[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?
Simo Sorce
simo at redhat.com
Thu Jun 19 14:26:09 UTC 2014
On Thu, 2014-06-19 at 17:24 +0300, Alexander Bokovoy wrote:
> On Thu, 19 Jun 2014, Simo Sorce wrote:
> >On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
> >> On Thu, 19 Jun 2014, Simo Sorce wrote:
> >> >> >> and named successfully started, with 389-ds showing autobind to the same
> >> >> >> krprincipalname=dns/... in the logs.
> >> >> >
> >> >> >why do we need to associate bind to dns/whatever ??
> >> >> Because we already have ACIs given to dns/hostname to handle DNS
> >> >> entries.
> >> >
> >> >Which are easy to change on upgrade.
> >> >
> >> >> >we can have a sysaccount called named, like we did for kerberos before
> >> >> >we had the ipa-kdb driver.
> >> >> A modification of DNS service with 'ipa service-mod' is all what we
> >> >> need for single node case, I tried it.
> >> >
> >> >I do not like it at all, plus each server has a different object and
> >> >they would all be duplicates. I prefer very much a single, passwordless
> >> >special user in sysconfig, added to the same group that control access
> >> >for the DNS tree.
> >> autobind needs uidNumber=<uid>+gidNumber=<gid> search to resolve to a
> >> single entry. Given that replicas might be running on machines where
> >> 'named' user could deviate (think Fedora, RHEL, and Debian), there will
> >> still be multiple 'named' sysaccounts and the whole story will break. I
> >> don't see how this helps compared to having DNS/hostname principal
> >> object extended to cover uidNumber/gidNumber.
> >
> >This is not really a huge issue.
> >We need to allow access to the DNS tree to a group, so all we need is
> >for install/upgrade script to check what is the named user on the system
> >and create a corresponding system account.
> So, now we'll have to manage multiple named accounts named what,
> 'named1', 'named2', ... ? How to manage them?
what is there to manage ?
> One solution could be to have multi-value uidNumber/gidNumber
> attributes...
nope, you just need to create a new object only if one does not exist
with the same uidNumber, and add it to the group we use for ACIs on DNS.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list