[Freeipa-users] MinSSF suggestions?

Jakub Hrozek jhrozek at redhat.com
Mon Aug 11 14:24:34 UTC 2014


On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote:
> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
> >It would seem to be prudent to set the minssf setting for 389 to 56,
> >however I am wondering why this isn't done by default, and if there is
> >any reason why I shouldn't do it?
> Anonymous connection to LDAP wouldn't work. I think we use it for
> rootdse access when enrolling IPA clients where we don't yet have a CA
> certificate.
> 
> I may be wrong, though.

Also old (RHEL-5) SSSD versions rely on anonymous access to be able to
retrieve rootDSE. Newer (RHEL-6.3+) clients are able to re-try fetching
rootDSE once the authenticated connection is established.
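
Added example (not part of the original post, and not FreeIPA or 389 DS code): a simplified model that reads a constructed cn=config fragment and reports whether the anonymous, unencrypted rootDSE read discussed above would still be served once minssf is raised to 56. Assumptions: the function names are hypothetical, nsslapd-minssf-exclude-rootdse is a 389 DS cn=config attribute that the thread does not mention, and the later protected connection is assumed to negotiate an SSF of at least 56.

```python
# Added example: simplified model, not 389 DS or FreeIPA code.
# Constructed cn=config fragment in dse.ldif style (last attribute is folded).
SAMPLE_DSE = """\
dn: cn=config
cn: config
nsslapd-minssf: 56
nsslapd-minssf-exclude-
 rootdse: off
"""

def parse_entry(ldif):
    """Parse one LDIF entry into a lower-cased attr -> value dict, unfolding
    continuation lines (a leading space continues the previous line).
    Base64 ("::") values are not decoded."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()] = value.strip()
    return entry

def rootdse_allowed(config, conn_ssf):
    """Would a rootDSE search on a connection with this SSF be served?"""
    minssf = int(config.get("nsslapd-minssf", "0"))  # unset means 0
    exclude = config.get("nsslapd-minssf-exclude-rootdse", "off").lower() == "on"
    return conn_ssf >= minssf or exclude

def audit(ldif):
    """Report on the two client cases from the thread."""
    cfg = parse_entry(ldif)
    return {
        "minssf": int(cfg.get("nsslapd-minssf", "0")),
        # Enrollment without a CA cert / RHEL-5 SSSD: anonymous plain read, SSF 0.
        "anonymous_plain_rootdse": rootdse_allowed(cfg, 0),
        # Newer SSSD retry on a protected connection (SSF 56 is an assumption).
        "protected_rootdse": rootdse_allowed(cfg, 56),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_DSE))
    print(audit(SAMPLE_DSE.replace("rootdse: off", "rootdse: on")))
```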
