[Freeipa-users] freeipa update changed my cipher set

Roderick Johnstone rmj at ast.cam.ac.uk
Fri Apr 29 12:13:02 UTC 2016


On 29/04/2016 10:27, Martin Basti wrote:
>
>
> On 29.04.2016 11:02, Martin Basti wrote:
>>
>>
>> On 28.04.2016 19:16, Roderick Johnstone wrote:
>>> Hi
>>>
>>> RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64
>>>
>>> A couple of months ago I updated
>>> /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
>>> in use by freeipa (see previous thread on this list).
>>>
>>> When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
>>> April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
>>> reverted some, but not all of, my changed settings in dse.ldif.
>>>
>>> I'd like to understand what is expected to happen to this file on a
>>> package upgrade (rpm reports that this file is not owned by any
>>> package so I guess it's manipulated by a scriptlet) since at least one
>>> of my changes was preserved.
>>>
>>> Also, if I need to maintain a customised cipher suite for ipa, am I
>>> required to only do yum updates of the ipa-server package by hand and
>>> manually merge back in my changes, or is there a better way?
>>>
>>> Thanks
>>>
>>> Roderick Johnstone
>>>
>> Hello,
>>
>> probably IPA upgrade did this change
>>
>> if you need custom ciphers to be preserved, you have to put your own
>> upgrade file (number must be higher than 20) to IPA
>> '/usr/share/ipa/updates/'
>>
>> something like:
>>
>> $ cat 99-myciphers.update
>> dn: cn=encryption,cn=config
>> only:nsSSL3Ciphers: default
>> only:allowWeakCipher: off
>>
>> update default value with your own required ciphers
>>
>> Martin
>>
>>
> I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
> /usr/share/ipa/updates/99-myciphers.update to apply changes.
> Martin

Martin

That's the perfect solution, and works well for me. Thank you very much.

I didn't see this info documented in the RHEL7 IdM Guide (apart from a 
reference to the directory in the list of configuration files in section 
28.1) or on the freeipa wiki. Did I miss it somewhere?

Thanks again.

Roderick
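The procedure Martin describes above (drop a numbered file into /usr/share/ipa/updates/ and apply it with ipa-ldap-updater) as a runnable script. This is an added example, not code from the thread or from the FreeIPA project: the file name, the `only:` directives and the `cn=encryption,cn=config` entry are taken from Martin's reply; the cipher list is an illustrative choice of TLS 1.2 AEAD suites in 389-ds `nsSSL3Ciphers` syntax (`-all` first, then `+NAME` for each suite to enable), not the configuration from the original post, and the weak-suite pattern in the check is a constructed sanity check. UPDATE_DIR can be pointed at a scratch directory for a dry run.

```shell
#!/bin/sh
# Added example: write an IPA update file that pins the 389-ds cipher settings,
# verify it, and apply it with ipa-ldap-updater when the command is available.
set -eu

# Illustrative cipher list (assumption, not from the thread). "-all" disables
# everything first so that only the suites listed afterwards stay enabled.
CIPHERS="-all,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Write 99-myciphers.update into the given directory and print its path.
# "only:" replaces the attribute value on every run, so if a package upgrade
# rewrites dse.ldif, the next ipa-server-upgrade / ipa-ldap-updater run
# restores the pinned values. The number prefix must be above 20 (per the thread).
write_update_file() {
    dir="$1"
    mkdir -p "$dir"
    f="$dir/99-myciphers.update"
    cat > "$f" <<EOF
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: $CIPHERS
only:allowWeakCipher: off
EOF
    echo "$f"
}

# Sanity check before applying: exactly one target dn, both directives present,
# and no enabled suite that names RC4, DES/3DES or NULL (constructed pattern).
check_update_file() {
    f="$1"
    [ "$(grep -c '^dn: cn=encryption,cn=config$' "$f")" -eq 1 ] || return 1
    grep -q '^only:nsSSL3Ciphers: ' "$f" || return 1
    grep -q '^only:allowWeakCipher: off$' "$f" || return 1
    ! grep -E '\+[^,]*(RC4|DES|NULL)' "$f" >/dev/null || return 1
    return 0
}

# Apply the file; outside an IPA server this is a dry run.
apply_update_file() {
    f="$1"
    if command -v ipa-ldap-updater >/dev/null 2>&1; then
        ipa-ldap-updater "$f"
    else
        echo "ipa-ldap-updater not found; wrote $f but did not apply it" >&2
    fi
}

# Run end to end only when invoked with --run, e.g.:
#   UPDATE_DIR=/tmp/ipa-updates sh pin-ciphers.sh --run   (dry run)
#   sh pin-ciphers.sh --run                               (on the IPA server)
if [ "${1:-}" = "--run" ]; then
    UPDATE_DIR="${UPDATE_DIR:-/usr/share/ipa/updates}"
    file=$(write_update_file "$UPDATE_DIR")
    check_update_file "$file" || { echo "update file failed sanity check" >&2; exit 1; }
    apply_update_file "$file"
fi
```

After applying, the effective values can be confirmed with an LDAP search against `cn=encryption,cn=config` as Directory Manager, and the file survives package upgrades because it lives alongside IPA's own update files rather than in dse.ldif.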
