Re: [Freeipa-devel] FreeIPA 4.0.3 ?
On 09/12/2014 06:36 PM, Petr Viktorin wrote:
> There were some critical issues in 4.0.2, mainly with integration:
>
> https://fedorahosted.org/freeipa/ticket/4529 - broken upgrades
> https://fedorahosted.org/freeipa/ticket/4430 - python-qrcode packaging fix
> https://fedorahosted.org/freeipa/ticket/4395 - update of SSL ciphers
> https://fedorahosted.org/freeipa/ticket/4534 - operational attribute ACIs
> https://fedorahosted.org/freeipa/ticket/4537 - referential integrity configuration
>
> All the fixes are pushed now. Please test!

+1.

> If nothing else shows up, I will release 4.0.3 today.

I also sent fixed 389-ds-base-1.3.3.2-2.fc21.src.rpm to our Copr to have it
ready for F20.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] FreeIPA 4.0.3 ?
There were some critical issues in 4.0.2, mainly with integration:

https://fedorahosted.org/freeipa/ticket/4529 - broken upgrades
https://fedorahosted.org/freeipa/ticket/4430 - python-qrcode packaging fix
https://fedorahosted.org/freeipa/ticket/4395 - update of SSL ciphers
https://fedorahosted.org/freeipa/ticket/4534 - operational attribute ACIs
https://fedorahosted.org/freeipa/ticket/4537 - referential integrity configuration

All the fixes are pushed now. Please test!

If nothing else shows up, I will release 4.0.3 today.

-- 
Petr³
Re: [Freeipa-devel] FreeIPA 4.0.3?
Ludwig Krispenz wrote:
> Hi,
>
> I already had sent a patch for review, It is exactly like yours with one
> exception:
> 65c61
> < +default:allowWeakCipher: off
> ---
>> +addifnew:allowWeakCipher: off
>
> I tested with default, but it was ignored - is default only used for new
> entries ?

Correct. A value for default is only added when creating an entirely new entry.
addifnew adds the value to the entry only if it doesn't already exist.

rob

>
> On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
>> On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
>>> On 09/12/2014 10:25 AM, Martin Kosek wrote:
On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
> On 09/12/2014 09:37 AM, Martin Kosek wrote:
>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
>>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
On 09/11/2014 04:26 PM, Martin Kosek wrote:
>> ...
> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
> in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
> based on it?
>
> If yes, we may need to include the patch in Fedora 21 downstream only after all..
We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't
include the patch even there. There better be no such issues.
>>> what do you mean by "no such issues" ? I don't think that 389/F21 will be
>>> the first bug free software. At the moment Thierry is investigating a crash
>>> in dna-plugin and Noriko a memory leak, which could be in F21 -
>>>
>> any known issues in the F21 389-ds-base build that would prevent upstream
>> FreeIPA 4.0.x to be based on it
> Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA
> specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all
> because the DS will never start.
>
> We need this patch merged: https://fedorahosted.org/389/ticket/47838
>>> Done: thanks everyone on the DS side!
>>>
> Then, we need an F21 build of 389-ds-base.
>>> Done: thanks nhosoi!
>>>
> Then we need to merge Ludwig's IPA patch from this thread with a versioned
> dependency on the new 389-ds-base build.
>>> New patch attached which includes a versioned dep on the new DS.
>> ipa-server-install still fails for me, even when I use
>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
>>
>> # ipa-server-install
>> ...
>>   [12/13]: restarting httpd
>>   [13/13]: configuring httpd to start on boot
>> Done configuring the web interface (httpd).
>> Applying LDAP updates
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> ObjectclassViolation: attribute "allowweakciphers" not allowed
>>
>> I think you simply use a wrong config name - have extra "s" in the end. It is
>> defined as
> that typo was already in my first draft of the patch, sorry
>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
>>
>> Also, do we really need to put it to "off" in the updates? AFAIU, it is off
>> by default in our config and with current setting, users could not put it to
>> "on" (for whatever reason) without the value being overwritten with every run
>> of FreeIPA upgrade.
> could there be an upgrade from an install not yet using that params. should
> "only:allowWeakCipher" be replaced by "addifnew" ?
You can try "default:allowWeakCiphers: off" - it would set the attribute to off
if it was not there before.

Given you are probably working on an updated version, I would also recommend
following http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
as I saw a couple of nitpicks with your patch
- ticket number in patch description and not in its body
- bad "From" field - I would rather expect it to be "Ludwig Krispenz " than "lkrispen "

Thanks,
Martin
>>> Hello, any update on this front? Are you or Nathaniel updating the patch?
>> Attached.
>
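The directive semantics Rob describes above, and the schema rejection that produced the ObjectclassViolation earlier in the thread, are easy to get wrong when writing an update file, so here is a small simulation. This is an added example, not FreeIPA's own ldapupdate code and not code from anyone in this thread: the accepted attribute set, the pre-upgrade entry contents and the update texts are constructed for the example, and a real 389-ds checks its full schema rather than this short list.

```python
"""Simulates FreeIPA update-file directives (only:, default:, addifnew:) and the
schema check that rejected the misspelled attribute.  Added example: not FreeIPA's
ldapupdate code; schema set, entry contents and update texts are constructed."""
import re

ENC_DN = "cn=encryption,cn=config"
# Assumed schema for the simulation: lower-cased attribute names the entry accepts.
ALLOWED_ATTRS = {"cn", "objectclass", "nsssl3ciphers", "allowweakcipher"}
DIRECTIVE_RE = re.compile(r"^(only|default|addifnew):([^:]+):\s*(.*)$")


class ObjectclassViolation(Exception):
    """Stands in for the LDAP error ipa-server-install reported."""


def parse_update(text):
    """Parse an update file in the thread's format into (dn, [(directive, attr, value)])."""
    dn, ops = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            continue
        match = DIRECTIVE_RE.match(line)
        if match is None:
            raise ValueError("unparseable update line: %r" % line)
        directive, attr, value = match.groups()
        ops.append((directive, attr.strip(), value))
    if dn is None:
        raise ValueError("update file has no dn line")
    return dn, ops


def apply_update(directory, dn, ops):
    """Apply ops to {dn: {attr_lower: [values]}} with the semantics the thread describes:
    only: always replaces; default: used only when the entry is created;
    addifnew: adds the value only if the attribute is absent."""
    is_new = dn not in directory
    entry = directory.setdefault(dn, {})
    for directive, attr, value in ops:
        key = attr.lower()
        if key not in ALLOWED_ATTRS:  # unknown attribute -> schema violation
            raise ObjectclassViolation('attribute "%s" not allowed' % key)
        if directive == "only":
            entry[key] = [value]
        elif directive == "default" and is_new:
            entry[key] = [value]
        elif directive == "addifnew":
            entry.setdefault(key, [value])
    return entry


def run_update(directory, text):
    dn, ops = parse_update(text)
    return apply_update(directory, dn, ops)


def encryption_entry(admin_value=None):
    """Constructed pre-upgrade directory; the encryption entry always exists on a
    389-ds instance, and admin_value simulates an administrator's manual setting."""
    entry = {"cn": ["encryption"], "objectclass": ["top", "nsEncryptionConfig"],
             "nsssl3ciphers": ["constructed-pre-upgrade-cipher-list"]}
    if admin_value is not None:
        entry["allowweakcipher"] = [admin_value]
    return {ENC_DN: entry}


# The draft update from the thread (note the extra "s") and the corrected form.
DRAFT_UPDATE = "dn: cn=encryption,cn=config\nonly:nsSSL3Ciphers: +all\nonly:allowWeakCiphers: off\n"
FIXED_UPDATE = "dn: cn=encryption,cn=config\nonly:nsSSL3Ciphers: +all\naddifnew:allowWeakCipher: off\n"


def upgrade_outcomes():
    """allowWeakCipher after each update variant runs against each starting state."""
    out = {}
    try:
        run_update(encryption_entry(), DRAFT_UPDATE)
        out["draft/typo"] = "accepted"
    except ObjectclassViolation as err:
        out["draft/typo"] = str(err)
    only_update = DRAFT_UPDATE.replace("allowWeakCiphers", "allowWeakCipher")
    # only: clobbers the administrator's explicit "on" on every upgrade
    out["only/admin-on"] = run_update(encryption_entry("on"), only_update)["allowweakcipher"][0]
    # default: ignored because the entry already exists (what Ludwig observed)
    default_update = only_update.replace("only:allowWeakCipher", "default:allowWeakCipher")
    out["default/missing"] = run_update(encryption_entry(), default_update).get("allowweakcipher")
    # addifnew: fills in a missing value but leaves an explicit "on" alone
    out["addifnew/missing"] = run_update(encryption_entry(), FIXED_UPDATE)["allowweakcipher"][0]
    out["addifnew/admin-on"] = run_update(encryption_entry("on"), FIXED_UPDATE)["allowweakcipher"][0]
    return out
```

Calling `upgrade_outcomes()` shows the three points made in the thread side by side: the misspelled attribute is rejected before anything is written, `default:` does nothing for an entry that already exists, and `addifnew:` is the directive that sets `off` on a fresh install without overwriting an administrator who deliberately turned weak ciphers on.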
Re: [Freeipa-devel] FreeIPA 4.0.3?
Sorry, I missed that. Let's take your patch.

On Fri, 2014-09-12 at 16:16 +0200, Ludwig Krispenz wrote:
> Hi,
>
> I already had sent a patch for review, It is exactly like yours with one
> exception:
> 65c61
> < +default:allowWeakCipher: off
> ---
> > +addifnew:allowWeakCipher: off
>
> I tested with default, but it was ignored - is default only used for new
> entries ?
>
> On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
> > On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
> >> On 09/12/2014 10:25 AM, Martin Kosek wrote:
> >>> On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
> On 09/12/2014 09:37 AM, Martin Kosek wrote:
> > On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
> >> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
> >>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
> > On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
> >> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> >>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
> > ...
> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
> in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
> based on it?
>
> If yes, we may need to include the patch in Fedora 21 downstream only after all..
> >>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> >>> couldn't include the patch even there.
> >>> There better be no such issues.
> >> what do you mean by "no such issues" ? I don't think that 389/F21 will
> >> be the first bug free software. At the moment Thierry is investigating a
> >> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
> >>
> > any known issues in the F21 389-ds-base build that would prevent
> > upstream FreeIPA 4.0.x to be based on it
> Yes. 389 will not start if weak ciphers are specified. Currently,
> FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
> work at all because the DS will never start.
>
> We need this patch merged: https://fedorahosted.org/389/ticket/47838
> >> Done: thanks everyone on the DS side!
> >>
> Then, we need an F21 build of 389-ds-base.
> >> Done: thanks nhosoi!
> >>
> Then we need to merge Ludwig's IPA patch from this thread with a
> versioned dependency on the new 389-ds-base build.
> >> New patch attached which includes a versioned dep on the new DS.
> > ipa-server-install still fails for me, even when I use
> > 389-ds-base-1.3.3.2-1.fc20.x86_64:
> >
> > # ipa-server-install
> > ...
> >   [12/13]: restarting httpd
> >   [13/13]: configuring httpd to start on boot
> > Done configuring the web interface (httpd).
> > Applying LDAP updates
> > Unexpected error - see /var/log/ipaserver-install.log for details:
> > ObjectclassViolation: attribute "allowweakciphers" not allowed
> >
> > I think you simply use a wrong config name - have extra "s" in the end.
> > It is defined as
> that typo was already in my first draft of the patch, sorry
> > allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
> >
> > Also, do we really need to put it to "off" in the updates? AFAIU, it is
> > off by default in our config and with current setting, users could not put
> > it to "on" (for whatever reason) without the value being overwritten with
> > every run of FreeIPA upgrade.
> could there be an upgrade from an install not yet using that params. should
> "only:allowWeakCipher" be replaced by "addifnew" ?
> >>> You can try "default:allowWeakCiphers: off" - it would set the attribute
> >>> to off if it was not there before.
> >>>
> >>> Given you are probably working on an updated version, I would also recommend
> >>> following
> >>>
> >>> http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
> >>>
> >>> as I saw a couple of nitpicks with your patch
> >>> - ticket number in patch description and not in its body
> >>> - bad "From" field - I would rather expect it to be "Ludwig Krispenz
> >>> " than "lkrispen "
> >>>
> >>> Thanks,
> >>> Martin
> >> Hello, any update on this front? Are you or Nathaniel updating the patch?
> > Attached.
>
Re: [Freeipa-devel] FreeIPA 4.0.3?
Hi,

I already had sent a patch for review, It is exactly like yours with one exception:

65c61
< +default:allowWeakCipher: off
---
> +addifnew:allowWeakCipher: off

I tested with default, but it was ignored - is default only used for new entries ?

On 09/12/2014 04:08 PM, Nathaniel McCallum wrote:
On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
On 09/12/2014 10:25 AM, Martin Kosek wrote:
On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
On 09/12/2014 09:37 AM, Martin Kosek wrote:
On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
On 09/11/2014 04:31 PM, Petr Viktorin wrote:
On 09/11/2014 04:26 PM, Martin Kosek wrote:
...
Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only after all..

We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't
include the patch even there. There better be no such issues.

what do you mean by "no such issues" ? I don't think that 389/F21 will be the
first bug free software. At the moment Thierry is investigating a crash in
dna-plugin and Noriko a memory leak, which could be in F21 -

any known issues in the F21 389-ds-base build that would prevent upstream
FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA
specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all
because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!

Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!

Then we need to merge Ludwig's IPA patch from this thread with a versioned
dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute "allowweakciphers" not allowed

I think you simply use a wrong config name - have extra "s" in the end. It is
defined as

that typo was already in my first draft of the patch, sorry

allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]

Also, do we really need to put it to "off" in the updates? AFAIU, it is off by
default in our config and with current setting, users could not put it to "on"
(for whatever reason) without the value being overwritten with every run of
FreeIPA upgrade.

could there be an upgrade from an install not yet using that params. should
"only:allowWeakCipher" be replaced by "addifnew" ?

You can try "default:allowWeakCiphers: off" - it would set the attribute to off
if it was not there before.

Given you are probably working on an updated version, I would also recommend
following http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
as I saw a couple of nitpicks with your patch
- ticket number in patch description and not in its body
- bad "From" field - I would rather expect it to be "Ludwig Krispenz " than "lkrispen "

Thanks,
Martin

Hello, any update on this front? Are you or Nathaniel updating the patch?

Attached.
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
> On 09/12/2014 10:25 AM, Martin Kosek wrote:
> > On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
> >>
> >> On 09/12/2014 09:37 AM, Martin Kosek wrote:
> >>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
> > On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> >> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
> >>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
> > On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> > On 09/11/2014 04:26 PM, Martin Kosek wrote:
> >>> ...
> >> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> >> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> >> so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
> >> in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
> >> based on it?
> >>
> >> If yes, we may need to include the patch in Fedora 21 downstream only after all..
> >
> > We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> > couldn't include the patch even there.
> > There better be no such issues.
> what do you mean by "no such issues" ? I don't think that 389/F21 will
> be the first bug free software. At the moment Thierry is investigating a
> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
>
> >>>
> >>> any known issues in the F21 389-ds-base build that would prevent
> >>> upstream FreeIPA 4.0.x to be based on it
> >>
> >> Yes. 389 will not start if weak ciphers are specified. Currently,
> >> FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
> >> work at all because the DS will never start.
> >>
> >> We need this patch merged: https://fedorahosted.org/389/ticket/47838
> > Done: thanks everyone on the DS side!
>
> >> Then, we need an F21 build of 389-ds-base.
> > Done: thanks nhosoi!
>
> >> Then we need to merge Ludwig's IPA patch from this thread with a
> >> versioned dependency on the new 389-ds-base build.
> > New patch attached which includes a versioned dep on the new DS.
> >>>
> >>> ipa-server-install still fails for me, even when I use
> >>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
> >>>
> >>> # ipa-server-install
> >>> ...
> >>>   [12/13]: restarting httpd
> >>>   [13/13]: configuring httpd to start on boot
> >>> Done configuring the web interface (httpd).
> >>> Applying LDAP updates
> >>> Unexpected error - see /var/log/ipaserver-install.log for details:
> >>> ObjectclassViolation: attribute "allowweakciphers" not allowed
> >>>
> >>>
> >>> I think you simply use a wrong config name - have extra "s" in the end.
> >>> It is defined as
> >> that typo was already in my first draft of the patch, sorry
> >>>
> >>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
> >>>
> >>>
> >>> Also, do we really need to put it to "off" in the updates? AFAIU, it is
> >>> off by default in our config and with current setting, users could not put it
> >>> to "on" (for whatever reason) without the value being overwritten with every
> >>> run of FreeIPA upgrade.
> >> could there be an upgrade from an install not yet using that params. should
> >> "only:allowWeakCipher" be replaced by "addifnew" ?
> >
> > You can try "default:allowWeakCiphers: off" - it would set the attribute to
> > off if it was not there before.
> >
> > Given you are probably working on an updated version, I would also recommend
> > following
> >
> > http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
> >
> > as I saw a couple of nitpicks with your patch
> > - ticket number in patch description and not in its body
> > - bad "From" field - I would rather expect it to be "Ludwig Krispenz
> > " than "lkrispen "
> >
> > Thanks,
> > Martin
>
> Hello, any update on this front? Are you or Nathaniel updating the patch?

Attached.

From d4d24366c6392a1cd0c3d7c8513e20d0f9520766 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Fri, 12 Sep 2014 10:02:00 -0400
Subject: [PATCH] Update 389 SSL cipher config

We allow 389 to choose its own ciphers, but we default to disabling weak
ciphers. This offloads the choice to the proper place so that we don't have to
manage it in FreeIPA anymore.

Thanks to Ludwig Krispenz for the first version of this patch.

https://fedorahosted.org/freeipa/ticket/4395
---
 freeipa.spec.in                      | 6 +++---
 install/updates/20-sslciphers.update | 6 ++
 install/updates/Makefile.am          | 1 +
 ipaserver/install/dsinstance.py      | 7 ++-
 4 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 install/updates/
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/12/2014 10:25 AM, Martin Kosek wrote:
On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
On 09/12/2014 09:37 AM, Martin Kosek wrote:
On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
On 09/11/2014 04:31 PM, Petr Viktorin wrote:
On 09/11/2014 04:26 PM, Martin Kosek wrote:
...
Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only after all..

We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't
include the patch even there. There better be no such issues.

what do you mean by "no such issues" ? I don't think that 389/F21 will be the
first bug free software. At the moment Thierry is investigating a crash in
dna-plugin and Noriko a memory leak, which could be in F21 -

any known issues in the F21 389-ds-base build that would prevent upstream
FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA
specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all
because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!

Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!

Then we need to merge Ludwig's IPA patch from this thread with a versioned
dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute "allowweakciphers" not allowed

I think you simply use a wrong config name - have extra "s" in the end. It is
defined as

that typo was already in my first draft of the patch, sorry

allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]

Also, do we really need to put it to "off" in the updates? AFAIU, it is off by
default in our config and with current setting, users could not put it to "on"
(for whatever reason) without the value being overwritten with every run of
FreeIPA upgrade.

could there be an upgrade from an install not yet using that params. should
"only:allowWeakCipher" be replaced by "addifnew" ?

You can try "default:allowWeakCiphers: off" - it would set the attribute to off
if it was not there before.

Given you are probably working on an updated version, I would also recommend
following http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
as I saw a couple of nitpicks with your patch
- ticket number in patch description and not in its body
- bad "From" field - I would rather expect it to be "Ludwig Krispenz " than "lkrispen "

Thanks,
Martin

Hello, any update on this front? Are you or Nathaniel updating the patch?
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
On 09/12/2014 09:37 AM, Martin Kosek wrote:
On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
On 09/11/2014 04:31 PM, Petr Viktorin wrote:
On 09/11/2014 04:26 PM, Martin Kosek wrote:
...
Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only after all..

We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't
include the patch even there. There better be no such issues.

what do you mean by "no such issues" ? I don't think that 389/F21 will be the
first bug free software. At the moment Thierry is investigating a crash in
dna-plugin and Noriko a memory leak, which could be in F21 -

any known issues in the F21 389-ds-base build that would prevent upstream
FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA
specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all
because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!

Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!

Then we need to merge Ludwig's IPA patch from this thread with a versioned
dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute "allowweakciphers" not allowed

I think you simply use a wrong config name - have extra "s" in the end. It is
defined as

that typo was already in my first draft of the patch, sorry

allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]

Also, do we really need to put it to "off" in the updates? AFAIU, it is off by
default in our config and with current setting, users could not put it to "on"
(for whatever reason) without the value being overwritten with every run of
FreeIPA upgrade.

could there be an upgrade from an install not yet using that params. should
"only:allowWeakCipher" be replaced by "addifnew" ?

You can try "default:allowWeakCiphers: off" - it would set the attribute to off
if it was not there before.

Given you are probably working on an updated version, I would also recommend
following http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
as I saw a couple of nitpicks with your patch
- ticket number in patch description and not in its body
- bad "From" field - I would rather expect it to be "Ludwig Krispenz " than "lkrispen "

Thanks,
Martin
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/12/2014 09:37 AM, Martin Kosek wrote:
On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
On 09/11/2014 04:31 PM, Petr Viktorin wrote:
On 09/11/2014 04:26 PM, Martin Kosek wrote:
...
Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only after all..

We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't
include the patch even there. There better be no such issues.

what do you mean by "no such issues" ? I don't think that 389/F21 will be the
first bug free software. At the moment Thierry is investigating a crash in
dna-plugin and Noriko a memory leak, which could be in F21 -

any known issues in the F21 389-ds-base build that would prevent upstream
FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA
specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all
because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!

Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!

Then we need to merge Ludwig's IPA patch from this thread with a versioned
dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute "allowweakciphers" not allowed

I think you simply use a wrong config name - have extra "s" in the end. It is
defined as

that typo was already in my first draft of the patch, sorry

allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]

Also, do we really need to put it to "off" in the updates? AFAIU, it is off by
default in our config and with current setting, users could not put it to "on"
(for whatever reason) without the value being overwritten with every run of
FreeIPA upgrade.

could there be an upgrade from an install not yet using that params. should
"only:allowWeakCipher" be replaced by "addifnew" ?

Martin
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
On 09/11/2014 04:31 PM, Petr Viktorin wrote:
On 09/11/2014 04:26 PM, Martin Kosek wrote:
...
Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/
so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
based on it?

If yes, we may need to include the patch in Fedora 21 downstream only after all..

We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't
include the patch even there. There better be no such issues.

what do you mean by "no such issues" ? I don't think that 389/F21 will be the
first bug free software. At the moment Thierry is investigating a crash in
dna-plugin and Noriko a memory leak, which could be in F21 -

any known issues in the F21 389-ds-base build that would prevent upstream
FreeIPA 4.0.x to be based on it

Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA
specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all
because the DS will never start.

We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!

Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!

Then we need to merge Ludwig's IPA patch from this thread with a versioned
dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

ipa-server-install still fails for me, even when I use
389-ds-base-1.3.3.2-1.fc20.x86_64:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: attribute "allowweakciphers" not allowed

I think you simply use a wrong config name - have extra "s" in the end. It is
defined as allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]

Also, do we really need to put it to "off" in the updates? AFAIU, it is off by
default in our config and with current setting, users could not put it to "on"
(for whatever reason) without the value being overwritten with every run of
FreeIPA upgrade.

Martin
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> > On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
> >> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
> >>>
> >>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> On 09/11/2014 04:26 PM, Martin Kosek wrote:
> >> ...
> > Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> > http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> > so that F20 users can upgrade to the newest FreeIPA. Are there any known issues
> > in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be
> > based on it?
> >
> > If yes, we may need to include the patch in Fedora 21 downstream only after all..
>
> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> couldn't include the patch even there.
> There better be no such issues.
> >>> what do you mean by "no such issues" ? I don't think that 389/F21 will
> >>> be the first bug free software. At the moment Thierry is investigating a
> >>> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
> >>>
> >>
> >> any known issues in the F21 389-ds-base build that would prevent
> >> upstream FreeIPA 4.0.x to be based on it
> >
> > Yes. 389 will not start if weak ciphers are specified. Currently,
> > FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
> > work at all because the DS will never start.
> >
> > We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!

> > Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!

> > Then we need to merge Ludwig's IPA patch from this thread with a
> > versioned dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

> > Then we release 4.0.3.
>
> That's what I understood, but thanks for confirming.
>
> We need to move fast; FreeIPA is an f21 alpha blocker.
> > > >> Plugin crashes or memory leaks are bad, but we can release with them. > > > > +1. The real problem is that without the above fixes, IPA doesn't work > > at all. > > > > Nathaniel > > > > > > From e172f638e9aa12ccb3cecedf80433bcdac9f54cb Mon Sep 17 00:00:00 2001 From: lkrispen Date: Thu, 11 Sep 2014 14:06:34 +0200 Subject: [PATCH] ticket 4395 - change ciphers enabled by default --- freeipa.spec.in | 6 +++--- install/updates/20-sslciphers.update | 6 ++ install/updates/Makefile.am | 1 + ipaserver/install/dsinstance.py | 7 ++- 4 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 install/updates/20-sslciphers.update diff --git a/freeipa.spec.in b/freeipa.spec.in index b672ecb03bdd73c1a911a6a982ccd894bebcbce4..685b345fedb9d157c8deedc66f8712da32c5963b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -18,7 +18,7 @@ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.2.16 +BuildRequires: 389-ds-base-devel >= 1.3.3.2 BuildRequires: svrcore-devel BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} BuildRequires: systemd-units @@ -87,7 +87,7 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base >= 1.3.2.20 +Requires: 389-ds-base >= 1.3.3.2 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 @@ -124,7 +124,7 @@ Requires: zip Requires: policycoreutils >= %{POLICYCOREUTILSVER} Requires: tar Requires(pre): certmonger >= 0.75.13 -Requires(pre): 389-ds-base >= 1.3.2.20 +Requires(pre): 389-ds-base >= 1.3.3.2 Requires: fontawesome-fonts Requires: open-sans-fonts diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update new file mode 100644 index ..ce88dae8fbe5f8976a06dca34c6a98b8ab76caaa --- /dev/null 
+++ b/install/updates/20-sslciphers.update @@ -0,0 +1,6 @@ +# change configured ciphers +# the result of this update will be that all ciphers +# provided by NSS which ar not weak will be enabled +dn: cn=encryption,cn=config +only:nsSSL3Ciphers: +all +only:allowWeakCiphers: off diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 1d912a7d29552000d082aca58d345924ab84e11c..026cde0498dc15bda10605dd427881d71c4bfa25 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -14,6 +14,7 @@ app_DATA =\ 20-indices.update \ 20-nss_ldap.update \ 20-replication.update \ + 20-sslciphers.update \ 20-syncrepl.update \ 20-user_private_groups.update \ 20-winsync_index.update \ diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index cc1d32709f55
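Review bot: in the 20-sslciphers.update hunk the switch is written `only:allowWeakCiphers: off` (plural), but the attribute the new 389-ds-base build accepts is referred to throughout this thread as allowweakcipher (singular; the OBJECT_CLASS_VIOLATION quoted below is for attribute "allowweakcipher", and Ludwig says Noriko added allowweakcipher to the DS). Against a schema that defines allowWeakCipher, the plural spelling would still be rejected as an unknown attribute and the update would fail on exactly the servers it is meant to fix, so the line should read `only:allowWeakCipher: off`. The comment above it also has a typo ("ar not weak" for "are not weak").

Review bot: `only:nsSSL3Ciphers: +all` in the same hunk replaces whatever cipher list an administrator has put on cn=encryption,cn=config every time the updater runs, not only on installs that still carry the old weak list, and the commit message ("change ciphers enabled by default") does not say that local cipher tuning is reset. If resetting it is intended, which is defensible given that the DS otherwise refuses to start, state it in the commit message; note also that what `+all` enables depends on which ciphers the installed DS build treats as weak, so this line only has the intended effect together with the version bump in freeipa.spec.in.

Review bot: the three bumps in freeipa.spec.in all move 389-ds-base to `>= 1.3.3.2`, which is the right shape for the versioned dependency asked for in this thread, but the only F21 build named so far is 389-ds-base-1.3.3.2-a1.fc21 from a Copr, with the upstream fix for ticket 47838 described as not yet merged. A plain `>= 1.3.3.2` is satisfied by that prerelease and by any later 1.3.3.2, so before this lands confirm that the first official 1.3.3.2 build really carries 47838 (and the allowWeakCipher attribute), or pin the dependency to the release that does.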
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:51 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote: On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: ... Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade to the newest FreeIPA. Are there any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it? If yes, we may need to include the patch in Fedora 21 downstream only after all.. We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't include the patch even there. There better be no such issues. what do you mean by "no such issues" ? I don't think that 389/F21 will be the first bug free software. At the moment Thierry is investigating a crash in dna-plugin and Noriko a memory leak, which could be in F21 - any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all because the DS will never start. We need this patch merged: https://fedorahosted.org/389/ticket/47838 Then, we need an F21 build of 389-ds-base. Then we need to merge Ludwig's IPA patch from this thread with a versioned dependency on the new 389-ds-base build. Then we release 4.0.3. That's what I understood, but thanks for confirming. We need to move fast; FreeIPA is an f21 alpha blocker. Have we filed a blocker bug? They are discussing go/no go right now. The meeting starts in 2 hours, and AFAIK it's already certain it's no-go. Is there a 389 Fedora bug for the issue that I could reference in an IPA bug? 
-- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
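The update file in Ludwig's patch earlier in this thread relies on the directive semantics of FreeIPA's *.update format: `only:` replaces whatever value the attribute currently has, `addifnew:` sets it only when the attribute is absent, and `default:` takes effect only while the entry itself is being created, so it is ignored on an upgrade of an existing install. The following Python model is an added example, not code from FreeIPA or 389-ds: it applies those directives to a constructed cn=encryption,cn=config entry so the three behaviours can be compared offline. The sample attribute values, the `add:`/`remove:` handling and the `weak_ciphers_allowed` check are assumptions made for the illustration; the real updater (ipa-ldap-updater) applies the same directives to the live directory.

```python
"""Model of FreeIPA *.update directives applied to one LDAP entry.

Added illustration, not code from FreeIPA or 389-ds.  It reimplements the
meaning of the only:/addifnew:/default: (plus add:/remove:) directives as a
pure function over an in-memory entry so the effect of a cipher update can
be checked offline.  The sample entry and the update texts are constructed
for this example; attribute names are compared case-insensitively, as LDAP
does.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values

# Constructed: an existing cn=encryption,cn=config as an admin might have
# left it, with a hand-picked cipher list and weak ciphers still allowed.
EXISTING_ENTRY: Entry = {
    "cn": ["encryption"],
    "nsssl3ciphers": ["+rsa_aes_128_sha,+rsa_aes_256_sha"],
    "allowweakcipher": ["on"],
}

# Same shape as the 20-sslciphers.update file posted in this thread, with
# the switch spelled allowWeakCipher (the singular name used by the DS).
UPDATE_ONLY = """\
# change configured ciphers
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: +all
only:allowWeakCipher: off
"""

# Variant: set the weak-cipher switch only where it is not already present.
UPDATE_ADDIFNEW = UPDATE_ONLY.replace("only:allowWeakCipher", "addifnew:allowWeakCipher")

# Variant: default: applies only while the entry itself is being created.
UPDATE_DEFAULT = UPDATE_ONLY.replace("only:allowWeakCipher", "default:allowWeakCipher")

_DIRECTIVE = re.compile(r"^(only|addifnew|default|add|remove):([^:]+):\s*(.*)$")


def parse_update(text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (dn, [(directive, attr, value), ...]); comments and blanks skipped."""
    dn = None
    ops: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            continue
        m = _DIRECTIVE.match(line)
        if m is None:
            raise ValueError(f"unrecognised update line: {raw!r}")
        directive, attr, value = m.groups()
        ops.append((directive, attr.strip().lower(), value.strip()))
    if dn is None:
        raise ValueError("update file has no dn: line")
    return dn, ops


def apply_update(entry: Entry, text: str, entry_exists: bool = True) -> Entry:
    """Apply an update to a copy of `entry`; entry_exists=False models a fresh add."""
    new: Entry = {k: list(v) for k, v in entry.items()} if entry_exists else {}
    _, ops = parse_update(text)
    for directive, attr, value in ops:
        current = new.get(attr, [])
        if directive == "only":           # replace every existing value
            new[attr] = [value]
        elif directive == "add":          # add one more value
            if value not in current:
                new[attr] = current + [value]
        elif directive == "remove":       # drop one value
            new[attr] = [v for v in current if v != value]
        elif directive == "addifnew":     # set only when the attribute is absent
            if not current:
                new[attr] = [value]
        elif directive == "default":      # set only on a brand-new entry
            if not entry_exists and not current:
                new[attr] = [value]
    return new


def weak_ciphers_allowed(entry: Entry) -> bool:
    """True when the entry still carries allowWeakCipher: on."""
    return [v.lower() for v in entry.get("allowweakcipher", [])] == ["on"]


if __name__ == "__main__":
    variants = (("only", UPDATE_ONLY), ("addifnew", UPDATE_ADDIFNEW), ("default", UPDATE_DEFAULT))
    for name, text in variants:
        after = apply_update(EXISTING_ENTRY, text)
        print(f"{name:9s} existing entry -> ciphers={after['nsssl3ciphers']} "
              f"weak allowed={weak_ciphers_allowed(after)}")
    print("default   new entry      ->", apply_update({}, UPDATE_DEFAULT, entry_exists=False))
```

Run as a script it prints the outcome of each variant against the existing entry. The `default:` variant leaves allowWeakCipher: on in place on an already-installed server, which is the trap to watch for when an update has to repair existing installs rather than only seed new ones; `only:` fixes them but also discards any locally tuned cipher list.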
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote: > On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: > > On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: > >> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: > >>> > >>> On 09/11/2014 04:31 PM, Petr Viktorin wrote: > On 09/11/2014 04:26 PM, Martin Kosek wrote: > >> ... > > Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: > > http://copr.fedoraproject.org/coprs/mkosek/freeipa/ > > so that F20 users can upgrade to the newest FreeIPA. Are there any > > known issues > > in the F21 389-ds-base build that would prevent upstream FreeIPA > > 4.0.x to be > > based on it? > > > > If yes, we may need to include the patch in Fedora 21 downstream only > > after all.. > > We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we > couldn't include the patch even there. > There better be no such issues. > >>> what do you mean by "no such issues" ? I don't think that 389/F21 will > >>> be the first bug free software. At the moment Thierry is investigating a > >>> crash in dna-plugin and Noriko a memory leak, which could be in F21 - > >>> > >> > >> any known issues in the F21 389-ds-base build that would prevent > >> upstream FreeIPA 4.0.x to be based on it > > > > Yes. 389 will not start if weak ciphers are specified. Currently, > > FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't > > work at all because the DS will never start. > > > > We need this patch merged: https://fedorahosted.org/389/ticket/47838 > > > > Then, we need an F21 build of 389-ds-base. > > > > Then we need to merge Ludwig's IPA patch from this thread with a > > versioned dependency on the new 389-ds-base build. > > > > Then we release 4.0.3. > > That's what I understood, but thanks for confirming. > > We need to move fast; FreeIPA is an f21 alpha blocker. Have we filed a blocker bug? They are discussing go/no go right now. 
Nathaniel
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 10:43 -0400, Nathaniel McCallum wrote: > On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: > > On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: > > > > > > On 09/11/2014 04:31 PM, Petr Viktorin wrote: > > >> On 09/11/2014 04:26 PM, Martin Kosek wrote: > > ... > > >>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: > > >>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/ > > >>> so that F20 users can upgrade to the newest FreeIPA. Are there any > > >>> known issues > > >>> in the F21 389-ds-base build that would prevent upstream FreeIPA > > >>> 4.0.x to be > > >>> based on it? > > >>> > > >>> If yes, we may need to include the patch in Fedora 21 downstream only > > >>> after all.. > > >> > > >> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we > > >> couldn't include the patch even there. > > >> There better be no such issues. > > > what do you mean by "no such issues" ? I don't think that 389/F21 will > > > be the first bug free software. At the moment Thierry is investigating a > > > crash in dna-plugin and Noriko a memory leak, which could be in F21 - > > > > > > > any known issues in the F21 389-ds-base build that would prevent > > upstream FreeIPA 4.0.x to be based on it > > Yes. 389 will not start if weak ciphers are specified. Currently, > FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't > work at all because the DS will never start. > > We need this patch merged: https://fedorahosted.org/389/ticket/47838 > > Then, we need an F21 build of 389-ds-base. > > Then we need to merge Ludwig's IPA patch from this thread with a > versioned dependency on the new 389-ds-base build. > > Then we release 4.0.3. > > > Plugin crashes or memory leaks are bad, but we can release with them. > > +1. The real problem is that without the above fixes, IPA doesn't work > at all. 
I can confirm that with the COPR build of 389 including the above patch and Ludwig's patch to FreeIPA, everything is working again in F21. Nathaniel
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:46 PM, Martin Kosek wrote: On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: ... Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade to the newest FreeIPA. Are there any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it? If yes, we may need to include the patch in Fedora 21 downstream only after all.. We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't include the patch even there. There better be no such issues. what do you mean by "no such issues" ? I don't think that 389/F21 will be the first bug free software. At the moment Thierry is investigating a crash in dna-plugin and Noriko a memory leak, which could be in F21 - any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all because the DS will never start. We need this patch merged: https://fedorahosted.org/389/ticket/47838 Yes. Then, we need an F21 build of 389-ds-base. Yes (and add the build to FreeIPA Copr). Note that Noriko also released a fix for https://fedorahosted.org/389/ticket/47838 on F21 and was waiting for Adam tests: http://koji.fedoraproject.org/koji/taskinfo?taskID=7566760 thierry Then we need to merge Ludwig's IPA patch from this thread with a versioned dependency on the new 389-ds-base build. Then we release 4.0.3. Exactly, and we need all that very fast as we are blocking Fedora 21. CCing Noriko to be aware. 
Martin
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: ... Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade to the newest FreeIPA. Are there any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it? If yes, we may need to include the patch in Fedora 21 downstream only after all.. We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't include the patch even there. There better be no such issues. what do you mean by "no such issues" ? I don't think that 389/F21 will be the first bug free software. At the moment Thierry is investigating a crash in dna-plugin and Noriko a memory leak, which could be in F21 - any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all because the DS will never start. We need this patch merged: https://fedorahosted.org/389/ticket/47838 Then, we need an F21 build of 389-ds-base. Then we need to merge Ludwig's IPA patch from this thread with a versioned dependency on the new 389-ds-base build. Then we release 4.0.3. That's what I understood, but thanks for confirming. We need to move fast; FreeIPA is an f21 alpha blocker. Plugin crashes or memory leaks are bad, but we can release with them. +1. The real problem is that without the above fixes, IPA doesn't work at all. Nathaniel -- Petr³
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: > On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: >> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: >>> >>> On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: >> ... > Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: > http://copr.fedoraproject.org/coprs/mkosek/freeipa/ > so that F20 users can upgrade to the newest FreeIPA. Are there any > known issues > in the F21 389-ds-base build that would prevent upstream FreeIPA > 4.0.x to be > based on it? > > If yes, we may need to include the patch in Fedora 21 downstream only > after all.. We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't include the patch even there. There better be no such issues. >>> what do you mean by "no such issues" ? I don't think that 389/F21 will >>> be the first bug free software. At the moment Thierry is investigating a >>> crash in dna-plugin and Noriko a memory leak, which could be in F21 - >>> >> >> any known issues in the F21 389-ds-base build that would prevent >> upstream FreeIPA 4.0.x to be based on it > > Yes. 389 will not start if weak ciphers are specified. Currently, > FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't > work at all because the DS will never start. > > We need this patch merged: https://fedorahosted.org/389/ticket/47838 Yes. > Then, we need an F21 build of 389-ds-base. Yes (and add the build to FreeIPA Copr). > Then we need to merge Ludwig's IPA patch from this thread with a > versioned dependency on the new 389-ds-base build. > > Then we release 4.0.3. Exactly, and we need all that very fast as we are blocking Fedora 21. CCing Noriko to be aware. Martin
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: > On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: > > > > On 09/11/2014 04:31 PM, Petr Viktorin wrote: > >> On 09/11/2014 04:26 PM, Martin Kosek wrote: > ... > >>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: > >>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/ > >>> so that F20 users can upgrade to the newest FreeIPA. Are there any > >>> known issues > >>> in the F21 389-ds-base build that would prevent upstream FreeIPA > >>> 4.0.x to be > >>> based on it? > >>> > >>> If yes, we may need to include the patch in Fedora 21 downstream only > >>> after all.. > >> > >> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we > >> couldn't include the patch even there. > >> There better be no such issues. > > what do you mean by "no such issues" ? I don't think that 389/F21 will > > be the first bug free software. At the moment Thierry is investigating a > > crash in dna-plugin and Noriko a memory leak, which could be in F21 - > > > > any known issues in the F21 389-ds-base build that would prevent > upstream FreeIPA 4.0.x to be based on it Yes. 389 will not start if weak ciphers are specified. Currently, FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't work at all because the DS will never start. We need this patch merged: https://fedorahosted.org/389/ticket/47838 Then, we need an F21 build of 389-ds-base. Then we need to merge Ludwig's IPA patch from this thread with a versioned dependency on the new 389-ds-base build. Then we release 4.0.3. > Plugin crashes or memory leaks are bad, but we can release with them. +1. The real problem is that without the above fixes, IPA doesn't work at all. Nathaniel
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: ... Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade to the newest FreeIPA. Are there any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it? If yes, we may need to include the patch in Fedora 21 downstream only after all.. We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't include the patch even there. There better be no such issues. what do you mean by "no such issues" ? I don't think that 389/F21 will be the first bug free software. At the moment Thierry is investigating a crash in dna-plugin and Noriko a memory leak, which could be in F21 - any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it Plugin crashes or memory leaks are bad, but we can release with them. -- Petr³
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: On 09/11/2014 04:22 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:17 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:04 PM, Martin Kosek wrote: On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: On 09/11/2014 01:37 PM, Martin Kosek wrote: Hi team, It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases: https://fedorahosted.org/freeipa/ticket/4529 We also have packaging fix requested by Fedora Server roles group: https://fedorahosted.org/freeipa/ticket/4430 It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release... Makes sense? Any other tickets or patches we would like to get in? Looks like it's just those two. I'll start releasing shortly. I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly. Nathaniel Isn't this related to https://fedorahosted.org/freeipa/ticket/4395 ? I think we do not work with the newest DS which fixed the default ciphers. yes Don't we need to set our SSL ciphers setting to https://fedorahosted.org/389/ticket/47838#comment:29 yes the attached patch tries this, but at the moment I failed to build and also to upgrade to F21 NACK LDAP error: OBJECT_CLASS_VIOLATION attribute "allowweakcipher" not allowed I suspect we are missing a spec file requirement on a newer version of 389... yes, you need the latest build of DS, Noriko added the allowweakcipher only yesterday. 
That's the problem, I wanted to wait with the ipa side patch until allowweakcipher was implemented and then on F21 ipa and 389 no longer played well and now there is a rush Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade to the newest FreeIPA. Are there any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it? If yes, we may need to include the patch in Fedora 21 downstream only after all.. We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't include the patch even there. There better be no such issues. what do you mean by "no such issues" ? I don't think that 389/F21 will be the first bug free software. At the moment Thierry is investigating a crash in dna-plugin and Noriko a memory leak, which could be in F21 -
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:28 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:25 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:22 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:17 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:04 PM, Martin Kosek wrote: On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: On 09/11/2014 01:37 PM, Martin Kosek wrote: Hi team, It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases: https://fedorahosted.org/freeipa/ticket/4529 We also have packaging fix requested by Fedora Server roles group: https://fedorahosted.org/freeipa/ticket/4430 It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release... Makes sense? Any other tickets or patches we would like to get in? Looks like it's just those two. I'll start releasing shortly. I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly. Nathaniel Isn't this related to https://fedorahosted.org/freeipa/ticket/4395 ? I think we do not work with the newest DS which fixed the default ciphers. yes Don't we need to set our SSL ciphers setting to https://fedorahosted.org/389/ticket/47838#comment:29 yes the attached patch tries this, but at the moment I failed to build and also to upgrade to F21 NACK LDAP error: OBJECT_CLASS_VIOLATION attribute "allowweakcipher" not allowed I suspect we are missing a spec file requirement on a newer version of 389... yes, you need the latest build of DS, Noriko added the allowweakcipher only yesterday. That's the problem, I wanted to wait with the ipa side patch until allowweakcipher was implemented and then on F21 ipa and 389 no longer played well and now there is a rush What is the status on the new 389 patch/build? 
a build is here: http://copr-be.cloud.fedoraproject.org/results/nhosoi/389-ds-f21/fedora-21-x86_64/389-ds-base-1.3.3.2-a1.fc21/ The upstream patch is not merged yet. We need 389 to merge the patch, do a release and get an official Fedora 20/21 build. Just to be clear, Fedora 21 IPA doesn't work *at all*. So this is an urgent fix. Martin, can you coordinate with 389 to prioritize a release with this fix? Hi! It looks like I'll be the release manager for FreeIPA 4.0.3. Currently I'm waiting for the new build of 389 and possibly an updated IPA patch, when that's in I'll test and release. -- Petr³
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 16:31 +0200, Petr Viktorin wrote: > On 09/11/2014 04:26 PM, Martin Kosek wrote: > > On 09/11/2014 04:22 PM, Nathaniel McCallum wrote: > >> On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote: > >>> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote: > On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote: > > On 09/11/2014 04:04 PM, Martin Kosek wrote: > >> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: > >>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: > On 09/11/2014 01:37 PM, Martin Kosek wrote: > > Hi team, > > > > It seems we have pretty serious bug in our FreeIPA 4.0.2 release, > > breaking > > upgrade from older releases: > > > > https://fedorahosted.org/freeipa/ticket/4529 > > > > We also have packaging fix requested by Fedora Server roles group: > > > > https://fedorahosted.org/freeipa/ticket/4430 > > > > It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 > > release... > > Makes sense? Any other tickets or patches we would like to get in? > Looks like it's just those two. I'll start releasing shortly. > >>> I'd like to get a fix in for the missing ciphers in the new NSS. I can > >>> have a patch on the list shortly. > >>> > >>> Nathaniel > >> Isn't this related to > >> https://fedorahosted.org/freeipa/ticket/4395 > >> ? I think we do not work with the newest DS which fixed the default > >> ciphers. > > yes > >> Don't we need to set our SSL ciphers setting to > >> > >> https://fedorahosted.org/389/ticket/47838#comment:29 > > yes > > the attached patch tries this, but at the moment I failed to build and > > also to upgrade to F21 > NACK > > > LDAP error: OBJECT_CLASS_VIOLATION > attribute "allowweakcipher" not allowed > > I suspect we are missing a spec file requirement on a newer version of > 389... > >>> yes, you need the latest build of DS, Noriko added the allowweakcipher > >>> only yesterday. 
> >>> That's the problem, I wanted to wait with the ipa side patch until > >>> allowweakcipher was implemented and then on F21 ipa and 389 no longer > >>> played well and now there is a rush > > > > Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: > > http://copr.fedoraproject.org/coprs/mkosek/freeipa/ > > so that F20 users can upgrade to the newest FreeIPA. Are there any known > > issues > > in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be > > based on it? > > > > If yes, we may need to include the patch in Fedora 21 downstream only after > > all.. > > We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we > couldn't include the patch even there. > There better be no such issues. Right now FreeIPA in Fedora 21 is completely broken.
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:26 PM, Martin Kosek wrote: On 09/11/2014 04:22 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:17 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:04 PM, Martin Kosek wrote: On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: On 09/11/2014 01:37 PM, Martin Kosek wrote: Hi team, It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases: https://fedorahosted.org/freeipa/ticket/4529 We also have packaging fix requested by Fedora Server roles group: https://fedorahosted.org/freeipa/ticket/4430 It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release... Makes sense? Any other tickets or patches we would like to get in? Looks like it's just those two. I'll start releasing shortly. I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly. Nathaniel Isn't this related to https://fedorahosted.org/freeipa/ticket/4395 ? I think we do not work with the newest DS which fixed the default ciphers. yes Don't we need to set our SSL ciphers setting to https://fedorahosted.org/389/ticket/47838#comment:29 yes the attached patch tries this, but at the moment I failed to build and also to upgrade to F21 NACK LDAP error: OBJECT_CLASS_VIOLATION attribute "allowweakcipher" not allowed I suspect we are missing a spec file requirement on a newer version of 389... yes, you need the latest build of DS, Noriko added the allowweakcipher only yesterday. That's the problem, I wanted to wait with the ipa side patch until allowweakcipher was implemented and then on F21 ipa and 389 no longer played well and now there is a rush Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade to the newest FreeIPA. 
Are there any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it? If yes, we may need to include the patch in Fedora 21 downstream only after all.. We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we couldn't include the patch even there. There better be no such issues. -- Petr³
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 16:25 +0200, Ludwig Krispenz wrote: > On 09/11/2014 04:22 PM, Nathaniel McCallum wrote: > > On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote: > >> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote: > >>> On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote: > On 09/11/2014 04:04 PM, Martin Kosek wrote: > > On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: > >> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: > >>> On 09/11/2014 01:37 PM, Martin Kosek wrote: > Hi team, > > It seems we have pretty serious bug in our FreeIPA 4.0.2 release, > breaking > upgrade from older releases: > > https://fedorahosted.org/freeipa/ticket/4529 > > We also have packaging fix requested by Fedora Server roles group: > > https://fedorahosted.org/freeipa/ticket/4430 > > It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 > release... > Makes sense? Any other tickets or patches we would like to get in? > >>> Looks like it's just those two. I'll start releasing shortly. > >> I'd like to get a fix in for the missing ciphers in the new NSS. I can > >> have a patch on the list shortly. > >> > >> Nathaniel > > Isn't this related to > > https://fedorahosted.org/freeipa/ticket/4395 > > ? I think we do not work with the newest DS which fixed the default > > ciphers. > yes > > Don't we need to set our SSL ciphers setting to > > > > https://fedorahosted.org/389/ticket/47838#comment:29 > yes > the attached patch tries this, but at the moment I failed to build and > also to upgrade to F21 > >>> NACK > >>> > >>> > >>> LDAP error: OBJECT_CLASS_VIOLATION > >>> attribute "allowweakcipher" not allowed > >>> > >>> I suspect we are missing a spec file requirement on a newer version of > >>> 389... > >> yes, you need the latest build of DS, Noriko added the allowweakcipher > >> only yesterday. 
> >> That's the problem, I wanted to wait with the ipa side patch until > >> allowweakcipher was implemented and then on F21 ipa and 389 no longer > >> played well and now there is a rush > > What is the status on the new 389 patch/build? > a build is here: > http://copr-be.cloud.fedoraproject.org/results/nhosoi/389-ds-f21/fedora-21-x86_64/389-ds-base-1.3.3.2-a1.fc21/ The upstream patch is not merged yet. We need 389 to merge the patch, do a release and get an official Fedora 20/21 build. Just to be clear, Fedora 21 IPA doesn't work *at all*. So this is an urgent fix. Martin, can you coordinate with 389 to prioritize a release with this fix? Nathaniel
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:22 PM, Nathaniel McCallum wrote: > On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote: >> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote: >>> On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote: On 09/11/2014 04:04 PM, Martin Kosek wrote: > On 09/11/2014 03:47 PM, Nathaniel McCallum wrote: >> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote: >>> On 09/11/2014 01:37 PM, Martin Kosek wrote: Hi team, It seems we have pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases: https://fedorahosted.org/freeipa/ticket/4529 We also have packaging fix requested by Fedora Server roles group: https://fedorahosted.org/freeipa/ticket/4430 It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release... Makes sense? Any other tickets or patches we would like to get in? >>> Looks like it's just those two. I'll start releasing shortly. >> I'd like to get a fix in for the missing ciphers in the new NSS. I can >> have a patch on the list shortly. >> >> Nathaniel > Isn't this related to > https://fedorahosted.org/freeipa/ticket/4395 > ? I think we do not work with the newest DS which fixed the default > ciphers. yes > Don't we need to set our SSL ciphers setting to > > https://fedorahosted.org/389/ticket/47838#comment:29 yes the attached patch tries this, but at the moment I failed to build and also to upgrade to F21 >>> NACK >>> >>> >>> LDAP error: OBJECT_CLASS_VIOLATION >>> attribute "allowweakcipher" not allowed >>> >>> I suspect we are missing a spec file requirement on a newer version of >>> 389... >> yes, you need the latest build of DS, Noriko added the allowweakcipher >> only yesterday. 
>> That's the problem, I wanted to wait with the ipa side patch until >> allowweakcipher was implemented and then on F21 ipa and 389 no longer >> played well and now there is a rush Also, we will need to add the F21 389-ds-base build to FreeIPA Copr: http://copr.fedoraproject.org/coprs/mkosek/freeipa/ so that F20 users can upgrade to the newest FreeIPA. Are there any known issues in the F21 389-ds-base build that would prevent upstream FreeIPA 4.0.x to be based on it? If yes, we may need to include the patch in Fedora 21 downstream only after all... Martin
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
> On 09/11/2014 04:04 PM, Martin Kosek wrote:
> > On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
> >> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
> >>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
> >>>> Hi team,
> >>>>
> >>>> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/4529
> >>>>
> >>>> We also have a packaging fix requested by Fedora Server roles group:
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/4430
> >>>>
> >>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
> >>>> Makes sense? Any other tickets or patches we would like to get in?
> >>> Looks like it's just those two. I'll start releasing shortly.
> >> I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly.
> >>
> >> Nathaniel
> > Isn't this related to
> > https://fedorahosted.org/freeipa/ticket/4395
> > ? I think we do not work with the newest DS which fixed the default ciphers.
> yes
> >
> > Don't we need to set our SSL ciphers setting to
> >
> > https://fedorahosted.org/389/ticket/47838#comment:29
> yes
> the attached patch tries this, but at the moment I failed to build and also to upgrade to F21

NACK

LDAP error: OBJECT_CLASS_VIOLATION
attribute "allowweakcipher" not allowed

I suspect we are missing a spec file requirement on a newer version of 389...

Nathaniel
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:
> On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
>> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
>>> On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
>>>> On 09/11/2014 04:04 PM, Martin Kosek wrote:
>>>>> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
>>>>>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
>>>>>>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
>>>>>>>> Hi team,
>>>>>>>>
>>>>>>>> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4529
>>>>>>>>
>>>>>>>> We also have a packaging fix requested by Fedora Server roles group:
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4430
>>>>>>>>
>>>>>>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
>>>>>>>> Makes sense? Any other tickets or patches we would like to get in?
>>>>>>> Looks like it's just those two. I'll start releasing shortly.
>>>>>> I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly.
>>>>>>
>>>>>> Nathaniel
>>>>> Isn't this related to
>>>>> https://fedorahosted.org/freeipa/ticket/4395
>>>>> ? I think we do not work with the newest DS which fixed the default ciphers.
>>>> yes
>>>>> Don't we need to set our SSL ciphers setting to
>>>>>
>>>>> https://fedorahosted.org/389/ticket/47838#comment:29
>>>> yes
>>>> the attached patch tries this, but at the moment I failed to build and also to upgrade to F21
>>> NACK
>>>
>>> LDAP error: OBJECT_CLASS_VIOLATION
>>> attribute "allowweakcipher" not allowed
>>>
>>> I suspect we are missing a spec file requirement on a newer version of 389...
>> yes, you need the latest build of DS, Noriko added the allowweakcipher only yesterday.
>> That's the problem, I wanted to wait with the ipa side patch until allowweakcipher was implemented and then on F21 ipa and 389 no longer played well and now there is a rush
> What is the status on the new 389 patch/build?

a build is here:
http://copr-be.cloud.fedoraproject.org/results/nhosoi/389-ds-f21/fedora-21-x86_64/389-ds-base-1.3.3.2-a1.fc21/
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
> > On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
> >> On 09/11/2014 04:04 PM, Martin Kosek wrote:
> >>> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
> >>>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
> >>>>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
> >>>>>> Hi team,
> >>>>>>
> >>>>>> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
> >>>>>>
> >>>>>> https://fedorahosted.org/freeipa/ticket/4529
> >>>>>>
> >>>>>> We also have a packaging fix requested by Fedora Server roles group:
> >>>>>>
> >>>>>> https://fedorahosted.org/freeipa/ticket/4430
> >>>>>>
> >>>>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
> >>>>>> Makes sense? Any other tickets or patches we would like to get in?
> >>>>> Looks like it's just those two. I'll start releasing shortly.
> >>>> I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly.
> >>>>
> >>>> Nathaniel
> >>> Isn't this related to
> >>> https://fedorahosted.org/freeipa/ticket/4395
> >>> ? I think we do not work with the newest DS which fixed the default ciphers.
> >> yes
> >>> Don't we need to set our SSL ciphers setting to
> >>>
> >>> https://fedorahosted.org/389/ticket/47838#comment:29
> >> yes
> >> the attached patch tries this, but at the moment I failed to build and also to upgrade to F21
> > NACK
> >
> > LDAP error: OBJECT_CLASS_VIOLATION
> > attribute "allowweakcipher" not allowed
> >
> > I suspect we are missing a spec file requirement on a newer version of 389...
> yes, you need the latest build of DS, Noriko added the allowweakcipher only yesterday.
> That's the problem, I wanted to wait with the ipa side patch until allowweakcipher was implemented and then on F21 ipa and 389 no longer played well and now there is a rush

What is the status on the new 389 patch/build?
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
> On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
>> On 09/11/2014 04:04 PM, Martin Kosek wrote:
>>> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
>>>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
>>>>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
>>>>>> Hi team,
>>>>>>
>>>>>> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4529
>>>>>>
>>>>>> We also have a packaging fix requested by Fedora Server roles group:
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4430
>>>>>>
>>>>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
>>>>>> Makes sense? Any other tickets or patches we would like to get in?
>>>>> Looks like it's just those two. I'll start releasing shortly.
>>>> I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly.
>>>>
>>>> Nathaniel
>>> Isn't this related to
>>> https://fedorahosted.org/freeipa/ticket/4395
>>> ? I think we do not work with the newest DS which fixed the default ciphers.
>> yes
>>> Don't we need to set our SSL ciphers setting to
>>>
>>> https://fedorahosted.org/389/ticket/47838#comment:29
>> yes
>> the attached patch tries this, but at the moment I failed to build and also to upgrade to F21
> NACK
>
> LDAP error: OBJECT_CLASS_VIOLATION
> attribute "allowweakcipher" not allowed
>
> I suspect we are missing a spec file requirement on a newer version of 389...
yes, you need the latest build of DS, Noriko added the allowweakcipher only yesterday.

That's the problem, I wanted to wait with the ipa side patch until allowweakcipher was implemented and then on F21 ipa and 389 no longer played well and now there is a rush
> Nathaniel
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
> On 09/11/2014 04:04 PM, Martin Kosek wrote:
> > On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
> >> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
> >>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
> >>>> Hi team,
> >>>>
> >>>> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/4529
> >>>>
> >>>> We also have a packaging fix requested by Fedora Server roles group:
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/4430
> >>>>
> >>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
> >>>> Makes sense? Any other tickets or patches we would like to get in?
> >>> Looks like it's just those two. I'll start releasing shortly.
> >> I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly.
> >>
> >> Nathaniel
> > Isn't this related to
> > https://fedorahosted.org/freeipa/ticket/4395
> > ? I think we do not work with the newest DS which fixed the default ciphers.
> yes
> >
> > Don't we need to set our SSL ciphers setting to
> >
> > https://fedorahosted.org/389/ticket/47838#comment:29
> yes
> the attached patch tries this, but at the moment I failed to build and also to upgrade to F21

I am reviewing this patch now as I am blocked on the issue.

Nathaniel
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 04:04 PM, Martin Kosek wrote:
> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
>>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
>>>> Hi team,
>>>>
>>>> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4529
>>>>
>>>> We also have a packaging fix requested by Fedora Server roles group:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4430
>>>>
>>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
>>>> Makes sense? Any other tickets or patches we would like to get in?
>>> Looks like it's just those two. I'll start releasing shortly.
>> I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly.
>>
>> Nathaniel
> Isn't this related to
> https://fedorahosted.org/freeipa/ticket/4395
> ? I think we do not work with the newest DS which fixed the default ciphers.
yes
> Don't we need to set our SSL ciphers setting to
>
> https://fedorahosted.org/389/ticket/47838#comment:29
yes
the attached patch tries this, but at the moment I failed to build and also to upgrade to F21
> ? If yes, I think this is definitely a 4.0.3 candidate.
>
> Martin

From 40d4318cfc9dc53073316af8b1edff5a68b3fe6b Mon Sep 17 00:00:00 2001
From: lkrispen
Date: Thu, 11 Sep 2014 14:06:34 +0200
Subject: [PATCH] ticket 4395 - change ciphers enabled by default

---
 install/updates/20-sslciphers.update | 6 ++
 install/updates/Makefile.am          | 1 +
 ipaserver/install/dsinstance.py      | 7 ++-
 3 files changed, 9 insertions(+), 5 deletions(-)
 create mode 100644 install/updates/20-sslciphers.update

diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
new file mode 100644
index 000..ce88dae
--- /dev/null
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@ +# change configured ciphers +# the result of this update will be that all ciphers +# provided by NSS which ar not weak will be enabled +dn: cn=encryption,cn=config +only:nsSSL3Ciphers: +all +only:allowWeakCiphers: off diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 1d912a7..026cde0 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -14,6 +14,7 @@ app_DATA =\ 20-indices.update \ 20-nss_ldap.update \ 20-replication.update \ + 20-sslciphers.update \ 20-syncrepl.update \ 20-user_private_groups.update \ 20-winsync_index.update \ diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index cc1d327..0518dd0 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -664,11 +664,8 @@ class DsInstance(service.Service): conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password) mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), - (ldap.MOD_REPLACE, "nsSSL3Ciphers", -"-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\ -+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\ -+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\ -+tls_rsa_export1024_with_des_cbc_sha")] + (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"), + (ldap.MOD_REPLACE, "allowWeakCipher", "off")] conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod) mod = [(ldap.MOD_ADD, "nsslapd-security", "on")] -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
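Review bot: the attribute name in the `only:allowWeakCiphers: off` line of 20-sslciphers.update does not match `allowWeakCipher` (singular), which is what the dsinstance.py hunk sets and what the NACK's LDAP error names, so the update file would target a different, undefined attribute; it should read `only:allowWeakCipher: off`. Note also that `only:` always writes the value, so on a 389-ds-base that does not yet define the attribute the upgrade fails with the `OBJECT_CLASS_VIOLATION` quoted earlier in the thread, and the diffstat shows no spec file change adding a versioned requirement on the newer 389-ds-base; that requirement belongs in this patch. Minor: the comment "provided by NSS which ar not weak" should read "are not weak".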
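Review bot: the new `(ldap.MOD_REPLACE, "allowWeakCipher", "off")` in the dsinstance.py hunk is exactly the modification that produced `attribute "allowweakcipher" not allowed` in the NACK, since the attribute exists only in the newest 389-ds-base build; without a versioned Requires on 389-ds-base every fresh install against an older DS now fails at this `modify_s`, so either add the requirement in the same patch or make the modification conditional on the server supporting the attribute. Dropping the explicit cipher list for `+all` is in line with the 389 ticket 47838 guidance cited in the thread, but the commit message should state that the enabled set now follows what NSS and 389 consider non-weak and that `allowWeakCipher: off` is what excludes the weak ones, so the change is understandable without re-reading this thread.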
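An added example, not FreeIPA's own code and not part of Ludwig's patch: an in-memory model of the IPA update-file directives the patch relies on (`only:`, and also the `addifnew:` and `default:` directives of the same format) applied to cn=encryption,cn=config, with a schema check that reproduces the OBJECT_CLASS_VIOLATION from the NACK when the target 389-ds-base lacks allowWeakCipher. The names parse_update, apply_update, upgrade, OLD_SCHEMA and NEW_SCHEMA are hypothetical, and the schema sets and update text are constructed for the example.

```python
# Added example, not FreeIPA's own code: an in-memory model of the IPA
# update-file directives (only:, addifnew:, default:) applied to the
# cn=encryption,cn=config entry, with a schema check standing in for the
# OBJECT_CLASS_VIOLATION an older 389-ds-base raises for allowWeakCipher.
# parse_update, apply_update, upgrade, OLD_SCHEMA, NEW_SCHEMA are hypothetical.

class ObjectClassViolation(Exception):
    """Stand-in for ldap.OBJECT_CLASS_VIOLATION ('attribute ... not allowed')."""

# Constructed schemas: the older server does not know allowWeakCipher at all.
OLD_SCHEMA = {"nsssl3ciphers", "nssslclientauth"}
NEW_SCHEMA = OLD_SCHEMA | {"allowweakcipher"}

def parse_update(text):
    """Turn 'directive:Attr: value' lines into (directive, attr, value) tuples;
    comment lines and the dn: line are skipped, names are lowercased."""
    ops = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.lower().startswith("dn:"):
            continue
        directive, attr, value = (part.strip() for part in line.split(":", 2))
        ops.append((directive.lower(), attr.lower(), value))
    return ops

def apply_update(entry, ops, schema, new_entry=False):
    """Apply directives in place. only: always writes; addifnew: writes only
    when the attribute is absent; default: writes only while the entry is
    being created. Writing an attribute the schema lacks raises, as DS does."""
    for directive, attr, value in ops:
        if directive == "only":
            write = True
        elif directive == "addifnew":
            write = attr not in entry
        elif directive == "default":
            write = new_entry and attr not in entry
        else:
            raise ValueError("unsupported directive %r" % directive)
        if not write:
            continue
        if attr not in schema:
            raise ObjectClassViolation('attribute "%s" not allowed' % attr)
        entry[attr] = [value]
    return entry

# Constructed update text mirroring the patch's 20-sslciphers.update.
UPDATE_ONLY = """dn: cn=encryption,cn=config
only:nsSSL3Ciphers: +all
only:allowWeakCipher: off
"""
UPDATE_ADDIFNEW = UPDATE_ONLY.replace("only:allowWeakCipher", "addifnew:allowWeakCipher")

def upgrade(entry, update_text, schema):
    """Run an update against a copy of the entry; return (entry, error_or_None)."""
    entry = {k: list(v) for k, v in entry.items()}
    try:
        return apply_update(entry, parse_update(update_text), schema), None
    except ObjectClassViolation as exc:
        return entry, str(exc)

if __name__ == "__main__":
    admin_set = {"nsssl3ciphers": ["+rsa_3des_sha"], "allowweakcipher": ["on"]}
    print(upgrade(admin_set, UPDATE_ONLY, NEW_SCHEMA))      # only: overrides the admin's "on"
    print(upgrade(admin_set, UPDATE_ADDIFNEW, NEW_SCHEMA))  # addifnew: keeps it
    print(upgrade({}, UPDATE_ONLY, OLD_SCHEMA))             # old DS: attribute not allowed
```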
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
>>> Hi team,
>>>
>>> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
>>>
>>> https://fedorahosted.org/freeipa/ticket/4529
>>>
>>> We also have a packaging fix requested by Fedora Server roles group:
>>>
>>> https://fedorahosted.org/freeipa/ticket/4430
>>>
>>> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
>>> Makes sense? Any other tickets or patches we would like to get in?
>>
>> Looks like it's just those two. I'll start releasing shortly.
>
> I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly.
>
> Nathaniel

Isn't this related to
https://fedorahosted.org/freeipa/ticket/4395
? I think we do not work with the newest DS which fixed the default ciphers.

Don't we need to set our SSL ciphers setting to

https://fedorahosted.org/389/ticket/47838#comment:29

? If yes, I think this is definitely a 4.0.3 candidate.

Martin
Re: [Freeipa-devel] FreeIPA 4.0.3?
On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
> On 09/11/2014 01:37 PM, Martin Kosek wrote:
> > Hi team,
> >
> > It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
> >
> > https://fedorahosted.org/freeipa/ticket/4529
> >
> > We also have a packaging fix requested by Fedora Server roles group:
> >
> > https://fedorahosted.org/freeipa/ticket/4430
> >
> > It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
> > Makes sense? Any other tickets or patches we would like to get in?
>
> Looks like it's just those two. I'll start releasing shortly.

I'd like to get a fix in for the missing ciphers in the new NSS. I can have a patch on the list shortly.

Nathaniel
Re: [Freeipa-devel] FreeIPA 4.0.3?
On 09/11/2014 01:37 PM, Martin Kosek wrote:
> Hi team,
>
> It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:
>
> https://fedorahosted.org/freeipa/ticket/4529
>
> We also have a packaging fix requested by Fedora Server roles group:
>
> https://fedorahosted.org/freeipa/ticket/4430
>
> It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
> Makes sense? Any other tickets or patches we would like to get in?

Looks like it's just those two. I'll start releasing shortly.

-- 
Petr³
[Freeipa-devel] FreeIPA 4.0.3?
Hi team,

It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have a packaging fix requested by Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
Makes sense? Any other tickets or patches we would like to get in?

Thanks.

-- 
Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.