author | Rob Crittenden <rcritten@redhat.com> | 2012-03-22 17:19:01 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-03-26 14:26:10 +0200 |
commit | a735420a9ba3d507855a75a1a48f79a2358c7081 (patch) | |
tree | b063bea16f4af55832c9ee794efb50a3b2e300a5 | |
parent | 00ce15b7442914be859c9e0912d0d02a836fe649 (diff) | |
Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.
If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.
https://fedorahosted.org/freeipa/ticket/2542
-rw-r--r-- | install/updates/10-config.update | 4 | ||||
-rw-r--r-- | ipaserver/ipaldap.py | 2 |
2 files changed, 5 insertions, 1 deletions
diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 97fbdef2d..ecddb812f 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -38,3 +38,7 @@ only:nsslapd-anonlimitsdn:'cn=anonymous-limits,cn=etc,$SUFFIX'
 # doesn't support it generates a non-fatal error.
 dn: cn=config
 add:nsslapd-defaultNamingContext:'$SUFFIX'
+
+# Allow the root DSE to be searched even with minssf set
+dn: cn=config
+only:nsslapd-minssf-exclude-rootdse:on
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 8703b5e4b..7174072a6 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -540,7 +540,7 @@ class IPAdmin(IPAEntryLDAPObject):
 # Some attributes, like those in cn=config, need to be replaced
 # not deleted/added.
- FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn')
+ FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn', 'nsslapd-minssf-exclude-rootdse')
 modlist = []
 old_entry = ipautil.CIDict(old_entry) |
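Review bot: The comment added above `only:nsslapd-minssf-exclude-rootdse:on` in 10-config.update says what the setting allows but not what it gives up. With it on, the root DSE (namingContexts, defaultNamingContext, capabilities and similar server metadata) is returned on connections below the configured minssf, which an administrator who raised minssf may not expect. The `only:` directive also appears to replace any existing value each time the update file is applied, so a deployment that deliberately sets the attribute to off would be switched back on by an upgrade; that should be confirmed against the updater and stated here. I would extend the comment to something like `# Root DSE stays readable below nsslapd-minssf (needed for client discovery); 'only:' re-applies "on" at each update run`.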
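Review bot: The `FORCE_REPLACE_ON_UPDATE_ATTRS` tuple in ipaserver/ipaldap.py is now one very long line, so every added cn=config attribute rewrites the whole line and the actual addition is hard to spot in review. Listing one attribute per line with a trailing comma keeps each future change to a single added line. The enclosing method starts and ends outside the hunk, so the code that consults the tuple is not visible. The new name is in lower case like the update file; whether the lookup is case-insensitive, as LDAP attribute names are, should be confirmed there. The excerpt below is at column 0 because the page has lost the original indentation.

```python
# … unchanged: comment explaining why cn=config attributes are replaced …
FORCE_REPLACE_ON_UPDATE_ATTRS = (
    'nsslapd-ssl-check-hostname',
    'nsslapd-lookthroughlimit',
    'nsslapd-idlistscanlimit',
    'nsslapd-anonlimitsdn',
    'nsslapd-minssf-exclude-rootdse',
)
# … unchanged: modlist / old_entry setup …
```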