[Freeipa-users] MinSSF suggestions?

Martin Kosek mkosek at redhat.com
Mon Aug 11 15:08:42 UTC 2014


On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote:
>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>> It would seem to be prudent to set the minssf setting for 389 to 56,
>>> however I am wondering why this isn't done by default, and if there is
>>> any reason why I shouldn't do it?
>> Anonymous connections to LDAP wouldn't work. I think we use it for
>> rootdse access when enrolling IPA clients where we don't yet have a CA
>> certificate.
>>
>> I may be wrong, though.
> 
> Also old (RHEL-5) SSSD versions rely on anonymous access to be able to
> retrieve rootDSE. Newer (RHEL-6.3+) clients are able to re-try fetching
> rootDSE once the authenticated connection is established.
> 

Also, older FreeIPA clients were not able to join those servers due to a bug in
ipa-client-install:

https://fedorahosted.org/freeipa/ticket/4459

This will be fixed in FreeIPA 4.0.2. Note that this only affects you if you are
changing MinSSF for the whole DS by nsslapd-minssf.

Martin
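A defender-side check for the dependency the thread describes: before raising nsslapd-minssf, find out which clients still read the rootDSE over an unauthenticated connection, using the 389 DS access log. This is an added example, not code from the thread or from FreeIPA; the log lines are constructed, and the parsing assumes the usual 389 DS "conn=N op=M ..." access-log layout.

```python
import re

# Constructed 389 DS access-log excerpt (not taken from the thread).
SAMPLE_LOG = """\
[11/Aug/2014:17:18:03 +0300] conn=42 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[11/Aug/2014:17:18:03 +0300] conn=42 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* +"
[11/Aug/2014:17:18:03 +0300] conn=42 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[11/Aug/2014:17:18:04 +0300] conn=43 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[11/Aug/2014:17:18:04 +0300] conn=43 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Aug/2014:17:18:04 +0300] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=host.example.test,cn=computers,cn=accounts,dc=example,dc=test"
[11/Aug/2014:17:18:04 +0300] conn=43 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl"
[11/Aug/2014:17:18:05 +0300] conn=44 fd=66 slot=66 connection from 192.0.2.30 to 192.0.2.1
[11/Aug/2014:17:18:05 +0300] conn=44 op=0 BIND dn="" method=128 version=3
[11/Aug/2014:17:18:05 +0300] conn=44 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="*"
"""

# Assumed log shapes: the connection line carries the client address, a BIND
# line carries the requested dn, and a bind RESULT carries the mapped identity.
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
BOUND_RE = re.compile(r'conn=(\d+) op=\d+ RESULT .*\bdn="([^"]*)"')
ROOTDSE_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="" scope=0')


def anonymous_rootdse_clients(log_text):
    """Return {client_ip: count} of rootDSE reads (base "", scope 0) made on a
    connection that had no non-anonymous bind yet. These are the clients that
    a raised nsslapd-minssf would break unless they can retry after auth."""
    client_of = {}   # conn id -> client address
    authed = set()   # conn ids that completed a bind with a real identity
    hits = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            authed.discard(m.group(1))   # conn ids get reused over time
            continue
        m = BIND_RE.search(line) or BOUND_RE.search(line)
        if m and m.group(2):             # dn="" means anonymous, so not authed
            authed.add(m.group(1))
            continue
        m = ROOTDSE_RE.search(line)
        if m and m.group(1) not in authed:
            ip = client_of.get(m.group(1), "unknown")
            hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    for ip, n in sorted(anonymous_rootdse_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} anonymous rootDSE read(s)")
```

Run it over a day or two of the real access log to list the hosts that still need anonymous rootDSE access before changing MinSSF server-wide.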
