[Freeipa-users] MinSSF suggestions?

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Aug 12 15:13:21 UTC 2014


On 08/11/2014 09:08 AM, Martin Kosek wrote:
> On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
>> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy
>> wrote:
>>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>>> It would seem to be prudent to set the minssf setting for 389
>>>> to 56, however I am wondering why this isn't done by default,
>>>> and if there is any reason why I shouldn't do it?
>>> Anonymous connection to LDAP wouldn't work. I think we use it
>>> for rootdse access when enrolling IPA clients where we don't
>>> yet have a CA certificate.
>>> 
>>> I may be wrong, though.
>> 
>> Also old (RHEL-5) SSSD versions rely on anonymous access to be
>> able to retrieve rootDSE. Newer (RHEL-6.3+) clients are able to
>> re-try fetching rootDSE once the authenticated connection is
>> established.
>> 
> 
> Also, older FreeIPA clients were not able to join those servers due
> to a bug in ipa-client-install:
> 
> https://fedorahosted.org/freeipa/ticket/4459
> 
> This will be fixed in FreeIPA 4.0.2. Note that this only applies if
> you are changing MinSSF for the whole DS by nsslapd-minssf.
> 
> Martin
> 

I guess the part I don't get here is that this setting does not
disable anonymous access to rootdse; it just requires, as far as I
understand, that TLS or some security be used for the connection.

I currently have minssf set to 56 and am able to anonymously bind and
obtain the rootdse.

I understand there may be troubles along the way but wouldn't setting
this as a default be a "good" thing to aim for?

-Erinn
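As an added example (not part of this thread, nor FreeIPA or 389 DS code), a small Python audit of the cn=config entry in a 389 DS dse.ldif: it reads nsslapd-minssf together with nsslapd-security, nsslapd-allow-anonymous-access and nsslapd-minssf-exclude-rootdse (attribute names from the 389 DS cn=config reference; the last one is assumed to be available in the deployed DS version) and reports whether anonymous rootDSE reads remain possible, which is the point raised above. The sample LDIF is constructed.

```python
# Constructed sample dse.ldif fragment (not a real server's); the folded line exercises unfolding.
SAMPLE_DSE_LDIF = """\
dn: cn=config
nsslapd-security: on
nsslapd-minssf: 56
nsslapd-allow-anonymous-access: on
nsslapd-minssf-exclude-rootdse: o
 n
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}} with lowercased names; unfolds
    continuation lines and skips comments (base64 '::' values stay undecoded)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # blank line ends the current entry
            current = None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                current = entries.setdefault(value.lower(), {})
            elif current is not None:
                current.setdefault(name, []).append(value)
    return entries

def audit_minssf(text):
    """Report how nsslapd-minssf interacts with anonymous (rootDSE) access in cn=config."""
    cfg = parse_ldif(text).get("cn=config", {})
    get = lambda attr, default: cfg.get(attr, [default])[0].lower()
    minssf = int(get("nsslapd-minssf", "0"))               # defaults assumed to be 389 DS's
    tls = get("nsslapd-security", "off") == "on"
    anon = get("nsslapd-allow-anonymous-access", "on")
    rootdse_exempt = get("nsslapd-minssf-exclude-rootdse", "off") == "on"
    findings = []
    if minssf == 0:
        findings.append("minssf=0: cleartext binds and searches are accepted")
    elif not tls:
        findings.append("minssf>0 with TLS off: only a SASL security layer can satisfy it")
    if minssf > 0 and anon != "off" and not rootdse_exempt:
        findings.append("anonymous rootDSE reads must also reach minssf; clients without a security layer cannot fetch it")
    if anon != "off":
        findings.append("minssf does not disable anonymous binds (allow-anonymous-access=%s)" % anon)
    return {"minssf": minssf, "tls": tls, "anonymous": anon, "rootdse_exempt": rootdse_exempt, "findings": findings}
```

Run it against a copy of the server's dse.ldif to see which of the thread's failure modes (clients that cannot read the rootDSE before they have a security layer) a given MinSSF value would trigger.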
