From 96311d02dd5e068dc2d30a71ee5dbf34bcf29dec Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mar 26 2012 12:26:20 +0000
Subject: Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.

If minssf is set in configuration and this is not set then clients won't be able to detect the available namingContexts, defaultNamingContext, capabilities, etc.

https://fedorahosted.org/freeipa/ticket/2542
---
diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 97fbdef..ecddb81 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -38,3 +38,7 @@ only:nsslapd-anonlimitsdn:'cn=anonymous-limits,cn=etc,$SUFFIX'
 # doesn't support it generates a non-fatal error.
 dn: cn=config
 add:nsslapd-defaultNamingContext:'$SUFFIX'
+
+# Allow the root DSE to be searched even with minssf set
+dn: cn=config
+only:nsslapd-minssf-exclude-rootdse:on
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 9a8d9e1..58b1b92 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -540,7 +540,7 @@ class IPAdmin(IPAEntryLDAPObject):
 # Some attributes, like those in cn=config, need to be replaced
 # not deleted/added.
- FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn')
+ FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn', 'nsslapd-minssf-exclude-rootdse')
 modlist = []
 old_entry = ipautil.CIDict(old_entry)
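Review bot: The comment on the new `only:nsslapd-minssf-exclude-rootdse:on` block explains the mechanism but not its consequence, which a later administrator reading 10-config.update will want: once this is set, whatever the root DSE publishes (namingContexts, defaultNamingContext, supported mechanisms and controls, and similar) is readable over connections that do not meet the configured minimum SSF, by design, so those values must be treated as public. Suggested comment in place of the one-liner: `# Allow the root DSE to be searched even with minssf set. This intentionally exposes the rootDSE attributes (naming contexts, capabilities, etc.) to connections below the minimum SSF so that clients can discover the server; it is expected to affect only the root DSE, not entries under $SUFFIX.` The defaultNamingContext entry just above carries a note that a 389-ds release without the attribute produces a non-fatal error; the new entry does not say whether the same holds for nsslapd-minssf-exclude-rootdse, and the comment would be more useful if it stated what an older DS does with it.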