[Freeipa-users] freeipa update changed my cipher set
Martin Basti
mbasti at redhat.com
Fri Apr 29 09:02:10 UTC 2016
On 28.04.2016 19:16, Roderick Johnstone wrote:
> Hi
>
> RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64
>
> A couple of months ago I updated
> /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
> in use by freeipa (see previous thread on this list).
>
> When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
> April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
> reverted some, but not all of, my changed settings in dse.ldif.
>
> I'd like to understand what is expected to happen to this file on a
> package upgrade (rpm reports that this file is not owned by any
> package so I guess it's manipulated by a scriptlet) since at least one
> of my changes was preserved.
>
> Also, if I need to maintain a customised cipher suite for ipa, am I
> required to only do yum updates of the ipa-server package by hand and
> manually merge back in my changes, or is there a better way?
>
> Thanks
>
> Roderick Johnstone
>
Hello,

Probably the IPA upgrade did this change.

If you need custom ciphers to be preserved, you have to put your own
upgrade file (number must be higher than 20) in IPA
'/usr/share/ipa/updates/'

Something like:

    $ cat 99-myciphers.update
    dn: cn=encryption,cn=config
    only:nsSSL3Ciphers: default
    only:allowWeakCipher: off

Update the default value with your own required ciphers.

Martin
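
Added example, not part of the original message and not FreeIPA code: a drift check that parses the `cn=encryption,cn=config` entry of a dse.ldif (handling LDIF line folding and base64 values) and reports where `nsSSL3Ciphers` or `allowWeakCipher` differ from the values your update file is meant to enforce, which is useful to run after a package upgrade. The sample LDIF text and the cipher list in `WANTED` are constructed placeholders, and the function names are hypothetical.

```python
import base64

ENTRY_DN = "cn=encryption,cn=config"

# Constructed sample standing in for dse.ldif after an upgrade (not real data).
SAMPLE_DSE = """\
dn: cn=config
nsslapd-port: 389

dn: cn=encryption,cn=config
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_
 AES_128_GCM_SHA256
allowWeakCipher: on
"""

# Assumed policy: the values your own .update file is meant to enforce.
WANTED = {
    "nsSSL3Ciphers": "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                     "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "allowWeakCipher": "off",
}

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} with folded lines rejoined."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # a leading space continues the previous line
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical:
        if not line.strip():
            current = None                # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name.lower() == "dn":
            dn = ",".join(p.strip() for p in value.lower().split(","))
            current = entries.setdefault(dn, {})
        elif current is not None:
            current.setdefault(name.lower(), []).append(value)
    return entries

def cipher_drift(ldif_text, wanted=WANTED):
    """Return {attr: (found_values, wanted_value)} for each setting that differs."""
    entry = parse_ldif(ldif_text).get(ENTRY_DN, {})
    return {a: (entry.get(a.lower(), []), w) for a, w in wanted.items()
            if entry.get(a.lower(), []) != [w]}
```

To check a live server, pass the text of the dse.ldif named in the thread to `cipher_drift()`; an empty result means both settings match.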