[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Alexander Bokovoy abokovoy at redhat.com
Thu Jun 19 13:42:32 UTC 2014


On Thu, 19 Jun 2014, Simo Sorce wrote:
>On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
>> Hello list,
>>
>> the thread "named's LDAP connection hangs" on freeipa-users list [1] opened
>> the question "Why do we use Kerberos for named<->DS connection? Named connects
>> over LDAPI to local DS instance anyway."
>>
>> Maybe we can get rid of Kerberos for this particular connection and use
>> autobind instead. It would make it more reliable and effective.
>>
>> As a side effect, named will be able to start even if KDC is down for some
>> reason. It partially solves the chicken-and-egg problem during IPA start-up.
>>
>> I wasn't around when bind-dyndb-ldap was designed so I don't know the
>> historical reasons.
>>
>> [1] https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html
>
>I would be in favor if we can make bind run as an unprivileged user
>instead of root, can we do that?
It already runs as 'named' user, see my other mail with actual
experiment results.

-- 
/ Alexander Bokovoy
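As an added illustration, not code from this thread or from 389-ds/FreeIPA: a simplified model of what LDAPI autobind does. The server reads the connecting process's uid/gid from the Unix socket (Linux SO_PEERCRED) and maps them to a directory entry, so with autobind the identity named gets is decided by the OS user it runs as, not by a Kerberos ticket; that is why the "unprivileged user" question matters. The entry DNs, uid numbers and the root-to-DN mapping below are constructed assumptions.

```python
import socket
import struct

# Constructed sample directory: posixAccount-style entries under the autobind search base.
# The DN, uidNumber and gidNumber values are assumptions for this demo, not FreeIPA's.
SAMPLE_ENTRIES = {
    "uid=named,cn=users,cn=accounts,dc=example,dc=test": {"uidNumber": 25, "gidNumber": 25},
}
# Hypothetical stand-in for an explicit root -> DN mapping; unmapped by default.
ROOT_MAP_DN = "cn=Directory Manager"


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def autobind_dn(uid, gid, entries, root_map_dn=None):
    """Map peer uid/gid to a bind DN the way autobind does; no KDC is consulted.

    uid 0 binds as root_map_dn only when that mapping is explicitly configured;
    a uid/gid with no matching entry gets no identity (anonymous at best).
    """
    if uid == 0:
        return root_map_dn
    for dn, attrs in entries.items():
        if attrs["uidNumber"] == uid and attrs["gidNumber"] == gid:
            return dn
    return None


def demo_autobind():
    """Simulate a local client connecting and the server deciding its DN from peer credentials."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        _pid, uid, gid = peer_credentials(server)
    finally:
        server.close()
        client.close()
    # Register an entry for whoever runs this demo so the mapping can succeed.
    entries = dict(SAMPLE_ENTRIES)
    entries["uid=demo,cn=users,cn=accounts,dc=example,dc=test"] = {"uidNumber": uid, "gidNumber": gid}
    return autobind_dn(uid, gid, entries, root_map_dn=ROOT_MAP_DN)


if __name__ == "__main__":
    print("bound as:", demo_autobind())
```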