Discussion:
[Freeipa-users] weak and null ciphers detected on ldap ports
Murty, Ajeet (US - Arlington)
2014-09-22 12:03:47 UTC
Security scan of FreeIPA server ports uncovered weak, medium and null ciphers on ports 389 and 636. We are running ‘ipa-server-3.0.0-37.el6.i686’.
How can I disable/remove these ciphers in my existing setup?

Ciphers Discovered -
TLSv1
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1

Thanks,
Amb.

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and any disclosure, copying, or distribution of this message, or the taking of any action based on it, by you is strictly prohibited.
v.E.1
Nathan Kinder
2014-09-22 20:07:03 UTC
Post by Murty, Ajeet (US - Arlington)
Security scan of FreeIPA server ports uncovered weak, medium and null
ciphers on port 389 and 636. We are running ‘ipa-server-3.0.0-37.el6.i686’.
How can I disable/remove these ciphers in my existing setup?
This has recently been worked on in this 389-ds-base ticket:

https://fedorahosted.org/389/ticket/47838

As mentioned in the initial description of that ticket, you can
configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
You can edit this over LDAP, or by stopping 389-ds-base and editing
/etc/dirsrv/slapd-<REALM>/dse.ldif.

Thanks,
-NGK
Martin Kosek
2014-09-23 15:15:21 UTC
Post by Nathan Kinder
Post by Murty, Ajeet (US - Arlington)
Security scan of FreeIPA server ports uncovered weak, medium and null
ciphers on port 389 and 636. We are running ‘ipa-server-3.0.0-37.el6.i686’.
How can I disable/remove these ciphers in my existing setup?
https://fedorahosted.org/389/ticket/47838
As mentioned in the initial description of that ticket, you can
configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
You can edit this over LDAP, or by stopping 389-ds-base and editing
/etc/dirsrv/slapd-<REALM>/dse.ldif.
Thanks,
-NGK
You can also check the FreeIPA counterpart:

https://fedorahosted.org/freeipa/ticket/4395

This issue is fixed in FreeIPA 4.0.3 (available in Copr build and Fedora 21+);
we would very much welcome it if you could verify that this setup works for you!

Thanks,
Martin
Murty, Ajeet (US - Arlington)
2014-10-07 09:35:50 UTC
Hi Martin and Nathan,

Thank you for providing that info.
Unfortunately, my IPA server is running on CentOS, and the latest IPA version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
The latest version of 389-DS through YUM is - '389-ds-base.i686 1.2.11.15-34.el6_5 '.

Nessus scan had detected this null cipher -
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1

I found 2 'dse.ldif' files on disk -
/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif

In each of them, I found this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha


So to disable null cipher, I removed 'rsa_null_md5' from that list -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha

I restarted the entire IPA stack and ran the scan again, and I am still seeing that null cipher.

Any ideas on how to resolve this?

Thanks.
Alexander Bokovoy
2014-10-07 09:46:14 UTC
Post by Murty, Ajeet (US - Arlington)
Hi Martin and Nathan,
Thank you for providing that info.
Unfortunately, my IPA server is running on CentOS, and the latest IPA version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
The latest version of 389-DS through YUM is - '389-ds-base.i686 1.2.11.15-34.el6_5 '.
Nessus scan had detected this null cipher -
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
I found 2 'dse.ldif' files on disk -
/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
In each of them, I found this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
So to disable null cipher, I removed 'rsa_null_md5' from that list -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
I restarted the entire IPA stack, and ran the scan again, I am still seeing that Null Cipher.
Any ideas on how to resolve this?
I can also see fortezza_null in the above list; maybe you are getting
into that one?
--
/ Alexander Bokovoy
Murty, Ajeet (US - Arlington)
2014-10-07 10:02:23 UTC
I edited both ldif files to remove fortezza_null. Looks like this now -

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha

Ran the scan again, still seeing Null Cipher -

TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
Alexander Bokovoy
2014-10-07 10:12:57 UTC
Post by Murty, Ajeet (US - Arlington)
I edited both ldif files to remove fortezza_null. Looks like this now -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
Here I can still see +fortezza_null.
Post by Murty, Ajeet (US - Arlington)
a_export1024_with_des_cbc_sha
Ran the scan again, still seeing Null Cipher -
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
--
/ Alexander Bokovoy
Murty, Ajeet (US - Arlington)
2014-10-07 10:16:13 UTC
Sorry, I messed up the copy and paste; here is the edited section -

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

I double checked this time. No Null ciphers in dse.ldif files.
Still seeing the Null Cipher in scans.
Ludwig Krispenz
2014-10-07 10:49:51 UTC
Post by Murty, Ajeet (US - Arlington)
Sorry, messed up copy paste, here is the edited section -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
The +xxxx are probably added to a default set of ciphers; could you try
with "-fortezza_null"?
Post by Murty, Ajeet (US - Arlington)
I double checked this time. No Null ciphers in dse.ldif files.
Still seeing the Null Cipher in scans.
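The two points made so far (Nathan: the allowed ciphers are configured in the server's config entry, editable over LDAP or in dse.ldif with the server stopped; Ludwig: the "+" tokens are added on top of a default set, so a weak cipher has to be denied with "-", not just left out) can be checked offline against the pasted value. The script below is an added example, not code from the thread or from 389-ds/FreeIPA. It assumes the attribute lives in the cn=encryption,cn=config entry (where 389-ds stores nsSSL3Ciphers), and it re-folds the value the way LDIF does, with a single leading space on each continuation line, because mail clients tend to strip that space and a hand-edited dse.ldif without it will not parse. The scanner-name-to-NSS-token mapping is the editor's, taken from the NSS cipher table, and is not stated anywhere in the thread; the sample LDIF is constructed from the value Ajeet posted.

```python
"""Audit a 389-ds nsSSL3Ciphers value against scanner findings (added example,
not code from the thread or from 389-ds/FreeIPA)."""

# Constructed sample in dse.ldif form. 389-ds keeps nsSSL3Ciphers in the
# cn=encryption,cn=config entry. LDIF folds long values: each continuation
# line starts with exactly one space (mail clients often strip it).
SAMPLE_DSE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
 rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
 _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
"""

# Scanner (OpenSSL) cipher names -> NSS tokens accepted by nsSSL3Ciphers.
# Editor's mapping from the NSS cipher table; the thread does not state it.
SCANNER_TO_NSS = {
    "NULL-SHA": "rsa_null_sha",
    "NULL-MD5": "rsa_null_md5",
    "EXP-RC4-MD5": "rsa_rc4_40_md5",
    "EXP-RC2-CBC-MD5": "rsa_rc2_40_md5",
    "DES-CBC-SHA": "rsa_des_sha",
    "EXP1024-RC4-SHA": "tls_rsa_export1024_with_rc4_56_sha",
    "EXP1024-DES-CBC-SHA": "tls_rsa_export1024_with_des_cbc_sha",
}

# Token substrings that mark a suite as weak: no encryption, export grade,
# 40-bit keys, RC2/RC4, single DES or an MD5 MAC. "_des_" does not match
# "_3des_", so triple DES is left enabled.
WEAK_MARKERS = ("null", "export", "_40_", "rc2", "rc4", "_des_", "md5")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def get_attr(ldif_text, name):
    """First value of attribute `name` in the unfolded LDIF, or None."""
    prefix = name.lower() + ":"
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def parse_ciphers(value):
    """Map each token of a '+tok,-tok,...' list to its sign (bare token = '+')."""
    ciphers = {}
    for tok in (t.strip() for t in value.split(",")):
        if tok:
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            ciphers[name.lower()] = sign
    return ciphers


def is_weak(name):
    return any(marker in name for marker in WEAK_MARKERS)


def audit(ldif_text, scanner_findings):
    """Explain each scanner finding against the configured list: 'disabled'
    (explicit '-'), 'enabled' (explicit '+'), 'default' (not listed, so the
    server's built-in default decides) or 'unmapped' (unknown name)."""
    ciphers = parse_ciphers(get_attr(ldif_text, "nsSSL3Ciphers") or "")
    verdicts = {}
    for finding in scanner_findings:
        token = SCANNER_TO_NSS.get(finding)
        if token is None:
            verdicts[finding] = "unmapped"
        elif token not in ciphers:
            verdicts[finding] = "default"
        else:
            verdicts[finding] = "enabled" if ciphers[token] == "+" else "disabled"
    return verdicts


def harden(value):
    """Return the list with every known weak token explicitly denied.
    '+' tokens are added on top of a default set, so deleting a weak token
    leaves the default in charge; an explicit '-' does not. Denials first."""
    ciphers = parse_ciphers(value)
    for name in set(SCANNER_TO_NSS.values()) | {"fortezza_null"} | set(ciphers):
        if is_weak(name):
            ciphers[name] = "-"
    ordered = sorted(ciphers.items(), key=lambda kv: (kv[1] != "-", kv[0]))
    return ",".join(sign + name for name, sign in ordered)


if __name__ == "__main__":
    for finding, verdict in audit(SAMPLE_DSE_LDIF, ["NULL-SHA", "EXP-RC4-MD5"]).items():
        print(f"{finding:14s} -> {verdict}")
    print(harden(get_attr(SAMPLE_DSE_LDIF, "nsSSL3Ciphers")))
```

Run against the posted value, `audit` reports NULL-SHA as "default": if the mapping holds, the scanner's NULL-SHA is rsa_null_sha, which neither the original "-rsa_null_md5" nor the removal of fortezza_null ever touched, so it stays at whatever the server's default says. `harden` writes an explicit "-" for every weak token it knows about, which is Ludwig's suggestion applied across the board. Whatever value you end up with has to go into both instances (slapd-PKI-IPA and slapd-EXAMPLE-COM here), and the real check after the restart is the listener on 636, not the file.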
Rich Megginson
2014-10-07 14:16:14 UTC
Post by Murty, Ajeet (US - Arlington)
Sorry, messed up copy paste, here is the edited section -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
I double checked this time. No Null ciphers in dse.ldif files.
Still seeing the Null Cipher in scans.
NOTE: You cannot edit dse.ldif while dirsrv is running. You must ensure
dirsrv is not running before you edit dse.ldif.
Rob Crittenden
2014-10-07 14:18:32 UTC
Post by Murty, Ajeet (US - Arlington)
Sorry, messed up copy paste, here is the edited section -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
I double checked this time. No Null ciphers in dse.ldif files.
Still seeing the Null Cipher in scans.
Are you shutting down the server(s) before modifying dse.ldif or are you
doing the changes online using ldapmodify?

389-ds writes dse.ldif during shutdown so if you make changes while the
server is up and then restart it those changes will be lost.

rob
Post by Murty, Ajeet (US - Arlington)
-----Original Message-----
Sent: Tuesday, October 07, 2014 6:13 AM
To: Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
I edited both ldif files to remove fortezza_null. Looks like this now -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
Here I can still see +fortezza_null.
Post by Murty, Ajeet (US - Arlington)
a_export1024_with_des_cbc_sha
Ran the scan again, still seeing Null Cipher -
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and any disclosure, copying, or distribution of this message, or the taking of any action based on it, by you is strictly prohibited.
v.E.1
-----Original Message-----
Sent: Tuesday, October 07, 2014 5:46 AM
To: Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
Hi Martin and Nathan,
Thank you for providing that info.
Unfortunately, my IPA server is running on CentOS, and the latest IPA version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
The latest version of 389-DS through YUM is - '389-ds-base.i686 1.2.11.15-34.el6_5 '.
Nessus scan had detected this null cipher -
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
I found 2 'dse.ldif' files on disk -
/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
In each of them, I found this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
So to disable null cipher, I removed 'rsa_null_md5' from that list -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
I restarted the entire IPA stack and ran the scan again, and I am still seeing that Null Cipher.
Any ideas on how to resolve this?
I can also see fortezza_null in the above list; maybe you are getting
into that one?
Post by Murty, Ajeet (US - Arlington)
-----Original Message-----
Sent: Tuesday, September 23, 2014 11:15 AM
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Nathan Kinder
Post by Murty, Ajeet (US - Arlington)
Security scan of FreeIPA server ports uncovered weak, medium and null
ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.
How can I disable/remove these ciphers in my existing setup?
https://fedorahosted.org/389/ticket/47838
As mentioned in the initial description of that ticket, you can
configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
You can edit this over LDAP, or by stopping 389-ds-base and editing
/etc/dirsrv/slapd-<REALM>/dse.ldif.
Thanks,
-NGK
https://fedorahosted.org/freeipa/ticket/4395
This issue is fixed in FreeIPA 4.0.3 (available in a Copr build and in Fedora 21+);
we would very much welcome it if you could verify that this setup works for you!
Thanks,
Martin
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
Murty, Ajeet (US - Arlington)
2014-10-07 16:10:38 UTC
Permalink
I was shutting down IPA before making any changes -

1. Shutdown IPA -

[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]

2. Edit 'dse.ldif' files to remove null ciphers -

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

3. Start IPA -

[root]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting MEMCACHE Service
Starting ipa_memcached: [ OK ]
Starting HTTP Service
Starting httpd: [ OK ]
Starting CA Service
Starting pki-ca: [ OK ]

4. Run Scan.

Null Ciphers detected again by Nessus -

Here is the list of null SSL ciphers supported by the remote server :
Null Ciphers (no encryption)
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Port
389 / tcp / ldap
636 / tcp / ldap



Ajeet Murty
Deloitte & Touche LLP
Tel: +1 571 882 5614 | Mobile: +1 704 421 8756
***@deloitte.com | www.deloitte.com




-----Original Message-----
From: Rob Crittenden [mailto:***@redhat.com]
Sent: Tuesday, October 07, 2014 10:19 AM
To: Murty, Ajeet (US - Arlington); Alexander Bokovoy
Cc: freeipa-***@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
Sorry, messed up copy paste, here is the edited section -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
I double checked this time. No Null ciphers in dse.ldif files.
Still seeing the Null Cipher in scans.
Are you shutting down the server(s) before modifying dse.ldif or are you
doing the changes online using ldapmodify?

389-ds writes dse.ldif during shutdown so if you make changes while the
server is up and then restart it those changes will be lost.

rob
Alexander Bokovoy
2014-10-07 16:43:10 UTC
Permalink
Post by Murty, Ajeet (US - Arlington)
I was shutting down IPA before making any changes -
1. Shutdown IPA -
[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]
2. Edit 'dse.ldif' files to remove null ciphers -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
I think Ludwig gave a good suggestion -- instead of removing them from
the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
The way the nsSSL3Ciphers attribute works is by modifying the default NSS
cipher list, with + and - adding and removing ciphers accordingly.
--
/ Alexander Bokovoy
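The +/- semantics described above are easy to get wrong by hand, as the thread shows: removing a name from the list is not the same as disabling it, and a null cipher the value never names is left to the server defaults. The following is an added example, not code from the thread or from 389-ds, that lints an nsSSL3Ciphers value against a small set of null-cipher names. rsa_null_md5 and fortezza_null are the names that appear in the thread; rsa_null_sha is an assumption made here (the 389-ds name for TLS_RSA_WITH_NULL_SHA, which scanners such as Nessus report as NULL-SHA). The lint deliberately does not model the built-in defaults or allowWeakCipher: anything not explicitly disabled is reported, which is the conservative reading of how + and - modify the default list.

```python
import re

# Constructed for this example: 389-ds cipher-list names that denote
# null-encryption (no confidentiality) suites. rsa_null_md5 and fortezza_null
# are the two names that appear in the thread; rsa_null_sha is ASSUMED here to
# be the 389-ds name for TLS_RSA_WITH_NULL_SHA, which OpenSSL/Nessus report as
# NULL-SHA. Extend the set if your server's cipher table has more null suites.
NULL_CIPHERS = {"rsa_null_md5", "rsa_null_sha", "fortezza_null"}


def parse_cipher_spec(spec):
    """Split an nsSSL3Ciphers value into ordered (sign, name) pairs.

    All whitespace is dropped first, so a value pasted from a wrapped LDIF
    (continuation lines, with or without the leading space) parses the same
    as the unfolded value. Every token must carry a '+' or '-' prefix.
    """
    spec = re.sub(r"\s+", "", spec)
    tokens = []
    for tok in spec.split(","):
        if not tok:
            continue
        if tok[0] not in "+-":
            raise ValueError(f"cipher token without +/- prefix: {tok!r}")
        tokens.append((tok[0], tok[1:].lower()))
    return tokens


def null_cipher_state(spec):
    """Classify each known null cipher as 'enabled', 'disabled' or 'unmentioned'.

    Tokens are applied left to right: '+all'/'-all' sets every cipher, a named
    token sets that one cipher, and later tokens override earlier ones. A cipher
    the value never names is left to the server's built-in defaults, which this
    lint deliberately does not try to model (it also ignores allowWeakCipher).
    """
    state = {name: "unmentioned" for name in NULL_CIPHERS}
    for sign, name in parse_cipher_spec(spec):
        new = "enabled" if sign == "+" else "disabled"
        if name == "all":
            state = {n: new for n in state}
        elif name in state:
            state[name] = new
    return state


def findings(spec):
    """Sorted (cipher, state) pairs for every null cipher not explicitly disabled."""
    return sorted((c, s) for c, s in null_cipher_state(spec).items() if s != "disabled")


# Constructed inputs modelled on the values posted in the thread (wrapped as a
# mail client would wrap them; the folds fall inside token names on purpose).
FIRST_EDIT = """+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha"""
MINUS_EDIT = "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,-fortezza_null,+tls_rsa_export1024_with_des_cbc_sha"
EXPLICIT = "+all,-rsa_null_md5,-rsa_null_sha,-fortezza_null"

if __name__ == "__main__":
    for label, spec in (("first edit", FIRST_EDIT), ("with '-' prefixes", MINUS_EDIT), ("explicit", EXPLICIT)):
        print(f"{label}: {findings(spec) or 'no null cipher left enabled or unmentioned'}")
```

Run against the first edit from the thread, the lint reports fortezza_null as still enabled and the other two null names as unmentioned; with the '-' prefixes it still reports rsa_null_sha as unmentioned, which is the kind of gap to close explicitly before rescanning.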
Murty, Ajeet (US - Arlington)
2014-10-07 16:59:53 UTC
Permalink
I shut down IPA and modified both dse.ldif files to look like this -

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha


Then, when I try to start up IPA, I get this error message -

[root]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]
PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]







Alexander Bokovoy
2014-10-07 17:07:37 UTC
Permalink
Post by Murty, Ajeet (US - Arlington)
I shut down IPA and modified both dse.ldif files to look like this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
Then, when I try to start up IPA, I get this error message -
[root]# /etc/init.d/ipa start
Starting Directory Service
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated the nsSSL3Ciphers line
from the entry itself. At least in my case it looks like this:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1

Note that it is part of the cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines, because an empty line
finishes the current entry and starts another one.
--
/ Alexander Bokovoy
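The two LDIF rules behind the start-up errors above (a blank line ends the entry; a line starting with one space continues the previous value) can be checked offline before restarting the directory server, and Rob's earlier point that 389-ds rewrites dse.ldif at shutdown argues for making the change online with ldapmodify instead. The following is an added example, not 389-ds code: a minimal LDIF entry reader that reports entries without a dn the way the server does, extracts the unfolded nsSSL3Ciphers value of cn=encryption,cn=config, and emits an ldapmodify-ready LDIF for the online route. The dse.ldif sample is constructed and shortened, and its cipher values are not a recommended list.

```python
"""Offline checker for a hand-edited 389-ds dse.ldif (added example, not 389-ds code).

It implements the two LDIF rules behind the start-up errors in the thread:
a blank line terminates the current entry, and a line that begins with a
single space continues the previous attribute value (RFC 2849 line folding).
"""

ENCRYPTION_DN = "cn=encryption,cn=config"


def parse_ldif(text):
    """Return entries as {'line': first_line_no, 'dn': str|None, 'attrs': {name: [values]}}."""
    entries, current, last_attr = [], None, None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):
            continue
        if line == "":                          # blank line: entry ends here
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith(" "):                # folded line: append to previous value
            if current is None or last_attr is None:
                raise ValueError(f"line {lineno}: continuation line with nothing to continue")
            if last_attr == "dn":
                current["dn"] += line[1:]
            else:
                current["attrs"][last_attr][-1] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: not an attribute line: {line!r}")
        name, value = name.strip(), value.lstrip()
        if current is None:
            current = {"line": lineno, "dn": None, "attrs": {}}
        if name.lower() == "dn":
            current["dn"], last_attr = value, "dn"
        else:
            current["attrs"].setdefault(name, []).append(value)
            last_attr = name
    if current is not None:
        entries.append(current)
    return entries


def check_dse(text):
    """List entries that have no dn, the condition 389-ds reports as 'entry has no dn'."""
    problems = []
    for entry in parse_ldif(text):
        if entry["dn"] is None:
            first = next(iter(entry["attrs"]), "?")
            problems.append(f"line {entry['line']}: entry has no dn (starts with [{first}])")
    return problems


def encryption_ciphers(text):
    """Unfolded nsSSL3Ciphers value of cn=encryption,cn=config, or None if absent."""
    for entry in parse_ldif(text):
        if (entry["dn"] or "").lower() == ENCRYPTION_DN:
            values = entry["attrs"].get("nsSSL3Ciphers")
            return values[0] if values else None
    return None


def fold(line, width=78):
    """RFC 2849 folding: split a long line, each continuation starting with one space."""
    out, rest = [], line
    while len(rest) > width:
        out.append(rest[:width])
        rest = " " + rest[width:]
    out.append(rest)
    return "\n".join(out)


def ldapmodify_replace_ciphers(value):
    """LDIF for 'ldapmodify' that replaces nsSSL3Ciphers on the running server,
    so the change is made online instead of in a dse.ldif that the server
    rewrites at shutdown."""
    return "\n".join([f"dn: {ENCRYPTION_DN}", "changetype: modify",
                      "replace: nsSSL3Ciphers", fold(f"nsSSL3Ciphers: {value}"), ""])


# Constructed samples: the broken layout (blank lines inside the entry) and the
# corrected one. Attribute values are shortened; they are not a recommended list.
BROKEN = """dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
 -fortezza_null,+tls_rsa_export1024_with_des_cbc_sha

numSubordinates: 1
"""
FIXED = BROKEN.replace("\n\n", "\n")
SAFER_VALUE = "-rsa_null_md5,-rsa_null_sha,-fortezza_null,+rsa_3des_sha,+tls_rsa_export1024_with_rc4_56_sha"

if __name__ == "__main__":
    print("broken:", check_dse(BROKEN))
    print("fixed:", check_dse(FIXED), encryption_ciphers(FIXED))
    print(ldapmodify_replace_ciphers(SAFER_VALUE))
```

The generated LDIF is meant to be fed to ldapmodify as Directory Manager while the server is running; the folded attribute line round-trips through the same parser, so the value the server receives is exactly the one passed in.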
Murty, Ajeet (US - Arlington)
2014-10-07 17:21:04 UTC
Permalink
I removed the new lines; it looks like this now -

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
numSubordinates: 1

I am still seeing the null ciphers in my scan results.



Murty, Ajeet (US - Arlington)
2014-10-08 04:15:34 UTC
Permalink
Any ideas on what else I can try here?
Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months?

Thanks again for all your help.


Rich Megginson
2014-10-08 04:36:37 UTC
Permalink
Post by Murty, Ajeet (US - Arlington)
Any ideas on what else I can try here?
Please file a ticket.
Post by Murty, Ajeet (US - Arlington)
Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months?
Thanks again for all your help.
-----Original Message-----
Sent: Tuesday, October 07, 2014 1:21 PM
To: Alexander Bokovoy
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
I removed the new lines, looks like this now -
modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
numSubordinates: 1
I am still seeing the null ciphers in my scan results.
-----Original Message-----
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
I shutdown IPA and modified both dse ldif files to look like this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
Then, when I try to start up IPA, I get this error message -
[root]# /etc/init.d/ipa start
Starting Directory Service
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated nsSSL3Ciphers line
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1
note that it is part of cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines because empty line
finishes current entry and starts another one.
Post by Murty, Ajeet (US - Arlington)
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]
PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]
-----Original Message-----
Sent: Tuesday, October 07, 2014 12:43 PM
To: Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
I was shutting down IPA before making any changes -
1. Shutdown IPA -
[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]
2. Edit 'dse.ldif' files to remove null ciphers -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
I think Ludwig gave a good suggestion -- instead of removing them from
the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
The way nsSSL3Ciphers attribute works, is by modifying default NSS
ciphers list, with + and - to add and remove the ciphers accordingly.
--
/ Alexander Bokovoy
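An added example, not code from the thread, from 389-ds or from FreeIPA, that checks a dse.ldif fragment for both mistakes discussed above: it reads the file the way an LDIF parser does (a blank line ends an entry, a continuation line starts with one space), reports every entry that has no dn, and lints the nsSSL3Ciphers value for suites that are still switched on. The weak-cipher policy, the 389-ds spellings of the NULL suites (rsa_null_md5, rsa_null_sha, fortezza_null) and the AES names in the hardened value are assumptions rather than facts taken from the thread, and the sample LDIF is constructed.

```python
"""Lint a 389-ds dse.ldif fragment for the two problems discussed above:
an attribute block cut off from its entry by a blank line (the server's
"str2entry_dupcheck: entry has no dn"), and an nsSSL3Ciphers value that
still switches on NULL, export or other weak suites.  Added example, not
code from 389-ds or FreeIPA; the cipher policy below is an assumption."""

import re

# Constructed sample.  LDIF ends an entry at a blank line and folds a long
# value by starting each continuation line with one space.  The blank line
# before nsSSL3Ciphers reproduces the mistake behind the start-up errors.
BROKEN_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL2: off
nsSSL3: off

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1
"""

# Policy for this example (assumption): NULL, export, 40/56-bit, RC2, RC4 and
# single-DES suites are rejected; 3DES is tolerated.  NULL_SUITES are the
# 389-ds spellings of SSL_RSA_WITH_NULL_MD5/SHA and the Fortezza null suite.
WEAK_MARKERS = ("null", "export", "_40_", "rc2", "rc4")
SINGLE_DES = re.compile(r"(^|_)des_")    # matches rsa_des_sha, not rsa_3des_sha
NULL_SUITES = ("rsa_null_md5", "rsa_null_sha", "fortezza_null")

# A value with every NULL suite explicitly disabled and only stronger RSA
# suites enabled (cipher names assumed valid for this 389-ds version).
HARDENED_SPEC = ("-rsa_null_md5,-rsa_null_sha,-fortezza_null,"
                 "+rsa_3des_sha,+rsa_fips_3des_sha,"
                 "+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha")


def parse_ldif(text):
    """Return entries as lists of (attribute, value) pairs, unfolding
    continuation lines the way an LDIF reader does."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw == "":                              # blank line closes the entry
            if current:
                entries.append(current)
                current = []
        elif raw.startswith(" ") and current:      # folded continuation line
            attr, value = current[-1]
            current[-1] = (attr, value + raw[1:])
        else:
            attr, _, value = raw.partition(":")
            current.append((attr.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries


def entries_without_dn(entries):
    """First attribute of every entry lacking a dn: the name 389-ds prints in
    'The entry [...] was empty or could not be parsed'."""
    return [e[0][0] for e in entries if e[0][0].lower() != "dn"]


def cipher_tokens(spec):
    return [t.strip() for t in spec.split(",") if t.strip()]


def weak_ciphers_enabled(spec):
    """Tokens of an nsSSL3Ciphers value that enable a weak suite ('+all' counts)."""
    bad = []
    for tok in cipher_tokens(spec):
        name = tok[1:].lower()
        if tok.startswith("+") and (name == "all"
                                    or any(m in name for m in WEAK_MARKERS)
                                    or SINGLE_DES.search(name)):
            bad.append(tok)
    return bad


def null_suites_not_disabled(spec):
    """NULL suites that the value does not explicitly turn off with '-'."""
    disabled = {t[1:].lower() for t in cipher_tokens(spec) if t.startswith("-")}
    return [n for n in NULL_SUITES if n not in disabled]


def modify_ldif(spec):
    """LDIF for ldapmodify that replaces the value on a running server, the
    alternative to editing dse.ldif with the directory stopped."""
    return ("dn: cn=encryption,cn=config\nchangetype: modify\n"
            "replace: nsSSL3Ciphers\nnsSSL3Ciphers: %s\n" % spec)


if __name__ == "__main__":
    entries = parse_ldif(BROKEN_LDIF)
    print("entries without dn:", entries_without_dn(entries))
    spec = dict(entries[-1]).get("nsSSL3Ciphers", "")
    print("weak suites enabled:", weak_ciphers_enabled(spec))
    print("NULL suites not explicitly disabled:", null_suites_not_disabled(spec))
    print(modify_ldif(HARDENED_SPEC))
```

Run on the constructed sample it reports the dn-less second entry, the eight tokens that still enable RC4, RC2, export and single-DES suites, and rsa_null_sha as the one NULL suite the value never disables. The check is static: after the value is changed, whether through dse.ldif with the directory stopped or through ldapmodify with the printed LDIF, the result still has to be confirmed with a cipher scan against port 636.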
Murty, Ajeet (US - Arlington)
2014-10-08 05:08:39 UTC
Permalink
Done. 'Bug 1150368 - Unable to disable Null Ciphers on 389-Directory-Server using nsSSL3Ciphers in Ldif'

https://bugzilla.redhat.com/show_bug.cgi?id=1150368

Thanks.

-----Original Message-----
From: Rich Megginson [mailto:***@redhat.com]
Sent: Wednesday, October 08, 2014 12:37 AM
To: Murty, Ajeet (US - Arlington); Alexander Bokovoy; Rob Crittenden
Cc: freeipa-***@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
Any ideas on what else I can try here?
Please file a ticket.
Post by Murty, Ajeet (US - Arlington)
Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months?
Thanks again for all your help.
Alexander Bokovoy
2014-10-08 06:00:47 UTC
Permalink
Post by Murty, Ajeet (US - Arlington)
Any ideas on what else I can try here?
Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months?
In general, the FreeIPA team doesn't do backports to older versions due to
tight cooperation with other components when introducing new features.
We depend a lot on changes in 389-ds, Dogtag, MIT Kerberos, and SSSD, at least,
but also in Samba and other components, including the Linux kernel.

Backporting all the changes to older releases of certain distributions
is left to distribution maintainers. For Fedora we do have some freedom
on what can be done and try to maintain availability of FreeIPA releases
on two current versions, but sometimes it is impossible due to update
policies -- Fedora 20 got the 4.0.x upgrade via a COPR repository while we are
cleaning up Fedora 21 for 4.1 support.

In the case of Red Hat Enterprise Linux releases, Red Hat itself (I cannot
speak for the company) decides what to support, and these
decisions are also based on certain stability promises for the ABI; see
https://access.redhat.com/solutions/5154 for details. Some of the components
FreeIPA depends on change their ABI, and therefore the changes can only
be introduced in newer major releases. When these changes occurred, we
coordinated with Red Hat engineering teams to make sure the most important
changes were folded into the RHEL 7.0 release to provide a base for FreeIPA
integration.

For CentOS, as it tracks the corresponding Red Hat Enterprise Linux
releases, the situation is similar. For packages that are not in RHEL/CentOS
releases there are means to provide them through side channels, like
EPEL, but EPEL's policy prevents packaging something that is
available through the main channels for the release.

We use COPR repositories to make it possible to install newer FreeIPA
versions on RHEL 7/CentOS 7/Fedora 20. However, these packages have no
official support from Red Hat or the CentOS project. They are a FreeIPA
upstream effort to make our releases more easily testable. For any issues
found through COPR repositories you are welcome to file tickets in the
FreeIPA issue tracker at https://fedorahosted.org/freeipa/.
--
/ Alexander Bokovoy
Murty, Ajeet (US - Arlington)
2014-10-08 07:10:26 UTC
Permalink
Understood. Thank you for clarifying all that.
I believe my best options at this point are to rebuild my environment on CentOS 7, enable the COPR repo, and get the latest version of FreeIPA 4.x.
I will hold out for a few more weeks to see if someone at Red Hat can provide a fix/patch for the older version. Fingers crossed.


-----Original Message-----
From: Alexander Bokovoy [mailto:***@redhat.com]
Sent: Wednesday, October 08, 2014 2:01 AM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-***@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
Any ideas on what else I can try here?
Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months?
In general, FreeIPA team doesn't do backports to older versions due to
tight cooperation with other components when introducing new features.
We depend a lot on changes in 389-ds, Dogtag, MIT Kerberos, and SSSD, at least,
but also in Samba and other components, including Linux kernel.

Backporting all the changes to older releases of certain distributions
is left to distribution maintainers. For Fedora we do have some freedom
on what can be done and try to maintain availability of FreeIPA releases
on two current versions but sometimes it is impossible due to update
polices -- Fedora 20 got 4.0.x upgrade via COPR repository while we are
cleaning up Fedora 21 for 4.1 support.

In case of Red Hat Enterprise Linux releases, Red Hat itself (I cannot
speak for the company) makes decisions what to support and these
decisions are also based on certain stability promises for ABI, see
https://access.redhat.com/solutions/5154 for details. Some of components
FreeIPA depends on change their ABI and therefore the changes can only
be introduced in newer major releases. When these changes occurred, we
coordinated with Red Hat engineering teams to make sure most important
changes were folded into RHEL 7.0 release to provide a base for FreeIPA
integration.

For CentOS, as it tracks corresponding Red Hat Enterprise Linux
releases, situation is similar. For packages that are not in RHEL/CentOS
releases there are means to provide them through a side channels, like
EPEL, but EPEL's policy prevents from packaging something that is
available through the main channels for the release.

We use COPR repositories to make possible to install newer FreeIPA
versions on RHEL 7/CentOS 7/Fedora 20. However, these packages have no
official support from Red Hat or CentOS project. They are FreeIPA
upstream effort to make our releases more easily testable. For any issues
found through COPR repositories you are welcome to file tickets to
FreeIPA issue tracker at https://fedorahosted.org/freeipa/.
Post by Murty, Ajeet (US - Arlington)
Thanks again for all your help.
-----Original Message-----
Sent: Tuesday, October 07, 2014 1:21 PM
To: Alexander Bokovoy
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
I removed the new lines, looks like this now -
modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
numSubordinates: 1
I am still seeing the null ciphers in my scan results.
-----Original Message-----
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
I shutdown IPA and modified both dse ldif files to look like this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
Then, when I try to start up IPA, I get this error message -
[root]# /etc/init.d/ipa start
Starting Directory Service
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated nsSSL3Ciphers line
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1
note that it is part of cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines because empty line
finishes current entry and starts another one.
Post by Murty, Ajeet (US - Arlington)
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]
PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]
-----Original Message-----
Sent: Tuesday, October 07, 2014 12:43 PM
To: Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
I was shutting down IPA before making any changes -
1. Shutdown IPA -
[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]
2. Edit 'dse.ldif' files to remove null ciphers -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
I think Ludwig gave a good suggestion -- instead of removing them from
the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
The way the nsSSL3Ciphers attribute works is by modifying the default NSS
cipher list, with + and - to add and remove ciphers accordingly.
--
/ Alexander Bokovoy
--
/ Alexander Bokovoy
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
Ludwig Krispenz
2014-10-08 15:49:14 UTC
Permalink
Hi,

I did a test with 1.2.11.15-33

first test:
nsSSL3Ciphers: +all
running nmap gave:
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
| SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_NULL_SHA - broken <<<<<<<<<<<<<<
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: broken

next test:
nsSSL3Ciphers: +all,-rsa_null_sha

nmap result:
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
| SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: weak

maybe you can try adding "-rsa_null_sha" to your nsSSL3Ciphers config.
Post by Murty, Ajeet (US - Arlington)
Understood. Thank you for clarifying all that.
I believe my best options at this point are to rebuild my environment on CentOS 7, enable COPR repo, and get the latest version of FreeIPA 4.x.
I will hold out for a few more weeks to see if someone at RedHat can provide a fix/patch for the older version. Fingers crossed.
-----Original Message-----
Sent: Wednesday, October 08, 2014 2:01 AM
To: Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
Any ideas on what else I can try here?
Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months?
In general, the FreeIPA team doesn't do backports to older versions due to
tight cooperation with other components when introducing new features.
We depend a lot on changes in 389-ds, Dogtag, MIT Kerberos, and SSSD, at least,
but also in Samba and other components, including the Linux kernel.
Backporting all the changes to older releases of certain distributions
is left to distribution maintainers. For Fedora we do have some freedom
on what can be done and try to maintain availability of FreeIPA releases
on two current versions, but sometimes it is impossible due to update
policies -- Fedora 20 got the 4.0.x upgrade via a COPR repository while we are
cleaning up Fedora 21 for 4.1 support.
In the case of Red Hat Enterprise Linux releases, Red Hat itself (I cannot
speak for the company) makes decisions on what to support, and these
decisions are also based on certain stability promises for ABI; see
https://access.redhat.com/solutions/5154 for details. Some of the components
FreeIPA depends on change their ABI and therefore the changes can only
be introduced in newer major releases. When these changes occurred, we
coordinated with Red Hat engineering teams to make sure the most important
changes were folded into the RHEL 7.0 release to provide a base for FreeIPA
integration.
For CentOS, as it tracks the corresponding Red Hat Enterprise Linux
releases, the situation is similar. For packages that are not in RHEL/CentOS
releases there are means to provide them through side channels, like
EPEL, but EPEL's policy prevents packaging something that is
available through the main channels for the release.
We use COPR repositories to make it possible to install newer FreeIPA
versions on RHEL 7/CentOS 7/Fedora 20. However, these packages have no
official support from Red Hat or the CentOS project. They are a FreeIPA
upstream effort to make our releases more easily testable. For any issues
found through COPR repositories you are welcome to file tickets in the
FreeIPA issue tracker at https://fedorahosted.org/freeipa/.
Post by Murty, Ajeet (US - Arlington)
Thanks again for all your help.
-----Original Message-----
Sent: Tuesday, October 07, 2014 1:21 PM
To: Alexander Bokovoy
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
I removed the new lines, looks like this now -
modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
numSubordinates: 1
I am still seeing the null ciphers in my scan results.
-----Original Message-----
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
Post by Murty, Ajeet (US - Arlington)
I shutdown IPA and modified both dse ldif files to look like this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
Then, when I try to start up IPA, I get this error message -
[root]# /etc/init.d/ipa start
Starting Directory Service
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated the nsSSL3Ciphers line:
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1
Note that it is part of the cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines, because an empty line
finishes the current entry and starts another one.
Post by Murty, Ajeet (US - Arlington)
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]
PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]
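The startup failure quoted in Ludwig's post comes down to the LDIF rule Alexander describes: an empty line ends an entry, and a folded nsSSL3Ciphers value (the continuation lines starting with a space) must stay inside the cn=encryption,cn=config entry. The following is an added example, not code from the thread, from 389-ds-base or from FreeIPA. It reads dse.ldif-style text entry by entry, reports an entry that has no dn the way the server log does, and rewrites an attribute in place so the edit cannot split the entry. Both dse.ldif fragments are constructed for the example; attribute names follow the entry shown above, the values are illustrative.

```python
"""LDIF entry splitter and in-place attribute editor for dse.ldif changes.

Added example, not code from 389-ds-base or FreeIPA. Rules it relies on:
  * an empty line terminates an LDIF entry; the next non-empty line starts another,
  * a physical line beginning with one space continues the previous attribute value,
  * every entry must begin with a dn attribute.
"""

# Constructed: a well-formed cn=encryption entry (values illustrative).
GOOD_DSE = """dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1
"""

# Constructed: the same entry after an edit left blank lines around the folded
# nsSSL3Ciphers value, the shape of the "entry has no dn" failure above.
BAD_DSE = """dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha

numSubordinates: 1
"""


def unfold_ldif(text):
    """Join folded lines: a line starting with one space continues the previous one."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif_entries(text):
    """Split LDIF into entries, each a list of (attribute, value) pairs.

    Returns (entries, errors). An entry that does not start with dn is still
    returned but recorded in errors, mirroring the server's
    "str2entry_dupcheck: entry has no dn" message."""
    entries, errors, current = [], [], []

    def flush():
        if current:
            if current[0][0].lower() != "dn":
                errors.append("entry has no dn: starts with [%s: %s]" % current[0])
            entries.append(list(current))
            del current[:]

    for line in unfold_ldif(text):
        if line.strip() == "":          # empty line terminates the current entry
            flush()
        elif line.startswith("#"):      # LDIF comment
            continue
        else:
            attr, sep, value = line.partition(":")
            if not sep:
                errors.append("unparseable line: %r" % line)
            else:
                current.append((attr.strip(), value.strip()))
    flush()
    return entries, errors


def get_attribute(text, dn, attr):
    """Values of attr in the entry with the given dn (empty list if absent)."""
    entries, _ = parse_ldif_entries(text)
    for entry in entries:
        if entry[0][0].lower() == "dn" and entry[0][1].lower() == dn.lower():
            return [v for a, v in entry if a.lower() == attr.lower()]
    return []


def fold_ldif_line(line, width=76):
    """Fold one logical line into physical lines; continuations get the leading space."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return chunks


def render_ldif(entries):
    """Serialise entries: attributes contiguous, exactly one blank line between entries."""
    blocks = []
    for entry in entries:
        lines = []
        for attr, value in entry:
            lines.extend(fold_ldif_line("%s: %s" % (attr, value)))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def set_attribute(text, dn, attr, value):
    """Return text with attr set to value inside the entry identified by dn.

    The attribute is replaced where it already sits (or appended inside the
    entry) and never ends up in its own blank-line-separated block. Input that
    already fails to parse is refused instead of being rewritten."""
    entries, errors = parse_ldif_entries(text)
    if errors:
        raise ValueError("refusing to edit malformed LDIF: %s" % "; ".join(errors))
    for entry in entries:
        if entry[0][1].lower() != dn.lower():
            continue
        rewritten, replaced = [], False
        for a, v in entry:
            if a.lower() == attr.lower():
                if not replaced:
                    rewritten.append((attr, value))
                    replaced = True
                continue                # drop extra values of a single-valued attribute
            rewritten.append((a, v))
        if not replaced:
            rewritten.append((attr, value))
        entry[:] = rewritten
        return render_ldif(entries)
    raise KeyError("no entry with dn %s" % dn)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_DSE), ("bad", BAD_DSE)):
        found, problems = parse_ldif_entries(doc)
        print("%s: %d entries, %d errors %s" % (label, len(found), len(problems), problems))
    print(set_attribute(GOOD_DSE, "cn=encryption,cn=config",
                        "nsSSL3Ciphers", "+all,-rsa_null_sha"))
```

Run against the constructed BAD_DSE the parser reports two dn-less entries, one starting with nsSSL3Ciphers and one with numSubordinates, which is the pair of attributes the 389-ds log above complains about. Editing over LDAP (ldapmodify against cn=encryption,cn=config) avoids the file-format pitfall entirely; if the file is edited, stop the directory server first as the thread does, and keep a copy of dse.ldif before changing it.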
Murty, Ajeet (US - Arlington)
2014-10-09 05:08:18 UTC
Permalink
That worked!

I should have read the DS-389 documentation more carefully.

I had to set nsSSL3Ciphers to the following -

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: +all,-rsa_null_sha
numSubordinates: 1

Ran the scan again, and no Null Ciphers detected.

Cipher configuration documentation for DS-389 - http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

Thanks!


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
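Ludwig's two scans and Murty's final setting show the nsSSL3Ciphers mechanics: "+all,-rsa_null_sha" removes TLS_RSA_WITH_NULL_SHA, and nmap's second run still lists the export and single-DES suites as weak, because a "-" entry only removes what it names. The following is an added example, not code from the thread, from 389-ds-base, FreeIPA or nmap. It evaluates a nsSSL3Ciphers value left to right as Alexander describes (+ and - against the NSS list), parses the nmap ssl-enum-ciphers text copied from Ludwig's post, and goes one step beyond the thread by deriving both a deny-list and an allow-list spec from one policy. Assumptions, also marked in the code: the short-name-to-suite catalog was assembled from the names in this thread and is not the full 389-ds table; a spec without "+all"/"-all" is modelled as starting from that whole catalog; the weakness policy (reject NULL, export, single DES, RC2/RC4 and MD5-MAC suites) is this example's own.

```python
"""Evaluate a 389-ds nsSSL3Ciphers value and grade the result against nmap output.

Added example, not code from 389-ds-base, FreeIPA or nmap. Assumptions:
  * CIPHER_CATALOG maps 389-ds short names to the suite names nmap printed in
    the thread; it is built from this thread, not the 389-ds design document.
  * Tokens apply left to right: "+all" enables every catalog entry, "-all"
    disables all, "+name"/"-name" toggle one. Without "+all"/"-all" the
    starting point is DEFAULT_ENABLED, assumed here to be the whole catalog.
  * cipher_risk() is this example's policy, not nmap's rating.
"""
import re

CIPHER_CATALOG = {
    "rsa_null_sha":                        "TLS_RSA_WITH_NULL_SHA",
    "rsa_rc4_128_md5":                     "TLS_RSA_WITH_RC4_128_MD5",
    "rsa_rc4_128_sha":                     "TLS_RSA_WITH_RC4_128_SHA",
    "rsa_rc4_40_md5":                      "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "rsa_rc2_40_md5":                      "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "rsa_des_sha":                         "TLS_RSA_WITH_DES_CBC_SHA",
    "rsa_fips_des_sha":                    "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    "rsa_3des_sha":                        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "rsa_fips_3des_sha":                   "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "tls_rsa_export1024_with_rc4_56_sha":  "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "tls_rsa_export1024_with_des_cbc_sha": "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "tls_rsa_aes_128_sha":                 "TLS_RSA_WITH_AES_128_CBC_SHA",
    "tls_rsa_aes_256_sha":                 "TLS_RSA_WITH_AES_256_CBC_SHA",
}
DEFAULT_ENABLED = frozenset(CIPHER_CATALOG)     # assumption, see module docstring

# Copied from Ludwig's "+all" scan above (nmap ssl-enum-ciphers, 2014 output format).
NMAP_PLUS_ALL = """\
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
| SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_NULL_SHA - broken <<<<<<<<<<<<<<
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: broken
"""


def effective_suites(spec, catalog=CIPHER_CATALOG):
    """Suite names a nsSSL3Ciphers value leaves enabled. Unknown names raise, so
    a typo cannot silently leave a cipher switched on."""
    enabled = set(DEFAULT_ENABLED & set(catalog))
    for token in spec.split(","):
        token = token.strip().lower()
        if not token:
            continue
        sign, name = token[0], token[1:]
        if sign not in "+-":
            raise ValueError("cipher token must start with + or -: %r" % token)
        if name == "all":
            enabled = set(catalog) if sign == "+" else set()
        elif name in catalog:
            (enabled.add if sign == "+" else enabled.discard)(name)
        else:
            raise ValueError("unknown cipher name: %r" % name)
    return {catalog[n] for n in enabled}


def cipher_risk(suite):
    """Reason a suite is rejected under this example's policy, or None if accepted."""
    s = suite.upper()
    if "_NULL_" in s:
        return "null encryption"
    if "EXPORT" in s:
        return "export-grade key"
    if "_DES_CBC_" in s:                 # single DES only; 3DES spells _3DES_EDE_CBC_
        return "56-bit DES"
    if "_RC4_" in s or "_RC2_" in s:
        return "RC4/RC2"
    if s.endswith("_MD5"):
        return "MD5 MAC"
    return None


def risky_suites(suites):
    """Map each rejected suite in `suites` to the reason."""
    return {s: cipher_risk(s) for s in suites if cipher_risk(s)}


_NMAP_CIPHER_LINE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)\s+-\s+(\w+)")


def parse_nmap_ssl_enum(text):
    """Extract {suite: rating} from ssl-enum-ciphers output of the form shown above."""
    found = {}
    for line in text.splitlines():
        m = _NMAP_CIPHER_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def scan_verdict(nmap_text):
    """Suites that fail: rejected by the policy, or rated weak/broken by nmap."""
    ratings = parse_nmap_ssl_enum(nmap_text)
    failures = dict(risky_suites(ratings))
    for suite, rating in ratings.items():
        if rating in ("weak", "broken"):
            failures.setdefault(suite, "nmap rates it %s" % rating)
    return failures


def hardened_spec(catalog=CIPHER_CATALOG):
    """Deny-list form: '+all' then an explicit '-' for every rejected entry."""
    disabled = sorted(n for n, suite in catalog.items() if cipher_risk(suite))
    return ",".join(["+all"] + ["-" + n for n in disabled])


def allowlist_spec(catalog=CIPHER_CATALOG):
    """Allow-list form: '-all' then '+' only for accepted entries. Safer if the
    server's cipher table later gains suites nobody has vetted."""
    allowed = sorted(n for n, suite in catalog.items() if cipher_risk(suite) is None)
    return ",".join(["-all"] + ["+" + n for n in allowed])


if __name__ == "__main__":
    print("thread's fix leaves:", sorted(effective_suites("+all,-rsa_null_sha")))
    print("scan failures:", scan_verdict(NMAP_PLUS_ALL))
    print("deny-list spec: ", hardened_spec())
    print("allow-list spec:", allowlist_spec())
```

The same check run on the real server is the scan Ludwig did: set the attribute, restart the directory server, and run nmap's ssl-enum-ciphers script against port 636 again, then feed its output to scan_verdict(). Whether the allow-list form is preferable depends on what the oldest client in the environment can negotiate, so test the spec against a client before rolling it out to every replica.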