[Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts

Simo Sorce ssorce at redhat.com
Wed Jan 19 23:30:14 UTC 2011


On Wed, 19 Jan 2011 12:20:25 -0500
Simo Sorce <ssorce at redhat.com> wrote:

> On Wed, 19 Jan 2011 16:18:09 +0000
> JR Aquino <JR.Aquino at citrix.com> wrote:
> 
> > On 1/18/11 4:02 PM, "Simo Sorce" <ssorce at redhat.com> wrote:
> > 
> > >
> > >We need to use authenticated ldap binds in init scripts as otherwise
> > >starting components fails when the option to restrict anonymous
> > >access to ldap is set.
> > >
> > >In order to do that we need to also start the KDC unconditionally,
> > >so it has been removed from the list of services retrieved from
> > >ldap and always started/stopped/restarted explicitly in the script.
> > >This is necessary so the script can obtain kerberos credentials to
> > >bind to ds using its keytab.
> > >
> > >Fixes ticket #795
> > >
> > >Simo.
> > >
> > >-- 
> > >Simo Sorce * Red Hat, Inc * New York
> > 
> > 
> > ACK
> > 
> 
> Thanks but Rich pointed me to the docs I couldn't find earlier in
> order to use SASL/EXTERNAL instead of actual credentials.
> 
> So I'll hold on this patch and try to propose an alternative that
> does not require SASL/GSSAPI auth. If that will be possible and
> satisfactory I will retire this patch and propose a new one,
> otherwise I'll push this one.
> 
> Simo.
> 

OK, I am retiring this patch and sending an alternative one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
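As an added example (not the patch under discussion and not FreeIPA project code), the following POSIX shell sketch shows the two approaches the thread mentions side by side: a GSSAPI bind using a ticket obtained from the directory server's keytab, which is why the KDC has to be started before anything is read from LDAP, and a SASL/EXTERNAL bind over the ldapi socket, which needs neither a KDC nor a keytab. The keytab path, the ldap/ principal, the ldapi socket name, the base DN and the cn=masters / ipaConfigString=enabledService query are assumptions made for illustration and must be adjusted to the deployment.

```shell
#!/bin/sh
# Added example, not the FreeIPA patch: authenticate to 389-ds from an init
# script without relying on anonymous access. All paths and names below are
# assumptions for illustration.
KEYTAB=/etc/dirsrv/ds.keytab                     # assumed DS host keytab
LDAPI_SOCKET=/var/run/slapd-EXAMPLE-COM.socket   # assumed ldapi socket
SUFFIX=dc=example,dc=com                         # assumed base DN
HOST=ipa.example.com                             # assumed FQDN of this master

# Authentication arguments for ldapsearch, by mode.
#   gssapi   - needs a Kerberos ticket, hence a running KDC; this is the
#              ordering constraint that forced the KDC out of the LDAP list.
#   external - SASL/EXTERNAL over ldapi; identity is the connecting uid,
#              so no KDC, no keytab and no ticket cache are involved.
ldap_auth_args() {
    case "$1" in
        gssapi)
            printf '%s' "-Y GSSAPI -H ldap://$HOST" ;;
        external)
            # ldapi URLs percent-encode the slashes of the socket path.
            printf '%s' "-Y EXTERNAL -H ldapi://$(printf '%s' "$LDAPI_SOCKET" | sed 's|/|%2f|g')" ;;
        *)
            echo "unknown auth mode: $1" >&2; return 1 ;;
    esac
}

# Obtain a TGT from the keytab into a private credential cache so the
# init script never touches an interactive user's cache.
kinit_from_keytab() {
    KRB5CCNAME="/tmp/krb5cc_ipa_init.$$"; export KRB5CCNAME
    kinit -k -t "$KEYTAB" "ldap/$HOST"      # assumed principal name
}

# List the services this master should run (assumed layout: one entry per
# service under cn=masters, flagged with ipaConfigString=enabledService).
enabled_services() {
    mode=$1
    # shellcheck disable=SC2046  # word-splitting the argument string is intended
    ldapsearch -LLL -o ldif-wrap=no $(ldap_auth_args "$mode") \
        -b "cn=$HOST,cn=masters,cn=ipa,cn=etc,$SUFFIX" \
        '(ipaConfigString=enabledService)' cn | sed -n 's/^cn: //p'
}

case "${1-}" in
    start)
        service krb5kdc start        # KDC first: the GSSAPI bind needs it
        kinit_from_keytab
        for svc in $(enabled_services gssapi); do
            echo "would start: $svc"   # map LDAP service names to init scripts here
        done
        ;;
    start-external)
        # No Kerberos dependency at all, so no special KDC ordering.
        for svc in $(enabled_services external); do
            echo "would start: $svc"
        done
        ;;
esac
```

The SASL/EXTERNAL path works only because 389-ds can map the uid of a local ldapi client to a DN (the nsslapd-ldapiautobind and nsslapd-ldapimaprootdn settings), so a root-run init script gets a privileged identity without holding any credential that could leak from the script; that is what makes it attractive compared with keeping a keytab-based bind in the start/stop path.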



