On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
> On 08/11/2014 09:08 AM, Martin Kosek wrote:
>> On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
>>> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote:
>>>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>>>> It would seem to be prudent to set the minssf setting for 389
>>>>> to 56, however I am wondering why this isn't done by default,
>>>>> and if there is any reason why I shouldn't do it?
>>>> Anonymous connection to LDAP wouldn't work. I think we use it
>>>> for rootdse access when enrolling IPA clients where we don't
>>>> yet have a CA certificate.
>>>>
>>>> I may be wrong, though.
>>>
>>> Also old (RHEL-5) SSSD versions rely on anonymous access to be
>>> able to retrieve rootDSE. Newer (RHEL-6.3+) clients are able to
>>> re-try fetching rootDSE once the authenticated connection is
>>> established.
>>
>> Also, older FreeIPA clients were not able to join those servers due
>> to a bug in ipa-client-install:
>>
>> https://fedorahosted.org/freeipa/ticket/4459
>>
>> This will be fixed in FreeIPA 4.0.2. Note that this only applies if
>> you are changing MinSSF for the whole DS by nsslapd-minssf.
>>
>> Martin
>
> I guess the part I don't get here is that this setting does not
> disable anonymous access to rootdse, it just requires, as far as I
> understand, that TLS or some security be used for the connection.
>
> I currently have minssf set to 56 and am able to anonymously bind and
> obtain the rootdse.
This assumes you have the CA certificate available so that you can
successfully verify the TLS handshake. When you are enrolling a client, you
don't have the certificate yet.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
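To make the behaviour discussed in the thread concrete, here is an added example (not code from the thread, from SSSD or from FreeIPA) of the probe a client has to perform: read the rootDSE anonymously over cleartext and, when the server answers confidentialityRequired (LDAP result code 13, which is what a minssf policy returns to a cleartext operation), retry through StartTLS. The retry can only be verified if the CA certificate is already on the client, which is exactly the enrollment chicken-and-egg problem Alexander describes. The script hand-encodes the two LDAP operations it needs so it runs with only the standard library; the host name and CA path at the bottom are assumed placeholders.

```python
"""Anonymous rootDSE probe with a StartTLS retry.

Added example, not code from this thread, SSSD or FreeIPA. It hand-encodes
the LDAP operations it needs, so only the standard library is required.
The host and CA path under __main__ are assumed placeholders."""
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13      # "Minimum SSF not met" on a cleartext connection
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
SEARCH_ENTRY, SEARCH_DONE, EXTENDED_RESP = 0x64, 0x65, 0x78   # [APPLICATION 4/5/24]


def ber(tag, payload):
    """Encode one BER TLV with a definite length (payloads up to 65535 bytes)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload


def rootdse_search(msgid, attrs=("namingContexts", "supportedExtension")):
    """LDAPMessage { msgid, SearchRequest base="", scope=base, filter=(objectClass=*) }."""
    req = (ber(0x04, b"")                    # baseObject "" = the rootDSE
           + ber(0x0A, b"\x00")              # scope baseObject
           + ber(0x0A, b"\x00")              # derefAliases never
           + ber(0x02, b"\x00")              # sizeLimit 0
           + ber(0x02, b"\x00")              # timeLimit 0
           + ber(0x01, b"\x00")              # typesOnly FALSE
           + ber(0x87, b"objectClass")       # filter: present [7] objectClass
           + ber(0x30, b"".join(ber(0x04, a.encode()) for a in attrs)))
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x63, req))   # [APPLICATION 3]


def starttls_request(msgid):
    """LDAPMessage { msgid, ExtendedRequest requestName=StartTLS } ([APPLICATION 23])."""
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x77, ber(0x80, STARTTLS_OID)))


def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def result_code(message):
    """(op_tag, resultCode) for a response; resultCode is None for a SearchResultEntry."""
    _, body, _ = read_tlv(message)          # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(body)              # messageID
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == SEARCH_ENTRY:
        return op_tag, None
    _, code, _ = read_tlv(op)               # first element of any LDAPResult is resultCode
    return op_tag, int.from_bytes(code, "big")


def recv_message(sock):
    """Read exactly one LDAPMessage (header, optional long-form length, body)."""
    def exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection")
            data += chunk
        return data
    head = exact(2)
    length, extra = head[1], b""
    if length & 0x80:
        extra = exact(length & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + exact(length)


def search_rootdse(sock, msgid):
    """Send the search and drain entries until SearchResultDone; return its resultCode."""
    sock.sendall(rootdse_search(msgid))
    while True:
        tag, code = result_code(recv_message(sock))
        if tag == SEARCH_DONE:
            return code


def probe_rootdse(host, port=389, cacert=None):
    """Cleartext first; on confidentialityRequired retry through StartTLS, which can
    only be verified when the CA certificate is already on the client."""
    conn = socket.create_connection((host, port), timeout=10)
    try:
        code = search_rootdse(conn, 1)
        if code == LDAP_SUCCESS:
            return "cleartext-ok"                 # no minssf in force for the rootDSE
        if code != LDAP_CONFIDENTIALITY_REQUIRED:
            return f"cleartext-error-{code}"
        if cacert is None:
            return "minssf-enforced-no-ca"        # the enrollment chicken-and-egg case
        conn.sendall(starttls_request(2))
        tag, code = result_code(recv_message(conn))
        if tag != EXTENDED_RESP or code != LDAP_SUCCESS:
            return f"starttls-refused-{code}"
        conn = ssl.create_default_context(cafile=cacert).wrap_socket(conn, server_hostname=host)
        code = search_rootdse(conn, 3)
        return "tls-ok" if code == LDAP_SUCCESS else f"tls-error-{code}"
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholders: point these at a real IPA/389 server and its CA to try it.
    print(probe_rootdse("ipa.example.test", cacert="/etc/ipa/ca.crt"))
```

Run it twice against a server with nsslapd-minssf set: once with cacert=None to see the "minssf-enforced-no-ca" outcome an unenrolled client hits, and once with the IPA CA file to see the StartTLS retry succeed. If you need the cleartext rootDSE read to keep working for enrollment while still enforcing minssf for everything else, check whether your 389 DS version supports nsslapd-minssf-exclude-rootdse in cn=config, which exempts rootDSE searches from the minimum SSF.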
