The cipher suites used against LDAP in /etc/openldap/ldap.conf and /etc/sssd/sssd.conf need to have all 128-bit ciphers removed in EL6

Description

There appears to be a bug in the underlying libldap library that will set the ssf level to 128 when talking to OpenLDAP on EL6 systems iff there is a 128-bit cipher set in the cipher list.

This affects both the LDAP command-line utilities and SSSD, and needs to be addressed in both places.

The impact of this is that EL6 systems will not be able to talk to a server with an ssf setting over 128.

Issue discovered by when running the system in FIPS mode during final release testing for 6.0.0-0
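
As an added example (not part of the ticket or the project's code), this audit flags cipher-list entries in the two files that can still admit a 128-bit cipher. The directive names `TLS_CIPHER_SUITE` and `ldap_tls_cipher_suite` are the real ones from ldap.conf(5) and sssd-ldap(5); the name-matching heuristic, the keyword set and the sample file contents are constructed for illustration.

```python
import re

# Real directive names: TLS_CIPHER_SUITE (ldap.conf(5)), ldap_tls_cipher_suite (sssd-ldap(5)).
DIRECTIVES = {
    "ldap.conf": re.compile(r"^\s*TLS_CIPHER_SUITE\s+(\S.*)$", re.I),
    "sssd.conf": re.compile(r"^\s*ldap_tls_cipher_suite\s*=\s*(\S.*)$"),
}
# Assumption: heuristic match on cipher names that normally denote a 128-bit key.
EXPLICIT_128 = re.compile(r"AES128|CAMELLIA128|SEED|RC4|IDEA|_128_", re.I)
# OpenSSL-style aggregate keywords that can expand to include 128-bit suites.
AGGREGATES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "AES", "CAMELLIA"}


def audit(filename, text):
    """Return (line_no, token, reason) for each entry that may admit a 128-bit cipher."""
    findings = []
    pattern = DIRECTIVES[filename]
    for line_no, line in enumerate(text.splitlines(), 1):
        match = pattern.match(line)
        if not match:
            continue  # comments and unrelated directives
        for token in re.split(r"[:, ]+", match.group(1).strip()):
            # '!' and '-' exclude ciphers, '+' only reorders, '@' is a list command.
            if not token or token[0] in "!-+@":
                continue
            if EXPLICIT_128.search(token):
                findings.append((line_no, token, "explicit 128-bit cipher"))
            elif token.upper() in AGGREGATES:
                findings.append((line_no, token, "aggregate keyword, expand and review"))
    return findings


# Constructed sample file contents (not taken from the ticket).
LDAP_CONF = """\
# constructed sample
URI ldaps://ldap.example.test
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA:!RC4
"""
SSSD_CONF = """\
[domain/LDAP]
id_provider = ldap
ldap_tls_cipher_suite = HIGH:-SSLv2
"""

if __name__ == "__main__":
    for name, text in (("ldap.conf", LDAP_CONF), ("sssd.conf", SSSD_CONF)):
        for line_no, token, reason in audit(name, text):
            print(f"{name}:{line_no}: {token}: {reason}")
```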

Acceptance Criteria

None

Activity

Trevor Vaughan
April 7, 2017, 2:46 PM

Issue debugged, code in development.

Labels

None

Epic Link

Story Points

2

Assignee

Trevor Vaughan

Sprint

None

Affects versions

Priority

Highest