On 08/12/2014 09:21 AM, Alexander Bokovoy wrote:
> On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
>> On 08/11/2014 09:08 AM, Martin Kosek wrote:
>>> On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
>>>> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote:
>>>>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>>>>> It would seem to be prudent to set the minssf setting for 389 to 56; however, I am wondering why this isn't done by default, and if there is any reason why I shouldn't do it?
>>>>> Anonymous connection to LDAP wouldn't work. I think we use it for rootdse access when enrolling IPA clients where we don't yet have a CA certificate.
>>>>>
>>>>> I may be wrong, though.
>>>>
>>>> Also old (RHEL-5) SSSD versions rely on anonymous access to be able to retrieve rootDSE. Newer (RHEL-6.3+) clients are able to re-try fetching rootDSE once the authenticated connection is established.
>>>>
>>> Also, older FreeIPA clients were not able to join those servers due to a bug in ipa-client-install:
>>>
>>> https://fedorahosted.org/freeipa/ticket/4459
>>>
>>> This will be fixed in FreeIPA 4.0.2. Note that this only affects you if you are changing MinSSF for the whole DS by nsslapd-minssf.
>>>
>>> Martin
>>
>> I guess the part I don't get here is that this setting does not disable anonymous access to rootdse; it just requires, as far as I understand, that TLS or some security be used for the connection.
>>
>> I currently have minssf set to 56 and am able to anonymously bind and obtain the rootdse.
> This assumes you have the CA certificate available so that you can successfully verify the TLS handshake. When you are enrolling a client, you don't have the certificate yet.
Gotcha, that makes sense, didn't think that through.

-Erinn
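The check the thread turns on (does an anonymous rootDSE read still work in cleartext once nsslapd-minssf is raised, and does it work over TLS) can be scripted. The following is an added example, not code from the thread or from FreeIPA/389 DS. It assumes openldap-clients (`ldapsearch`) for the live probe, a placeholder server host passed as the first argument, and a cn=config entry in dse.ldif layout fed on stdin for the static check. It also reads the 389 DS attribute nsslapd-minssf-exclude-rootdse, which the thread does not mention; when it is on, the rootDSE is exempt from the minimum SSF, which is the usual way to keep cleartext enrollment working while enforcing minssf elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA or 389 DS code).
# Two checks around nsslapd-minssf:
#   1. static: read the cn=config entry of a dse.ldif stream and say whether a
#      cleartext anonymous rootDSE read is still possible;
#   2. live: try an anonymous rootDSE read against a server, cleartext and STARTTLS.

# config_attr ATTR: print the value of ATTR from the cn=config entry of an LDIF
# stream on stdin (first match only; attribute names compared case-insensitively).
config_attr() {
    awk -v want="$1" '
        tolower($0) ~ /^dn: cn=config$/ { in_config = 1; next }
        in_config && $0 == ""            { exit }         # end of the entry
        in_config && tolower($1) == (tolower(want) ":") { print $2; exit }
    '
}

# cleartext_rootdse_policy: read a dse.ldif stream on stdin and print one of
#   open           - minssf is 0 (or unset), cleartext anonymous reads allowed
#   rootdse-exempt - minssf > 0 but nsslapd-minssf-exclude-rootdse is on
#   blocked        - minssf > 0 and the rootDSE is not exempt: an enrolling
#                    client without the CA certificate cannot read it
cleartext_rootdse_policy() {
    ldif=$(cat)
    minssf=$(printf '%s\n' "$ldif" | config_attr nsslapd-minssf)
    exclude=$(printf '%s\n' "$ldif" | config_attr nsslapd-minssf-exclude-rootdse)
    minssf=${minssf:-0}
    if [ "$minssf" -eq 0 ]; then
        echo open
    elif [ "$(printf '%s' "$exclude" | tr 'A-Z' 'a-z')" = on ]; then
        echo rootdse-exempt
    else
        echo blocked
    fi
}

# rootdse_probe HOST: anonymous base-scope search of the rootDSE, first in
# cleartext, then with STARTTLS required (-ZZ). ldapsearch exits with the LDAP
# result code; 13 is confidentialityRequired, which is how a minssf rejection
# surfaces. The STARTTLS run needs a CA certificate the client trusts, which is
# exactly what an enrolling client lacks.
rootdse_probe() {
    host=$1
    for mode in cleartext starttls; do
        if [ "$mode" = starttls ]; then tls=-ZZ; else tls=; fi
        ldapsearch -x $tls -H "ldap://$host" -s base -b "" namingContexts >/dev/null 2>&1
        rc=$?
        case $rc in
            0)  echo "$mode: anonymous rootDSE read OK" ;;
            13) echo "$mode: rejected, confidentiality required (minssf not met)" ;;
            *)  echo "$mode: failed, ldapsearch exit code $rc" ;;
        esac
    done
}

# Constructed sample of the relevant part of a dse.ldif (not a real file).
SAMPLE_DSE='dn: cn=config
nsslapd-security: on
nsslapd-minssf: 56
nsslapd-minssf-exclude-rootdse: off

dn: cn=encryption,cn=config
nsSSL3: off'

echo "sample config policy: $(printf '%s\n' "$SAMPLE_DSE" | cleartext_rootdse_policy)"

# Live probe only when a host is given, e.g.: sh minssf-check.sh ipa.example.test
if [ $# -ge 1 ]; then
    rootdse_probe "$1"
fi
```

For a real server, pipe the instance's dse.ldif into `cleartext_rootdse_policy` (the file lives under the instance directory of the directory server; path omitted here) and run the probe from a host that does not yet have the IPA CA certificate installed: a "blocked" policy paired with a cleartext result of 13 reproduces the enrollment failure the thread describes.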