On 29/04/2016 10:27, Martin Basti wrote:
On 29.04.2016 11:02, Martin Basti wrote:
On 28.04.2016 19:16, Roderick Johnstone wrote:
Hi
RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64
A couple of months ago I updated
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
in use by freeipa (see previous thread on this list).
When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
reverted some, but not all of, my changed settings in dse.ldif.
I'd like to understand what is expected to happen to this file on a
package upgrade (rpm reports that this file is not owned by any
package so I guess its manipulated by a scriplet) since at least one
of my changes was preserved.
Also, if I need to maintain a customised cipher suite for ipa, am I
required to only do yum updates of the ipa-server package by hand and
manually merge back in my changes, or is there a better way?
Thanks
Roderick Johnstone
Hello,
probably IPA upgrade did this change
if you need custom ciphers to be preserved, you have to put your own
upgrade file (number must be higher than 20) to IPA
'/usr/share/ipa/updates/'
something like:
$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off
update default value with your own required ciphers
Martin
I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
/usr/share/ipa/updates/99-myciphers.update to apply changes.
Martin
Martin
Thats the perfect solution, and works well for me. Thank you very much.
I didn't see this info documented in the RHEL7 IdM Guide (apart from a
reference to the directory in the list of configuration files in section
28.1) or on the freeipa wiki. Did I miss it somewhere?
Thanks again.
Roderick
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
