https://bugzilla.redhat.com/show_bug.cgi?id=746758
Description of problem: The LDAP standard requires that the rootdse always be available anonymously and unencrypted. 389 DS prevents the lookup when minssf is set and an unencrypted query for the rootdse is performed.

How reproducible: Always

Steps to Reproduce:
1. Set minssf in dse.ldif
2. ldapsearch -x -H ldap://`hostname` -s base -b ""
3. ldap_bind: Server is unwilling to perform (53) additional info: Minimum SSF not met.

Actual results:
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.

Expected results: To return results for the rootdse

Additional info:
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=768086
batch move to milestone 1.2.10.a7
git patch file (master) 0001-Trac-Ticket-168-minssf-should-not-apply-to-rootdse.patch
Fix description: This patch is for supporting a request to allow accessing the rootdse with a lower ssf than the minssf configuration setting.
- introduced an on/off type config parameter: nsslapd-minssf-exclude-rootdse.
- by default, the value is off.
- when it is off, the server's behavior remains intact.
- when it is on, the server allows access to the rootdse even if the ssf value is less than the nsslapd-minssf value.
Reviewed by Rich (Thank you!!)
Pushed to master.
$ git merge trac168
Updating ed87077..48e99c1
Fast-forward
 ldap/servers/slapd/bind.c       | 13 +++++++++++--
 ldap/servers/slapd/connection.c | 10 +++++++++-
 ldap/servers/slapd/libglobs.c   | 35 +++++++++++++++++++++++++++++++++++
 ldap/servers/slapd/modify.c     | 22 ++++++++++++++++++++++
 ldap/servers/slapd/proto-slap.h |  2 ++
 ldap/servers/slapd/search.c     | 29 ++++++++++++++++++++++++++++-
 ldap/servers/slapd/slap.h       |  2 ++
 7 files changed, 109 insertions(+), 4 deletions(-)

$ git push
Counting objects: 23, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (12/12), done.
Writing objects: 100% (12/12), 2.92 KiB, done.
Total 12 (delta 10), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   ed87077..48e99c1  master -> master
Steps to verify:

1. minssf-exclude-rootdse: off

In cn=config, set the following parameters (assume the server is down) and start the server.
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 10
nsslapd-minssf-exclude-rootdse: off

1-1. Simple auth search (-x) by any user against any base dn fails with "Minimum SSF not met".

$ ldapsearch -LLLx -h localhost -p <port> -b "" -s base dn
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.

$ ldapsearch -LLLx -h localhost -p <port> -b "dc=example,dc=com" dn
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.

$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "" -s base dn
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.

$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "dc=example,dc=com" dn
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.
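The fix description and the verification steps above describe a policy: an operation on a connection whose SSF is below nsslapd-minssf is rejected with "Minimum SSF not met" (53), unless nsslapd-minssf-exclude-rootdse is on and the operation is a read of the rootdse. The following is an added example, not code from 389-ds-base or from this ticket: it models that decision in Python against a constructed cn=config fragment so the "off" cases from the verification steps and the "on" exception can be checked side by side. The `Request` type, the `parse_config`/`check_minssf` helpers and the rule that an anonymous bind is also let through when the exclusion is on (so that an `ldapsearch -x -b "" -s base` can actually reach the rootdse) are assumptions of this model, not the server's code paths.

```python
"""Model of the nsslapd-minssf / nsslapd-minssf-exclude-rootdse decision.

Added example (not 389-ds-base code). Config text and requests below are
constructed to mirror the ticket's verification steps.
"""
from dataclasses import dataclass

MINSSF_ATTR = "nsslapd-minssf"
EXCLUDE_ATTR = "nsslapd-minssf-exclude-rootdse"
# Error the ticket shows when the check fails.
UNWILLING = (53, "Minimum SSF not met")


def parse_config(ldif_text):
    """Extract (minssf, exclude_rootdse) from LDIF-style attribute lines.

    Defaults: minssf 0, exclusion off (the default stated in the fix description).
    Rejects any value of the on/off attribute that is not literally on or off.
    """
    minssf, exclude = 0, False
    for line in ldif_text.splitlines():
        if ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip().lower()
        if attr == MINSSF_ATTR:
            minssf = int(value)
        elif attr == EXCLUDE_ATTR:
            if value not in ("on", "off"):
                raise ValueError(f"{EXCLUDE_ATTR}: expected on/off, got {value!r}")
            exclude = value == "on"
    return minssf, exclude


@dataclass
class Request:
    op: str                 # "bind", "search" or "modify" (modelled operations)
    conn_ssf: int           # security strength factor of the connection; 0 = cleartext
    bind_dn: str = ""       # "" = anonymous
    base_dn: str = ""
    scope: str = "base"


def is_rootdse_search(req):
    """A base-scope search with the empty DN as base reads the rootdse."""
    return req.op == "search" and req.base_dn == "" and req.scope == "base"


def check_minssf(req, minssf, exclude_rootdse):
    """Return None when the operation may proceed, else the (code, message) error."""
    if req.conn_ssf >= minssf:
        return None                       # connection is strong enough; no exception needed
    if exclude_rootdse:
        # Model assumption: with the exclusion on, an anonymous bind and a
        # rootdse read pass on a low-SSF connection; everything else is still
        # rejected, including an authenticated simple bind or a subtree search.
        if req.op == "bind" and req.bind_dn == "":
            return None
        if is_rootdse_search(req):
            return None
    return UNWILLING


def evaluate(ldif_text, requests):
    """Run every request against the parsed config; returns one result per request."""
    minssf, exclude = parse_config(ldif_text)
    return [check_minssf(r, minssf, exclude) for r in requests]


# Constructed cn=config fragments matching the verification steps.
CONFIG_OFF = (
    "nsslapd-allow-anonymous-access: on\n"
    "nsslapd-minssf: 10\n"
    "nsslapd-minssf-exclude-rootdse: off\n"
)
CONFIG_ON = CONFIG_OFF.replace("rootdse: off", "rootdse: on")

# The four cleartext (SSF 0) cases from step 1-1, as the bind each one performs
# followed by the search it would issue.
VERIFY_CASES = [
    Request("bind", 0),                                   # ldapsearch -x -b "" -s base
    Request("search", 0),
    Request("bind", 0),                                   # ldapsearch -x -b dc=example,dc=com
    Request("search", 0, base_dn="dc=example,dc=com", scope="sub"),
    Request("bind", 0, bind_dn="cn=directory manager"),   # -D 'cn=directory manager' -b ""
    Request("search", 0, bind_dn="cn=directory manager"),
]

if __name__ == "__main__":
    for label, cfg in (("off", CONFIG_OFF), ("on", CONFIG_ON)):
        print(f"nsslapd-minssf-exclude-rootdse: {label}")
        for req, result in zip(VERIFY_CASES, evaluate(cfg, VERIFY_CASES)):
            print(f"  {req.op:6} bind_dn={req.bind_dn!r:24} base={req.base_dn!r:20} -> "
                  f"{'ok' if result is None else result}")
```

With the exclusion off, every cleartext case is rejected, matching the four "Minimum SSF not met" outputs in step 1-1; with it on, only the anonymous bind and the base search against "" pass, while the subtree search and the Directory Manager simple bind are still refused, which is the behaviour the fix description promises (rootdse reachable, everything else unchanged).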
Added initial screened field value.
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.2.10.a7
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/168
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)