#3468 ipa-ldap-updater can fail if minssf is > 0
Closed: Fixed None Opened 11 years ago by rcritten.

If the minssf is > 0 and you try to run ipa-ldap-updater with a password it will fail.

# ldapmodify -x -D 'cn=directory manager' -w password 
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 56

# ipa-ldap-updater install/updates/55-pbacmemberof.update 
Directory Manager password:

Unexpected error - see /var/log/ipaupgrade.log for details:
DatabaseError: Server is unwilling to perform: Minimum SSF not met. arguments: base="cn=config,cn=ldbm database,cn=plugins,cn=config", scope=0, filterstr="(objectclass=*)"

At a minimum we should not do a simple bind using DM password on a non-secure connection.


It is actually a valid error that needs to be fixed, as hardening is recommended. Without the attached patch, the schema update was failing for me, as it was missing the passthrough of the ldapi value.

master:

  • a9fe37e ipa-ldap-updater: make possible to use LDAPI with autobind in case of hardened LDAP configuration
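The guard the ticket asks for (no simple bind with the Directory Manager password over a non-secure connection, LDAPI autobind instead), as an added example that is not the FreeIPA patch or code from this ticket. It assumes python-ldap for the actual connection; `ldapi_uri`, `plan_bind`, `connect` and `InsecureBindError` are hypothetical names.

```python
# Added example: helper names are assumptions, not ipa-ldap-updater code.
from urllib.parse import quote, urlparse


class InsecureBindError(Exception):
    """A password bind was requested over an unprotected connection."""


def ldapi_uri(socket_path):
    # ldapi:// URLs carry the UNIX socket path percent-encoded in the host part.
    return "ldapi://" + quote(socket_path, safe="")


def plan_bind(uri, start_tls=False):
    """Pick the bind mechanism for uri; refuse a simple bind in cleartext."""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ldapi":
        return "EXTERNAL"  # autobind: server maps the peer uid, no password sent
    if scheme == "ldaps" or (scheme == "ldap" and start_tls):
        return "SIMPLE"    # password travels inside TLS
    if scheme == "ldap":
        raise InsecureBindError("refusing simple bind over plain ldap://")
    raise ValueError("unsupported scheme: %r" % scheme)


def connect(uri, bind_dn=None, password=None, start_tls=False):
    """Open and bind a python-ldap connection according to plan_bind()."""
    mech = plan_bind(uri, start_tls)  # raises before any socket is opened
    import ldap
    import ldap.sasl                  # python-ldap, imported lazily
    conn = ldap.initialize(uri)
    if mech == "EXTERNAL":
        conn.sasl_interactive_bind_s("", ldap.sasl.external())
    else:
        if start_tls:
            conn.start_tls_s()
        conn.simple_bind_s(bind_dn, password)
    return conn
```

`connect()` has to run as a local user the directory server maps to a DN for the `EXTERNAL` path to succeed; the socket path passed to `ldapi_uri()` depends on the instance and is not given on this page.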

Metadata Update from @rcritten:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.0 GA

7 years ago
