[Freeipa-users] freeipa update changed my cipher set

Martin Basti mbasti at redhat.com
Fri Apr 29 09:27:21 UTC 2016



On 29.04.2016 11:02, Martin Basti wrote:
>
>
> On 28.04.2016 19:16, Roderick Johnstone wrote:
>> Hi
>>
>> RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64
>>
>> A couple of months ago I updated 
>> /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite 
>> in use by freeipa (see previous thread on this list).
>>
>> When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on 
>> April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and 
>> reverted some, but not all of, my changed settings in dse.ldif.
>>
>> I'd like to understand what is expected to happen to this file on a 
>> package upgrade (rpm reports that this file is not owned by any 
>> package so I guess it's manipulated by a scriptlet) since at least one 
>> of my changes was preserved.
>>
>> Also, if I need to maintain a customised cipher suite for ipa, am I 
>> required to only do yum updates of the ipa-server package by hand and 
>> manually merge back in my changes, or is there a better way?
>>
>> Thanks
>>
>> Roderick Johnstone
>>
> Hello,
>
> probably IPA upgrade did this change
>
> if you need custom ciphers to be preserved, you have to put your own 
> upgrade file (number must be higher than 20) to IPA 
> '/usr/share/ipa/updates/'
>
> something like:
>
> $ cat 99-myciphers.update
> dn: cn=encryption,cn=config
> only:nsSSL3Ciphers: default
> only:allowWeakCipher: off
>
> update default value with your own required ciphers
>
> Martin
>
>
I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater 
/usr/share/ipa/updates/99-myciphers.update to apply changes.
Martin
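
Added example, not part of the original thread and not FreeIPA's own code: a small Python check that compares the cn=encryption,cn=config entry in the saved dse.ldif copy against the post-upgrade dse.ldif and reports which attributes an upgrade changed. The function names and the sample LDIF contents are constructed for illustration.

```python
ENTRY_DN = "cn=encryption,cn=config"  # entry named in the reply above

def parse_ldif(text):
    """Return {dn: {attr: [values]}} with lowercased keys, from LDIF text."""
    lines = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        value = value.lstrip(":").strip()  # base64 ("::") values stay encoded
        if attr == "dn":
            # Crude DN normalisation; enough for this fixed entry.
            current = entries.setdefault(value.lower().replace(" ", ""), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def cipher_drift(before_text, after_text, dn=ENTRY_DN):
    """List (attr, before, after) for attributes whose values differ."""
    before = parse_ldif(before_text).get(dn, {})
    after = parse_ldif(after_text).get(dn, {})
    return [(a, sorted(before.get(a, [])), sorted(after.get(a, [])))
            for a in sorted(set(before) | set(after))
            if sorted(before.get(a, [])) != sorted(after.get(a, []))]

# Constructed sample contents (not from a real server).
SAVED = """dn: cn=encryption,cn=config
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
allowWeakCipher: off
"""
UPGRADED = """dn: cn=encryption,cn=config
nsSSL3Ciphers: default
allowWeakCipher: off
"""

if __name__ == "__main__":
    for attr, old, new in cipher_drift(SAVED, UPGRADED):
        print(f"{attr}: {old} -> {new}")
```

Running it after each package update, with the real file contents read in place of the samples, shows whether the custom cipher settings survived.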