[Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.

JR Aquino JR.Aquino at citrix.com
Tue Feb 15 15:36:23 UTC 2011


On 2/15/11 6:52 AM, "Simo Sorce" <ssorce at redhat.com> wrote:

>On Tue, 15 Feb 2011 15:19:50 +0100
>Pavel Zuna <pzuna at redhat.com> wrote:
>
>> I can't reproduce this. :-/
>> 
>> For me it goes fine:
>> 
>> [root at ipadev tools]# ./ipa-nis-manage enable
>> Directory Manager password:
>> 
>> Enabling plugin
>> This setting will not take effect until you restart Directory Server.
>> The rpcbind service may need to be started.
>> 
>
>Pavel,
>Jr has set the minimum ssf to a non default value to test a
>configuration in which all communications are required to be encrypted.
>That's why you can't reproduce with the vanilla configuration.
>
>We want to support that mode although it won't be the default, so we
>need to fix any issue that causes that configuration to break (ie all
>non-encrypted/non-ldapi connections).
>
>Simo.
>
>-- 
>Simo Sorce * Red Hat, Inc * New York
>
>_______________________________________________
>Freeipa-devel mailing list
>Freeipa-devel at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-devel

The best way to do this is:

-=-
service ipa stop
Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif

Change:
nsslapd-minssf: 0

To:
nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56-bit
handshake even though we utilize a much stronger cipher... (It is a known
bug/feature)

service ipa start
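The procedure above (stop IPA, change nsslapd-minssf in dse.ldif, start IPA) is easy to get wrong by hand: the attribute lives in the cn=config entry, it may be absent entirely (which means 0), and a typo in dse.ldif keeps slapd from starting. The following shell script is an added example, not code from the thread or from FreeIPA: it rewrites the attribute in place with a backup, adds it if missing, and reads the effective value back so you can confirm the change before starting the server. The sample dse.ldif fragment is constructed here as a stand-in for /etc/dirsrv/slapd-DOMAIN/dse.ldif; the function names and the demo on a temporary file are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): change nsslapd-minssf in a
# dse.ldif while the directory server is stopped. Edit the real file only
# after `service ipa stop`; 389-ds rewrites dse.ldif on shutdown and would
# clobber a live edit.
set -eu

# Constructed minimal dse.ldif fragment standing in for
# /etc/dirsrv/slapd-DOMAIN/dse.ldif. Only the cn=config entry matters here.
make_sample_dse() {
  cat > "$1" <<'EOF'
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-minssf: 0
nsslapd-port: 389

dn: cn=encryption,cn=config
objectClass: top
cn: encryption
EOF
}

# set_minssf FILE VALUE: set nsslapd-minssf in the cn=config entry, adding the
# attribute if the entry lacks it. Keeps FILE.bak and writes via a temp file so
# a failed run never leaves a half-written dse.ldif behind.
set_minssf() {
  file=$1; value=$2
  case "$value" in
    ''|*[!0-9]*) echo "set_minssf: SSF must be a non-negative integer" >&2; return 1 ;;
  esac
  cp -p "$file" "$file.bak"
  awk -v v="$value" '
    /^dn: /                           { in_config = ($0 == "dn: cn=config") }
    in_config && /^nsslapd-minssf: /  { print "nsslapd-minssf: " v; seen = 1; next }
    in_config && /^$/ && !seen        { print "nsslapd-minssf: " v; seen = 1 }
    { print }
    END { if (in_config && !seen) print "nsslapd-minssf: " v }  # entry was last, no blank line
  ' "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# get_minssf FILE: print the effective minimum SSF (0 when the attribute is absent).
get_minssf() {
  awk '/^dn: /                          { in_config = ($0 == "dn: cn=config") }
       in_config && /^nsslapd-minssf: / { print $2; found = 1; exit }
       END { if (!found) print 0 }' "$1"
}

# Stand-alone demo on a throwaway copy, never on the real dse.ldif.
demo=$(mktemp)
make_sample_dse "$demo"
set_minssf "$demo" 56
echo "nsslapd-minssf is now $(get_minssf "$demo") (was $(get_minssf "$demo.bak"))"
rm -f "$demo" "$demo.bak"
```

On a real server the sequence is `service ipa stop`, `set_minssf /etc/dirsrv/slapd-DOMAIN/dse.ldif 56`, `service ipa start`. Once the minimum SSF is non-zero, every plain `ldap://` bind without TLS or STARTTLS is refused by the directory server, which is exactly the condition the thread wants the IPA tools to survive by using `ldapi:` instead; setting it back to 0 with the same function restores the default.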