subject:"\[Freeipa\-devel\] FreeIPA 4.0.3\?"


On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -



any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838


Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.


Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.


New patch attached which includes a versioned dep on the new DS.


ipa-server-install still fails for me, even when I use 
389-ds-base-1.3.3.2-1.fc20.x86_64:


# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the end. It is 
defined as


allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it is off by 
default in our config and with current setting, users could not put it to on 
(for whatever reason) without the value being overwritten with every run of 
FreeIPA upgrade.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-12 Thread Ludwig Krispenz



On 09/12/2014 09:37 AM, Martin Kosek wrote:

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...
Also, we will need to add the F21 389-ds-base build to FreeIPA 
Copr:

http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 
downstream only

after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.
what do you mean by no such issues ? I don't think that 389/F21 
will
be the first bug free software. At the moment Thierry is 
investigating a
crash in dna-plugin and Noriko a memory leak, which could be in 
F21 -




any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838


Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.


Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.


New patch attached which includes a versioned dep on the new DS.


ipa-server-install still fails for me, even when I use 
389-ds-base-1.3.3.2-1.fc20.x86_64:


# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the 
end. It is defined as

that typo was already in my first draft of the patch, sorry


allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it 
is off by default in our config and with current setting, users could 
not put it to on (for whatever reason) without the value being 
overwritten with every run of FreeIPA upgrade.
could there be an upgrade from a install not yet using that params. 
should only:allowWeakCipher be replaced by addifnew ?




Martin


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?


On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:


On 09/12/2014 09:37 AM, Martin Kosek wrote:

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -



any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838


Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.


Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.


New patch attached which includes a versioned dep on the new DS.


ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the end. It is
defined as

that typo was already in my first draft of the patch, sorry


allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it is off
by default in our config and with current setting, users could not put it to
on (for whatever reason) without the value being overwritten with every run
of FreeIPA upgrade.

could there be an upgrade from a install not yet using that params. should
only:allowWeakCipher be replaced by addifnew ?


You can try default:allowWeakCiphers: off - it would set the attribute to off 
if it was not there before.


Given you are probably working on updated version, I would also recommend 
following

http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

as I saw couple nitpicks with your patch
- ticket number in patch description and not in it's body
- bad From field - I would rather expect it to be Ludwig Krispenz 
lkris...@redhat.com than lkrispen lkris...@redhat.com


Thanks,
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?


On 09/12/2014 10:25 AM, Martin Kosek wrote:

On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:


On 09/12/2014 09:37 AM, Martin Kosek wrote:

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -



any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838


Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.


Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.


New patch attached which includes a versioned dep on the new DS.


ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the end. It is
defined as

that typo was already in my first draft of the patch, sorry


allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it is off
by default in our config and with current setting, users could not put it to
on (for whatever reason) without the value being overwritten with every run
of FreeIPA upgrade.

could there be an upgrade from a install not yet using that params. should
only:allowWeakCipher be replaced by addifnew ?


You can try default:allowWeakCiphers: off - it would set the attribute to off
if it was not there before.

Given you are probably working on updated version, I would also recommend
following

http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

as I saw couple nitpicks with your patch
- ticket number in patch description and not in it's body
- bad From field - I would rather expect it to be Ludwig Krispenz
lkris...@redhat.com than lkrispen lkris...@redhat.com

Thanks,
Martin


Hello, any update on this front? Are you or Nathaniel updating the patch?

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-12 Thread Nathaniel McCallum

On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
 On 09/12/2014 10:25 AM, Martin Kosek wrote:
  On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
 
  On 09/12/2014 09:37 AM, Martin Kosek wrote:
  On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
 
  On 09/11/2014 04:31 PM, Petr Viktorin wrote:
  On 09/11/2014 04:26 PM, Martin Kosek wrote:
  ...
  Also, we will need to add the F21 389-ds-base build to FreeIPA 
  Copr:
  http://copr.fedoraproject.org/coprs/mkosek/freeipa/
  so that F20 users can upgrade to the newest FreeIPA. Are there any
  known issues
  in the F21 389-ds-base build that would prevent upstream FreeIPA
  4.0.x to be
  based on it?
 
  If yes, we may need to include the patch in Fedora 21 downstream 
  only
  after all..
 
  We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
  couldn't include the patch even there.
  There better be no such issues.
  what do you mean by no such issues ? I don't think that 389/F21 
  will
  be the first bug free software. At the moment Thierry is 
  investigating a
  crash in dna-plugin and Noriko a memory leak, which could be in F21 -
 
 
  any known issues in the F21 389-ds-base build that would prevent
  upstream FreeIPA 4.0.x to be based on it
 
  Yes. 389 will not start if weak ciphers are specified. Currently,
  FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
  work at all because the DS will never start.
 
  We need this patch merged: https://fedorahosted.org/389/ticket/47838
 
  Done: thanks everyone on the DS side!
 
  Then, we need an F21 build of 389-ds-base.
 
  Done: thanks nhosoi!
 
  Then we need to merge Ludwig's IPA patch from this thread with a
  versioned dependency on the new 389-ds-base build.
 
  New patch attached which includes a versioned dep on the new DS.
 
  ipa-server-install still fails for me, even when I use
  389-ds-base-1.3.3.2-1.fc20.x86_64:
 
  # ipa-server-install
  ...
[12/13]: restarting httpd
[13/13]: configuring httpd to start on boot
  Done configuring the web interface (httpd).
  Applying LDAP updates
  Unexpected error - see /var/log/ipaserver-install.log for details:
  ObjectclassViolation: attribute allowweakciphers not allowed
 
 
  I think you simply use a wrong config name - have extra s in the end. 
  It is
  defined as
  that typo was already in my first draft of the patch, sorry
 
  allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]
 
 
  Also, do we really need to put it to off in the updates? AFAIU, it is 
  off
  by default in our config and with current setting, users could not put it 
  to
  on (for whatever reason) without the value being overwritten with every 
  run
  of FreeIPA upgrade.
  could there be an upgrade from a install not yet using that params. should
  only:allowWeakCipher be replaced by addifnew ?
 
  You can try default:allowWeakCiphers: off - it would set the attribute to 
  off
  if it was not there before.
 
  Given you are probably working on updated version, I would also recommend
  following
 
  http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
 
  as I saw couple nitpicks with your patch
  - ticket number in patch description and not in it's body
  - bad From field - I would rather expect it to be Ludwig Krispenz
  lkris...@redhat.com than lkrispen lkris...@redhat.com
 
  Thanks,
  Martin
 
 Hello, any update on this front? Are you or Nathaniel updating the patch?

Attached.
From d4d24366c6392a1cd0c3d7c8513e20d0f9520766 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Fri, 12 Sep 2014 10:02:00 -0400
Subject: [PATCH] Update 389 SSL cipher config

We allow 389 to choose its own ciphers, but we default to
disabling weak ciphers. This offloads the choice to the
proper place so that we don't have to manage it in FreeIPA
anymore.

Thanks to Ludwig Krispenz lkris...@redhat.com for the
first version of this patch.

https://fedorahosted.org/freeipa/ticket/4395
---
 freeipa.spec.in  | 6 +++---
 install/updates/20-sslciphers.update | 6 ++
 install/updates/Makefile.am  | 1 +
 ipaserver/install/dsinstance.py  | 7 ++-
 4 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 install/updates/20-sslciphers.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b672ecb03bdd73c1a911a6a982ccd894bebcbce4..685b345fedb9d157c8deedc66f8712da32c5963b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -18,7 +18,7 @@ Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel = 1.3.2.16
+BuildRequires:  389-ds-base-devel = 1.3.3.2
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils =

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-12 Thread Ludwig Krispenz


Hi,

I alread had sent a patch for review, It is exactly like yours with one 
exception:

65c61
 +default:allowWeakCipher: off
---
 +addifnew:allowWeakCipher: off

I tested with default, but it was ignored - is default only used for new 
entries ?


On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:

On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:

On 09/12/2014 10:25 AM, Martin Kosek wrote:

On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:

On 09/12/2014 09:37 AM, Martin Kosek wrote:

On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:

On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..

We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -


any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!


Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!


Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
   [12/13]: restarting httpd
   [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute allowweakciphers not allowed


I think you simply use a wrong config name - have extra s in the end. It is
defined as

that typo was already in my first draft of the patch, sorry

allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | off]


Also, do we really need to put it to off in the updates? AFAIU, it is off
by default in our config and with current setting, users could not put it to
on (for whatever reason) without the value being overwritten with every run
of FreeIPA upgrade.

could there be an upgrade from a install not yet using that params. should
only:allowWeakCipher be replaced by addifnew ?

You can try default:allowWeakCiphers: off - it would set the attribute to off
if it was not there before.

Given you are probably working on updated version, I would also recommend
following

http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

as I saw couple nitpicks with your patch
- ticket number in patch description and not in it's body
- bad From field - I would rather expect it to be Ludwig Krispenz
lkris...@redhat.com than lkrispen lkris...@redhat.com

Thanks,
Martin

Hello, any update on this front? Are you or Nathaniel updating the patch?

Attached.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-12 Thread Nathaniel McCallum

Sorry, I missed that. Let's take your patch.

On Fri, 2014-09-12 at 16:16 +0200, Ludwig Krispenz wrote:
 Hi,
 
 I alread had sent a patch for review, It is exactly like yours with one 
 exception:
 65c61
  +default:allowWeakCipher: off
 ---
   +addifnew:allowWeakCipher: off
 
 I tested with default, but it was ignored - is default only used for new 
 entries ?
 
 On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
  On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
  On 09/12/2014 10:25 AM, Martin Kosek wrote:
  On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
  On 09/12/2014 09:37 AM, Martin Kosek wrote:
  On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
  On 09/11/2014 04:31 PM, Petr Viktorin wrote:
  On 09/11/2014 04:26 PM, Martin Kosek wrote:
  ...
  Also, we will need to add the F21 389-ds-base build to FreeIPA 
  Copr:
  http://copr.fedoraproject.org/coprs/mkosek/freeipa/
  so that F20 users can upgrade to the newest FreeIPA. Are there 
  any
  known issues
  in the F21 389-ds-base build that would prevent upstream FreeIPA
  4.0.x to be
  based on it?
 
  If yes, we may need to include the patch in Fedora 21 downstream 
  only
  after all..
  We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so 
  we
  couldn't include the patch even there.
  There better be no such issues.
  what do you mean by no such issues ? I don't think that 389/F21 
  will
  be the first bug free software. At the moment Thierry is 
  investigating a
  crash in dna-plugin and Noriko a memory leak, which could be in 
  F21 -
 
  any known issues in the F21 389-ds-base build that would prevent
  upstream FreeIPA 4.0.x to be based on it
  Yes. 389 will not start if weak ciphers are specified. Currently,
  FreeIPA specifies weak ciphers. This means that FreeIPA in F21 
  doesn't
  work at all because the DS will never start.
 
