Bug 803836
| Summary: | IPA needs to set the nsslapd-minssf-exclude-rootdse option by default | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Stephen Gallagher <sgallagh> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3 | CC: | jgalipea, mkosek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-6.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted.
Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously.
Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration
Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:21:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 768086 | ||
| Bug Blocks: | |||
|
Description
Stephen Gallagher
2012-03-15 18:08:39 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2542 For verifying this see the steps in https://fedorahosted.org/389/ticket/168#comment:8 Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/a735420a9ba3d507855a75a1a48f79a2358c7081 ipa-2-2: https://fedorahosted.org/freeipa/changeset/96311d02dd5e068dc2d30a71ee5dbf34bcf29dec
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted.
Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously.
Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration
Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections
# ldapsearch -x -D "cn=Directory Manager" -w mypassword -b "cn=config" | grep minssf nsslapd-minssf: 0 nsslapd-minssf-exclude-rootdse: on version :: ipa-server-2.2.0-11.el6.x86_64 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: nsslapd-minssf-exclude-rootdse as expected 'on' :: [ LOG ] :: Duration: 0s :: [ LOG ] :: Assertions: 1 good, 0 bad :: [ PASS ] :: RESULT: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html |