[Freeipa-users] MinSSF suggestions?

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Aug 12 15:23:23 UTC 2014



On 08/12/2014 09:21 AM, Alexander Bokovoy wrote:
> On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
>> 
>> On 08/11/2014 09:08 AM, Martin Kosek wrote:
>>> On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
>>>> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy 
>>>> wrote:
>>>>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>>>>> 
>>>>>> It would seem to be prudent to set the minssf setting for
>>>>>> 389 to 56, however I am wondering why this isn't done by
>>>>>> default, and if there is any reason why I shouldn't do
>>>>>> it?
>>>>> Anonymous connection to LDAP wouldn't work. I think we use
>>>>> it for rootdse access when enrolling IPA clients where we
>>>>> don't yet have a CA certificate.
>>>>> 
>>>>> I may be wrong, though.
>>>> 
>>>> Also old (RHEL-5) SSSD versions rely on anonymous access to
>>>> be able to retrieve rootDSE. Newer (RHEL-6.3+) clients are
>>>> able to re-try fetching rootDSE once the authenticated
>>>> connection is established.
>>>> 
>>> 
>>> Also, older FreeIPA clients were not able to join those servers
>>> due to a bug in ipa-client-install:
>>> 
>>> https://fedorahosted.org/freeipa/ticket/4459
>>> 
>>> This will be fixed in FreeIPA 4.0.2. Note that this only
>>> applies if you are changing MinSSF for the whole DS via
>>> nsslapd-minssf.
>>> 
>>> Martin
>>> 
>> 
>> I guess the part I don't get here is that this setting does not
>> disable anonymous access to rootdse; it just requires, as far as
>> I understand, that TLS or some security be used for the
>> connection.
>> 
>> I currently have minssf set to 56 and am able to anonymously bind
>> and obtain the rootdse.
> This assumes you have CA certificate available so that you can 
> successfully verify TLS handshake. When you are enrolling a client,
> you don't have the certificate yet.
> 

Gotcha, that makes sense, didn't think that through.

- -Erinn
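One way to see which clients would be affected before raising nsslapd-minssf (an added example, not code from the thread or the FreeIPA project): scan the 389 DS access log for rootDSE reads that arrived with SSF 0, i.e. no LDAPS, no STARTTLS and no SASL bind before the search. The log lines below are constructed, and the field layout is assumed from the 389 DS access-log format.

```python
import re

# Constructed sample of 389 DS access-log lines (layout assumed; not real entries).
# conn=11: plain anonymous rootDSE read, conn=12: STARTTLS first, conn=13: SASL/GSSAPI.
SAMPLE_LOG = """\
[12/Aug/2014:15:20:01 +0000] conn=11 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[12/Aug/2014:15:20:01 +0000] conn=11 op=0 BIND dn="" method=128 version=3
[12/Aug/2014:15:20:01 +0000] conn=11 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[12/Aug/2014:15:20:02 +0000] conn=12 fd=65 slot=65 connection from 10.0.0.6 to 10.0.0.1
[12/Aug/2014:15:20:02 +0000] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Aug/2014:15:20:02 +0000] conn=12 TLS1.2 128-bit AES-GCM
[12/Aug/2014:15:20:02 +0000] conn=12 op=1 BIND dn="" method=128 version=3
[12/Aug/2014:15:20:02 +0000] conn=12 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[12/Aug/2014:15:20:03 +0000] conn=13 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[12/Aug/2014:15:20:03 +0000] conn=13 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[12/Aug/2014:15:20:03 +0000] conn=13 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from (\S+) to')
TLS_RE = re.compile(r'conn=(\d+) (?:TLS|SSL)\S* \d+-bit')   # STARTTLS negotiated
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\S+)')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="" scope=0')  # rootDSE read


def rootdse_readers_at_risk(log_text):
    """Return [(conn, client_ip)] for rootDSE reads done with SSF 0.
    These are the clients that would start failing once nsslapd-minssf > 0."""
    client = {}       # conn id -> client address
    secured = set()   # conn ids with TLS or a SASL layer before the search
    at_risk = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            client[m.group(1)] = m.group(3)
            if m.group(2):            # "SSL connection from" = LDAPS port
                secured.add(m.group(1))
            continue
        m = TLS_RE.search(line)
        if m:
            secured.add(m.group(1))
            continue
        m = BIND_RE.search(line)
        if m and m.group(3) == 'sasl':   # SASL mechanisms add their own SSF
            secured.add(m.group(1))
            continue
        m = SRCH_RE.search(line)
        if m and m.group(1) not in secured:
            at_risk.append((m.group(1), client.get(m.group(1), '?')))
    return at_risk
```

Run it over a real access log to get the list of enrolling or legacy clients to fix before the change; the constructed sample flags only conn=11.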