Bug 803836 - IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
Summary: IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On: 768086
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-15 18:08 UTC by Stephen Gallagher
Modified: 2013-05-22 18:50 UTC (History)
2 users (show)

Fixed In Version: ipa-2.2.0-6.el6
Doc Type: Bug Fix
Doc Text:
Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted. Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously. Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections
Clone Of:
Environment:
Last Closed: 2012-06-20 13:21:21 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Stephen Gallagher 2012-03-15 18:08:39 UTC
Description of problem:
When SSSD is using enumeration mode, it needs to rely on values present in the RootDSE to operate properly. If users change the minssf option in the 389 DS server to 56 (as advised in the FreeIPA documentation), this can cause issues with SSSD.

Version-Release number of selected component (if applicable):
ipa-2.2.0-4.el6

How reproducible:
Every time

Steps to Reproduce:
1. Set nsslapd-minssf = 56 in dse.ldif
2. Perform an online request with SSSD
3. See in SSSD domain log the message "Server is unwilling to perform"
  
Actual results:
"Server is unwilling to perform"

Expected results:
The RootDSE should be available anonymously and unencrypted.

Additional info:
Related to BZ #803436

Comment 2 Dmitri Pal 2012-03-16 21:57:42 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2542

Comment 3 Rob Crittenden 2012-03-22 21:18:07 UTC
For verifying this see the steps in https://fedorahosted.org/389/ticket/168#comment:8

Comment 7 Martin Kosek 2012-04-25 09:17:30 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA did not configure its Directory Server instance to always keep its RootDSE available anonymously and unencrypted.
Consequence: When user changes nsslapd-minssf in the Directory Server instance configuration to make higher security demands on connection the the instance, some applications (as SSSD) may stop working as they can no longer read RootDSE for the instance anonymously.
Fix: IPA sets nsslapd-minssf-exclude-rootdse option in Directory Server instance configuration
Result: Users or applications can access RootDSE in IPA Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections

Comment 8 Jenny Severance 2012-04-27 17:48:42 UTC
# ldapsearch -x -D "cn=Directory Manager" -w mypassword -b "cn=config" | grep minssf
nsslapd-minssf: 0
nsslapd-minssf-exclude-rootdse: on

version ::

ipa-server-2.2.0-11.el6.x86_64

Comment 9 Jenny Severance 2012-04-27 17:57:47 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: nsslapd-minssf-exclude-rootdse as expected 'on'
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: bz803836 IPA needs to set the nsslapd-minssf-exclude-rootdse option by default

Comment 11 errata-xmlrpc 2012-06-20 13:21:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html


Note You need to log in before you can comment on or make changes to this bug.