Bug 670616
| Summary: | nsslapd-minssf vs ldapi | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Jr Aquino <jr.aquino> | ||||||
| Component: | Security - General | Assignee: | Nathan Kinder <nkinder> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 1.2.7 | CC: | amsharma, jgalipea, rmeggins | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2015-12-07 16:30:54 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 639035, 656390 | ||||||||
| Attachments: |
|
||||||||
|
Description
Jr Aquino
2011-01-18 20:21:50 UTC
How critical is this? Are there any workarounds? Created attachment 476468 [details]
Patch
Comment on attachment 476468 [details] Patch https://bugzilla.redhat.com/attachment.cgi?id=476468&action=diff#a/ldap/servers/slapd/slap.h_sec1 I think you mean "are secure" not "are not secure" Otherwise, looks good. (In reply to comment #3) > Comment on attachment 476468 [details] > Patch > > https://bugzilla.redhat.com/attachment.cgi?id=476468&action=diff#a/ldap/servers/slapd/slap.h_sec1 > > I think you mean "are secure" not "are not secure" > > Otherwise, looks good. Good catch. I initially made the default localssf "0", so the comment fit. I missed updating the comment when the default was changed to 71. I'll update the comment and provide a new patch. Created attachment 476469 [details]
Revised Patch
This is the same as the previous patch aside from updating the incorrect comment that Rich pointed out.
Pushed to master. Thanks to Rich and Noriko for their reviews! Counting objects: 41, done. Delta compression using up to 2 threads. Compressing objects: 100% (20/20), done. Writing objects: 100% (21/21), 2.64 KiB, done. Total 21 (delta 18), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 3c2d82e..b5bee52 master -> master Can you please add steps to verify? Thanks! (In reply to comment #7) > Can you please add steps to verify? Thanks! 1) set up the directory server to use ldapi 2) if not already set, set the cn=config nsslapd-localssf to 71 3) set the cn=config nsslapd-minssf to 72 4) restart the directory server 5) try an ldapsearch on the ldapi socket - you should get back an UNWILLING_TO_PERFORM (53) error 6) change cn=config nsslapd-minssf to 70 7) restart the directory server 8) try an ldapsearch on the ldapi socket - it should succeed 1. nsslapd-ldapilisten: on nsslapd-ldapifilepath: /var/run/slapd-testvm.socket 2. nsslapd-localssf: 71 nsslapd-minssf: 72 3. [root@testvm sasl]# ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-testvm.socket -D "cn=Directory Manager" -w Secret123 -b "cn=config" "(objectclass=*)" ldap_bind: Server is unwilling to perform (53) additional info: Minimum SSF not met. 4. After changing the values as: nsslapd-localssf: 71 nsslapd-minssf: 71 It is working fine, thanks for the steps. Marking as VERIFIED. |