[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Simo Sorce simo at redhat.com
Thu Jun 19 14:16:15 UTC 2014


On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
> On Thu, 19 Jun 2014, Simo Sorce wrote:
> >> >> and named successfully started, with 389-ds showing autobind to the same
> >> >> krprincipalname=dns/... in the logs.
> >> >
> >> >why do we need to associate bind to dns/whatever ??
> >> Because we already have ACIs given to dns/hostname to handle DNS
> >> entries.
> >
> >Which are easy to change on upgrade.
> >
> >> >we can have a sysaccount called named, like we did for kerberos before
> >> >we had the ipa-kdb driver.
> >> A modification of DNS service with 'ipa service-mod' is all that we
> >> need for the single node case, I tried it.
> >
> >I do not like it at all, plus each server has a different object and
> >they would all be duplicates. I prefer very much a single, passwordless
> >special user in sysconfig, added to the same group that controls access
> >for the DNS tree.
> autobind needs the uidNumber=<uid>+gidNumber=<gid> search to resolve to a
> single entry. Given that replicas might be running on machines where the
> 'named' user could deviate (think Fedora, RHEL, and Debian), there will
> still be multiple 'named' sysaccounts and the whole story will break. I
> don't see how this helps compared to having the DNS/hostname principal
> object extended to cover uidNumber/gidNumber.

This is not really a huge issue.
We need to allow access to the DNS tree to a group, so all we need is
for the install/upgrade script to check what the named user on the system
is and create a corresponding system account.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
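The two constraints discussed in this thread, modelled as an added example that is not FreeIPA project code and not from either poster: 389-ds LDAPI autobind maps the connecting process's uid/gid to exactly one directory entry (Alexander's point), and an install/upgrade step can look up the local `named` user and create a matching passwordless system account in the group that carries the DNS ACIs (Simo's proposal). The suffix, the `cn=sysaccounts,cn=etc` container, the `posixAccount` object class and the group DN are assumptions and placeholders, not values from the thread; the existing entries are constructed sample data.

```python
# Added example (not FreeIPA code, not from the thread): models the LDAPI
# autobind rule (uidNumber + gidNumber must match exactly one entry) and the
# install/upgrade step that creates a per-host system account for named.
import pwd
from collections import namedtuple
from typing import Callable, Dict, List, Optional, Tuple

SUFFIX = "dc=example,dc=test"                    # assumption: test suffix
SYSACCOUNTS = f"cn=sysaccounts,cn=etc,{SUFFIX}"  # assumption: system account container
# Placeholder: the thread does not name the group that holds the DNS ACIs.
DNS_GROUP = f"cn=DNS-ACL-GROUP-PLACEHOLDER,cn=groups,cn=accounts,{SUFFIX}"

Entry = Dict[str, str]
PwRecord = namedtuple("PwRecord", "pw_uid pw_gid")  # stand-in for pwd records offline

# Constructed sample directory contents: two replicas already created accounts
# for their distribution's BIND user, whose uid/gid differ between distros.
EXISTING: List[Entry] = [
    {"dn": f"uid=named-fedora,{SYSACCOUNTS}", "uidNumber": "25", "gidNumber": "25"},
    {"dn": f"uid=bind-debian,{SYSACCOUNTS}", "uidNumber": "104", "gidNumber": "111"},
]


def _matches(entries: List[Entry], uid: int, gid: int) -> List[Entry]:
    return [e for e in entries
            if e.get("uidNumber") == str(uid) and e.get("gidNumber") == str(gid)]


def autobind_lookup(entries: List[Entry], uid: int, gid: int) -> Optional[Entry]:
    """Autobind resolves the peer's uid/gid to exactly one entry; zero or
    several matches means no automatic bind (the 'whole story breaks' case)."""
    found = _matches(entries, uid, gid)
    return found[0] if len(found) == 1 else None


def local_named_identity(name: str = "named",
                         lookup: Callable[[str], object] = pwd.getpwnam) -> Tuple[int, int]:
    """The check the install script would make: uid/gid of the named user on
    this host, whatever the distribution chose. `lookup` is injectable so the
    function can be exercised on a host without a named user."""
    pw = lookup(name)
    return pw.pw_uid, pw.pw_gid


def sysaccount_ldif(uid: int, gid: int, cn: str) -> str:
    """LDIF for a passwordless system account carrying uidNumber/gidNumber
    (posixAccount is an assumption; any class allowing both attributes works),
    followed by the membership change on the group that holds the DNS ACIs."""
    dn = f"uid={cn},{SYSACCOUNTS}"
    add = "\n".join([
        f"dn: {dn}", "changetype: add",
        "objectClass: account", "objectClass: posixAccount",
        f"uid: {cn}", f"cn: {cn}",
        f"uidNumber: {uid}", f"gidNumber: {gid}",
        "homeDirectory: /", "loginShell: /sbin/nologin",
    ])
    member = "\n".join([f"dn: {DNS_GROUP}", "changetype: modify",
                        "add: member", f"member: {dn}"])
    return add + "\n\n" + member + "\n"


def plan_sysaccount(existing: List[Entry], uid: int, gid: int,
                    cn: str = "named") -> Tuple[str, str]:
    """Decide the install/upgrade action for this host's named uid/gid:
    'exists'   - one entry already maps this pair, reuse it (adding another
                 would make autobind ambiguous);
    'conflict' - several entries already match, autobind cannot work until
                 the duplicates are removed;
    'create'   - no entry matches, return the LDIF to add one."""
    found = _matches(existing, uid, gid)
    if len(found) > 1:
        return "conflict", ""
    if len(found) == 1:
        return "exists", found[0]["dn"]
    return "create", sysaccount_ldif(uid, gid, cn)


if __name__ == "__main__":
    try:
        uid, gid = local_named_identity("named")
    except KeyError:  # no named user on this host: fall back to constructed values
        uid, gid = 53, 53
    action, detail = plan_sysaccount(EXISTING, uid, gid)
    print(action)
    print(detail)
```

Run on a replica, `plan_sysaccount` returns `create` with the LDIF for the first host of a given uid/gid pair and `exists` for later hosts that share it, so the number of system accounts grows only with the number of distinct named uid/gid pairs across the deployment rather than with the number of replicas.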