  We need this patch merged: https://fedorahosted.org/389/ticket/47838
  Done: thanks everyone on the DS side!
 
  Then, we need an F21 build of 389-ds-base.
  Done: thanks nhosoi!
 
  Then we need to merge Ludwig's IPA patch from this thread with a
  versioned dependency on the new 389-ds-base build.
  New patch attached which includes a versioned dep on the new DS.
  ipa-server-install still fails for me, even when I use
  389-ds-base-1.3.3.2-1.fc20.x86_64:
 
  # ipa-server-install
  ...
 [12/13]: restarting httpd
 [13/13]: configuring httpd to start on boot
  Done configuring the web interface (httpd).
  Applying LDAP updates
  Unexpected error - see /var/log/ipaserver-install.log for details:
  ObjectclassViolation: attribute allowweakciphers not allowed
 
 
  I think you simply use a wrong config name - have extra s in the end. 
  It is
  defined as
  that typo was already in my first draft of the patch, sorry
  allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on | 
  off]
 
 
  Also, do we really need to put it to off in the updates? AFAIU, it is 
  off
  by default in our config and with current setting, users could not put 
  it to
  on (for whatever reason) without the value being overwritten with 
  every run
  of FreeIPA upgrade.
  could there be an upgrade from a install not yet using that params. 
  should
  only:allowWeakCipher be replaced by addifnew ?
  You can try default:allowWeakCiphers: off - it would set the attribute 
  to off
  if it was not there before.
 
  Given you are probably working on updated version, I would also recommend
  following
 
  http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
 
  as I saw couple nitpicks with your patch
  - ticket number in patch description and not in it's body
  - bad From field - I would rather expect it to be Ludwig Krispenz
  lkris...@redhat.com than lkrispen lkris...@redhat.com
 
  Thanks,
  Martin
  Hello, any update on this front? Are you or Nathaniel updating the patch?
  Attached.
 


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-12 Thread Rob Crittenden

Ludwig Krispenz wrote:
 Hi,
 
 I alread had sent a patch for review, It is exactly like yours with one
 exception:
 65c61
  +default:allowWeakCipher: off
 ---
 +addifnew:allowWeakCipher: off
 
 I tested with default, but it was ignored - is default only used for new
 entries ?

Correct. A value for default is only added when creating an entirely new
entry. addifnew adds the value to the entry only if it doesn't already
exist.

rob

 
 On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
 On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
 On 09/12/2014 10:25 AM, Martin Kosek wrote:
 On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
 On 09/12/2014 09:37 AM, Martin Kosek wrote:
 On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
 On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
 On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
 On 09/11/2014 04:31 PM, Petr Viktorin wrote:
 On 09/11/2014 04:26 PM, Martin Kosek wrote:
 ...
 Also, we will need to add the F21 389-ds-base build to
 FreeIPA Copr:
 http://copr.fedoraproject.org/coprs/mkosek/freeipa/
 so that F20 users can upgrade to the newest FreeIPA. Are
 there any
 known issues
 in the F21 389-ds-base build that would prevent upstream
 FreeIPA
 4.0.x to be
 based on it?

 If yes, we may need to include the patch in Fedora 21
 downstream only
 after all..
 We're basing the Fedora 21 Alpha downstream on FreeIPA
 4.0.3, so we
 couldn't include the patch even there.
 There better be no such issues.
 what do you mean by no such issues ? I don't think that
 389/F21 will
 be the first bug free software. At the moment Thierry is
 investigating a
 crash in dna-plugin and Noriko a memory leak, which could be
 in F21 -

 any known issues in the F21 389-ds-base build that would prevent
 upstream FreeIPA 4.0.x to be based on it
 Yes. 389 will not start if weak ciphers are specified. Currently,
 FreeIPA specifies weak ciphers. This means that FreeIPA in F21
 doesn't
 work at all because the DS will never start.

 We need this patch merged:
 https://fedorahosted.org/389/ticket/47838
 Done: thanks everyone on the DS side!

 Then, we need an F21 build of 389-ds-base.
 Done: thanks nhosoi!

 Then we need to merge Ludwig's IPA patch from this thread with a
 versioned dependency on the new 389-ds-base build.
 New patch attached which includes a versioned dep on the new DS.
 ipa-server-install still fails for me, even when I use
 389-ds-base-1.3.3.2-1.fc20.x86_64:

 # ipa-server-install
 ...
[12/13]: restarting httpd
[13/13]: configuring httpd to start on boot
 Done configuring the web interface (httpd).
 Applying LDAP updates
 Unexpected error - see /var/log/ipaserver-install.log for details:
 ObjectclassViolation: attribute allowweakciphers not allowed


 I think you simply use a wrong config name - have extra s in the
 end. It is
 defined as
 that typo was already in my first draft of the patch, sorry
 allowWeakCipher in cn=encryption,cn=config. allowWeakCipher: [on
 | off]


 Also, do we really need to put it to off in the updates? AFAIU,
 it is off
 by default in our config and with current setting, users could not
 put it to
 on (for whatever reason) without the value being overwritten
 with every run
 of FreeIPA upgrade.
 could there be an upgrade from a install not yet using that params.
 should
 only:allowWeakCipher be replaced by addifnew ?
 You can try default:allowWeakCiphers: off - it would set the
 attribute to off
 if it was not there before.

 Given you are probably working on updated version, I would also
 recommend
 following

 http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2

 as I saw couple nitpicks with your patch
 - ticket number in patch description and not in it's body
 - bad From field - I would rather expect it to be Ludwig Krispenz
 lkris...@redhat.com than lkrispen lkris...@redhat.com

 Thanks,
 Martin
 Hello, any update on this front? Are you or Nathaniel updating the
 patch?
 Attached.
 
