On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote:
>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>> It would seem to be prudent to set the minssf setting for 389 to 56,
>>> however I am wondering why this isn't done by default, and if there is
>>> any reason why I shouldn't do it?
>> Anonymous connection to LDAP wouldn't work. I think we use it for
>> rootdse access when enrolling IPA clients where we don't yet have a CA
>> I may be wrong, though.
> Also old (RHEL-5) SSSD versions rely on anonymous access to be able to
> retrieve rootDSE. Newer (RHEL-6.3+) clients are able to re-try fetching
> rootDSE once the authenticated connection is established.
Also, older FreeIPA clients were not able to join those servers due to a bug in
This will be fixed in FreeIPA 4.0.2. Note that this only has an effect if you are
changing MinSSF for the whole DS by nsslapd-minssf.