[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Petr Spacek pspacek at redhat.com
Thu Jun 19 13:40:10 UTC 2014


On 19.6.2014 15:28, Simo Sorce wrote:
> On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
>> Hello list,
>>
>> the thread "named's LDAP connection hangs" on freeipa-users list [1] opened
>> the question "Why do we use Kerberos for the named<->DS connection? Named
>> connects over LDAPI to the local DS instance anyway."
>>
>> Maybe we can get rid of Kerberos for this particular connection and use
>> autobind instead. It would make it more reliable and effective.
>>
>> As a side effect, named will be able to start even if the KDC is down for
>> some reason. It partially solves the chicken-and-egg problem during IPA start-up.
>>
>> I wasn't around when bind-dyndb-ldap was designed, so I don't know the
>> historical reasons.
>>
>> [1] https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html
>
> I would be in favor if we can make bind run as an unprivileged user
> instead of root, can we do that ?

We already do that :-) The user is called 'named'.

-- 
Petr^2 Spacek
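
Added example (not code from this thread, from bind-dyndb-ldap or from FreeIPA): how the LDAPI + autobind setup discussed above is switched on in 389 DS and how to check, as the 'named' user, which identity the server maps the connection to. The socket path, the suffix and the use of the generic uidNumber/gidNumber mapping are assumptions for illustration; the real deployment may map the user differently.

```shell
# Added example, not part of the original thread. Assumed values:
SOCKET="${SOCKET:-/var/run/slapd-EXAMPLE-COM.socket}"   # assumed FreeIPA-style socket path
SUFFIX="${SUFFIX:-dc=example,dc=com}"                  # assumed directory suffix

# Build an ldapi:// URL. The socket path is percent-encoded ("/" -> "%2F"),
# which is the part people most often get wrong when testing by hand.
ldapi_url() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's#/#%2F#g')"
}

# LDIF that enables LDAPI autobind and maps the peer's Unix uid/gid to the
# DS entry whose uidNumber/gidNumber match, searched under the given base.
# (cn=config attribute names are the documented 389 DS ones.)
autobind_ldif() {
cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ldapilisten
nsslapd-ldapilisten: on
-
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
replace: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
replace: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
replace: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber
-
replace: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: $1
EOF
}

# Apply the LDIF as Directory Manager over the local socket (prompts for the password).
enable_autobind() {
    autobind_ldif "$SUFFIX" | ldapmodify -H "$(ldapi_url "$SOCKET")" \
        -D "cn=Directory Manager" -W
}

# The check: connect as the 'named' user over LDAPI with SASL EXTERNAL.
# With a working mapping the server reports the DN of the mapped entry; any
# other result means named would not get the identity its ACIs expect.
check_named_autobind() {
    sudo -u named ldapwhoami -H "$(ldapi_url "$SOCKET")" -Y EXTERNAL -Q
}
```

The mapping only works if an entry under nsslapd-ldapientrysearchbase carries a uidNumber equal to the local 'named' uid; create that entry (with the ACIs bind-dyndb-ldap needs) before relying on autobind, and restart the instance after changing the LDAPI listener settings.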
