On Wed, Nov 30, 2011 at 01:20:03PM +0100, Jan Zelený wrote:
On Tue, Nov 22, 2011 at 12:45:14PM +0100, Jan Zelený wrote:
https://fedorahosted.org/sssd/ticket/1075
The only thing is that I'm not sure if 72 is the right default minssf value for the IPA provider, as a default IPA installation works with 56 as the highest possible value for me. In a default SSSD installation, this means that communication with the IPA server will be rejected with no information about the reason being min SSF. I think this will be very confusing to SSSD users.
Can anyone give me a hint how to proceed? Lower the default value in SSSD or do the change in IPA?
Thanks
Jan
The patch itself looks good to me.
I don't know what's causing the problem, though. I think that the SSF requirement is set in the nsslapd-minssf attribute in cn=config on the server side. My (quite recent) IPA server install has the option set to 0, which means "no restrictions".
Rob, is there any other place on the server that sets the SSF values?
Just to clarify, I tested the minssf=56 as working by using ldapsearch, not just SSSD, so the issue is most likely not on our side.
Jan
Looking at the OpenLDAP code, the SSF options can also be manipulated using LDAP_OPT_X_SASL_SECPROPS; maybe the two are in conflict?