[Freeipa-devel] [PATCH] 0153 ipa-ldap-updater does not work with hardened LDAP configuration

Simo Sorce simo at redhat.com
Thu Jul 3 15:21:27 UTC 2014


On Thu, 2014-07-03 at 15:21 +0200, Petr Spacek wrote:
> On 2.7.2014 15:52, Alexander Bokovoy wrote:
> > When nsslapd-minssf is greater than 0, running as root
> >   ipa-ldap-updater [-l]
> > will fail even if we force use of autobind for root over LDAPI.
> >
> > The reason for this is that schema updater doesn't get ldapi flag passed
> > and attempts to connect to LDAP port instead and for hardened
> > configurations using simple bind over LDAP is not enough.
> >
> > Additionally, report properly previously unhandled LDAP exceptions.
> > https://fedorahosted.org/freeipa/ticket/3468
> >
> > Note that the ticket is in 'Future releases' but we have this bug in 3.3
> > and in my view it is serious enough to fix it.
> 
> ACK from functional perspective. I have tested clean installation and upgrade
> from 3.3.5 (Fedora 20) and both work.
> 
> Also ipa-ldap-updates works with minssf = 56.
> 
> It can be pushed if there is no problem with Python side of things.
> 

I would love to see this in 4.0 GA too.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
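The failure Alexander describes above (the schema updater never receives the LDAPI flag, falls back to a simple bind on the plain LDAP port, and a server with nsslapd-minssf greater than 0 refuses it) can be modelled without a directory server. The following is an added illustration, not FreeIPA's code or the patch under review; the hostname, socket path, helper names and the local-SSF constant are assumptions made for the model.

```python
"""Model of why ipa-ldap-updater fails under nsslapd-minssf > 0 when the
LDAPI flag is not propagated to the schema updater.  Added illustration,
not FreeIPA code; socket path, hostname and the local SSF value are assumed.
"""
from dataclasses import dataclass

# 389-ds attributes a fixed security strength factor to connections over the
# LDAPI Unix socket (nsslapd-localssf).  The value here is an assumed default
# used only by this model.
ASSUMED_LOCAL_SSF = 71


@dataclass(frozen=True)
class ConnectionPlan:
    uri: str
    bind_method: str  # "autobind" (SASL EXTERNAL over LDAPI) or "simple"
    ssf: int          # SSF the server would attribute to the connection


def plan_connection(use_ldapi: bool, running_as_root: bool,
                    hostname: str = "ipa.example.test",
                    socket_path: str = "/var/run/slapd-EXAMPLE-TEST.socket"
                    ) -> ConnectionPlan:
    """Hypothetical helper: choose how the updater talks to the directory.

    With the LDAPI flag set and root privileges the updater can autobind over
    the Unix socket.  Otherwise it falls back to a simple bind on the plain
    LDAP port, which carries no transport protection (SSF 0).
    """
    if use_ldapi and running_as_root:
        uri = "ldapi://" + socket_path.replace("/", "%2F")
        return ConnectionPlan(uri, "autobind", ASSUMED_LOCAL_SSF)
    return ConnectionPlan(f"ldap://{hostname}:389", "simple", 0)


def server_allows(plan: ConnectionPlan, minssf: int) -> bool:
    """Simplified nsslapd-minssf rule: operations on a connection whose SSF
    is below the configured minimum are rejected."""
    return plan.ssf >= minssf


def run_schema_update(minssf: int, ldapi_flag_propagated: bool,
                      running_as_root: bool = True) -> tuple[str, bool]:
    """Simulate the updater; returns (uri used, whether the server accepted).

    ldapi_flag_propagated=False models the bug in the thread: the caller
    asked for LDAPI, but the schema updater never saw the flag.
    """
    plan = plan_connection(use_ldapi=ldapi_flag_propagated,
                           running_as_root=running_as_root)
    return plan.uri, server_allows(plan, minssf)


if __name__ == "__main__":
    # minssf = 56 is the value Petr reports testing against.
    for propagated in (False, True):
        uri, ok = run_schema_update(minssf=56, ldapi_flag_propagated=propagated)
        print(f"ldapi flag propagated={propagated}: {uri} -> "
              f"{'accepted' if ok else 'rejected by minssf'}")
```

Run as-is to see the two outcomes side by side: with the flag dropped the updater lands on ldap://…:389 with SSF 0 and is rejected at minssf 56; with the flag propagated it autobinds over LDAPI and is accepted. The fix in the patch amounts to making the second path the one the schema updater actually takes.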
