Hide Forgot
Description of problem: When SSSD is using enumeration mode, it needs to rely on values present in the RootDSE to operate properly. If users change the minssf option in the 389 DS server to 56 (as advised in the FreeIPA documentation), this can cause issues with SSSD. Version-Release number of selected component (if applicable): ipa-2.2.0-4.el6 How reproducible: Every time Steps to Reproduce: 1. Set nsslapd-minssf = 56 in dse.ldif 2. Perform an online request with SSSD 3. See in SSSD domain log the message "Server is unwilling to perform" Actual results: "Server is unwilling to perform" Expected results: The RootDSE should be available anonymously and unencrypted. Additional info: Related to BZ #803436
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2542
For verifying this see the steps in https://fedorahosted.org/389/ticket/168#comment:8
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/a735420a9ba3d507855a75a1a48f79a2358c7081 ipa-2-2: https://fedorahosted.org/freeipa/changeset/96311d02dd5e068dc2d30a71ee5dbf34bcf29dec
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted. Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously. Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections
# ldapsearch -x -D "cn=Directory Manager" -w mypassword -b "cn=config" | grep minssf nsslapd-minssf: 0 nsslapd-minssf-exclude-rootdse: on version :: ipa-server-2.2.0-11.el6.x86_64
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: nsslapd-minssf-exclude-rootdse as expected 'on' :: [ LOG ] :: Duration: 0s :: [ LOG ] :: Assertions: 1 good, 0 bad :: [ PASS ] :: RESULT: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html