[Freeipa-devel] [PATCH] #1881 client install when anonymous access is prevented

Simo Sorce simo at redhat.com
Wed Sep 28 22:43:17 UTC 2011


This patch allows ipa-client-install to successfully complete if
anonymous access is not allowed on the LDAP server.

I have tested this by changing the value of
nsslapd-allow-anonymous-access from 'on' to 'rootdse' in cn=config.
See NOTE about this option.

This patch warns the user that full verification of the LDAP server was
not possible and may even assume realm is domain.upper() if DNS
discovery is not possible.

With these caveats the installation on a DNS compliant domain works fine
against an IPA server with anonymous access to LDAP disabled with this
patch.

Fixes #1881

Simo.


NOTE: Setting nsslapd-allow-anonymous-access to 'rootdse' is standards
compliant as it still allows access anonymously to the rootdse entry.
Setting this option to 'off' prevents access even to rootdse and is not
a good idea (the client doesn't know what auth methods are available to
authenticate w/o access to rootdse).
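The client-side fallback chain described above (anonymous rootDSE read, then a tree read for server verification, then DNS-based realm discovery with domain.upper() as last resort) modelled as a small Python script. This is an added illustration, not code from the attached patch or from ipa-client-install: the `Server`/`discover` names, the sample rootDSE attributes, the naming context and the DNS answers are all constructed so it runs offline; a real client would obtain them with an anonymous base-scope search of the empty DN and with DNS SRV/TXT lookups.

```python
"""Model of a join step that tolerates restricted anonymous LDAP access.

Added example, not FreeIPA code.  Server behaviour for the three values of
nsslapd-allow-anonymous-access (an attribute of cn=config in 389-ds) is
simulated with constructed data so the script runs without an LDAP server.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed rootDSE attributes an anonymous client would see when allowed.
SAMPLE_ROOTDSE = {
    "supportedSASLMechanisms": ["GSSAPI", "EXTERNAL"],
    "namingContexts": ["dc=example,dc=test"],
}


@dataclass
class Server:
    """Simulated server: what an anonymous client can read."""
    rootdse: Optional[dict]   # None when even the rootDSE read is refused
    tree_readable: bool       # True when entries below the suffix are readable


# How the three settings behave for an anonymous client (constructed model).
SERVERS = {
    "on": Server(rootdse=SAMPLE_ROOTDSE, tree_readable=True),
    "rootdse": Server(rootdse=SAMPLE_ROOTDSE, tree_readable=False),
    "off": Server(rootdse=None, tree_readable=False),
}


@dataclass
class Discovery:
    realm: str
    server_verified: bool
    # True/False when the rootDSE advertised (or did not advertise) GSSAPI,
    # None when the rootDSE could not be read at all.
    gssapi_advertised: Optional[bool]
    warnings: list = field(default_factory=list)


def discover(domain: str, anon_setting: str, dns_realm: Optional[str] = None) -> Discovery:
    """Decide realm and verification status the way the mail describes.

    domain       -- the client's DNS domain, e.g. 'example.test'
    anon_setting -- value of nsslapd-allow-anonymous-access on the server
    dns_realm    -- realm learned from DNS discovery, or None if that failed
    """
    server = SERVERS[anon_setting]
    warnings = []

    # Step 1: anonymous read of the rootDSE tells us which SASL mechanisms
    # exist.  With 'off' this fails, so the client cannot even learn that
    # GSSAPI (Kerberos) is available.
    if server.rootdse is None:
        gssapi = None
        warnings.append("anonymous read of rootDSE refused; supported "
                        "authentication mechanisms are unknown")
    else:
        gssapi = "GSSAPI" in server.rootdse.get("supportedSASLMechanisms", [])

    # Step 2: full verification needs entries below the suffix, which only
    # the 'on' setting exposes anonymously.  Otherwise warn and carry on.
    verified = server.tree_readable
    if not verified:
        warnings.append("full verification of the LDAP server was not possible")

    # Step 3: realm from DNS discovery, else assume domain.upper().
    if dns_realm:
        realm = dns_realm
    else:
        realm = domain.upper()
        warnings.append("DNS discovery failed; assuming realm %s" % realm)

    return Discovery(realm=realm, server_verified=verified,
                     gssapi_advertised=gssapi, warnings=warnings)


if __name__ == "__main__":
    for setting in ("on", "rootdse", "off"):
        result = discover("example.test", setting)
        print(setting, result)
```

Running the script shows why the mail calls 'rootdse' the reasonable restriction: the client still learns that GSSAPI is offered and can join with Kerberos, only the verification step is skipped with a warning; with 'off' the client is left guessing about authentication as well.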

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-client-install-Fix-joining-when-LDAP-access-is-r.patch
Type: text/x-patch
Size: 6099 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110928/827988ca/attachment.bin>

