From 81afb5768a29e7c033514860da6e25d3d9242d24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=BA=C5=A1=20Hon=C4=9Bk?=
Date: Mon, 5 Mar 2018 09:48:07 +0100
Subject: [PATCH] Utilize system-wide crypto-policies

Resolves: #1483979
---
 ldap.conf | 6 ++++++
 openldap.spec | 5 ++++-
 slapd.ldif | 7 +++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ldap.conf b/ldap.conf
index 3069535..02c595f 100644
--- a/ldap.conf
+++ b/ldap.conf
@@ -17,6 +17,12 @@
 # by TLS_CACERTDIR one has to include them explicitly:
 #TLS_CACERT /etc/pki/tls/cert.pem
 
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON on
 
diff --git a/openldap.spec b/openldap.spec
index d1bdade..645f6a6 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -12,7 +12,7 @@
 
 Name: openldap
 Version: 2.4.45
-Release: 13%{?dist}
+Release: 14%{?dist}
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: http://www.openldap.org/
@@ -504,6 +504,9 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Mon Mar 5 2018 Matus Honek - 2.4.45-14
+- Utilize system-wide crypto-policies (#1483979)
+
 * Thu Mar 1 2018 Matus Honek - 2.4.45-13
 - fix: openldap does not use Fedora build flags
 + makes use of redhat-rpm-config package
diff --git a/slapd.ldif b/slapd.ldif
index b9ba4f9..a4ae4c0 100644
--- a/slapd.ldif
+++ b/slapd.ldif
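Review bot: The new comment block above `#TLS_CIPHER_SUITE PROFILE=SYSTEM` asserts that PROFILE=SYSTEM is what applies when no TLS_CIPHER_SUITE is set, but that is only true when libldap is linked against a crypto-policies-aware OpenSSL — as far as I can tell the PROFILE= keyword is a Fedora/RHEL OpenSSL extension, and the hunk never says so, so an admin who copies this file to a GnuTLS- or NSS-backed build gets either a rejected cipher string or an unrelated default. It also omits the operational caveat that matters most for security: any explicit TLS_CIPHER_SUITE value replaces the system policy wholesale, so hardening or relaxing should normally be done via update-crypto-policies rather than by hard-coding a cipher list here. I would add a line such as `# NOTE: PROFILE=SYSTEM is only understood by the crypto-policies-enabled OpenSSL backend; any other explicit value overrides the system policy entirely.` Minor wording: "finer grinded selection" should read "finer-grained selection", and "up to date cipher suite" reads better as "an up-to-date cipher list".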
@@ -17,6 +17,13 @@ cn: config
 # Private cert and key are not pregenerated.
 #olcTLSCertificateFile:
 #olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
 #
 # Do not enable referrals until AFTER you have a working directory