[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Petr Spacek pspacek at redhat.com
Thu Jun 19 07:43:06 UTC 2014


Hello list,

the thread "named's LDAP connection hangs" on the freeipa-users list [1] opened 
the question "Why do we use Kerberos for the named<->DS connection? Named connects 
over LDAPI to the local DS instance anyway."

Maybe we can get rid of Kerberos for this particular connection and use 
autobind instead. It would make it more reliable and effective.

As a side effect, named will be able to start even if the KDC is down for some 
reason. It partially solves the chicken-and-egg problem during IPA start-up.

I wasn't around when bind-dyndb-ldap was designed, so I don't know the 
historical reasons.

[1] https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html

-- 
Petr^2 Spacek
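For reference, the 389 DS settings that such an LDAPI autobind setup relies on, as an added example that is not part of the original post or of FreeIPA's own installer; the socket path, suffix, search base and the uid/gid of the named process are assumptions:

```ldif
# 389 DS LDAPI autobind configuration (added example; paths and DNs are assumed).
# With these settings a local process connecting over the Unix socket is
# identified by its peer credentials (SO_PEERCRED) and no SASL/GSSAPI bind is needed:
#   uid 0          -> bound as nsslapd-ldapimaprootdn (Directory Manager)
#   any other uid  -> bound as the entry under nsslapd-ldapientrysearchbase whose
#                     uidNumber/gidNumber attributes match the connecting process
dn: cn=config
changetype: modify
replace: nsslapd-ldapilisten
nsslapd-ldapilisten: on
-
replace: nsslapd-ldapifilepath
nsslapd-ldapifilepath: /var/run/slapd-EXAMPLE-TEST.socket
-
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
replace: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
replace: nsslapd-ldapimaprootdn
nsslapd-ldapimaprootdn: cn=Directory Manager
-
replace: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: cn=services,cn=accounts,dc=example,dc=test
-
replace: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
replace: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber

# The DNS service entry under the search base must then carry uidNumber/gidNumber
# equal to the uid/gid named runs as (assumed 25/25 here, the usual "named" account),
# and the ACIs on the DNS subtree should grant write access to that DN only.
```

Changes to nsslapd-ldapilisten and nsslapd-ldapifilepath take effect only after a restart of the DS instance. Note that the trust boundary moves from Kerberos to the host's UID namespace: any local process running as uid 0 is autobound as Directory Manager, so the socket file permissions and the mapping of named's uid to a least-privilege entry are what bound the damage of a compromised local account.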
