[Freeipa-users] MinSSF suggestions?

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Aug 12 15:29:51 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/12/2014 09:21 AM, Alexander Bokovoy wrote:
> On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> 
>> On 08/11/2014 09:08 AM, Martin Kosek wrote:
>>> On 08/11/2014 04:24 PM, Jakub Hrozek wrote:
>>>> On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy 
>>>> wrote:
>>>>> On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote:
>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>>>>> 
>>>>>> It would seem to be prudent to set the minssf setting for
>>>>>> 389 to 56, however I am wondering why this isn't done by
>>>>>> default, and if there is any reason why I shouldn't do
>>>>>> it?
>>>>> Anonymous connection to LDAP wouldn't work. I think we use
>>>>> it for rootdse access when enrolling IPA clients where we
>>>>> don't yet have a CA certificate.
>>>>> 
>>>>> I may be wrong, though.
>>>> 
>>>> Also old (RHEL-5) SSSD versions rely on anonymous access to
>>>> be able to retrieve rootDSE. Newer (RHEL-6.3+) clients are
>>>> able to re-try fetching rootDSE once the authenticated
>>>> connection is established.
>>>> 
>>> 
>>> Also, older FreeIPA clients were not able to join those servers
>>> due to a bug in ipa-client-install:
>>> 
>>> https://fedorahosted.org/freeipa/ticket/4459
>>> 
>>> This will be fixed in FreeIPA 4.0.2. Note that this only
>>> affects if you are changing MinSSF for whole DS by
>>> nsslapd-minssf.
>>> 
>>> Martin
>>> 
>> 
>> I guess the part I don't get here, is that this setting does not 
>> disable anonymous access to rootdse it just requires, as far as
>> I understand, that TLS or some security be used for the
>> connection.
>> 
>> I currently have minssf set to 56 and am able to anonymously bind
>> and obtain the rootdse.
> This assumes you have CA certificate available so that you can 
> successfully verify TLS handshake. When you are enrolling a client,
> you don't have the certificate yet.
> 

However, this does bring up one more question in mind, why would the
initial installer care?

I mean that if the initial connection for ipa-client-install is going
to be cleartext to what is basically an untrusted source at that point,
why not just ignore CA issues and use a TLS connection anyway? Kind of
in the vein of the first ssh connection to a new host, the host
presents its keys and you can choose whether to trust them or not. In
the installers case trusting them for an anonymous bind would be just
as safe as doing an anonymous bind without tls.

Does that make sense?

- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT6jLrAAoJEFg7BmJL2iPOxRgIAL2KlWRjPmwMbgzIOL+HNhW9
Ogf2SRNAYlHOCNAiwtLkHRtm2vxAtZbyBaVhIoOvgchejLT0Esj9OZSEA81z3Qkm
FCk41R8xNFjPkDt39lU7r6F+LLECQw2933sSFnCFap3wHfIo2sb4fLGAlHe9SWYE
t/PppCa+ToYuYVRGev6QtO9oAXzBfYbh8naZm2kz4QQil+N40UfhKkrDfwha2abn
iEfIp5Eut+FPh3F2aVugv8Zb5pnqzC4/KR0RBLR7BTc4dLf9CC4DtCKk7S+FBpjV
XOd3A3HDI7psFQy2qijq5Z1mgMNGnIUxB2Q1EhYoCsrTVaTnYCYUxcNvm0zSHvA=
=uifU
-----END PGP SIGNATURE-----
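For reference, the server-wide setting under discussion is the nsslapd-minssf attribute on cn=config of the 389 Directory Server behind IPA. The LDIF below is an added illustration, not from the thread or the FreeIPA project; it applies the value Erinn mentions (56) with ldapmodify, and the verification commands in the note after it assume a hypothetical server name ipa.example.com and that the client already trusts the IPA CA.

```ldif
# Added example (not from the thread): raise the minimum security
# strength factor for the whole directory server. 56 is the value the
# thread discusses; 0 (the shipped default) allows unprotected binds.
# Apply with a privileged bind, e.g.:
#   ldapmodify -x -ZZ -H ldap://ipa.example.com -D "cn=Directory Manager" -W -f minssf.ldif
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 56
```

After the change, an anonymous rootDSE read over StartTLS still works (this is the behaviour Erinn reports): `ldapsearch -x -ZZ -H ldap://ipa.example.com -b "" -s base "(objectclass=*)"`. The same search without -ZZ, i.e. in cleartext, should be rejected with LDAP result 13 (confidentiality required) because the connection's SSF of 0 is below the minimum; that rejection is the whole point of the setting. The caveat raised by Alexander and Jakub applies here: -ZZ only succeeds when the client can verify the server certificate, so a host that does not yet have the IPA CA certificate (a client mid-enrolment, or an old SSSD that reads the rootDSE before authenticating) cannot fall back to the cleartext path once minssf is raised. A Kerberos GSSAPI bind with integrity and confidentiality negotiated also satisfies the SSF requirement, so already-enrolled clients are unaffected.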