[Freeipa-users] ldap-filter, LDAP_MATCHING_RULE_IN_CHAIN, apache 2.2

Jan-Frode Myklebust janfrode at tanso.net
Fri Mar 22 14:20:09 UTC 2013


On Fri, Mar 22, 2013 at 09:59:14AM -0400, Dmitri Pal wrote:

> Because anonymous binds are rightly turned off by default,

They are? I don't think I've ever explicitly turned on anonymous binds,
and my directories are open to anonymous searches. The confusing thing is
that not all attributes are available when doing anonymous binds. Is
there any way to configure how open we want the directory to be?

> The best would have been for apache to support GSSAPI for that matter
> but based on the link you sent this is not the case.
> IMO you should file an RFE for them to support GSSAPI bind and not only
> bind with the password.

Newer apache supports nested groups, and all the needed attributes for
that seem to be available through anonymous binds, so no GSSAPI is
needed (for us) there.

IMHO it seems inconsistent that the memberOf attribute is hidden for anonymous
searches on the user, but the "member" attribute on groups is not. Same
information, different places in the tree.


  -jf
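
The point made in the message above (group "member" values carry the same information as a hidden memberOf), as an added example that is not part of the original post: a small audit script that takes the LDIF from an anonymous search and reports every entry whose memberOf is absent yet fully derivable from readable "member" values, including nested groups. The DNs and the LDIF are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample shaped like an anonymous search result: the user entry
# shows no memberOf, while the group entries still show member.
ANON_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice

dn: cn=webadmins,cn=groups,cn=accounts,dc=example,dc=test
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: cn=staff,cn=groups,cn=accounts,dc=example,dc=test
member: cn=webadmins,cn=groups,cn=accounts,dc=example,dc=test
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test
"""

def parse_ldif(text):
    """Parse plain LDIF (folded lines joined, no base64) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs[key.lower()].append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def derived_member_of(entries):
    """Invert member -> memberOf and follow nested groups transitively."""
    direct = defaultdict(set)
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            direct[member.lower()].add(dn)

    def closure(dn, seen):
        for group in direct.get(dn, ()):
            if group not in seen:  # guards against membership cycles
                seen.add(group)
                closure(group, seen)
        return seen

    return {dn: closure(dn, set()) for dn in set(entries) | set(direct)}

def exposure_report(entries):
    """Entries whose memberOf is not shown but can be rebuilt from member."""
    return {dn: sorted(groups) for dn, groups in derived_member_of(entries).items()
            if groups and "memberof" not in entries.get(dn, {})}

if __name__ == "__main__":
    for dn, groups in sorted(exposure_report(parse_ldif(ANON_LDIF)).items()):
        print(dn, "->", groups)
```

An empty report means the two attributes are restricted consistently for the bind identity that produced the LDIF.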



