Bug 803836 - IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
6.3
All Linux
unspecified Severity high
: rc
: ---
Assigned To: Rob Crittenden
IDM QE LIST
:
Depends On: 768086
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-15 14:08 EDT by Stephen Gallagher
Modified: 2013-05-22 14:50 EDT (History)
2 users (show)

See Also:
Fixed In Version: ipa-2.2.0-6.el6
Doc Type: Bug Fix
Doc Text:
Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted. Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously. Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 09:21:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Stephen Gallagher 2012-03-15 14:08:39 EDT
Description of problem:
When SSSD is using enumeration mode, it needs to rely on values present in the RootDSE to operate properly. If users change the minssf option in the 389 DS server to 56 (as advised in the FreeIPA documentation), this can cause issues with SSSD.

Version-Release number of selected component (if applicable):
ipa-2.2.0-4.el6

How reproducible:
Every time

Steps to Reproduce:
1. Set nsslapd-minssf = 56 in dse.ldif
2. Perform an online request with SSSD
3. See in SSSD domain log the message "Server is unwilling to perform"
  
Actual results:
"Server is unwilling to perform"

Expected results:
The RootDSE should be available anonymously and unencrypted.

Additional info:
Related to BZ #803436
Comment 2 Dmitri Pal 2012-03-16 17:57:42 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2542
Comment 3 Rob Crittenden 2012-03-22 17:18:07 EDT
For verifying this see the steps in https://fedorahosted.org/389/ticket/168#comment:8
Comment 7 Martin Kosek 2012-04-25 05:17:30 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted.
Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously.
Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration
Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections
Comment 8 Jenny Galipeau 2012-04-27 13:48:42 EDT
# ldapsearch -x -D "cn=Directory Manager" -w mypassword -b "cn=config" | grep minssf
nsslapd-minssf: 0
nsslapd-minssf-exclude-rootdse: on

version ::

ipa-server-2.2.0-11.el6.x86_64
Comment 9 Jenny Galipeau 2012-04-27 13:57:47 EDT
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: nsslapd-minssf-exclude-rootdse as expected 'on'
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
Comment 11 errata-xmlrpc 2012-06-20 09:21:21 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

Note You need to log in before you can comment on or make changes to this bug.