[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Alexander Bokovoy abokovoy at redhat.com
Thu Jun 19 14:10:24 UTC 2014


On Thu, 19 Jun 2014, Simo Sorce wrote:
>> >> and named successfully started, with 389-ds showing autobind to the same
>> >> krbprincipalname=dns/... in the logs.
>> >
>> >why do we need to associate bind to dns/whatever ??
>> Because we already have ACIs given to dns/hostname to handle DNS
>> entries.
>
>Which are easy to change on upgrade.
>
>> >we can have a sysaccount called named, like we did for kerberos before
>> >we had the ipa-kdb driver.
>> A modification of DNS service with 'ipa service-mod' is all we
>> need for the single node case, I tried it.
>
>I do not like it at all, plus each server has a different object and
>they would all be duplicates. I prefer very much a single, passwordless
>special user in sysconfig, added to the same group that controls access
>for the DNS tree.
autobind needs a uidNumber=<uid>+gidNumber=<gid> search to resolve to a
single entry. Given that replicas might be running on machines where the
'named' user could deviate (think Fedora, RHEL, and Debian), there will
still be multiple 'named' sysaccounts and the whole story will break. I
don't see how this helps compared to having the DNS/hostname principal
object extended to cover uidNumber/gidNumber.


-- 
/ Alexander Bokovoy
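Added illustration (not part of the thread, and not FreeIPA or 389-ds code): a small Python model of the LDAPI autobind resolution rule the message above relies on. With nsslapd-ldapiautobind and nsslapd-ldapimaptoentries enabled, 389-ds takes the peer uid/gid from the UNIX socket and searches the configured base for an entry whose uidNumber and gidNumber both match; the bind succeeds only if exactly one entry matches. The entries, DNs and uid/gid values below are constructed, and the exact 389-ds attribute names in the config comment are quoted from memory as an assumption.

```python
# Added example: models how 389-ds resolves an LDAPI autobind to a single entry.
# All entries, DNs and numeric ids here are constructed for illustration.
#
# Assumed cn=config settings that enable the mapping (attribute names are an
# assumption, not taken from the thread):
#   nsslapd-ldapiautobind: on
#   nsslapd-ldapimaptoentries: on
#   nsslapd-ldapiuidnumbertype: uidNumber
#   nsslapd-ldapigidnumbertype: gidNumber
#   nsslapd-ldapientrysearchbase: dc=example,dc=test

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """Minimal LDAP entry: only the attributes autobind cares about."""
    dn: str
    uid_number: Optional[int] = None
    gid_number: Optional[int] = None


def autobind_filter(uid: int, gid: int) -> str:
    """The search filter shape used for the mapping: both ids must match."""
    return f"(&(uidNumber={uid})(gidNumber={gid}))"


def autobind_candidates(entries: List[Entry], uid: int, gid: int) -> List[str]:
    """DNs of every entry matching the peer's uid/gid pair."""
    return [e.dn for e in entries
            if e.uid_number == uid and e.gid_number == gid]


def resolve_autobind(entries: List[Entry], uid: int, gid: int) -> Tuple[Optional[str], str]:
    """Return (bound_dn, reason). bound_dn is None unless exactly one entry
    matches; a partial match (uid only) or duplicate ids both fail, which is
    the 'single entry' requirement the message points at."""
    matches = autobind_candidates(entries, uid, gid)
    if len(matches) == 1:
        return matches[0], "mapped"
    if not matches:
        return None, "no entry matches " + autobind_filter(uid, gid)
    return None, f"ambiguous: {len(matches)} entries match " + autobind_filter(uid, gid)


# Constructed directory contents. 'named' has different uids on different
# distributions, so per-distribution sysaccounts end up side by side once
# replicated, and two of them happen to carry the same id pair.
BASE = "dc=example,dc=test"
ENTRIES = [
    Entry(f"uid=named,cn=sysaccounts,cn=etc,{BASE}", 25, 25),
    Entry(f"uid=named-other,cn=sysaccounts,cn=etc,{BASE}", 25, 25),      # duplicate pair
    Entry(f"uid=named-debian,cn=sysaccounts,cn=etc,{BASE}", 102, 103),
    # A DNS service principal extended with posix ids, the alternative discussed.
    Entry(f"krbprincipalname=dns/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,{BASE}",
          975, 975),
]


if __name__ == "__main__":
    for uid, gid in [(975, 975), (25, 25), (102, 103), (102, 102)]:
        dn, reason = resolve_autobind(ENTRIES, uid, gid)
        print(f"peer uid={uid} gid={gid}: {dn or 'anonymous'} ({reason})")
```

The four sample lookups cover the cases a deployer runs into: a unique pair maps cleanly, duplicated ids across sysaccounts make the bind ambiguous, and a uid that matches while the gid does not is treated as no match at all rather than a partial hit.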
