[Freeipa-devel] [PATCH] 767 fix ipa-nis-manage

Rob Crittenden rcritten at redhat.com
Fri Apr 8 17:12:22 UTC 2011


JR Aquino wrote:
>
> On Apr 8, 2011, at 8:56 AM, "JR Aquino"<JR.Aquino at citrix.com>  wrote:
>
>> On Apr 8, 2011, at 8:53 AM, "Rob Crittenden"<rcritten at redhat.com>  wrote:
>>
>>> JR Aquino wrote:
>>>>
>>>> On Apr 8, 2011, at 8:03 AM, Rob Crittenden wrote:
>>>>
>>>>>> On Apr 8, 2011, at 7:24 AM, "Rob Crittenden"<rcritten at redhat.com>    wrote:
>>>>>>
>>>>>>> ipa-nis-manage was failing because root has very limited capabilities when binding over ldapi because of autobind. So don't use ldapi.
>>>>>>>
>>>>>>> Also force this to be run as root since we start/stop and configure/unconfigure services.
>>>>>>>
>>>>>>> ticket 1157
>>>>>>>
>>>>>>> rob
>>>>>>> <freeipa-rcrit-767-nis.patch>
>>>>
>>>>> JR Aquino wrote:
>>>>>> Does this imply the use of ldap with tls now or just standard ldap?
>>>>>>
>>>>>> There was a previous ticket that changed this and many other tools such that they used ldapi to accommodate FreeIPA with a minssf set.
>>>>>
>>>>> It uses 389, no TLS.
>>>>>
>>>>> rob
>>>>
>>>> Is there a way to solve both problems?
>>>>
>>>> #1 Autobind limits root ->   ldapi
>>>> #2 IPA Tools should not fail when 389ds:dse.ldif has minssf set?
>>>>
>>>> -Fixed the top posting. Sorry about that.-
>>>
>>> Maybe, I also want to apply an appropriate level of effort. In reality this command is going to be run 1 or 2 times in the lifetime of an IPA server.
>>>
>>> rob
>>
>> Fair enough. The minssf gate should apply to the pieces that have a higher usage frequency.
>>
> Does the limitation of autobind with root mean that all of the tools that use ldapi need to be revisited and turned back to 389?

ipa-host-net-manage and ipa-compat-manage work ok for me with this patch applied.

rob
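
The trade-off discussed in this thread (plain LDAP on 389 versus ldapi when minssf is set) can be checked against a server's dse.ldif. The following is an added example, not part of the thread or of the FreeIPA patch. It assumes that a plain connection on 389 without StartTLS or SASL has SSF 0, and that LDAPI connections are assigned the value of nsslapd-localssf. The function names and the sample LDIF are constructed for illustration.

```python
# Added example; SAMPLE_DSE is constructed, not taken from a real server.
DEFAULT_MINSSF = 0     # 389-ds default for nsslapd-minssf
DEFAULT_LOCALSSF = 71  # 389-ds default for nsslapd-localssf (SSF given to LDAPI)
PLAIN_LDAP_SSF = 0     # assumption: port 389 with no StartTLS/SASL layer

SAMPLE_DSE = """\
dn: cn=config
objectClass: top
nsslapd-port: 389
nsslapd-ldapiautobind: on
nsslapd-minssf: 56

dn: cn=example,cn=config
nsslapd-minssf: 0
"""


def parse_config_entry(ldif_text):
    """Return the attributes (lower-cased names) of the cn=config entry only."""
    lines = []
    for raw in ldif_text.splitlines():
        # LDIF folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs, in_config = {}, False
    for line in lines:
        if not line.strip():          # blank line ends the current entry
            in_config = False
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                in_config = value.lower() == "cn=config"
            elif in_config:
                attrs.setdefault(name, value)
    return attrs


def transport_report(ldif_text):
    """Say which transports satisfy the configured minimum SSF."""
    cfg = parse_config_entry(ldif_text)
    minssf = int(cfg.get("nsslapd-minssf", DEFAULT_MINSSF))
    localssf = int(cfg.get("nsslapd-localssf", DEFAULT_LOCALSSF))
    return {"minssf": minssf,
            "ldap_389_plain": PLAIN_LDAP_SSF >= minssf,
            "ldapi": localssf >= minssf}


if __name__ == "__main__":
    print(transport_report(SAMPLE_DSE))
```
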
