On 09/11/2014 04:22 PM, Nathaniel McCallum wrote: > On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote: >> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote: >>> On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote: >>>> On 09/11/2014 04:04 PM, Martin Kosek wrote: >>>>> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: >>>>>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: >>>>>>> On 09/11/2014 01:37 PM, Martin Kosek wrote: >>>>>>>> Hi team, >>>>>>>> >>>>>>>> It seems we have pretty serious bug in our FreeIPA 4.0.2 release, >>>>>>>> breaking >>>>>>>> upgrade from older releases: >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4529 >>>>>>>> >>>>>>>> We also have packaging fix requested by Fedora Server roles group: >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4430 >>>>>>>> >>>>>>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 >>>>>>>> release... >>>>>>>> Makes sense? Any other tickets or patches we would like to get in? >>>>>>> Looks like it's just those two. I'll start releasing shortly. >>>>>> I'd like to get a fix in for the missing ciphers in the new NSS. I can >>>>>> have a patch on the list shortly. >>>>>> >>>>>> Nathaniel >>>>> Isn't this related to >>>>> https://fedorahosted.org/freeipa/ticket/4395 >>>>> ? I think we do not work with the newest DS which fixed the default >>>>> ciphers. >>>> yes >>>>> Don't we need to set our SSL ciphers setting to >>>>> >>>>> https://fedorahosted.org/389/ticket/47838#comment:29 >>>> yes >>>> tjhe attached patch tries this, but at the moment I failed to build and >>>> also to upgrade to F21 >>> NACKallowweakcipher >>> >>> >>> LDAP error: OBJECT_CLASS_VIOLATION >>> attribute "allowweakcipher" not allowed >>> >>> I suspect we are missing a spec file requirement on a newer version of >>> 389... >> yes, you need the latest build of DS, Noriko added the allowweakcipher >> only yesterday. >> That's the problem, I wanted to wait with the ipa side patch until >> allowweakcipher was implemented and then on F21 ipa and 389 no longer >> played well and now there is a rush
Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade to the newest FreeIPA. Are there any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it? If yes, we may need to include the patch in Fedora 21 downstream only after all... Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel