<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 28.04.2016 19:16, Roderick Johnstone wrote: </div> <blockquote cite="mid:57224564.9080305@ast.cam.ac.uk" type="cite">Hi RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64 A couple of months ago I updated /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite in use by freeipa (see previous thread on this list). When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and reverted some, but not all of, my changed settings in dse.ldif. I'd like to understand what is expected to happen to this file on a package upgrade (rpm reports that this file is not owned by any package so I guess its manipulated by a scriplet) since at least one of my changes was preserved. Also, if I need to maintain a customised cipher suite for ipa, am I required to only do yum updates of the ipa-server package by hand and manually merge back in my changes, or is there a better way? Thanks Roderick Johnstone </blockquote> Hello, probably IPA upgrade did this change if you need custom ciphers to be preserved, you have to put your own upgrade file (number must be higher than 20) to IPA '/usr/share/ipa/updates/' something like: $ cat 99-myciphers.update <meta http-equiv="content-type" content="text/html; charset=windows-1252"> <pre style="background-color:#ffffff;color:#000000;font-family:'DejaVu Sans Mono';font-size:9.0pt;">dn: cn=encryption,cn=config only:nsSSL3Ciphers: default only:allowWeakCipher: off</pre> update default value with your own required ciphers Martin </body> </html>