-ds-base build that would prevent
> >>>>>>>>> upstream FreeIPA 4.0.x to be based on it
> >>>>>>>> Yes. 389 will not start if weak ciphers are specified. Currently,
> >>>>>>>> FreeIPA specifies weak ciphers. This means that FreeIPA in F21
> >>>>>>>> doesn't work at all because the DS will never start.
> >>>>>>>>
> >>>>>>>> We need this patch merged: https://fedorahosted.org/389/ticket/47838
> >>>>>> Done: thanks everyone on the DS side!
> >>>>>>
> >>>>>>>> Then, we need an F21 build of 389-ds-base.
> >>>>>> Done: thanks nhosoi!
> >>>>>>
> >>>>>>>> Then we need to merge Ludwig's IPA patch from this thread with a
> >>>>>>>> versioned dependency on the new 389-ds-base build.
> >>>>>> New patch attached which includes a versioned dep on the new DS.
> >>>>> ipa-server-install still fails for me, even when I use
> >>>>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
> >>>>>
> >>>>> # ipa-server-install
> >>>>> ...
> >>>>> [12/13]: restarting httpd
> >>>>> [13/13]: configuring httpd to start on boot
> >>>>> Done configuring the web interface (httpd).
> >>>>> Applying LDAP updates
> >>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
> >>>>> ObjectclassViolation: attribute "allowweakciphers" not allowed
> >>>>>
> >>>>>
> >>>>> I think you simply use a wrong config name - have extra "s" in the end.
> >>>>> It is defined as
> >>>> that typo was already in my first draft of the patch, sorry
> >>>>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
> >>>>>
> >>>>>
> >>>>> Also, do we really need to put it to "off" in the updates? AFAIU, it is
> >>>>> off by default in our config and with current setting, users could not
> >>>>> put it to "on" (for whatever reason) without the value being
> >>>>> overwritten with every run of FreeIPA upgrade.
> >>>> could there be an upgrade from a install not yet using that params.
> >>>> should "only:allowWeakCipher" be replaced by "addifnew" ?
> >>> You can try "default:allowWeakCiphers: off" - it would set the attribute
> >>> to off if it was not there before.
> >>>
> >>> Given you are probably working on updated version, I would also recommend
> >>> following
> >>>
> >>> http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
> >>>
> >>> as I saw couple nitpicks with your patch
> >>> - ticket number in patch description and not in its body
> >>> - bad "From" field - I would rather expect it to be "Ludwig Krispenz
> >>> <lkris...@redhat.com>" than "lkrispen <lkris...@redhat.com>"
> >>>
> >>> Thanks,
> >>> Martin
> >> Hello, any update on this front? Are you or Nathaniel updating the patch?
> > Attached.
>
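
Review bot: on the one line where the two patches differ (65c61), the thread reports that "default:" was ignored when tested, so the choice between "default:allowWeakCipher: off" and "addifnew:allowWeakCipher: off" needs to be verified on an upgraded server rather than only on a fresh install. Whichever keyword is merged, please confirm that the attribute is added when it is absent and that an administrator's explicit "on" survives a re-run of the upgrade, which was the objection raised against "only:"; a comment in the update file stating that intent would help. The attribute also has to stay spelled allowWeakCipher, since the variant with a trailing "s" is what produced the ObjectclassViolation quoted above.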