Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti



On 29.04.2016 14:13, Roderick Johnstone wrote:

On 29/04/2016 10:27, Martin Basti wrote:



On 29.04.2016 11:02, Martin Basti wrote:



On 28.04.2016 19:16, Roderick Johnstone wrote:

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
in use by freeipa (see previous thread on this list).

When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
reverted some, but not all of, my changed settings in dse.ldif.

I'd like to understand what is expected to happen to this file on a
package upgrade (rpm reports that this file is not owned by any
package so I guess it's manipulated by a scriptlet) since at least one
of my changes was preserved.

Also, if I need to maintain a customised cipher suite for ipa, am I
required to only do yum updates of the ipa-server package by hand and
manually merge back in my changes, or is there a better way?

Thanks

Roderick Johnstone


Hello,

probably IPA upgrade did this change

if you need custom ciphers to be preserved, you have to put your own
upgrade file (number must be higher than 20) to IPA
'/usr/share/ipa/updates/'

something like:

$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

update default value with your own required ciphers

Martin



I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
/usr/share/ipa/updates/99-myciphers.update to apply changes.
Martin


Martin

That's the perfect solution, and works well for me. Thank you very much.

I didn't see this info documented in the RHEL7 IdM Guide (apart from a 
reference to the directory in the list of configuration files in 
section 28.1) or on the freeipa wiki. Did I miss it somewhere?


Thanks again.

Roderick


You are welcome,
well, I don't think that this is documented in the guide, it is quite 
hackish.


I created ticket https://fedorahosted.org/freeipa/ticket/5863

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
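
An added example, not part of the thread and not FreeIPA code: a small check that reads the cn=encryption,cn=config entry from a dse.ldif and reports any cipher setting that no longer matches what you expect, so a revert by an upgrade is noticed. The function names, the cipher list and the two dse.ldif fragments are constructed for illustration; base64 ("::") values are not decoded.

```python
# Added example (not from the thread): detect cipher drift in dse.ldif.
ENCRYPTION_DN = "cn=encryption,cn=config"  # DN used in 99-myciphers.update

# Constructed cipher list and dse.ldif fragments, for illustration only.
CUSTOM = "-all,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
EXPECTED = {"nsSSL3Ciphers": CUSTOM, "allowWeakCipher": "off"}
FOLDED = "-all,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RS\n A_WITH_AES_128_GCM_SHA256"
BEFORE = ("dn: cn=config\nnsslapd-port: 389\n\n"
          "dn: cn=encryption,cn=config\n"
          "nsSSL3Ciphers: " + FOLDED + "\n"
          "allowWeakCipher: off\n\n"
          "dn: cn=features,cn=config\ncn: features\n")
AFTER = BEFORE.replace(FOLDED, "default")  # what a reverted file could look like

def unfold(text):
    """Join LDIF continuation lines (leading single space) and drop comments."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not in_comment and lines:
                lines[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            lines.append(raw)
    return lines

def read_entry(text, dn):
    """Return {attr_lowercase: [values]} for the entry with this DN, else None."""
    entry, wanted = None, dn.replace(" ", "").lower()
    for line in unfold(text) + [""]:
        if not line.strip():  # a blank line ends the current entry
            if entry is not None:
                return entry
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            if value.replace(" ", "").lower() == wanted:
                entry = {}
        elif entry is not None:
            entry.setdefault(attr.lower(), []).append(value.strip())
    return None

def cipher_drift(text, expected):
    """Return {attr: (expected, actual)} for each setting that differs."""
    entry = read_entry(text, ENCRYPTION_DN) or {}
    drift = {}
    for attr, want in expected.items():
        got = entry.get(attr.lower(), [None])[0]
        if got is None or "".join(got.split()) != "".join(want.split()):
            drift[attr] = (want, got)
    return drift
```

Run it against the live dse.ldif after each ipa-server update, with EXPECTED set to the same values as in your 99-myciphers.update file.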


Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Roderick Johnstone

On 29/04/2016 10:27, Martin Basti wrote:



On 29.04.2016 11:02, Martin Basti wrote:



On 28.04.2016 19:16, Roderick Johnstone wrote:

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
in use by freeipa (see previous thread on this list).

When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
reverted some, but not all of, my changed settings in dse.ldif.

I'd like to understand what is expected to happen to this file on a
package upgrade (rpm reports that this file is not owned by any
package so I guess it's manipulated by a scriptlet) since at least one
of my changes was preserved.

Also, if I need to maintain a customised cipher suite for ipa, am I
required to only do yum updates of the ipa-server package by hand and
manually merge back in my changes, or is there a better way?

Thanks

Roderick Johnstone


Hello,

probably IPA upgrade did this change

if you need custom ciphers to be preserved, you have to put your own
upgrade file (number must be higher than 20) to IPA
'/usr/share/ipa/updates/'

something like:

$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

update default value with your own required ciphers

Martin



I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
/usr/share/ipa/updates/99-myciphers.update to apply changes.
Martin


Martin

That's the perfect solution, and works well for me. Thank you very much.

I didn't see this info documented in the RHEL7 IdM Guide (apart from a 
reference to the directory in the list of configuration files in section 
28.1) or on the freeipa wiki. Did I miss it somewhere?


Thanks again.

Roderick



Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti



On 29.04.2016 11:02, Martin Basti wrote:



On 28.04.2016 19:16, Roderick Johnstone wrote:

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated 
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite 
in use by freeipa (see previous thread on this list).


When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on 
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and 
reverted some, but not all of, my changed settings in dse.ldif.


I'd like to understand what is expected to happen to this file on a 
package upgrade (rpm reports that this file is not owned by any 
package so I guess it's manipulated by a scriptlet) since at least one
of my changes was preserved.


Also, if I need to maintain a customised cipher suite for ipa, am I 
required to only do yum updates of the ipa-server package by hand and 
manually merge back in my changes, or is there a better way?


Thanks

Roderick Johnstone


Hello,

probably IPA upgrade did this change

if you need custom ciphers to be preserved, you have to put your own 
upgrade file (number must be higher than 20) to IPA 
'/usr/share/ipa/updates/'


something like:

$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

update default value with your own required ciphers

Martin


I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater 
/usr/share/ipa/updates/99-myciphers.update to apply changes.

Martin

Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti



On 28.04.2016 19:16, Roderick Johnstone wrote:

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated 
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite 
in use by freeipa (see previous thread on this list).


When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on 
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and 
reverted some, but not all of, my changed settings in dse.ldif.


I'd like to understand what is expected to happen to this file on a 
package upgrade (rpm reports that this file is not owned by any 
package so I guess it's manipulated by a scriptlet) since at least one
of my changes was preserved.


Also, if I need to maintain a customised cipher suite for ipa, am I 
required to only do yum updates of the ipa-server package by hand and 
manually merge back in my changes, or is there a better way?


Thanks

Roderick Johnstone


Hello,

probably IPA upgrade did this change

if you need custom ciphers to be preserved, you have to put your own 
upgrade file (number must be higher than 20) to IPA 
'/usr/share/ipa/updates/'


something like:

$ cat 99-myciphers.update

dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off


update default value with your own required ciphers

Martin

[Freeipa-users] freeipa update changed my cipher set

2016-04-28 Thread Roderick Johnstone

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif 
to customise the cipher suite in use by freeipa (see previous thread on 
this list).


When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on April 
14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and reverted 
some, but not all of, my changed settings in dse.ldif.


I'd like to understand what is expected to happen to this file on a 
package upgrade (rpm reports that this file is not owned by any package 
so I guess it's manipulated by a scriptlet) since at least one of my
changes was preserved.


Also, if I need to maintain a customised cipher suite for ipa, am I 
required to only do yum updates of the ipa-server package by hand and 
manually merge back in my changes, or is there a better way?


Thanks

Roderick Johnstone
