803836 – IPA needs to set the nsslapd-minssf-exclude-rootdse option by default

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 803836 - IPA needs to set the nsslapd-minssf-exclude-rootdse option by default

Summary: IPA needs to set the nsslapd-minssf-exclude-rootdse option by default

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.3
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:	768086
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-15 18:08 UTC by Stephen Gallagher
Modified:	2013-05-22 18:50 UTC (History)
CC List:	2 users (show)
Fixed In Version:	ipa-2.2.0-6.el6
Doc Type:	Bug Fix
Doc Text:	Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted. Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously. Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections
Clone Of:
Environment:
Last Closed:	2012-06-20 13:21:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0819	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2012-06-19 20:34:17 UTC

Description Stephen Gallagher 2012-03-15 18:08:39 UTC

Description of problem:
When SSSD is using enumeration mode, it needs to rely on values present in the RootDSE to operate properly. If users change the minssf option in the 389 DS server to 56 (as advised in the FreeIPA documentation), this can cause issues with SSSD.

Version-Release number of selected component (if applicable):
ipa-2.2.0-4.el6

How reproducible:
Every time

Steps to Reproduce:
1. Set nsslapd-minssf = 56 in dse.ldif
2. Perform an online request with SSSD
3. See in SSSD domain log the message "Server is unwilling to perform"
  
Actual results:
"Server is unwilling to perform"

Expected results:
The RootDSE should be available anonymously and unencrypted.

Additional info:
Related to BZ #803436

Comment 2 Dmitri Pal 2012-03-16 21:57:42 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2542

Comment 3 Rob Crittenden 2012-03-22 21:18:07 UTC

For verifying this see the steps in https://fedorahosted.org/389/ticket/168#comment:8

Comment 4 Martin Kosek 2012-03-26 12:28:07 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/a735420a9ba3d507855a75a1a48f79a2358c7081
ipa-2-2: https://fedorahosted.org/freeipa/changeset/96311d02dd5e068dc2d30a71ee5dbf34bcf29dec

Comment 7 Martin Kosek 2012-04-25 09:17:30 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted.
Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously.
Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration
Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections

Comment 8 Jenny Severance 2012-04-27 17:48:42 UTC

# ldapsearch -x -D "cn=Directory Manager" -w mypassword -b "cn=config" | grep minssf
nsslapd-minssf: 0
nsslapd-minssf-exclude-rootdse: on

version ::

ipa-server-2.2.0-11.el6.x86_64

Comment 9 Jenny Severance 2012-04-27 17:57:47 UTC

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: nsslapd-minssf-exclude-rootdse as expected 'on'
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default

Comment 11 errata-xmlrpc 2012-06-20 13:21:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

Note You need to log in before you can comment on or make changes to this bug.