[Freeipa-users] MinSSF suggestions?

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Aug 12 18:40:39 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/12/2014 12:33 PM, Alexander Bokovoy wrote:
> On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
>>>> I guess the part I don't get here, is that this setting does
>>>> not disable anonymous access to rootdse it just requires, as
>>>> far as I understand, that TLS or some security be used for
>>>> the connection.
>>>> 
>>>> I currently have minssf set to 56 and am able to anonymously
>>>> bind and obtain the rootdse.
>>> This assumes you have CA certificate available so that you can 
>>> successfully verify TLS handshake. When you are enrolling a
>>> client, you don't have the certificate yet.
>>> 
>> 
>> However, this does bring up one more question in mind, why would
>> the initial installer care?
>> 
>> I mean that if the initial connection for ipa-client-install is
>> going to be cleartext to what is basically an untrusted source at
>> that point, why not just ignore CA issues and use a TLS connection
>> anyway? Kind of in the vein of the first ssh connection to a new
>> host: the host presents its keys and you can choose whether to
>> trust them or not. In the installer's case, trusting them for an
>> anonymous bind would be just as safe as doing an anonymous bind
>> without TLS.
>> 
>> Does that make sense?
> We need to support old clients which don't have a chance to get
> updated to support this logic. I think we are pretty much stuck with
> the existing approach, given that now we have the ability to serve the
> certificate through the LDAP connection already (it is stored at
> cn=CACert,cn=ipa,cn=etc,$SUFFIX) and then the client does use it
> after downloading to perform the actual join operation against LDAP
> over TLS.
> 

Makes sense, I reckoned there were probably good reasons, but I just
wanted to bring it up as an option to see if it was possible.

Thanks,
- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT6l+jAAoJEFg7BmJL2iPOz/cIAItTGO9Kwouu8871ByEMd83D
rLxVjg0eWgipuEg4K9Je5JI9nKZIKi+g9B7M/9LWXzIGH7meN6srG+9Wk/GkqkEu
Q518n06iGT+8B/PqfgkTJBdXqRPH/oXJcypXq1Mfkyr0mO+h5rqb3/iM79cJATdJ
r++h70TdZ8ELN51OETcTmhV7eg7IqKfNwuMTvLvR9Q/XjzZHWACgiF1lX80ODSNC
QHTo7y7U8M6SLLj8UjERVvGAcznzTlrw4UA5oIDUtgzlf7s+qXdkfXwivrqVBdVy
PV5bP3xRcP8jPVwojr6fb6FjFFemGyoAsHOgRkcjmJsVlk+TqXYUGl+ENVO/3DU=
=rTN/
-----END PGP SIGNATURE-----
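The bootstrap flow Alexander describes (anonymous, cleartext read of the CA certificate from cn=CACert,cn=ipa,cn=etc,$SUFFIX, then a TLS-protected join using that certificate) is illustrated below with an added Python example that is not part of this thread or of FreeIPA's own installer. It takes the LDIF an `ldapsearch` of that entry would print, unfolds the continuation lines, base64-decodes the `cACertificate;binary` attribute and writes it out as PEM, which is the form `LDAPTLS_CACERT` expects for the follow-up TLS connection. The suffix `dc=example,dc=test`, the DER payload (filler bytes, not a real certificate) and the `ldapsearch` folding width are constructed assumptions; the real CA entry's attribute name and DN are as the thread states.

```python
"""Extract the FreeIPA CA certificate from an anonymous ldapsearch LDIF dump
and write it as PEM for the subsequent TLS-protected join.

Added example, not FreeIPA code.  SAMPLE_LDIF is constructed: the DER
payload is filler bytes, not a real certificate, and the suffix is made up.
"""
import base64
import textwrap

# Constructed stand-in for the DER-encoded CA certificate (not a real cert).
FAKE_DER = bytes(range(256)) * 2


def _ldif_fold(attr: str, raw: bytes) -> str:
    """Render a binary attribute the way ldapsearch does: '<attr>:: <b64>',
    folded at 76 columns, continuation lines starting with one space."""
    line = f"{attr}:: " + base64.b64encode(raw).decode()
    return line[:76] + "".join(
        "\n " + line[i:i + 75] for i in range(76, len(line), 75)
    )


# What `ldapsearch -x -b cn=CACert,cn=ipa,cn=etc,dc=example,dc=test` might
# return over the initial cleartext connection (constructed sample).
SAMPLE_LDIF = (
    "dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=test\n"
    "objectClass: pkiCA\n"
    "cn: CACert\n"
    + _ldif_fold("cACertificate;binary", FAKE_DER)
    + "\n\n"
)


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (leading single space) onto their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attribute: bytes}.  '::' marks base64 values."""
    entry = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            entry[name] = base64.b64decode(value[1:].strip())
        else:
            entry[name] = value.strip().encode()
    return entry


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to verify the round trip."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def ca_cert_pem(ldif_text: str) -> str:
    """Return the PEM form of the cACertificate attribute found in the LDIF."""
    entry = parse_ldif_entry(ldif_text)
    der = entry.get("cACertificate;binary") or entry.get("cACertificate")
    if der is None:
        raise ValueError("no cACertificate attribute in LDIF entry")
    return der_to_pem(der)


def write_ca_pem(ldif_text: str, path: str) -> str:
    """Write the extracted certificate to `path` (for LDAPTLS_CACERT) and return it."""
    pem = ca_cert_pem(ldif_text)
    with open(path, "w") as fh:
        fh.write(pem)
    return path


if __name__ == "__main__":
    # Real use: feed the output of the anonymous ldapsearch instead of SAMPLE_LDIFt
    print(ca_cert_pem(SAMPLE_LDIF))
```

The value of this step is exactly the point made in the thread: the certificate is fetched without any trust anchor, so the cleartext read must be treated as untrusted input. Everything after it (the actual join, any bind carrying credentials) should go over TLS validated against the PEM written here, and a mismatch between that certificate and what the server presents on the TLS connection is the signal that the bootstrap read was tampered with.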