On Чцв, 28 вер 2023, Christian Heimes via FreeIPA-users wrote:
On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote:
The password can be stored in Ansible Vault, prompted for, or whatever
preferred Ansible secret management strategy you employ.
I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then
done via the loopback. It’s also using “ldaps” not “ldap,” so even a privileged
used sniffing on the loopback wouldn’t see it (although a privileged user would
have a hundred other ways to potentially gain access).
It may be easier to use ipa-ldap-updater as root. The command uses
LDAP over Unix sockets for secure communication and authentication.
You don't have to pass any additional options like shost, port, or
password. The update syntax is based on LDIF, but shorter and IMO
easier to read.
Create a file "rootdse.update" with content:
dn: cn=config
only: nsslapd-allow-anonymous-access: rootdse
then run "ipa-ldap-updater rootdse.update" on every IPA server.
Changes to cn=config are not replicated.
You don't even need that. Just use 'dsconf' utility provided by 389-ds,
as root.
[root@id ~]# dsconf IPA-TEST config get nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on
[root@id ~]# dsconf IPA-TEST config replace nsslapd-allow-anonymous-access=off
Successfully replaced "nsslapd-allow-anonymous-access"
[root@id ~]# dsconf IPA-TEST config get nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue