On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote:
>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>> It would seem to be prudent to set the minssf setting for 389 to 56,
>>> however I am wondering why this isn't done by default, and if there is
>>> any reason why I shouldn't do it?
>> Anonymous connection to LDAP wouldn't work. I think we use it for
>> rootdse access when enrolling IPA clients where we don't yet have a CA
>> certificate.
>>
>> I may be wrong, though.
>
> Also old (RHEL-5) SSSD versions rely on anonymous access to be able to
> retrieve rootDSE. Newer (RHEL-6.3+) clients are able to re-try fetching
> rootDSE once the authenticated connection is established.
>
Also, older FreeIPA clients were not able to join those servers due to a bug in ipa-client-install:
https://fedorahosted.org/freeipa/ticket/4459

This will be fixed in FreeIPA 4.0.2.

Note that this only affects you if you are changing MinSSF for the whole DS by nsslapd-minssf.

Martin
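A dependency-free probe, added here as an example (not FreeIPA or 389 DS code), that reproduces the unbound rootDSE fetch the older clients in this thread depend on, so you can see what such a client gets back once nsslapd-minssf is raised: result code 13 (confidentialityRequired) on the plain connection means those clients will fail to enrol. The hostname and port are assumptions, the sample replies are constructed, and only probe_anonymous_rootdse needs a live server.

```python
import socket

LDAP_RESULT = {0: "success", 13: "confidentialityRequired", 48: "inappropriateAuthentication", 50: "insufficientAccessRights"}

def ber(tag, payload):  # one BER TLV with definite (short or long form) length
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def rootdse_search_request(msg_id=1):
    """Base-scope search of "" for (objectClass=*): the rootDSE fetch a client issues before it binds."""
    search = (ber(0x04, b"") + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")        # baseObject "", scope base, neverDeref
              + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")  # no size/time limit, typesOnly false
              + ber(0x87, b"objectClass") + ber(0x30, b""))                   # present filter, all user attributes
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, search))          # LDAPMessage{messageID, searchRequest}

def tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, next_pos), or None if the buffer is truncated there."""
    if len(buf) < pos + 2:
        return None
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return (tag, buf[pos:pos + ln], pos + ln) if len(buf) >= pos + ln else None

def classify_search_response(buf):
    """Count searchResEntry (0x64) messages and read resultCode from searchResDone (0x65)."""
    entries, code, pos = 0, None, 0
    while (msg := tlv(buf, pos)) is not None:
        _, body, pos = msg
        _, _, after_id = tlv(body)                  # skip messageID
        op, content, _ = tlv(body, after_id)
        if op == 0x64:
            entries += 1
        elif op == 0x65:
            code = tlv(content)[1][0]               # resultCode is the leading ENUMERATED
    return {"entries": entries, "result_code": code, "result_name": LDAP_RESULT.get(code, str(code)),
            "anonymous_rootdse_ok": code == 0 and entries > 0}

def probe_anonymous_rootdse(host, port=389, timeout=5.0):
    """Send the request unbound over plain TCP (SSF 0) and classify the server's reply."""
    buf = b""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(rootdse_search_request())
        while classify_search_response(buf)["result_code"] is None and (chunk := sock.recv(4096)):
            buf += chunk
    return classify_search_response(buf)
```

Run it against the IPA server both before and after changing nsslapd-minssf (for example `probe_anonymous_rootdse("ipa.example.test")`, a placeholder host) and compare the two results; a replica that still answers with entries and code 0 is the one an RHEL-5 SSSD or pre-4.0.2 ipa-client-install can still enrol against.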