-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/12/2014 12:33 PM, Alexander Bokovoy wrote:
> On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
>>>> I guess the part I don't get here is that this setting does
>>>> not disable anonymous access to rootdse; it just requires, as
>>>> far as I understand, that TLS or some security be used for
>>>> the connection.
>>>>
>>>> I currently have minssf set to 56 and am able to anonymously
>>>> bind and obtain the rootdse.
>>> This assumes you have the CA certificate available so that you can
>>> successfully verify the TLS handshake. When you are enrolling a
>>> client, you don't have the certificate yet.
>>>
>>
>> However, this does bring up one more question in my mind: why would
>> the initial installer care?
>>
>> I mean that if the initial connection for ipa-client-install is
>> going to be cleartext to what is basically an untrusted source at
>> that point, why not just ignore CA issues and use a TLS connection
>> anyway? Kind of in the vein of the first ssh connection to a new
>> host: the host presents its keys and you can choose whether to
>> trust them or not. In the installer's case, trusting them for an
>> anonymous bind would be just as safe as doing an anonymous bind
>> without TLS.
>>
>> Does that make sense?
> We need to support old clients which don't have a chance to get
> updated to support this logic. I think we are pretty much stuck with
> the existing approach, given that we now have the ability to serve the
> certificate through the LDAP connection already (it is stored at
> cn=CACert,cn=ipa,cn=etc,$SUFFIX), and then the client does use it
> after downloading to perform the actual join operation against LDAP
> over TLS.
>
Makes sense. I reckoned there were probably good reasons, but I just
wanted to bring it up as an option to see if it was possible.

Thanks,
- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT6l+jAAoJEFg7BmJL2iPOz/cIAItTGO9Kwouu8871ByEMd83D
rLxVjg0eWgipuEg4K9Je5JI9nKZIKi+g9B7M/9LWXzIGH7meN6srG+9Wk/GkqkEu
Q518n06iGT+8B/PqfgkTJBdXqRPH/oXJcypXq1Mfkyr0mO+h5rqb3/iM79cJATdJ
r++h70TdZ8ELN51OETcTmhV7eg7IqKfNwuMTvLvR9Q/XjzZHWACgiF1lX80ODSNC
QHTo7y7U8M6SLLj8UjERVvGAcznzTlrw4UA5oIDUtgzlf7s+qXdkfXwivrqVBdVy
PV5bP3xRcP8jPVwojr6fb6FjFFemGyoAsHOgRkcjmJsVlk+TqXYUGl+ENVO/3DU=
=rTN/
-----END PGP SIGNATURE-----

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
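The bootstrap Alexander describes above (read the CA certificate from cn=CACert,cn=ipa,cn=etc,$SUFFIX over the anonymous cleartext connection, then use it to verify TLS for the actual join) as an added, stand-alone example; this is not FreeIPA's or ipa-client-install's own code. The LDAP transport is injected as a plain callable so the flow runs offline against a constructed in-memory directory; a real client would pass an anonymous python-ldap or ldap3 base-scope search over ldap://. The attribute name cACertificate;binary, the example.com suffix and the toy DER blob are assumptions of the example, not taken from the thread. The point worth noticing in the code is the one Erinn raised: nothing authenticates step 1, so the function says so in its docstring and only does structural checks on what it receives.

```python
"""Client-side trust bootstrap for an LDAP-over-TLS join (illustrative).

Step 1: anonymous, cleartext LDAP read of cn=CACert,cn=ipa,cn=etc,$SUFFIX
Step 2: turn the DER blob into PEM and build a TLS context trusting only it
Step 3 (not shown): run the join over TLS with that context
"""
import base64
import ssl
from typing import Callable, Dict, List, Optional

# Assumption for this example: the CA entry carries its DER cert here.
CA_CERT_ATTR = "cACertificate;binary"


def suffix_from_domain(domain: str) -> str:
    """'Example.COM.' -> 'dc=example,dc=com' (conventional IPA base DN)."""
    labels = [l for l in domain.strip().lower().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)


def ca_cert_dn(suffix: str) -> str:
    """DN at which the server publishes its CA certificate (from the thread)."""
    return f"cn=CACert,cn=ipa,cn=etc,{suffix}"


def der_outer_length(der: bytes) -> int:
    """Total length claimed by the outer DER SEQUENCE; ValueError if not one."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def der_to_pem(der: bytes) -> str:
    """Wrap one complete DER certificate in a PEM envelope.

    Refuses blobs that are not exactly one DER SEQUENCE, which catches
    truncated or garbage attribute values before they reach the TLS stack.
    """
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match blob size")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# search(base_dn, attrs) -> entry dict or None; injected so this runs offline.
Search = Callable[[str, List[str]], Optional[Dict[str, List[bytes]]]]


def fetch_ca_pem(search: Search, domain: str) -> str:
    """Step 1: anonymous read of the CA entry, returned as PEM.

    Nothing authenticates this read: the connection is cleartext and unbound,
    so whoever sits on the path at enrollment time can hand back their own CA.
    Only the shape of the value is checked here.
    """
    entry = search(ca_cert_dn(suffix_from_domain(domain)), [CA_CERT_ATTR])
    if not entry or not entry.get(CA_CERT_ATTR):
        raise LookupError("CA certificate entry not found")
    values = entry[CA_CERT_ATTR]
    if len(values) != 1:
        raise ValueError("expected exactly one CA certificate value")
    return der_to_pem(values[0])


def tls_context_from_pem(pem: str) -> ssl.SSLContext:
    """Step 2: a TLS context that trusts the fetched CA and nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=pem)   # no system trust store mixed in
    return ctx


# ---- constructed stand-in for the directory; not a real server or cert ----
FAKE_DER = b"\x30\x03\x02\x01\x05"   # SEQUENCE { INTEGER 5 }: DER-shaped only


def fake_anonymous_search(base_dn: str, attrs: List[str]):
    """Mimics an anonymous base-scope search over ldap://; no bind, no TLS."""
    directory = {ca_cert_dn("dc=example,dc=com"): {CA_CERT_ATTR: [FAKE_DER]}}
    entry = directory.get(base_dn)
    return None if entry is None else {a: entry[a] for a in attrs if a in entry}


if __name__ == "__main__":
    pem = fetch_ca_pem(fake_anonymous_search, "example.com")
    print(pem)
    # A real client would now call tls_context_from_pem(pem) and perform the
    # join over TLS with it; the toy blob above is not loadable as a CA.
```

The TLS context deliberately loads only the fetched CA rather than the system store, which matches the join-over-TLS step in the thread: once the CA is in hand the client should verify the server against that CA alone. What the code cannot fix is the gap both posters name, that step 1 itself runs with no server authentication, so an old client that cannot do better is trusting whatever answered the cleartext query.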