Created attachment 950452
tcpdump -nn -vv -s0 -w /tmp/RHOSldapminssf1.cap port 389 on IPA server (RHEL 6.6) with minssf set to 1

Description of problem:
When nsslapd-minssf is set > 0, keystone fails to authenticate.

Version-Release number of selected component (if applicable):
RHOS5 (RHEL7)

How reproducible:
100%

Steps to Reproduce:
1. Install RHEL 6.6 IPA server
2. Set nsslapd-minssf to 1 on IPA server
3. keystone user-list

Actual results:
# keystone user-list
Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'} (HTTP 500)

Expected results:
List of users from LDAP.

Additional info:
This bug is the second of three that deal with the scenario where a customer is running IPA and using it to authenticate RHEV and RHOS5. As of IPA 6.6, RHEV requires minssf to be set to >0 in order to authenticate against IPA, which breaks RHOS5.

RHEV bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1156577
It contains tcpdumps of RHEV attempting to communicate when minssf is set to 0. I am attaching a tcpdump for RHOS5 when minssf is set to 1.
Is Keystone configured to use LDAPS or TLS? The whole point of minssf is to require integrity (SSF=1) or confidentiality (SSF>=2). Integrity alone is not possible with Keystone, as it only supports the LDAP simple bind operation and doesn't have SASL bind support. This means that encryption is required to have an SSF > 0.
The packet trace shows that the traffic is in the clear, so encryption needs to be enabled for the LDAP connection between Keystone and IPA. This is very highly recommended anyway, as user passwords are transmitted over the wire in the clear for simple bind attempts.
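The following is an added example, not code from the bug report, from Keystone or from IPA. It places a keystone.conf [ldap] fragment matching the failing setup (plain ldap://, no STARTTLS, so the simple bind and its password travel in clear and the server answers "Minimum SSF not met") beside a corrected LDAPS fragment, and implements the rule the comment above states as a small config check: with simple bind only, an SSF > 0 can only come from LDAPS or STARTTLS on the transport. The option names `url`, `use_tls`, `tls_cacertfile`, `tls_cacertdir` and `tls_req_cert` are Keystone's [ldap] options; the host name, bind DN, CA path and password are constructed placeholders.

```python
"""Check whether a keystone.conf [ldap] section gives the Keystone -> LDAP
connection transport encryption, which is what a 389-ds/IPA server enforcing
nsslapd-minssf > 0 requires of a client that can only do a simple bind.

Added example; not code from the bug report or from Keystone. Option names
are Keystone's [ldap] options; host, DN, path and password values are
constructed placeholders.
"""
import configparser
from urllib.parse import urlsplit

# Constructed fragment reproducing the failing setup: ldap:// and no
# STARTTLS, so every simple bind ships the password in clear (SSF=0).
CLEARTEXT_CONF = """
[ldap]
url = ldap://ipa.example.test
user = uid=keystone,cn=sysaccounts,cn=etc,dc=example,dc=test
password = placeholder-bind-password
suffix = dc=example,dc=test
"""

# Constructed corrected fragment: LDAPS with the server certificate verified
# against the IPA CA. (STARTTLS via use_tls = True on an ldap:// URL is the
# other route; Keystone rejects use_tls together with an ldaps:// URL.)
LDAPS_CONF = """
[ldap]
url = ldaps://ipa.example.test
user = uid=keystone,cn=sysaccounts,cn=etc,dc=example,dc=test
password = placeholder-bind-password
suffix = dc=example,dc=test
tls_cacertfile = /etc/ipa/ca.crt
tls_req_cert = demand
"""


def check_ldap_transport(conf_text):
    """Return (ok, findings) for the [ldap] section of a keystone.conf text.

    ok is True only when the simple bind will run over LDAPS or STARTTLS
    and the server certificate is actually verified against a pinned CA.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("ldap"):
        return False, ["no [ldap] section"]
    sec = cp["ldap"]
    findings = []

    # Keystone accepts a comma-separated list of URLs; look at every scheme.
    urls = [u.strip() for u in sec.get("url", "ldap://localhost").split(",") if u.strip()]
    schemes = {urlsplit(u).scheme.lower() for u in urls}
    use_tls = sec.getboolean("use_tls", fallback=False)

    if "ldaps" in schemes and use_tls:
        # Keystone refuses this combination when it opens the connection.
        findings.append("use_tls = True cannot be combined with an ldaps:// URL")
    if "ldap" in schemes and not use_tls:
        findings.append("ldap:// without use_tls: simple bind password sent in clear, SSF=0")
    unknown = schemes - {"ldap", "ldaps"}
    if unknown:
        findings.append("unsupported URL scheme(s): %s" % sorted(unknown))

    encrypted = "ldaps" in schemes or use_tls
    if encrypted:
        # Encryption without certificate verification still leaves the bind
        # exposed to an interposed server; require demand plus a CA source.
        req_cert = sec.get("tls_req_cert", "demand").lower()
        if req_cert != "demand":
            findings.append("tls_req_cert = %s: server certificate not verified" % req_cert)
        if not (sec.get("tls_cacertfile") or sec.get("tls_cacertdir")):
            findings.append("no tls_cacertfile/tls_cacertdir: CA for verification not pinned")

    return (encrypted and not findings), findings


if __name__ == "__main__":
    for name, text in (("cleartext", CLEARTEXT_CONF), ("ldaps", LDAPS_CONF)):
        ok, findings = check_ldap_transport(text)
        print(name, "OK" if ok else "NOT OK", findings)
```

Running the check over an existing keystone.conf (`check_ldap_transport(open("/etc/keystone/keystone.conf").read())`) tells you before restarting Keystone whether a minssf > 0 server will accept its binds; the findings list is the reason when it will not.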