Hi,

I already had sent a patch for review; it is exactly like yours with one exception:
65c61
< +default:allowWeakCipher: off
---
> +addifnew:allowWeakCipher: off
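Review bot: the commit message should state why the `allowWeakCipher: off` line uses `addifnew:` rather than `default:`, since that keyword is the only difference between the two patches. It would also help to test two upgrade cases: an existing `cn=encryption,cn=config` entry that lacks the attribute, and one where an administrator has already set it to `on`, confirming that the first ends up `off` and the second is not overwritten.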

I tested with default, but it was ignored - is default only used for new entries?

On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
On 09/12/2014 10:25 AM, Martin Kosek wrote:
On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
On 09/12/2014 09:37 AM, Martin Kosek wrote:
On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
On 09/11/2014 04:31 PM, Petr Viktorin wrote:
On 09/11/2014 04:26 PM, Martin Kosek wrote:
...
Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..
We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.
what do you mean by "no such issues"? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -

any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it
Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838
Done: thanks everyone on the DS side!

Then, we need an F21 build of 389-ds-base.
Done: thanks nhosoi!

Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.
New patch attached which includes a versioned dep on the new DS.
ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
   [12/13]: restarting httpd
   [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute "allowweakciphers" not allowed


I think you simply use a wrong config name - have extra "s" in the end. It is
defined as
that typo was already in my first draft of the patch, sorry
allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]


Also, do we really need to put it to "off" in the updates? AFAIU, it is off
by default in our config and with current setting, users could not put it to
"on" (for whatever reason) without the value being overwritten with every run
of FreeIPA upgrade.
Could there be an upgrade from an install not yet using that param? Should
"only:allowWeakCipher" be replaced by "addifnew"?
You can try "default:allowWeakCiphers: off" - it would set the attribute to off
if it was not there before.

Given you are probably working on updated version, I would also recommend
following

http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

as I saw a couple of nitpicks with your patch
- ticket number in patch description and not in its body
- bad "From" field - I would rather expect it to be "Ludwig Krispenz
<lkris...@redhat.com>" than "lkrispen <lkris...@redhat.com>"

Thanks,
Martin
Hello, any update on this front? Are you or Nathaniel updating the patch?
Attached.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
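
The keyword question raised in this thread (`default:` versus `addifnew:` versus `only:` for `allowWeakCipher: off`), as an added example that is not part of the original messages and is not FreeIPA's updater code. It is a simplified model: the keyword semantics it encodes are assumptions matching what the posters describe, and the entry states and the `apply_update` and `compare` helpers are constructed for illustration.

```python
# Simplified model of the update keywords discussed in the thread
# (assumed semantics; not FreeIPA's updater code).
SCHEMA_ATTRS = {"allowweakcipher"}   # the one attribute name the thread gives


def apply_update(entry, line, creating=False):
    """Apply one 'keyword:attr: value' update line to an entry (dict).

    default  - honoured only while the entry is being created
    addifnew - adds the attribute only when the entry lacks it
    only     - sets the attribute to exactly this value
    """
    keyword, attr, value = (part.strip() for part in line.split(":", 2))
    key = attr.lower()               # attribute names are case-insensitive
    if key not in SCHEMA_ATTRS:
        # models the ObjectclassViolation seen with the misspelled name
        raise ValueError(f'attribute "{key}" not allowed')
    result = dict(entry)
    if keyword == "default":
        if creating:
            result[key] = value
    elif keyword == "addifnew":
        result.setdefault(key, value)
    elif keyword == "only":
        result[key] = value
    else:
        raise ValueError(f"unsupported keyword: {keyword}")
    return result


# Constructed states of cn=encryption,cn=config before an upgrade.
STATES = {
    "attribute missing": {"cn": "encryption"},
    "admin set on": {"cn": "encryption", "allowweakcipher": "on"},
}


def compare(keywords=("default", "addifnew", "only")):
    """Return {(keyword, state): resulting allowWeakCipher value or None}."""
    out = {}
    for kw in keywords:
        for name, entry in STATES.items():
            after = apply_update(entry, f"{kw}:allowWeakCipher: off")
            out[(kw, name)] = after.get("allowweakcipher")
    return out


if __name__ == "__main__":
    for (kw, name), value in compare().items():
        print(f"{kw:9} | {name:17} -> {value}")
```

Under this model, only `addifnew` both sets `off` on an upgraded entry that lacks the attribute and leaves an administrator's `on` in place.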
