On Tue, 12 Aug 2014, Erinn Looney-Triggs wrote:
> I guess the part I don't get here, is that this setting does not
> disable anonymous access to rootdse it just requires, as far as
> I understand, that TLS or some security be used for the
> connection.
>
> I currently have minssf set to 56 and am able to anonymously bind
> and obtain the rootdse.
This assumes you have CA certificate available so that you can
successfully verify TLS handshake. When you are enrolling a client,
you don't have the certificate yet.


> However, this does bring up one more question in mind, why would the
> initial installer care?
>
> I mean that if the initial connection for ipa-client-install is going
> to be cleartext to what is basically an untrusted source at that point
> why not just ignore CA issues and use a TLS connection anyway? Kind of
> in the vein of the first ssh connection to a new host, the host
> presents its keys and you can choose whether to trust them or not. In
> the installer's case trusting them for an anonymous bind would be just
> as safe as doing an anonymous bind without tls.
>
> Does that make sense?
We need to support old clients which don't have chance to get updated to
support this logic. I think we are pretty much stuck with the existing approach,
given that now we have ability to serve the certificate through LDAP
connection already (it is stored at cn=CACert,cn=ipa,cn=etc,$SUFFIX) and
then the client does use it after downloading to perform actual join
operation against LDAP over TLS.

--
/ Alexander Bokovoy
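The two-step bootstrap Alexander describes, as an added example that is not part of the original thread and not FreeIPA's own code: the client first reads cn=CACert,cn=ipa,cn=etc,$SUFFIX over an anonymous cleartext bind (it has no trust anchor yet, so this step is trust-on-first-use, exactly as in the ssh analogy), converts the value to PEM, and only then opens a TLS connection that is verified against that CA. It assumes the OpenLDAP `ldapsearch` client is installed and that the entry carries the certificate in the `cACertificate;binary` attribute; the LDIF sample, the server name `ipa.example.test` and the `dc=example,dc=test` suffix are constructed for illustration. Printing the SHA-256 fingerprint so an admin can compare it out of band is this example's addition, not something the thread mentions.

```python
"""Fetch the IPA CA certificate anonymously over LDAP, then use it for TLS.

Added example, not FreeIPA code. Assumes `ldapsearch` (OpenLDAP) is present
and the CA entry exposes `cACertificate;binary`.
"""
import base64
import hashlib
import socket
import ssl
import subprocess

# Constructed sample of what `ldapsearch -LLL` prints for the CA entry.
# The base64 payload is a tiny placeholder DER blob, not a real certificate,
# and is folded across two lines to exercise LDIF continuation handling.
SAMPLE_LDIF = """dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=test
objectClass: pkiCA
cACertificate;binary:: MAMC
 AQE=
"""


def ldif_attr_values(ldif_text, attr):
    """Return the raw values of `attr` from LDIF text as a list of bytes.

    Handles LDIF folding (a continuation line starts with one space) and
    base64 values written as `attr:: <b64>`; plain `attr: value` is UTF-8.
    """
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold onto the previous line
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:].strip()))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:].encode())
    return values


def der_to_pem(der):
    """Wrap a DER certificate in PEM armor with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """Colon-separated SHA-256 of the DER, for out-of-band comparison."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_ca_der(server, suffix):
    """Step 1: anonymous (-x) cleartext read of the CA certificate.

    Nothing about this step is authenticated; the client has no CA yet, so
    whatever it receives here is trusted on first use.
    """
    cmd = ["ldapsearch", "-x", "-LLL", "-H", "ldap://" + server,
           "-b", "cn=CACert,cn=ipa,cn=etc," + suffix, "-s", "base",
           "cACertificate;binary"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    vals = ldif_attr_values(out, "cACertificate;binary")
    if not vals:
        raise RuntimeError("cn=CACert entry has no cACertificate;binary value")
    return vals[0]


def tls_context_from_pem(pem_path):
    """Step 2: a context that trusts only the CA just fetched."""
    ctx = ssl.create_default_context(cafile=pem_path)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def ldaps_handshake(server, pem_path):
    """Open LDAPS (636) verified against the fetched CA; return the TLS version."""
    ctx = tls_context_from_pem(pem_path)
    with socket.create_connection((server, 636), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            return tls.version() or "unknown"


if __name__ == "__main__":
    import sys
    server, suffix = sys.argv[1], sys.argv[2]   # e.g. ipa.example.test dc=example,dc=test
    der = fetch_ca_der(server, suffix)
    print("CA SHA-256:", fingerprint(der), "(compare out of band before trusting)")
    with open("ipa-ca.pem", "w") as f:
        f.write(der_to_pem(der))
    print("LDAPS negotiated", ldaps_handshake(server, "ipa-ca.pem"))
```

Run it as `python3 bootstrap_ca.py ipa.example.test dc=example,dc=test`. Only the first request travels in cleartext; once `ipa-ca.pem` exists, everything that matters (the actual join) is done through a verified TLS connection, which is the trade-off the thread settles on.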

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
