On 08/11/2014 09:08 AM, Martin Kosek wrote:
> On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
>> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote:
>>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>>> It would seem to be prudent to set the minssf setting for 389
>>>> to 56, however I am wondering why this isn't done by default,
>>>> and if there is any reason why I shouldn't do it?
>>> Anonymous connection to LDAP wouldn't work. I think we use it
>>> for rootdse access when enrolling IPA clients where we don't
>>> yet have a CA certificate.
>>>
>>> I may be wrong, though.
>>
>> Also old (RHEL-5) SSSD versions rely on anonymous access to be
>> able to retrieve rootDSE. Newer (RHEL-6.3+) clients are able to
>> re-try fetching rootDSE once the authenticated connection is
>> established.
>>
>
> Also, older FreeIPA clients were not able to join those servers due
> to a bug in ipa-client-install:
>
> https://fedorahosted.org/freeipa/ticket/4459
>
> This will be fixed in FreeIPA 4.0.2. Note that this only affects if
> you are changing MinSSF for whole DS by nsslapd-minssf.
>
> Martin
>
I guess the part I don't get here is that this setting does not disable anonymous access to rootdse; it just requires, as far as I understand, that TLS or some security be used for the connection. I currently have minssf set to 56 and am able to anonymously bind and obtain the rootdse.

I understand there may be troubles along the way, but wouldn't setting this as a default be a "good" thing to aim for?

-Erinn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project