[Freeipa-devel] [PATCH] 767 fix ipa-nis-manage

Rob Crittenden rcritten at redhat.com
Mon Apr 11 17:51:31 UTC 2011


Simo Sorce wrote:
> On Fri, 08 Apr 2011 13:12:22 -0400
> Rob Crittenden<rcritten at redhat.com>  wrote:
>
>> JR Aquino wrote:
>
>>> Does the limitation of autobind with root mean that all of the
>>> tools that use ldapi need to be revisited and turned back to 389?
>>
>> ipa-host-net-manage and ipa-compat-manage work ok for me with this
>> patch applied.
>
> NACK
> autobind comes into play only when SASL_EXTERNAL auth is used,
> the krb5kdc binds as uid=kdc over ldapi w/o any issue.
>
> If these tools are having a problem with ldapi, it is most probably an
> underlying bug in our ldap wrappers, as these tools should bind as
> Directory Manager using simple auth not doing SASL_EXTERNAL auth.
>
> Simo.
>

The root user cannot use ldapi because of the autobind configuration. 
Fall back to a standard GSSAPI sasl bind if the external bind fails. 
With --ldapi a regular user may be trying this as well, catch that and 
report a reasonable error message.

This also gives priority to the DM password if it is passed in.

Also require the user be root to run the ipa-nis-manage command. We 
enable/disable and start/stop services which need to be done as root.

Add a new option to ipa-ldap-updater to prompt for the DM password. 
Remove restriction to be run as root except when doing an upgrade.

Ticket 1157

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-767-2-nis.patch
Type: application/mbox
Size: 7698 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110411/755c1b50/attachment.mbox>
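The bind order Rob's description lays out (DM password first, then SASL EXTERNAL over ldapi, then a GSSAPI fallback for root, and a clear error for an unprivileged user), as an added example in Python that is not FreeIPA's code and not the attached patch. The adapter method names (sasl_external_bind, sasl_gssapi_bind, simple_bind), the FakeConn stand-in and the error strings are this example's own assumptions; the python-ldap calls wrapped in PythonLdapConn (ldap.initialize, sasl_interactive_bind_s with ldap.sasl.external()/ldap.sasl.gssapi(), simple_bind_s) are the real library API.

```python
"""Bind-order policy for an IPA admin tool talking to 389-ds over ldapi.

Added example, not FreeIPA's own code.  The connection interface used by
bind_with_fallback (sasl_external_bind / sasl_gssapi_bind / simple_bind)
is this example's own adapter, not python-ldap's API.
"""
import os

DM_DN = "cn=Directory Manager"


class BindError(Exception):
    """No usable bind method for this invocation."""


def bind_with_fallback(conn, dm_password=None, ldapi=True, euid=None):
    """Bind conn and return the method used: 'simple', 'external' or 'gssapi'."""
    euid = os.geteuid() if euid is None else euid
    # 1. An explicit DM password takes priority over any SASL method.
    if dm_password:
        conn.simple_bind(DM_DN, dm_password)
        return "simple"
    if not ldapi:
        raise BindError("no Directory Manager password supplied and "
                        "--ldapi not requested")
    # 2. Over ldapi, SASL EXTERNAL lets autobind map the peer uid to a DN.
    try:
        conn.sasl_external_bind()
        return "external"
    except BindError as ext_err:
        if euid != 0:
            # A regular user with --ldapi: no mapping, and no fallback.
            raise BindError(
                f"SASL EXTERNAL bind over ldapi failed for uid {euid} "
                f"({ext_err}); run as root or supply the DM password"
            ) from ext_err
    # 3. root has no autobind mapping; use its Kerberos ticket instead.
    try:
        conn.sasl_gssapi_bind()
        return "gssapi"
    except BindError as gss_err:
        raise BindError(
            "root cannot autobind over ldapi and the GSSAPI fallback failed "
            f"({gss_err}); obtain a ticket or supply the DM password"
        ) from gss_err


def bind_or_explain(conn, **kwargs):
    """Return ('bound', method) or ('error', message) for CLI reporting."""
    try:
        return ("bound", bind_with_fallback(conn, **kwargs))
    except BindError as err:
        return ("error", str(err))


class FakeConn:
    """Constructed stand-in for a directory connection (offline use only).
    Records which bind methods were attempted, in order."""

    def __init__(self, external_ok=False, gssapi_ok=False):
        self.external_ok = external_ok
        self.gssapi_ok = gssapi_ok
        self.calls = []

    def sasl_external_bind(self):
        self.calls.append("external")
        if not self.external_ok:
            raise BindError("autobind: no mapping for peer uid")

    def sasl_gssapi_bind(self):
        self.calls.append("gssapi")
        if not self.gssapi_ok:
            raise BindError("no Kerberos credentials")

    def simple_bind(self, dn, password):
        self.calls.append(("simple", dn))


class PythonLdapConn:
    """Adapter over python-ldap (imported lazily so the policy above stays
    importable without it); translates ldap.LDAPError into BindError."""

    def __init__(self, uri):
        import ldap
        import ldap.sasl
        self._ldap, self._sasl = ldap, ldap.sasl
        self._conn = ldap.initialize(uri)

    def _call(self, fn, *args):
        try:
            return fn(*args)
        except self._ldap.LDAPError as err:
            raise BindError(str(err)) from err

    def sasl_external_bind(self):
        self._call(self._conn.sasl_interactive_bind_s, "", self._sasl.external())

    def sasl_gssapi_bind(self):
        self._call(self._conn.sasl_interactive_bind_s, "", self._sasl.gssapi())

    def simple_bind(self, dn, password):
        self._call(self._conn.simple_bind_s, dn, password)


if __name__ == "__main__":
    # Offline run against the constructed fake: root whose EXTERNAL bind is
    # rejected by autobind but who holds a ticket, then an unprivileged user.
    print(bind_or_explain(FakeConn(gssapi_ok=True), euid=0))
    print(bind_or_explain(FakeConn(), euid=1000))
```

Against a live server the same policy runs with PythonLdapConn("ldapi://...") in place of FakeConn; the point of the adapter is that the tool reports which method it ended up using and a sentence a user can act on, rather than the raw LDAP exception from the first failed bind.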