Bug 825391 - [RFE] Replica installation should provide a means for inheriting nssldap security access settings
Summary: [RFE] Replica installation should provide a means for inheriting nssldap secu...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Martin Bašti
Marc Muehlfeld
Depends On:
TreeView+ depends on / blocked
Reported: 2012-05-25 21:09 UTC by Dmitri Pal
Modified: 2016-11-04 05:43 UTC (History)
5 users (show)

Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Enhancement
Doc Text:
IdM now supports setting individual Directory Server options during server or replica installation The Identity Management (IdM) "ipa-server-install" and "ipa-replica-install" commands have been enhanced. The new "--dirsrv-config-file" parameter enables the administrator to change default Directory Server settings used during and after the IdM installation. For example, to disable secure LDAP binds in the mentioned situation: Create a text file with the setting in LDIF format: dn: cn=config changetype: modify replace: nsslapd-require-secure-binds nsslapd-require-secure-binds: off Start the IdM server installation by passing the "--dirsrv-config-file" parameter and file to the installation script: # ipa-server-install --dirsrv-config-file filename.ldif
Clone Of:
Last Closed: 2016-11-04 05:43:01 UTC
Target Upstream Version:

Attachments (Terms of Use)
console output with verification steps (23.00 KB, text/plain)
2016-09-15 17:01 UTC, Kaleem
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Dmitri Pal 2012-05-25 21:09:35 UTC
This bug is created as a clone of upstream ticket:

Anonymous access is a setting that makes sense to have a global default during the installation of additional replicas.

Let ipa-replica-prepare add an option in a file that we read in ipa-replica-install.
If the option is present the install will turn off anonymous access during install.

Comment 1 RHEL Program Management 2012-07-10 07:12:52 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2012-07-10 23:27:58 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 6 Martin Bašti 2015-10-15 18:13:54 UTC
How to use:

# cat update.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-unauthenticated-binds
nsslapd-allow-unauthenticated-binds: off
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: off
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
replace: nsslapd-minssf
nsslapd-minssf: 0

# ipa-{server,replica}-install --dirsrv-config-mods=update.ldif

Comment 7 Martin Bašti 2015-10-19 12:21:56 UTC
Fixed upstream

Option --dirsrv-config-mods  has been renamed to  --dirsrv-config-file

Comment 8 Mike McCune 2016-03-28 23:03:07 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 10 Kaleem 2016-09-15 16:59:31 UTC

IPA Version:
[root@dhcp207-130 ~]# rpm -q ipa-server
[root@dhcp207-130 ~]# 

Please find the attached file for console output of 4 scenarios which have been executed for this.

Comment 11 Kaleem 2016-09-15 17:01:36 UTC
Created attachment 1201323 [details]
console output with verification steps

Comment 16 errata-xmlrpc 2016-11-04 05:43:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.