[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Simo Sorce simo at redhat.com
Thu Jun 19 13:28:12 UTC 2014


On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
> Hello list,
> 
> the thread "named's LDAP connection hangs" on freeipa-users list [1] opened 
> the question "Why do we use Kerberos for the named<->DS connection? Named connects 
> over LDAPI to the local DS instance anyway."
> 
> Maybe we can get rid of Kerberos for this particular connection and use 
> autobind instead. It would make it more reliable and effective.
> 
> As a side effect, named will be able to start even if KDC is down for some 
> reason. It partially solves chicken-egg problem during IPA start-up.
> 
> I wasn't around when bind-dyndb-ldap was designed so I don't know the 
> historical reasons.
> 
> [1] https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html

I would be in favor if we can make bind run as an unprivileged user
instead of root. Can we do that?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
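As an added illustration, not part of the thread, this is the 389 DS side of the autobind proposal: an LDIF fragment that enables LDAPI autobind and maps the connecting process's uid/gid to a directory entry. The instance name EXAMPLE-COM and the suffix dc=example,dc=com are assumptions; the nsslapd-ldapimaprootdn line is why Simo's condition matters, since a client connecting as uid 0 is bound as the root DN rather than as a least-privileged service entry.

```ldif
# Constructed example: enable the LDAPI socket and autobind on a 389 DS instance.
# Applied with ldapmodify against cn=config; attribute names are 389 DS's own,
# the instance name and suffix are assumptions for this example.
dn: cn=config
changetype: modify
replace: nsslapd-ldapilisten
nsslapd-ldapilisten: on
-
replace: nsslapd-ldapifilepath
nsslapd-ldapifilepath: /var/run/slapd-EXAMPLE-COM.socket
-
# Autobind: the peer uid/gid of the Unix socket picks the bind identity,
# so no password and no Kerberos ticket are needed for a local client.
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
# Map the peer uid/gid to an entry carrying matching uidNumber/gidNumber
# under the search base; named's service entry would get the named uid/gid.
replace: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
replace: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
replace: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber
-
replace: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: dc=example,dc=com
-
# Caveat: uid 0 does not go through the entry mapping; it is bound as this DN.
# A named process running as root would therefore hold Directory Manager
# rights over LDAPI, which is the least-privilege concern raised above.
replace: nsslapd-ldapimaprootdn
nsslapd-ldapimaprootdn: cn=Directory Manager
```

With this in place, named's own entry only needs the ACIs required for the DNS subtree, and the access it gets is decided by the uid it runs under rather than by a keytab.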
