[Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

Simo Sorce ssorce at redhat.com
Wed Jan 19 17:20:25 UTC 2011


On Wed, 19 Jan 2011 16:18:09 +0000
JR Aquino <JR.Aquino at citrix.com> wrote:

> On 1/18/11 4:02 PM, "Simo Sorce" <ssorce at redhat.com> wrote:
> 
> >
> >We need to use authenticated ldap binds in init scripts as otherwise
> >starting components fails when the option to restrict anonymous
> >access to ldap is set.
> >
> >In order to do that we need to also start the KDC unconditionally, so
> >it has been removed from the list of services retrieved from ldap and
> >always started/stopped/restarted explicitly in the script.
> >This is necessary so the script can obtain kerberos credentials to
> >bind to ds using its keytab.
> >
> >Fixes ticket #795
> >
> >Simo.
> >
> >-- 
> >Simo Sorce * Red Hat, Inc * New York
> 
> 
> ACK
> 

Thanks, but Rich pointed me to the docs I couldn't find earlier in order
to use SASL/EXTERNAL instead of actual credentials.

So I'll hold on this patch and try to propose an alternative that
does not require SASL/GSSAPI auth. If that will be possible and
satisfactory I will retire this patch and propose a new one, otherwise
I'll push this one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



