On 28.04.2016 19:16, Roderick Johnstone wrote:

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite in use by freeipa (see previous thread on this list).

When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and reverted some, but not all of, my changed settings in dse.ldif.

I'd like to understand what is expected to happen to this file on a package upgrade (rpm reports that this file is not owned by any package so I guess its manipulated by a scriplet) since at least one of my changes was preserved.

Also, if I need to maintain a customised cipher suite for ipa, am I required to only do yum updates of the ipa-server package by hand and manually merge back in my changes, or is there a better way?


Roderick Johnstone


probably IPA upgrade did this change

if you need custom ciphers to be preserved, you have to put your own upgrade file (number must be higher than 20) to IPA '/usr/share/ipa/updates/'

something like:

$ cat 99-myciphers.update

dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

update default value with your own required ciphers

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to