On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote: > On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA256 > > > >It would seem to be prudent to set the minssf setting for 389 to 56, > >however I am wondering why this isn't done by default, and if there is > >any reason why I shouldn't do it? > Anonymous connection to LDAP wouldn't work. I think we use it for > rootdse access when enrolling IPA clients where we don't yet have a CA > certificate. > > I may be wrong, though.
Also old (RHEL-5) SSSD versions rely on anonymous access to be able to retrieve rootDSE. Newer (RHEL-6.3+) clients are able to re-try fetching rootDSE once the authenticated connection is established. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project