[Freeipa-users] FreeIPA gitolite integration
Martin Kosek
mkosek at redhat.com
Fri May 17 07:17:32 UTC 2013
On 05/16/2013 07:32 PM, Natxo Asenjo wrote:
> On Thu, May 16, 2013 at 6:48 PM, William Muriithi <william.muriithi at gmail.com> wrote:
>
> > Afternoon,
> >
> > Got a question. I know FreeIPA does not allow anonymous binding, so one
> > needs to create an account to query for such information. I did this during
> > the sudo setup.
>
> unless you have changed it yourself (or stuff has changed in the standard
> installation since v2.2 when I installed my ipa servers) anonymous binding is
> allowed. But you cannot query group membership of the users IIRC anonymously.

Correct. To disable anonymous binds, you can check:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/disabling-anon-binds.html

> > I am trying to get git to use FreeIPA today and I am trying to figure out where
> > the bind user should be created under. This has got to be a system account, so
> > I am not sure it should go under the normal user dn below. And even if I
> > created it as a normal user, I am not sure it would have permission to
> > traverse the tree looking for the group user details
> >
> > dn: uid=william,cn=users,cn=compat,dc=example,dc=com
>
> system accounts like sudo are in cn=sysaccounts,cn=etc,dc=domain,dc=tld ; but
> you can create them wherever you like I think. If you create a normal ipa
> account with the ipa tools, you can always modify the krbPasswordExpiration
> attribute manually and have it expire in the year 3000 so it does not get
> disabled until then ;-)

I am currently not familiar with how git+LDAP works, but you could also add
a service for it like "git/your.host.with.git at YOUR.REALM", get a keytab for it
and then let git use it to authenticate to FreeIPA.
Martin
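
Added example, not part of the original message: a shell helper that generates the LDIF for a dedicated bind account under the cn=sysaccounts,cn=etc container mentioned in the thread, following the layout commonly documented for FreeIPA system accounts. The account name gitolite, the domain example.com and the server name in the usage comment are assumptions; the password is read from stdin and base64-encoded so it stays out of argv and survives LDIF parsing.

```shell
#!/bin/sh
# Added example: LDIF generator for a read-only LDAP bind account.
# Assumed names (not from the thread): account "gitolite", domain example.com.
#
# Typical use (server name is a placeholder):
#   sysaccount_ldif gitolite example.com < /root/gitolite.pw |
#       ldapmodify -x -D 'cn=Directory Manager' -W -H ldaps://ipa.example.com

# domain_to_basedn example.com  ->  dc=example,dc=com
domain_to_basedn() {
    printf '%s\n' "$1" | sed -e 's/\./,dc=/g' -e 's/^/dc=/'
}

# sysaccount_ldif ACCOUNT DOMAIN   (password on stdin, first line only)
sysaccount_ldif() {
    acct=$1
    domain=$2
    # Refuse anything that would need DN escaping or could alter the DN.
    case $acct in
        ''|*[!a-z0-9_-]*) echo "invalid account name" >&2; return 1 ;;
    esac
    case $domain in
        ''|*[!a-z0-9.-]*) echo "invalid domain" >&2; return 1 ;;
    esac
    # Accept input with or without a trailing newline; reject empty input.
    IFS= read -r pw || [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    base=$(domain_to_basedn "$domain")
    # "attr:: value" marks a base64 value in LDIF.
    pw64=$(printf '%s' "$pw" | base64 | tr -d '\n')
    cat <<EOF
dn: uid=$acct,cn=sysaccounts,cn=etc,$base
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $acct
userPassword:: $pw64
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}
```

The resulting account has no Kerberos principal and no POSIX attributes, so it can only perform simple binds; gitolite's LDAP lookup would then bind as this DN instead of anonymously.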