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] FreeIPA 4.0.3 ?

2014-09-12 Thread Petr Viktorin


There were some critical issues in 4.0.2, mainly with integration:

https://fedorahosted.org/freeipa/ticket/4529 - broken upgrades
https://fedorahosted.org/freeipa/ticket/4430 - python-qrcode packaging fix
https://fedorahosted.org/freeipa/ticket/4395 - update of SSL ciphers
https://fedorahosted.org/freeipa/ticket/4534 - operational attribute ACIs
https://fedorahosted.org/freeipa/ticket/4537 - referential integrity 
configuration


All the fixes are pushed now. Please test!
If nothing else shows up, I will release 4.0.3 today.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3 ?


On 09/12/2014 06:36 PM, Petr Viktorin wrote:

There were some critical issues in 4.0.2, mainly with integration:

https://fedorahosted.org/freeipa/ticket/4529 - broken upgrades
https://fedorahosted.org/freeipa/ticket/4430 - python-qrcode packaging fix
https://fedorahosted.org/freeipa/ticket/4395 - update of SSL ciphers
https://fedorahosted.org/freeipa/ticket/4534 - operational attribute ACIs
https://fedorahosted.org/freeipa/ticket/4537 - referential integrity 
configuration

All the fixes are pushed now. Please test!


+1.


If nothing else shows up, I will release 4.0.3 today.


I also sent fixed 389-ds-base-1.3.3.2-2.fc21.src.rpm to our Copr to have it 
ready for F20.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] FreeIPA 4.0.3?

Hi team,

It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have packaging fix requested by Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
Makes sense? Any other tickets or patches we would like to get in?

Thanks.

-- 
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?


On 09/11/2014 01:37 PM, Martin Kosek wrote:

Hi team,

It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have packaging fix requested by Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
Makes sense? Any other tickets or patches we would like to get in?


Looks like it's just those two. I'll start releasing shortly.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
 On 09/11/2014 01:37 PM, Martin Kosek wrote:
  Hi team,
 
  It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
  upgrade from older releases:
 
  https://fedorahosted.org/freeipa/ticket/4529
 
  We also have packaging fix requested by Fedora Server roles group:
 
  https://fedorahosted.org/freeipa/ticket/4430
 
  It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
  Makes sense? Any other tickets or patches we would like to get in?
 
 Looks like it's just those two. I'll start releasing shortly.

I'd like to get a fix in for the missing ciphers in the new NSS. I can
have a patch on the list shortly.

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
 On 09/11/2014 01:37 PM, Martin Kosek wrote:
 Hi team,

 It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
 upgrade from older releases:

 https://fedorahosted.org/freeipa/ticket/4529

 We also have packaging fix requested by Fedora Server roles group:

 https://fedorahosted.org/freeipa/ticket/4430

 It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
 Makes sense? Any other tickets or patches we would like to get in?

 Looks like it's just those two. I'll start releasing shortly.
 
 I'd like to get a fix in for the missing ciphers in the new NSS. I can
 have a patch on the list shortly.
 
 Nathaniel

Isn't this related to
https://fedorahosted.org/freeipa/ticket/4395
? I think we do not work with the newest DS which fixed the default ciphers.

Don't we need to set our SSL ciphers setting to

https://fedorahosted.org/389/ticket/47838#comment:29

? If yes, I think this is definitely a 4.0.3 candidate.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Ludwig Krispenz



On 09/11/2014 04:04 PM, Martin Kosek wrote:

On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:

On 09/11/2014 01:37 PM, Martin Kosek wrote:

Hi team,

It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have packaging fix requested by Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
Makes sense? Any other tickets or patches we would like to get in?

Looks like it's just those two. I'll start releasing shortly.

I'd like to get a fix in for the missing ciphers in the new NSS. I can
have a patch on the list shortly.

Nathaniel

Isn't this related to
https://fedorahosted.org/freeipa/ticket/4395
? I think we do not work with the newest DS which fixed the default ciphers.

yes


Don't we need to set our SSL ciphers setting to

https://fedorahosted.org/389/ticket/47838#comment:29

yes
tjhe attached patch tries this, but at the moment I failed to build and 
also to upgrade to F21




? If yes, I think this is definitely a 4.0.3 candidate.

Martin


From 40d4318cfc9dc53073316af8b1edff5a68b3fe6b Mon Sep 17 00:00:00 2001
From: lkrispen lkris...@redhat.com
Date: Thu, 11 Sep 2014 14:06:34 +0200
Subject: [PATCH] ticket 4395 - change ciphers enabled by default

---
 install/updates/20-sslciphers.update | 6 ++
 install/updates/Makefile.am  | 1 +
 ipaserver/install/dsinstance.py  | 7 ++-
 3 files changed, 9 insertions(+), 5 deletions(-)
 create mode 100644 install/updates/20-sslciphers.update

diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
new file mode 100644
index 000..ce88dae
--- /dev/null
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@
+# change configured ciphers
+# the result of this update will be that all ciphers
+# provided by NSS which ar not weak will be enabled
+dn: cn=encryption,cn=config
+only:nsSSL3Ciphers: +all
+only:allowWeakCiphers: off
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1d912a7..026cde0 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -14,6 +14,7 @@ app_DATA =\
 	20-indices.update		\
 	20-nss_ldap.update		\
 	20-replication.update		\
+	20-sslciphers.update		\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index cc1d327..0518dd0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -664,11 +664,8 @@ class DsInstance(service.Service):
 conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
 mod = [(ldap.MOD_REPLACE, nsSSLClientAuth, allowed),
-   (ldap.MOD_REPLACE, nsSSL3Ciphers,
--rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha)]
+   (ldap.MOD_REPLACE, nsSSL3Ciphers, +all),
+   (ldap.MOD_REPLACE, allowWeakCipher, off)]
 conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
 mod = [(ldap.MOD_ADD, nsslapd-security, on)]
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
 On 09/11/2014 04:04 PM, Martin Kosek wrote:
  On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
  On 09/11/2014 01:37 PM, Martin Kosek wrote:
  Hi team,
 
  It seems we have pretty serious bug in our FreeIPA 4.0.2 release, 
  breaking
  upgrade from older releases:
 
  https://fedorahosted.org/freeipa/ticket/4529
 
  We also have packaging fix requested by Fedora Server roles group:
 
  https://fedorahosted.org/freeipa/ticket/4430
 
  It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 
  release...
  Makes sense? Any other tickets or patches we would like to get in?
  Looks like it's just those two. I'll start releasing shortly.
  I'd like to get a fix in for the missing ciphers in the new NSS. I can
  have a patch on the list shortly.
 
  Nathaniel
  Isn't this related to
  https://fedorahosted.org/freeipa/ticket/4395
  ? I think we do not work with the newest DS which fixed the default ciphers.
 yes
 
  Don't we need to set our SSL ciphers setting to
 
  https://fedorahosted.org/389/ticket/47838#comment:29
 yes
 tjhe attached patch tries this, but at the moment I failed to build and 
 also to upgrade to F21

I am reviewing this patch now as I am blocked on the issue.

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Ludwig Krispenz



On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:

On 09/11/2014 04:04 PM, Martin Kosek wrote:

On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:

On 09/11/2014 01:37 PM, Martin Kosek wrote:

Hi team,

It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have packaging fix requested by Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
Makes sense? Any other tickets or patches we would like to get in?

Looks like it's just those two. I'll start releasing shortly.

I'd like to get a fix in for the missing ciphers in the new NSS. I can
have a patch on the list shortly.

Nathaniel

Isn't this related to
https://fedorahosted.org/freeipa/ticket/4395
? I think we do not work with the newest DS which fixed the default ciphers.

yes

Don't we need to set our SSL ciphers setting to

https://fedorahosted.org/389/ticket/47838#comment:29

yes
tjhe attached patch tries this, but at the moment I failed to build and
also to upgrade to F21

NACKallowweakcipher


LDAP error: OBJECT_CLASS_VIOLATION
attribute allowweakcipher not allowed

I suspect we are missing a spec file requirement on a newer version of 389...
yes, you need the latest build of DS, Noriko added the allowweakcipher 
only yesterday.
That's the problem, I wanted to wait with the ipa side patch until 
allowweakcipher was implemented and then on F21 ipa and 389 no longer 
played well and now there is a rush




Nathaniel



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
 On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
  On 09/11/2014 04:04 PM, Martin Kosek wrote:
  On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
  On 09/11/2014 01:37 PM, Martin Kosek wrote:
  Hi team,
 
  It seems we have pretty serious bug in our FreeIPA 4.0.2 release, 
  breaking
  upgrade from older releases:
 
  https://fedorahosted.org/freeipa/ticket/4529
 
  We also have packaging fix requested by Fedora Server roles group:
 
  https://fedorahosted.org/freeipa/ticket/4430
 
  It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 
  release...
  Makes sense? Any other tickets or patches we would like to get in?
  Looks like it's just those two. I'll start releasing shortly.
  I'd like to get a fix in for the missing ciphers in the new NSS. I can
  have a patch on the list shortly.
 
  Nathaniel
  Isn't this related to
  https://fedorahosted.org/freeipa/ticket/4395
  ? I think we do not work with the newest DS which fixed the default 
  ciphers.
  yes
  Don't we need to set our SSL ciphers setting to
 
  https://fedorahosted.org/389/ticket/47838#comment:29
  yes
  tjhe attached patch tries this, but at the moment I failed to build and
  also to upgrade to F21
  NACKallowweakcipher
 
 
  LDAP error: OBJECT_CLASS_VIOLATION
  attribute allowweakcipher not allowed
 
  I suspect we are missing a spec file requirement on a newer version of 
  389...
 yes, you need the latest build of DS, Noriko added the allowweakcipher 
 only yesterday.
 That's the problem, I wanted to wait with the ipa side patch until 
 allowweakcipher was implemented and then on F21 ipa and 389 no longer 
 played well and now there is a rush

What is the status on the new 389 patch/build?

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread Ludwig Krispenz



On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:

On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:

On 09/11/2014 04:04 PM, Martin Kosek wrote:

On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:

On 09/11/2014 01:37 PM, Martin Kosek wrote:

Hi team,

It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have packaging fix requested by Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
Makes sense? Any other tickets or patches we would like to get in?

Looks like it's just those two. I'll start releasing shortly.

I'd like to get a fix in for the missing ciphers in the new NSS. I can
have a patch on the list shortly.

