Hash: SHA256

On 08/12/2014 12:33 PM, Alexander Bokovoy wrote:
> On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
>>>> I guess the part I don't get here, is that this setting does
>>>> not disable anonymous access to rootdse it just requires, as
>>>> far as I understand, that TLS or some security be used for
>>>> the connection.
>>>> I currently have minssf set to 56 and am able to anonymously
>>>> bind and obtain the rootdse.
>>> This assumes you have CA certificate available so that you can 
>>> successfully verify TLS handshake. When you are enrolling a
>>> client, you don't have the certificate yet.
>> However, this does bring up one more question in mind, why would
>> the initial installer care?
>> I mean that if the intial connection for ipa-client-install is
>> going to be cleartext to what is basically an untrusted source at
>> that point why not just ignore CA issues and use a TLS connection
>> anyway? Kind of in the vein of the first ssh connection to a new
>> host, the host presents its keys and you can choose whether to
>> trust them or not. In the installers case trusting them for an
>> anonymous bind would be just as safe as doing an anonymous bind
>> without tls.
>> Does that make sense?
> We need to support old clients which don't have chance to get
> updated to support this logic. I think we pretty much stuck with
> existing approach, given that now we have ability to serve the
> certificate through LDAP connection already (it is stored at
> cn=CACert,cn=ipa,cn=etc,$SUFFIX) and then the client does use it
> after downloading to perform actual join operation against LDAP
> over TLS.

Makes sense, I reckoned there was probably good reasons, but I just
wanted to bring it up as an option to see if it was possible.

- -Erinn
Version: GnuPG v1


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to