Bug 825391 - [RFE] Replica installation should provide a means for inheriting nssldap security access settings
Summary: [RFE] Replica installation should provide a means for inheriting nssldap secu...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Martin Bašti
QA Contact: IDM QE LIST
Marc Muehlfeld
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-25 21:09 UTC by Dmitri Pal
Modified: 2016-11-04 05:43 UTC (History)
5 users (show)

(edit)
IdM now supports setting individual Directory Server options during server or replica installation

The Identity Management (IdM) "ipa-server-install" and "ipa-replica-install" commands have been enhanced. The new "--dirsrv-config-file" parameter enables the administrator to change default Directory Server settings used during and after the IdM installation. For example, to disable secure LDAP binds in the mentioned situation:

Create a text file with the setting in LDIF format:

   dn: cn=config
   changetype: modify
   replace: nsslapd-require-secure-binds
   nsslapd-require-secure-binds: off

Start the IdM server installation by passing the "--dirsrv-config-file" parameter and file to the installation script:

   # ipa-server-install --dirsrv-config-file filename.ldif
Clone Of:
(edit)
Last Closed: 2016-11-04 05:43:01 UTC


Attachments (Terms of Use)
console output with verification steps (23.00 KB, text/plain)
2016-09-15 17:01 UTC, Kaleem
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Dmitri Pal 2012-05-25 21:09:35 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/1930

Anonymous access is a setting that makes sense to have a global default during the installation of additional replicas.

Let ipa-replica-prepare add an option in a file that we read in ipa-replica-install.
If the option is present the install will turn off anonymous access during install.

Comment 1 RHEL Product and Program Management 2012-07-10 07:12:52 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Product and Program Management 2012-07-10 23:27:58 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 6 Martin Bašti 2015-10-15 18:13:54 UTC
How to use:

# cat update.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-unauthenticated-binds
nsslapd-allow-unauthenticated-binds: off
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: off
-
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
-
replace: nsslapd-minssf
nsslapd-minssf: 0

# ipa-{server,replica}-install --dirsrv-config-mods=update.ldif

Comment 7 Martin Bašti 2015-10-19 12:21:56 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f4c8c93e7092b341c3ed2e04553dd5afbcc44dc5


Option --dirsrv-config-mods  has been renamed to  --dirsrv-config-file

Comment 8 Mike McCune 2016-03-28 23:03:07 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 10 Kaleem 2016-09-15 16:59:31 UTC
Verified.

IPA Version:
============
[root@dhcp207-130 ~]# rpm -q ipa-server
ipa-server-4.4.0-11.el7.x86_64
[root@dhcp207-130 ~]# 

Please find the attached file for console output of 4 scenarios which have been executed for this.

Comment 11 Kaleem 2016-09-15 17:01 UTC
Created attachment 1201323 [details]
console output with verification steps

Comment 16 errata-xmlrpc 2016-11-04 05:43:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html


Note You need to log in before you can comment on or make changes to this bug.