#1930 [RFE] Replica installation should provide a means for inheriting nssldap security access settings
Closed: Fixed None Opened 10 years ago by jraquino.

Anonymous access is a setting that makes sense to have a global default during the installation of additional replicas.

Let ipa-replica-prepare add an option in a file that we read in ipa-replica-install.
If the option is present the install will turn off anonymous access during install.

JR would you be able to pull it off in Oct for 3.0?

Simo had originally asked me to open this ticket for him as he was working on something connected.

JR we are considering deferring this till later. Are you OK with this?

JR, we defer it until you have time to do the work.

Moving to next month iteration.

I work on similar ticket #4949 that also resolves this ticket.
I'm taking ownership of this ticket.

The patchset allows to update configuration of DS at the start of directory server install.


  • 63638ac Make offline LDIF modify more robust
  • 65c89cc Add method to read changes from LDIF
  • ae23432 Add option to specify LDIF file that contains DS configuration changes
  • 5233165 CI: installation with customized DS config

How to use:

# cat update.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-unauthenticated-binds
nsslapd-allow-unauthenticated-binds: off
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: off
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
replace: nsslapd-minssf
nsslapd-minssf: 0

# ipa-{server,replica}-install --dirsrv-config-file=update.ldif


  • f4c8c93 Rename option --dirsrv-config-mods to --dirsrv-config-file

Metadata Update from @jraquino:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.3

5 years ago

Login to comment on this ticket.