[Freeipa-devel] [PATCH] 911 ensure confidential minssf
Martin Kosek
mkosek at redhat.com
Mon Feb 6 16:30:10 UTC 2012
On Tue, 2011-12-06 at 18:18 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Ensure that we always use at least 56 for minssf when communicating with
> > 389-ds. This will prevent someone from modifying /etc/openldap/ldap.conf
> > in a way to put all communication in the clear.
> >
> > See the ticket for testing information.
> >
> > rob
>
> Note that it should be setting minssf to 56 and not 1 here. I hadn't
> committed that change yet, I'll fix before pushing if acked.
>
> rob
>
If you mean changing these 2 lines:
+ if minssf <= 0:
+ minssf = 1
to
+ if minssf < 56:
+ minssf = 56
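Review bot: the literal 56 is repeated in the comparison and in the assignment (`if minssf < 56:` / `minssf = 56`); a single named constant, with a comment on why 56 is the floor, would keep the two from drifting apart. The clamp is also silent in the lines shown, so logging when the configured value is raised would tell an administrator that ldap.conf is misconfigured.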
then it's ACK. With this change my "ipa passwd" worked fine even with
misconfigured ssf settings in ldap.conf.
Martin
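
The ldap.conf misconfiguration this thread guards against can also be checked for directly. The following is an added example, not part of the thread or of FreeIPA's code: it scans ldap.conf text for SASL_SECPROPS lines whose minssf is below the floor of 56 discussed above. The function names, the sample file contents and the host name are constructed for illustration.

```python
MIN_SSF_FLOOR = 56  # floor discussed in the thread


def secprops_minssf(conf_text):
    """Yield (line_number, minssf) for each SASL_SECPROPS line in ldap.conf text."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        # ldap.conf option names are case-insensitive
        if len(parts) < 2 or parts[0].upper() != "SASL_SECPROPS":
            continue
        minssf = 0  # OpenLDAP's default when the property is not given
        for prop in parts[1].split(","):
            key, _, value = prop.strip().partition("=")
            if key == "minssf" and value.isdigit():
                minssf = int(value)
        yield lineno, minssf


def audit(conf_text, floor=MIN_SSF_FLOOR):
    """Return one finding per SASL_SECPROPS line whose minssf is below the floor."""
    return [
        {"line": n, "configured": v, "effective": max(v, floor)}
        for n, v in secprops_minssf(conf_text)
        if v < floor
    ]


# Constructed sample: a client configuration that permits cleartext traffic.
SAMPLE_LDAP_CONF = """\
# constructed sample, not taken from the thread
URI ldap://ipa.example.test
SASL_MECH GSSAPI
SASL_SECPROPS minssf=0,maxssf=0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDAP_CONF):
        print("line {line}: minssf={configured}, client should enforce "
              "{effective}".format(**finding))
```
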