Nathaniel

Isn't this related to
https://fedorahosted.org/freeipa/ticket/4395
? I think we do not work with the newest DS which fixed the default ciphers.

yes

Don't we need to set our SSL ciphers setting to

https://fedorahosted.org/389/ticket/47838#comment:29

yes
tjhe attached patch tries this, but at the moment I failed to build and
also to upgrade to F21

NACKallowweakcipher


LDAP error: OBJECT_CLASS_VIOLATION
attribute allowweakcipher not allowed

I suspect we are missing a spec file requirement on a newer version of 389...

yes, you need the latest build of DS, Noriko added the allowweakcipher
only yesterday.
That's the problem, I wanted to wait with the ipa side patch until
allowweakcipher was implemented and then on F21 ipa and 389 no longer
played well and now there is a rush

What is the status on the new 389 patch/build?
a build is here: 
http://copr-be.cloud.fedoraproject.org/results/nhosoi/389-ds-f21/fedora-21-x86_64/389-ds-base-1.3.3.2-a1.fc21/




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
 On 09/11/2014 04:04 PM, Martin Kosek wrote:
  On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
  On 09/11/2014 01:37 PM, Martin Kosek wrote:
  Hi team,
 
  It seems we have pretty serious bug in our FreeIPA 4.0.2 release, 
  breaking
  upgrade from older releases:
 
  https://fedorahosted.org/freeipa/ticket/4529
 
  We also have packaging fix requested by Fedora Server roles group:
 
  https://fedorahosted.org/freeipa/ticket/4430
 
  It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 
  release...
  Makes sense? Any other tickets or patches we would like to get in?
  Looks like it's just those two. I'll start releasing shortly.
  I'd like to get a fix in for the missing ciphers in the new NSS. I can
  have a patch on the list shortly.
 
  Nathaniel
  Isn't this related to
  https://fedorahosted.org/freeipa/ticket/4395
  ? I think we do not work with the newest DS which fixed the default ciphers.
 yes
 
  Don't we need to set our SSL ciphers setting to
 
  https://fedorahosted.org/389/ticket/47838#comment:29
 yes
 tjhe attached patch tries this, but at the moment I failed to build and 
 also to upgrade to F21

NACK

LDAP error: OBJECT_CLASS_VIOLATION
attribute allowweakcipher not allowed

I suspect we are missing a spec file requirement on a newer version of 389...

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
 On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
 On 09/11/2014 04:04 PM, Martin Kosek wrote:
 On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
 On 09/11/2014 01:37 PM, Martin Kosek wrote:
 Hi team,

 It seems we have pretty serious bug in our FreeIPA 4.0.2 release, 
 breaking
 upgrade from older releases:

 https://fedorahosted.org/freeipa/ticket/4529

 We also have packaging fix requested by Fedora Server roles group:

 https://fedorahosted.org/freeipa/ticket/4430

 It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 
 release...
 Makes sense? Any other tickets or patches we would like to get in?
 Looks like it's just those two. I'll start releasing shortly.
 I'd like to get a fix in for the missing ciphers in the new NSS. I can
 have a patch on the list shortly.

 Nathaniel
 Isn't this related to
 https://fedorahosted.org/freeipa/ticket/4395
 ? I think we do not work with the newest DS which fixed the default 
 ciphers.
 yes
 Don't we need to set our SSL ciphers setting to

 https://fedorahosted.org/389/ticket/47838#comment:29
 yes
 tjhe attached patch tries this, but at the moment I failed to build and
 also to upgrade to F21
 NACKallowweakcipher


 LDAP error: OBJECT_CLASS_VIOLATION
 attribute allowweakcipher not allowed

 I suspect we are missing a spec file requirement on a newer version of 
 389...
 yes, you need the latest build of DS, Noriko added the allowweakcipher 
 only yesterday.
 That's the problem, I wanted to wait with the ipa side patch until 
 allowweakcipher was implemented and then on F21 ipa and 389 no longer 
 played well and now there is a rush

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only after 
all...

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 16:25 +0200, Ludwig Krispenz wrote:
On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
On 09/11/2014 04:04 PM, Martin Kosek wrote:
On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
On 09/11/2014 01:37 PM, Martin Kosek wrote:
Hi team,

It seems we have pretty serious bug in our FreeIPA 4.0.2 release,
breaking
upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have packaging fix requested by Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3
release...
Makes sense? Any other tickets or patches we would like to get in?
Looks like it's just those two. I'll start releasing shortly.
I'd like to get a fix in for the missing ciphers in the new NSS. I can
have a patch on the list shortly.

Nathaniel
Isn't this related to
https://fedorahosted.org/freeipa/ticket/4395
? I think we do not work with the newest DS which fixed the default
ciphers.
yes
Don't we need to set our SSL ciphers setting to

https://fedorahosted.org/389/ticket/47838#comment:29
yes
tjhe attached patch tries this, but at the moment I failed to build and
also to upgrade to F21
NACKallowweakcipher

LDAP error: OBJECT_CLASS_VIOLATION
attribute allowweakcipher not allowed

I suspect we are missing a spec file requirement on a newer version of
389...
yes, you need the latest build of DS, Noriko added the allowweakcipher
only yesterday.
That's the problem, I wanted to wait with the ipa side patch until
allowweakcipher was implemented and then on F21 ipa and 389 no longer
played well and now there is a rush
What is the status on the new 389 patch/build?
a build is here:
http://copr-be.cloud.fedoraproject.org/results/nhosoi/389-ds-f21/fedora-21-x86_64/389-ds-base-1.3.3.2-a1.fc21/

The upstream patch is not merged yet. We need 389 to merge the patch, do
a release and get an official Fedora 20/21 build.

Just to be clear, Fedora 21 IPA doesn't work *at all*. So this is an
urgent fix.

Martin, can you coordinate with 389 to prioritize a release with this
fix?

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?


