On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote:
The password can be stored in Ansible Vault, prompted for, or whatever 
preferred Ansible secret management strategy you employ.

I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then 
done via the loopback. It’s also using “ldaps” not “ldap,” so even a privileged 
user sniffing on the loopback wouldn’t see it (although a privileged user would 
have a hundred other ways to potentially gain access).

It may be easier to use ipa-ldap-updater as root. The command uses LDAP over Unix sockets for secure communication and authentication. You don't have to pass any additional options like host, port, or password. The update syntax is based on LDIF, but shorter and IMO easier to read.

Create a file "rootdse.update" with content:

dn: cn=config
only: nsslapd-allow-anonymous-access: rootdse

then run "ipa-ldap-updater rootdse.update" on every IPA server. Changes to cn=config are not replicated.

Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
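As an added illustration (not code from the thread or from FreeIPA itself) of what the update file above does: a small simulator of the ipa-ldap-updater directive semantics, applied to an in-memory copy of cn=config. It assumes that "only" replaces every existing value of the attribute, "add" appends one, and "remove" drops one; the starting entry and the update text are constructed.

```python
# Added example (not from the thread or FreeIPA): a small simulator of the
# ipa-ldap-updater directive semantics, assumed here to be: 'only' replaces
# all values, 'add' appends, 'remove' drops one value.
# Constructed update file, same content as rootdse.update above.
ROOTDSE_UPDATE = """\
dn: cn=config
only: nsslapd-allow-anonymous-access: rootdse
"""
# Constructed starting entry: anonymous access fully enabled.
SAMPLE_CONFIG = {"nsslapd-allow-anonymous-access": ["on"]}

def parse_update(text):
    """Parse update-file text into [(dn, [(directive, attr, value), ...])]."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            current = (line[3:].strip(), [])
            entries.append(current)
        elif current is None:
            raise ValueError("directive before any dn: line: %r" % line)
        else:
            directive, attr, value = (p.strip() for p in line.split(":", 2))
            current[1].append((directive.lower(), attr, value))
    return entries

def apply_update(entry, ops):
    """Apply directives to {attr: [values]}; returns a new dict."""
    result = {k: list(v) for k, v in entry.items()}
    for directive, attr, value in ops:
        values = result.setdefault(attr, [])
        if directive == "only":      # replace every existing value with this one
            result[attr] = [value]
        elif directive == "add":     # append unless already present
            if value not in values:
                values.append(value)
        elif directive == "remove":  # drop this value, keep the rest
            result[attr] = [v for v in values if v != value]
        else:
            raise ValueError("unsupported directive: %s" % directive)
    return result

def anonymous_access_after(update_text=ROOTDSE_UPDATE, config=SAMPLE_CONFIG):
    """Value of nsslapd-allow-anonymous-access once the update is applied."""
    (dn, ops), = parse_update(update_text)
    assert dn.lower() == "cn=config", "update targets %s, not cn=config" % dn
    return apply_update(config, ops)["nsslapd-allow-anonymous-access"]
```

Because cn=config is not replicated, the same file has to be applied on each IPA server; a follow-up ldapsearch of cn=config for nsslapd-allow-anonymous-access on every server confirms the value is "rootdse" everywhere.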
_______________________________________________
FreeIPA-users mailing list -- [email protected]