If the minssf is > 0 and you try to run ipa-ldap-updater with a password it will fail.
    # ldapmodify -x -D 'cn=directory manager' -w password
    dn: cn=config
    changetype: modify
    replace: nsslapd-minssf
    nsslapd-minssf: 56

    # ipa-ldap-updater install/updates/55-pbacmemberof.update
    Directory Manager password:
    Unexpected error - see /var/log/ipaupgrade.log for details:
    DatabaseError: Server is unwilling to perform: Minimum SSF not met. arguments: base="cn=config,cn=ldbm database,cn=plugins,cn=config", scope=0, filterstr="(objectclass=*)"
At a minimum we should not do a simple bind using DM password on a non-secure connection.
It is actually a valid error that needs to be fixed, as hardening is recommended. Without the attached patch, the schema update was failing for me, as it was missing the passthrough of the ldapi value.
attachment 0001-ipa-ldap-updater-make-possible-to-use-LDAPI-with-aut.patch
master:
Metadata Update from @rcritten: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.0 GA
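A pre-flight check of the kind this ticket asks for, as an added example (not code from FreeIPA or from the attached patch): it selects LDAPI with SASL EXTERNAL autobind when running as root and refuses a password bind over plain ldap://, where a server with nsslapd-minssf > 0 would reject it anyway. The function names and the policy are assumptions of this example; `connect()` requires python-ldap.

```python
from urllib.parse import urlparse


class InsecureBindError(Exception):
    """Raised instead of sending a password over a connection the policy forbids."""


def plan_bind(uri, *, starttls=False, have_password=False, euid=1000):
    """Return the bind method for `uri`, or raise InsecureBindError.

    Policy (an assumption of this example, modelled on the ticket):
      ldapi:// as root               -> SASL EXTERNAL autobind, no password
      ldaps:// or ldap:// + StartTLS -> simple bind with the password
      plain ldap://                  -> refused: the password would travel in
                                        clear text (SSF 0)
    """
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ldapi":
        if euid == 0:
            return "sasl-external"
        if have_password:
            return "simple"  # UNIX socket: the password never leaves the host
        raise InsecureBindError("ldapi autobind needs root or a password")
    if scheme == "ldaps" or (scheme == "ldap" and starttls):
        if not have_password:
            raise InsecureBindError("no credentials supplied for %s" % uri)
        return "simple"
    if scheme == "ldap":
        raise InsecureBindError("refusing simple bind over unencrypted %s" % uri)
    raise ValueError("unsupported LDAP URI scheme: %r" % scheme)


def connect(uri, dn=None, password=None, starttls=False):
    """Open and bind a python-ldap connection according to plan_bind()."""
    import os
    import ldap, ldap.sasl  # python-ldap, imported lazily; plan_bind() needs none of it
    # Decide before any network traffic, so a refused plan sends nothing.
    method = plan_bind(uri, starttls=starttls,
                       have_password=password is not None, euid=os.geteuid())
    conn = ldap.initialize(uri)
    if starttls and uri.lower().startswith("ldap://"):
        conn.start_tls_s()  # upgrade the connection before any credentials are sent
    if method == "sasl-external":
        conn.sasl_interactive_bind_s("", ldap.sasl.external())
    else:
        conn.simple_bind_s(dn, password)
    return conn
```
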