825391 – [RFE] Replica installation should provide a means for inheriting nssldap security access settings

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 825391 - [RFE] Replica installation should provide a means for inheriting nssldap security access settings

Summary: [RFE] Replica installation should provide a means for inheriting nssldap secu...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Bašti
QA Contact:	IDM QE LIST
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-05-25 21:09 UTC by Dmitri Pal
Modified:	2016-11-04 05:43 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-4.4.0-0.el7.1.alpha1
Doc Type:	Enhancement
Doc Text:	IdM now supports setting individual Directory Server options during server or replica installation The Identity Management (IdM) "ipa-server-install" and "ipa-replica-install" commands have been enhanced. The new "--dirsrv-config-file" parameter enables the administrator to change default Directory Server settings used during and after the IdM installation. For example, to disable secure LDAP binds in the mentioned situation: Create a text file with the setting in LDIF format: dn: cn=config changetype: modify replace: nsslapd-require-secure-binds nsslapd-require-secure-binds: off Start the IdM server installation by passing the "--dirsrv-config-file" parameter and file to the installation script: # ipa-server-install --dirsrv-config-file filename.ldif
Clone Of:
Environment:
Last Closed:	2016-11-04 05:43:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
console output with verification steps (23.00 KB, text/plain) 2016-09-15 17:01 UTC, Kaleem	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Dmitri Pal 2012-05-25 21:09:35 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/1930

Anonymous access is a setting that makes sense to have a global default during the installation of additional replicas.

Let ipa-replica-prepare add an option in a file that we read in ipa-replica-install.
If the option is present the install will turn off anonymous access during install.

Comment 1 RHEL Program Management 2012-07-10 07:12:52 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2012-07-10 23:27:58 UTC

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 5 Martin Bašti 2015-10-15 18:13:13 UTC

Settings are not inherited, but a user can specify modifications in ldif file that will be used during and after server/replica installation

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/63638ac9a32b528677694b438b276812e75917c4
https://fedorahosted.org/freeipa/changeset/65c89cc711331e5ae97f95b1f39190be1e9fdc3c
https://fedorahosted.org/freeipa/changeset/ae23432ef520850de820aff099679f3f639d1d2f
https://fedorahosted.org/freeipa/changeset/5233165ce7062bb7aa649bf95a029103c375207b

Comment 6 Martin Bašti 2015-10-15 18:13:54 UTC

How to use:

# cat update.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-unauthenticated-binds
nsslapd-allow-unauthenticated-binds: off
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: off
-
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
-
replace: nsslapd-minssf
nsslapd-minssf: 0

# ipa-{server,replica}-install --dirsrv-config-mods=update.ldif

Comment 7 Martin Bašti 2015-10-19 12:21:56 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f4c8c93e7092b341c3ed2e04553dd5afbcc44dc5


Option --dirsrv-config-mods  has been renamed to  --dirsrv-config-file

Comment 8 Mike McCune 2016-03-28 23:03:07 UTC

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 10 Kaleem 2016-09-15 16:59:31 UTC

Verified.

IPA Version:
============
[root@dhcp207-130 ~]# rpm -q ipa-server
ipa-server-4.4.0-11.el7.x86_64
[root@dhcp207-130 ~]# 

Please find the attached file for console output of 4 scenarios which have been executed for this.

Comment 11 Kaleem 2016-09-15 17:01:36 UTC

Created attachment 1201323 [details]
console output with verification steps

Comment 16 errata-xmlrpc 2016-11-04 05:43:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.