[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Sumit Bose sbose at redhat.com
Thu Jun 19 08:01:10 UTC 2014


On Thu, Jun 19, 2014 at 09:43:06AM +0200, Petr Spacek wrote:
> Hello list,
> 
> the thread "named's LDAP connection hangs" on freeipa-users list [1] opened
> question "Why do we use Kerberos for named<->DS connection? Named connects
> over LDAPI to local DS instance anyway."
> 
> Maybe we can get rid of Kerberos for this particular connection and use
> autobind instead. It would make it more reliable and effective.
> 
> As a side effect, named will be able to start even if KDC is down for some
> reason. It partially solves chicken-egg problem during IPA start-up.
> 
> I wasn't around when bind-dyndb-ldap was designed so I don't know the
> historical reasons.

I think there are two differences:

# ldapexop -H 'ldapi://%2fvar%2frun%2fslapd-IPA20-DEVEL.socket' whoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=Directory Manager

# ldapexop -H 'ldapi://%2fvar%2frun%2fslapd-IPA20-DEVEL.socket' whoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: DNS/ipa20-devel.ipa20.devel at IPA20.DEVEL
SASL SSF: 56
SASL data security layer installed.
dn: krbprincipalname=dns/ipa20-devel.ipa20.devel at ipa20.devel,cn=services,cn=accounts,dc=ipa20,dc=devel


With Kerberos you bind with a specific DN and all access control rules
can be applied for the connection. Additionally you have an SSF level. I
think most of our plugins which require a secure connection check not
only SSF but also check if the connection is coming via the ldapi socket as
well, but there might be some which miss this check.

We use LDAPI+Kerberos in samba as well to access the IPA DS, but I agree
that samba is not that important for IPA and there is no chicken-egg
problem.

bye,
Sumit

> 
> [1] https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html
> 
> -- 
> Petr^2 Spacek
> 
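As an added illustration (not code from the thread or from 389-ds), a small Python parser over the two ldapexop whoami transcripts quoted above, followed by a check modelled on the plugin logic Sumit describes; the assessment rules and the `via_ldapi` flag are assumptions for the purpose of the example.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two `ldapexop ... whoami` transcripts from the
# mail, with the archive's ' at ' rendered back to '@'.
AUTOBIND_OUTPUT = """\
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=Directory Manager
"""
GSSAPI_OUTPUT = """\
SASL/GSSAPI authentication started
SASL username: DNS/ipa20-devel.ipa20.devel@IPA20.DEVEL
SASL SSF: 56
SASL data security layer installed.
dn: krbprincipalname=dns/ipa20-devel.ipa20.devel@ipa20.devel,cn=services,cn=accounts,dc=ipa20,dc=devel
"""

@dataclass
class BindInfo:
    mechanism: str   # SASL mechanism: EXTERNAL (autobind) or GSSAPI (Kerberos)
    sasl_user: str   # authentication identity reported by the SASL layer
    ssf: int         # security strength factor of the SASL data layer
    dn: str          # authorization DN the server bound the connection to

def parse_whoami(output: str) -> BindInfo:
    """Pull mechanism, SASL user, SSF and bound DN out of whoami output."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, output, re.MULTILINE)
        if m is None:
            raise ValueError(f"missing field: {pattern}")
        return m.group(1).strip()
    return BindInfo(
        mechanism=grab(r"^SASL/(\S+) authentication started"),
        sasl_user=grab(r"^SASL username: (.+)$"),
        ssf=int(grab(r"^SASL SSF: (\d+)")),
        dn=grab(r"^dn: (.+)$"),
    )

def assess(info: BindInfo, via_ldapi: bool) -> dict:
    # Assumed model of the checks in the mail. The root DN is exempt from
    # ACI evaluation, so autobind as cn=Directory Manager means no access
    # control applies to named at all.
    acis_apply = info.dn.lower() != "cn=directory manager"
    return {
        "acis_apply": acis_apply,
        "ssf_only_ok": info.ssf > 0,                   # SSF-only plugin check
        "ssf_or_ldapi_ok": info.ssf > 0 or via_ldapi,  # SSF or local socket
    }
```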
