I was wondering if anyone noticed while installing FreeIPA on any of their machines, whether or not their SELinux Booleans were affected? I installed this in a test environment and nothing broke. However, when installed in my production environment, an important SEBoolean was changed:
"authlogin_nsswitch_use_ldap --> on"
This particular boolean was changed to off, breaking logins for an application running on the server that required connecting to an LDAP server.
I've figured out what broke, now I'm just trying to figure out what caused it to change. Is this something FreeIPA would normally change? I only ask because I've installed this on about 30 systems and only this one was affected, but LDAP also isn't used on many of the other servers. Any insight would be appreciated.
Thanks
Eric Scholwin via FreeIPA-users wrote:
> I was wondering if anyone noticed while installing FreeIPA on any of their machines, whether or not their SELinux Booleans were affected? I installed this in a test environment and nothing broke. However, when installed in my production environment, an important SEBoolean was changed:
> "authlogin_nsswitch_use_ldap --> on"
> This particular boolean was changed to off, breaking logins for an application running on the server that required connecting to an LDAP server.
> I've figured out what broke, now I'm just trying to figure out what caused it to change. Is this something FreeIPA would normally change? I only ask because I've installed this on about 30 systems and only this one was affected, but LDAP also isn't used on many of the other servers. Any insight would be appreciated.
It is likely authconfig making the change.
I don't believe ipa-client-install explicitly disables ldap so I'm guessing authconfig is doing it when it enables sssd and sssdauth.
rob
Interesting thought, I figured something had to have changed it, but what would cause this to occur on my production box and not my test box? Both boxes needed to install the exact same packages and dependencies, but this didn't occur on the test box, only the production box. Going to dig further on this either way, thanks for your input.
Eric
On (23/01/18 15:01), Eric Scholwin via FreeIPA-users wrote:
> Interesting thought, I figured something had to have changed it, but what would cause this to occur on my production box and not my test box? Both boxes needed to install the exact same packages and dependencies, but this didn't occur on the test box, only the production box. Going to dig further on this either way, thanks for your input.
And a few SELinux booleans are changed in scriptlets. Not directly in ipa but in required packages,
e.g. https://git.centos.org/blob/rpms!bind-dyndb-ldap.git/fd9006926e5457f367ae623...
LS