Utilize system-wide crypto-policies

Resolves: #1483979

ldap.conf

@@ -17,6 +17,12 @@
 # by TLS_CACERTDIR one has to include them explicitly:
 #TLS_CACERT	/etc/pki/tls/cert.pem
 
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON	on
 

openldap.spec

@@ -12,7 +12,7 @@
 
 Name: openldap
 Version: 2.4.45
-Release: 13%{?dist}
+Release: 14%{?dist}
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: http://www.openldap.org/
@@ -504,6 +504,9 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Mon Mar  5 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-14
+- Utilize system-wide crypto-policies (#1483979)
+
 * Thu Mar  1 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-13
 - fix: openldap does not use Fedora build flags
   + makes use of redhat-rpm-config package

slapd.ldif

@@ -17,6 +17,13 @@ cn: config
 # Private cert and key are not pregenerated.
 #olcTLSCertificateFile:
 #olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
 
 #
 # Do not enable referrals until AFTER you have a working directory