[Freeipa-users] freeipa update changed my cipher set

Martin Basti mbasti at redhat.com
Fri Apr 29 12:34:13 UTC 2016



On 29.04.2016 14:13, Roderick Johnstone wrote:
> On 29/04/2016 10:27, Martin Basti wrote:
>>
>>
>> On 29.04.2016 11:02, Martin Basti wrote:
>>>
>>>
>>> On 28.04.2016 19:16, Roderick Johnstone wrote:
>>>> Hi
>>>>
>>>> RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64
>>>>
>>>> A couple of months ago I updated
>>>> /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
>>>> in use by freeipa (see previous thread on this list).
>>>>
>>>> When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
>>>> April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
>>>> reverted some, but not all of, my changed settings in dse.ldif.
>>>>
>>>> I'd like to understand what is expected to happen to this file on a
>>>> package upgrade (rpm reports that this file is not owned by any
>>>> package so I guess it's manipulated by a scriptlet) since at least one
>>>> of my changes was preserved.
>>>>
>>>> Also, if I need to maintain a customised cipher suite for ipa, am I
>>>> required to only do yum updates of the ipa-server package by hand and
>>>> manually merge back in my changes, or is there a better way?
>>>>
>>>> Thanks
>>>>
>>>> Roderick Johnstone
>>>>
>>> Hello,
>>>
>>> probably IPA upgrade did this change
>>>
>>> if you need custom ciphers to be preserved, you have to put your own
>>> upgrade file (number must be higher than 20) to IPA
>>> '/usr/share/ipa/updates/'
>>>
>>> something like:
>>>
>>> $ cat 99-myciphers.update
>>> dn: cn=encryption,cn=config
>>> only:nsSSL3Ciphers: default
>>> only:allowWeakCipher: off
>>>
>>> update default value with your own required ciphers
>>>
>>> Martin
>>>
>>>
>> I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
>> /usr/share/ipa/updates/99-myciphers.update to apply changes.
>> Martin
>
> Martin
>
> That's the perfect solution, and works well for me. Thank you very much.
>
> I didn't see this info documented in the RHEL7 IdM Guide (apart from a
> reference to the directory in the list of configuration files in
> section 28.1) or on the freeipa wiki. Did I miss it somewhere?
>
> Thanks again.
>
> Roderick

You are welcome.
Well, I don't think that this is documented in the guide; it is quite
hackish.

I created ticket https://fedorahosted.org/freeipa/ticket/5863

Martin
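A post-upgrade drift check for the two attributes that the 99-myciphers.update file quoted above is meant to enforce, as an added example that is not code from this thread or from FreeIPA. The dse.ldif sample and the cipher string are constructed, and the file paths are assumptions; the check parses the cn=encryption,cn=config entry (including folded LDIF lines) and reports which attribute an upgrade reverted.

```shell
# Added example, not code from the thread or from FreeIPA. After a package
# upgrade, verify that cn=encryption,cn=config in dse.ldif still carries the
# values your 99-myciphers.update file should enforce (paths are assumptions).

# Print one attribute of the cn=encryption,cn=config entry from an LDIF file.
# LDIF folds long values onto lines starting with a space, so unfold first.
ldif_attr() {
    local file="$1" attr="$2"
    awk -v attr="$attr" '
        function emit(line) {
            if (line ~ /^dn: /)
                in_entry = (tolower(line) == "dn: cn=encryption,cn=config")
            else if (in_entry && index(tolower(line), tolower(attr) ": ") == 1)
                print substr(line, length(attr) + 3)
        }
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
    ' "$file"
}

# Compare the live values with the ones the update file should enforce.
# Returns 0 when both match and 1 on drift, naming the attribute that changed.
check_ciphers() {
    local file="$1" want_ciphers="$2" want_weak="$3" rc=0 have_ciphers have_weak
    have_ciphers=$(ldif_attr "$file" nsSSL3Ciphers)
    have_weak=$(ldif_attr "$file" allowWeakCipher)
    [ "$have_ciphers" = "$want_ciphers" ] || { echo "nsSSL3Ciphers drifted: '$have_ciphers'"; rc=1; }
    [ "$have_weak" = "$want_weak" ] || { echo "allowWeakCipher drifted: '$have_weak'"; rc=1; }
    return $rc
}

# Constructed stand-in for /etc/dirsrv/slapd-XXX/dse.ldif after an upgrade that
# reverted allowWeakCipher but left the custom cipher list in place.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dn: cn=config
cn: config

dn: cn=encryption,cn=config
cn: encryption
allowWeakCipher: on
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WIT
 H_AES_256_GCM_SHA384
EOF

WANT_CIPHERS='+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
check_ciphers "$SAMPLE" "$WANT_CIPHERS" off || echo "re-apply: ipa-ldap-updater /usr/share/ipa/updates/99-myciphers.update"
```

On the constructed sample the check reports that allowWeakCipher drifted back to "on", which is exactly the case where the custom update file needs to be re-applied.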