On 09/11/2014 04:26 PM, Martin Kosek wrote:

On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:

On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:

On 09/11/2014 04:04 PM, Martin Kosek wrote:

On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:

On 09/11/2014 01:37 PM, Martin Kosek wrote:

Hi team,

It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking
upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have packaging fix requested by Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
Makes sense? Any other tickets or patches we would like to get in?

Looks like it's just those two. I'll start releasing shortly.

I'd like to get a fix in for the missing ciphers in the new NSS. I can
have a patch on the list shortly.

Nathaniel

Isn't this related to
https://fedorahosted.org/freeipa/ticket/4395
? I think we do not work with the newest DS which fixed the default ciphers.

yes

Don't we need to set our SSL ciphers setting to

https://fedorahosted.org/389/ticket/47838#comment:29

yes
tjhe attached patch tries this, but at the moment I failed to build and
also to upgrade to F21

NACKallowweakcipher


LDAP error: OBJECT_CLASS_VIOLATION
attribute allowweakcipher not allowed

I suspect we are missing a spec file requirement on a newer version of 389...

yes, you need the latest build of DS, Noriko added the allowweakcipher
only yesterday.
That's the problem, I wanted to wait with the ipa side patch until
allowweakcipher was implemented and then on F21 ipa and 389 no longer
played well and now there is a rush


Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only after 
all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we 
couldn't include the patch even there.

There better be no such issues.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 16:31 +0200, Petr Viktorin wrote:
 On 09/11/2014 04:26 PM, Martin Kosek wrote:
  On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
  On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
  On 09/11/2014 04:04 PM, Martin Kosek wrote:
  On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
  On 09/11/2014 01:37 PM, Martin Kosek wrote:
  Hi team,
 
  It seems we have pretty serious bug in our FreeIPA 4.0.2 release, 
  breaking
  upgrade from older releases:
 
  https://fedorahosted.org/freeipa/ticket/4529
 
  We also have packaging fix requested by Fedora Server roles group:
 
  https://fedorahosted.org/freeipa/ticket/4430
 
  It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 
  release...
  Makes sense? Any other tickets or patches we would like to get in?
  Looks like it's just those two. I'll start releasing shortly.
  I'd like to get a fix in for the missing ciphers in the new NSS. I can
  have a patch on the list shortly.
 
  Nathaniel
  Isn't this related to
  https://fedorahosted.org/freeipa/ticket/4395
  ? I think we do not work with the newest DS which fixed the default 
  ciphers.
  yes
  Don't we need to set our SSL ciphers setting to
 
  https://fedorahosted.org/389/ticket/47838#comment:29
  yes
  tjhe attached patch tries this, but at the moment I failed to build and
  also to upgrade to F21
  NACKallowweakcipher
 
 
  LDAP error: OBJECT_CLASS_VIOLATION
  attribute allowweakcipher not allowed
 
  I suspect we are missing a spec file requirement on a newer version of 
  389...
  yes, you need the latest build of DS, Noriko added the allowweakcipher
  only yesterday.
  That's the problem, I wanted to wait with the ipa side patch until
  allowweakcipher was implemented and then on F21 ipa and 389 no longer
  played well and now there is a rush
 
  Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
  http://copr.fedoraproject.org/coprs/mkosek/freeipa/
  so that F20 users can upgrade to the newest FreeIPA. Are there any known 
  issues
  in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
  based on it?
 
  If yes, we may need to include the patch in Fedora 21 downstream only after 
  all..
 
 We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we 
 couldn't include the patch even there.
 There better be no such issues.

Right now FreeIPA in Fedora 21 is completely broken.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?


On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -



any known issues in the F21 389-ds-base build that would prevent 
upstream FreeIPA 4.0.x to be based on it


Plugin crashes or memory leaks are bad, but we can release with them.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
 On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
 
  On 09/11/2014 04:31 PM, Petr Viktorin wrote:
  On 09/11/2014 04:26 PM, Martin Kosek wrote:
 ...
  Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
  http://copr.fedoraproject.org/coprs/mkosek/freeipa/
  so that F20 users can upgrade to the newest FreeIPA. Are there any
  known issues
  in the F21 389-ds-base build that would prevent upstream FreeIPA
  4.0.x to be
  based on it?
 
  If yes, we may need to include the patch in Fedora 21 downstream only
  after all..
 
  We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
  couldn't include the patch even there.
  There better be no such issues.
  what do you mean by no such issues ? I don't think that 389/F21 will
  be the first bug free software. At the moment Thierry is investigating a
  crash in dna-plugin and Noriko a memory leak, which could be in F21 -
 
 
 any known issues in the F21 389-ds-base build that would prevent 
 upstream FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Then, we need an F21 build of 389-ds-base.

Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.

Then we release 4.0.3.

 Plugin crashes or memory leaks are bad, but we can release with them.

+1. The real problem is that without the above fixes, IPA doesn't work
at all.

Nathaniel


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
 On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:

 On 09/11/2014 04:31 PM, Petr Viktorin wrote:
 On 09/11/2014 04:26 PM, Martin Kosek wrote:
 ...
 Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
 http://copr.fedoraproject.org/coprs/mkosek/freeipa/
 so that F20 users can upgrade to the newest FreeIPA. Are there any
 known issues
 in the F21 389-ds-base build that would prevent upstream FreeIPA
 4.0.x to be
 based on it?

 If yes, we may need to include the patch in Fedora 21 downstream only
 after all..

