[Freeipa-users] MinSSF suggestions?

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 12 15:21:31 UTC 2014


On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
>On 08/11/2014 09:08 AM, Martin Kosek wrote:
>> On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
>>> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy
>>> wrote:
>>>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>>>> It would seem to be prudent to set the minssf setting for 389
>>>>> to 56, however I am wondering why this isn't done by default,
>>>>> and if there is any reason why I shouldn't do it?
>>>> Anonymous connection to LDAP wouldn't work. I think we use it
>>>> for rootdse access when enrolling IPA clients where we don't
>>>> yet have a CA certificate.
>>>>
>>>> I may be wrong, though.
>>>
>>> Also old (RHEL-5) SSSD versions rely on anonymous access to be
>>> able to retrieve rootDSE. Newer (RHEL-6.3+) clients are able to
>>> re-try fetching rootDSE once the authenticated connection is
>>> established.
>>>
>>
>> Also, older FreeIPA clients were not able to join those servers due
>> to a bug in ipa-client-install:
>>
>> https://fedorahosted.org/freeipa/ticket/4459
>>
>> This will be fixed in FreeIPA 4.0.2. Note that this only applies if
>> you are changing MinSSF for the whole DS by nsslapd-minssf.
>>
>> Martin
>>
>
>I guess the part I don't get here is that this setting does not
>disable anonymous access to rootdse; it just requires, as far as I
>understand, that TLS or some security be used for the connection.
>
>I currently have minssf set to 56 and am able to anonymously bind and
>obtain the rootdse.
This assumes you have a CA certificate available so that you can
successfully verify the TLS handshake. When you are enrolling a client, you
don't have the certificate yet.

-- 
/ Alexander Bokovoy
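As an added illustration (not part of this thread or of FreeIPA's own tooling), the following shell check reproduces the two situations being discussed: an anonymous rootDSE read in cleartext, which is what a not-yet-enrolled client without the CA certificate can do, and the same read with mandatory STARTTLS, which is what works once the CA certificate is in place. It assumes the OpenLDAP client tools (ldapsearch) are installed; the server name is a constructed placeholder, and the exit-code mapping relies on ldapsearch exiting with the LDAP result code (13 is confidentialityRequired, which 389-ds returns as "Minimum SSF not met").

```shell
#!/bin/sh
# Added example, not from the thread: probe whether nsslapd-minssf blocks an
# anonymous cleartext rootDSE read, and whether the same read works over TLS.
# Assumes OpenLDAP client tools are installed. IPA_SERVER is a constructed
# placeholder; override it in the environment.

IPA_SERVER="${IPA_SERVER:-ipa.example.test}"

# Translate an ldapsearch exit status into what it means for this check.
# ldapsearch exits with the LDAP result code; 13 = confidentialityRequired,
# which 389-ds reports as "Minimum SSF not met". Anything else is a connect,
# TLS-verification or other failure and is reported with its raw code.
classify_rc() {
    case "$1" in
        0)  echo "allowed" ;;
        13) echo "blocked-by-minssf" ;;
        *)  echo "failed-rc-$1" ;;
    esac
}

# Anonymous (-x without -D) base-scope read of the rootDSE.
# $1 = extra ldapsearch option: "" for cleartext, "-ZZ" for mandatory STARTTLS
#      (-ZZ fails closed when the server certificate cannot be verified,
#      i.e. when the client does not yet have the IPA CA certificate).
probe_rootdse() {
    ldapsearch -x $1 -H "ldap://$IPA_SERVER" -s base -b "" \
        "(objectClass=*)" supportedSASLMechanisms >/dev/null 2>&1
    classify_rc $?
}

# Compare both paths. An enrolling client without the CA certificate is in
# the cleartext row; if that row says blocked-by-minssf, enrollment that
# depends on an anonymous rootDSE read will not get past this server.
report() {
    printf 'cleartext anonymous rootDSE: %s\n' "$(probe_rootdse "")"
    printf 'STARTTLS  anonymous rootDSE: %s\n' "$(probe_rootdse "-ZZ")"
}

# Only touch the network when invoked explicitly, e.g. ./minssf-check.sh --run
if [ "${1:-}" = "--run" ]; then
    report
fi
```

Run it from a host that has not been enrolled (no IPA CA certificate in the client trust store) to see the situation Alexander describes: the cleartext row reports blocked-by-minssf once nsslapd-minssf is raised above 0, and the STARTTLS row fails on certificate verification rather than on SSF. Run it again from an enrolled client and both rows should report allowed over TLS, which matches Erinn's observation that anonymous rootDSE access itself is not disabled, only cleartext access to it.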
