[Freeipa-devel] [PATCH] 911 ensure confidential minssf
Rob Crittenden
rcritten at redhat.com
Mon Feb 6 17:11:16 UTC 2012
Martin Kosek wrote:
> On Tue, 2011-12-06 at 18:18 -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Ensure that we always use at least 56 for minssf when communicating with
>>> 389-ds. This will prevent someone from modifying /etc/openldap/ldap.conf
>>> in a way to put all communication in the clear.
>>>
>>> See the ticket for testing information.
>>>
>>> rob
>>
>> Note that it should be setting minssf to 56 and not 1 here. I hadn't
>> committed that change yet, I'll fix before pushing if acked.
>>
>> rob
>>
>
> If you mean changing these 2 lines:
> + if minssf<= 0:
> + minssf = 1
>
> to
>
> + if minssf< 56:
> + minssf = 56
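Review bot: the floor in `if minssf< 56:` and `minssf = 56` is a bare literal repeated on both lines; a named constant with a comment saying why 56 was chosen would keep the comparison and the assignment from drifting apart. As quoted, the clamp also raises the value without any log line, so if none follows in the full patch, a message when the configured minssf is below the floor would let an administrator see that ldap.conf is misconfigured or was altered.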
>
> then it's ACK. With this change my "ipa passwd" worked fine even with
> misconfigured ssf settings in ldap.conf.
>
> Martin
>
Yes, that's what I meant. Pushed to master and ipa-2-2.
rob
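
An added example, not part of this thread or of the FreeIPA patch: a small audit of ldap.conf text that flags SSF settings below the floor of 56 discussed above, next to the clamp quoted in the review. It assumes the weak setting arrives through the `SASL_SECPROPS` option with `minssf=`/`maxssf=` properties as described in ldap.conf(5); the function names and the sample file are constructed for illustration.

```python
MIN_SSF_FLOOR = 56  # floor named in the thread


def parse_secprops(conf_text):
    """Return [(line_no, {'minssf': int|None, 'maxssf': int|None})]
    for every SASL_SECPROPS line (option names are case-insensitive)."""
    found = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].upper() != "SASL_SECPROPS":
            continue
        props = {"minssf": None, "maxssf": None}
        for item in parts[1].split(","):
            key, _, value = item.strip().partition("=")
            if key.lower() in props and value.isdigit():
                props[key.lower()] = int(value)
        found.append((line_no, props))
    return found


def audit(conf_text, floor=MIN_SSF_FLOOR):
    """List (line_no, message) for settings that would permit SSF < floor."""
    findings = []
    for line_no, props in parse_secprops(conf_text):
        if props["maxssf"] is not None and props["maxssf"] < floor:
            findings.append((line_no, f"maxssf={props['maxssf']} caps SSF below {floor}"))
        if props["minssf"] is not None and props["minssf"] < floor:
            findings.append((line_no, f"minssf={props['minssf']} is below {floor}"))
    return findings


def clamp_minssf(minssf, floor=MIN_SSF_FLOOR):
    """The clamp quoted in the review: never accept less than the floor."""
    return floor if minssf < floor else minssf


# Constructed sample, not taken from a real host.
SAMPLE = """\
# constructed sample
URI ldaps://ipa.example.test
sasl_secprops minssf=0,maxssf=0
SASL_SECPROPS minssf=128
"""

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"ldap.conf line {line_no}: {message}")
```
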