 We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
 couldn't include the patch even there.
 There better be no such issues.
 what do you mean by no such issues ? I don't think that 389/F21 will
 be the first bug free software. At the moment Thierry is investigating a
 crash in dna-plugin and Noriko a memory leak, which could be in F21 -


 any known issues in the F21 389-ds-base build that would prevent 
 upstream FreeIPA 4.0.x to be based on it
 
 Yes. 389 will not start if weak ciphers are specified. Currently,
 FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
 work at all because the DS will never start.
 
 We need this patch merged: https://fedorahosted.org/389/ticket/47838

Yes.

 Then, we need an F21 build of 389-ds-base.

Yes (and add the build to FreeIPA Copr).

 Then we need to merge Ludwig's IPA patch from this thread with a
 versioned dependency on the new 389-ds-base build.
 
 Then we release 4.0.3.

Exactly, and we need all that very fast as we are blocking Fedora 21. CCing
Noriko to be aware.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?


On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:


On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..


We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -



any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it


Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Then, we need an F21 build of 389-ds-base.

Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.

Then we release 4.0.3.


That's what I understood, but thanks for confirming.

We need to move fast; FreeIPA is an f21 alpha blocker.



Plugin crashes or memory leaks are bad, but we can release with them.


+1. The real problem is that without the above fixes, IPA doesn't work
at all.

Nathaniel





--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread thierry bordaz


On 09/11/2014 04:46 PM, Martin Kosek wrote:

On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:

On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:

On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:

On 09/11/2014 04:31 PM, Petr Viktorin wrote:

On 09/11/2014 04:26 PM, Martin Kosek wrote:

...

Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any
known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA
4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only
after all..

We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
couldn't include the patch even there.
There better be no such issues.

what do you mean by no such issues ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -


any known issues in the F21 389-ds-base build that would prevent
upstream FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently,
FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
work at all because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Yes.


Then, we need an F21 build of 389-ds-base.

Yes (and add the build to FreeIPA Copr).


Note that Noriko also released a fix for 
https://fedorahosted.org/389/ticket/47838 on F21 and was waiting for 
Adam tests:

http://koji.fedoraproject.org/koji/taskinfo?taskID=7566760

thierry



Then we need to merge Ludwig's IPA patch from this thread with a
versioned dependency on the new 389-ds-base build.

Then we release 4.0.3.

Exactly, and we need all that very fast as we are blocking Fedora 21. CCing
Noriko to be aware.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 10:43 -0400, Nathaniel McCallum wrote:
 On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
  
   On 09/11/2014 04:31 PM, Petr Viktorin wrote:
   On 09/11/2014 04:26 PM, Martin Kosek wrote:
  ...
   Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
   http://copr.fedoraproject.org/coprs/mkosek/freeipa/
   so that F20 users can upgrade to the newest FreeIPA. Are there any
   known issues
   in the F21 389-ds-base build that would prevent upstream FreeIPA
   4.0.x to be
   based on it?
  
   If yes, we may need to include the patch in Fedora 21 downstream only
   after all..
  
   We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
   couldn't include the patch even there.
   There better be no such issues.
   what do you mean by no such issues ? I don't think that 389/F21 will
   be the first bug free software. At the moment Thierry is investigating a
   crash in dna-plugin and Noriko a memory leak, which could be in F21 -
  
  
  any known issues in the F21 389-ds-base build that would prevent 
  upstream FreeIPA 4.0.x to be based on it
 
 Yes. 389 will not start if weak ciphers are specified. Currently,
 FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
 work at all because the DS will never start.
 
 We need this patch merged: https://fedorahosted.org/389/ticket/47838
 
 Then, we need an F21 build of 389-ds-base.
 
 Then we need to merge Ludwig's IPA patch from this thread with a
 versioned dependency on the new 389-ds-base build.
 
 Then we release 4.0.3.
 
  Plugin crashes or memory leaks are bad, but we can release with them.
 
 +1. The real problem is that without the above fixes, IPA doesn't work
 at all.

I can confirm that with the COPR build of 389 including the above patch
and Ludwig's patch to FreeIPA, everything is working again in F21.

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?

On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
 On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
  On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
  On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
 
  On 09/11/2014 04:31 PM, Petr Viktorin wrote:
  On 09/11/2014 04:26 PM, Martin Kosek wrote:
  ...
  Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
  http://copr.fedoraproject.org/coprs/mkosek/freeipa/
  so that F20 users can upgrade to the newest FreeIPA. Are there any
  known issues
  in the F21 389-ds-base build that would prevent upstream FreeIPA
  4.0.x to be
  based on it?
 
  If yes, we may need to include the patch in Fedora 21 downstream only
  after all..
 
  We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
  couldn't include the patch even there.
  There better be no such issues.
  what do you mean by no such issues ? I don't think that 389/F21 will
  be the first bug free software. At the moment Thierry is investigating a
  crash in dna-plugin and Noriko a memory leak, which could be in F21 -
 
 
  any known issues in the F21 389-ds-base build that would prevent
  upstream FreeIPA 4.0.x to be based on it
 
  Yes. 389 will not start if weak ciphers are specified. Currently,
  FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
  work at all because the DS will never start.
 
  We need this patch merged: https://fedorahosted.org/389/ticket/47838
 
  Then, we need an F21 build of 389-ds-base.
 
  Then we need to merge Ludwig's IPA patch from this thread with a
  versioned dependency on the new 389-ds-base build.
 
  Then we release 4.0.3.
 
 That's what I understood, but thanks for confirming.
 
 We need to move fast; FreeIPA is an f21 alpha blocker.

Have we filed a blocker bug? They are discussing go/no go right now.

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FreeIPA 4.0.3?