If minssf is set in configuration and this is not set then clients won't be able to detect the available namingContexts, defaultNamingContext, capabilities, etc.

This was requested by the SSSD team.

rob
From fad83276833a5f2b854f74810fc6cc0d41834628 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 22 Mar 2012 17:19:01 -0400
Subject: [PATCH] Set nsslapd-minssf-exclude-rootdse to on so the DSE is
 always available.

If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.

https://fedorahosted.org/freeipa/ticket/2542
---
 install/updates/10-config.update |    4 ++++
 ipaserver/ipaldap.py             |    2 +-
 2 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 97fbdef2d20d4bc444f0c94fbea6fb76e7e45603..ecddb812f90c8441af8bb8643b4cd0a727591418 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -38,3 +38,7 @@ only:nsslapd-anonlimitsdn:'cn=anonymous-limits,cn=etc,$SUFFIX'
 # doesn't support it generates a non-fatal error.
 dn: cn=config
 add:nsslapd-defaultNamingContext:'$SUFFIX'
+
+# Allow the root DSE to be searched even with minssf set
+dn: cn=config
+only:nsslapd-minssf-exclude-rootdse:on
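Review bot: the new stanza's comment could state the scope of what it relaxes: with nsslapd-minssf-exclude-rootdse on, only the root DSE (namingContexts, defaultNamingContext, capabilities) becomes readable on connections below minssf, and every other entry still requires the configured SSF; a one-line note to that effect would make the trade-off clear to whoever reads this file later. Also, the stanza repeats `dn: cn=config` which the block directly above already opens; if keeping it separate is deliberate (so that a server that does not support the attribute fails only this step, as the comment above describes for defaultNamingContext), saying so in the comment would stop someone from merging the two blocks.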
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 9a8d9e121cea661b34c37137d2c9c454e587ea7b..58b1b926de2024ba466639e5e7bc511cbc38a422 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -540,7 +540,7 @@ class IPAdmin(IPAEntryLDAPObject):
 
         # Some attributes, like those in cn=config, need to be replaced
         # not deleted/added.
-        FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn')
+        FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn', 'nsslapd-minssf-exclude-rootdse')
         modlist = []
 
         old_entry = ipautil.CIDict(old_entry)
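Review bot: style point on the changed line: the tuple now runs well past 80 columns, and wrapping it one attribute per line would keep the next addition to a one-line diff. Since it is a constant, it could also live at class or module level rather than being rebuilt inside the method on every call. The addition itself is required by the first hunk: that update uses `only:` for the attribute, and per the comment above, cn=config attributes in this list are sent as a replace instead of a delete/add.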
-- 
1.7.6
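To see why the second hunk is needed for the first one to work, here is an added example, not FreeIPA's own code: a small simulation of how an `install/updates` stanza for cn=config is turned into an LDAP modlist. The `only:`/`add:` semantics, the variable substitution for `$SUFFIX`, and the numeric MOD_* values (matching python-ldap's) are assumptions for the example; `UPDATE_TEXT` mirrors the patch's stanza and `CONFIG_BEFORE` is a constructed entry.

```python
# Added example (not FreeIPA's code): turn a cn=config update stanza into an
# LDAP modlist and show why nsslapd-minssf-exclude-rootdse must be in the
# "replace on update" list rather than going through delete+add.

# Assumption: same numeric values python-ldap uses for MOD_ADD/MOD_DELETE/MOD_REPLACE,
# defined locally so the example runs without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# The list from ipaserver/ipaldap.py, including the attribute the patch adds.
FORCE_REPLACE_ON_UPDATE_ATTRS = (
    'nsslapd-ssl-check-hostname',
    'nsslapd-lookthroughlimit',
    'nsslapd-idlistscanlimit',
    'nsslapd-anonlimitsdn',
    'nsslapd-minssf-exclude-rootdse',
)

# Constructed sample: the new stanza from 10-config.update.
UPDATE_TEXT = """
# Allow the root DSE to be searched even with minssf set
dn: cn=config
only:nsslapd-minssf-exclude-rootdse:on
"""

# Constructed sample: the relevant part of cn=config before the update runs.
CONFIG_BEFORE = {'cn=config': {'nsslapd-minssf-exclude-rootdse': ['off']}}


def parse_update(text, variables=None):
    """Parse stanzas into [(dn, [(directive, attr, value), ...])].

    Assumed format: 'dn:' opens a stanza; each following line is
    directive:attr:value; values may be quoted with '...' and may contain
    $VARIABLE references (e.g. $SUFFIX) which are substituted here.
    """
    variables = variables or {}
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('dn:'):
            current = (line[3:].strip(), [])
            stanzas.append(current)
            continue
        if current is None:
            raise ValueError('directive before any dn: line: %r' % line)
        directive, attr, value = line.split(':', 2)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        for name, val in variables.items():
            value = value.replace('$' + name, val)
        current[1].append((directive.lower(), attr, value))
    return stanzas


def apply_directives(entry, directives):
    """Return the entry as it should look once the directives are applied."""
    updated = {k: list(v) for k, v in entry.items()}
    for directive, attr, value in directives:
        key = next((k for k in updated if k.lower() == attr.lower()), attr)
        if directive == 'only':      # attribute ends up with exactly this value
            updated[key] = [value]
        elif directive == 'add':     # value is appended unless already present
            if value not in updated.setdefault(key, []):
                updated[key].append(value)
        else:
            raise ValueError('unsupported directive: %s' % directive)
    return updated


def build_modlist(old_entry, new_entry, force_replace=FORCE_REPLACE_ON_UPDATE_ATTRS):
    """Diff two entries into [(op, attr, values)]; attribute names compare case-insensitively."""
    names = {}
    for k in list(old_entry) + list(new_entry):
        names.setdefault(k.lower(), k)
    old = {k.lower(): list(v) for k, v in old_entry.items()}
    new = {k.lower(): list(v) for k, v in new_entry.items()}
    force = {a.lower() for a in force_replace}
    modlist = []
    for attr in sorted(names):
        old_vals, new_vals = old.get(attr, []), new.get(attr, [])
        if old_vals == new_vals:
            continue
        if attr in force:
            # cn=config attributes the server wants replaced, not deleted/added
            modlist.append((MOD_REPLACE, names[attr], new_vals))
            continue
        removed = [v for v in old_vals if v not in new_vals]
        added = [v for v in new_vals if v not in old_vals]
        if removed:
            modlist.append((MOD_DELETE, names[attr], removed))
        if added:
            modlist.append((MOD_ADD, names[attr], added))
    return modlist


def plan_update(entries, update_text, force_replace=FORCE_REPLACE_ON_UPDATE_ATTRS, variables=None):
    """Map each dn in the update file to the modlist that would be sent for it."""
    plan = {}
    for dn, directives in parse_update(update_text, variables):
        old_entry = entries.get(dn, {})
        new_entry = apply_directives(old_entry, directives)
        plan.setdefault(dn, []).extend(build_modlist(old_entry, new_entry, force_replace))
    return plan


if __name__ == '__main__':
    print('with the ipaldap.py hunk:   ', plan_update(CONFIG_BEFORE, UPDATE_TEXT))
    print('without the ipaldap.py hunk:', plan_update(CONFIG_BEFORE, UPDATE_TEXT, force_replace=()))
```

Running it shows the difference the second hunk makes: with the attribute in the force-replace list the update is a single replace of `nsslapd-minssf-exclude-rootdse` to `on`; without it the same stanza becomes a delete of `off` followed by an add of `on`, which is the delete/add pattern the code comment says cn=config attributes will not accept.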

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel