[Freeipa-users] MinSSF suggestions?

[Alexander Bokovoy]

On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
>>> I guess the part I don't get here, is that this setting does not
>>> disable anonymous access to rootdse it just requires, as far as
>>> I understand, that TLS or some security be used for the
>>> connection.
>>>
>>> I currently have minssf set to 56 and am able to anonymously bind
>>> and obtain the rootdse.
>> This assumes you have CA certificate available so that you can
>> successfully verify TLS handshake. When you are enrolling a client,
>> you don't have the certificate yet.
>>
>
>However, this does bring up one more question in mind, why would the
>initial installer care?
>
>I mean that if the intial connection for ipa-client-install is going
>to be cleartext to what is basically an untrusted source at that point
>why not just ignore CA issues and use a TLS connection anyway? Kind of
>in the vein of the first ssh connection to a new host, the host
>presents its keys and you can choose whether to trust them or not. In
>the installers case trusting them for an anonymous bind would be just
>as safe as doing an anonymous bind without tls.
>
>Does that make sense?
We need to support old clients which don't have chance to get updated to
support this logic. I think we pretty much stuck with existing approach,
given that now we have ability to serve the certificate through LDAP
connection already (it is stored at cn=CACert,cn=ipa,cn=etc,$SUFFIX) and
then the client does use it after downloading to perform actual join
operation against LDAP over TLS.

-- 
/ Alexander Bokovoy