[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Alexander Bokovoy abokovoy at redhat.com
Thu Jun 19 14:24:12 UTC 2014


On Thu, 19 Jun 2014, Simo Sorce wrote:
>On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
>> On Thu, 19 Jun 2014, Simo Sorce wrote:
>> >> >> and named successfully started, with 389-ds showing autobind to the same
>> >> >> krbprincipalname=dns/... in the logs.
>> >> >
>> >> >why do we need to associate bind to dns/whatever ??
>> >> Because we already have ACIs given to dns/hostname to handle DNS
>> >> entries.
>> >
>> >Which are easy to change on upgrade.
>> >
>> >> >we can have a sysaccount called named, like we did for kerberos before
>> >> >we had the ipa-kdb driver.
>> >> A modification of the DNS service with 'ipa service-mod' is all we
>> >> need for the single node case, I tried it.
>> >
>> >I do not like it at all, plus each server has a different object and
>> >they would all be duplicates. I prefer very much a single, passwordless
>> >special user in sysconfig, added to the same group that controls access
>> >for the DNS tree.
>> autobind needs uidNumber=<uid>+gidNumber=<gid> search to resolve to a
>> single entry. Given that replicas might be running on machines where
>> 'named' user could deviate (think Fedora, RHEL, and Debian), there will
>> still be multiple 'named' sysaccounts and the whole story will break. I
>> don't see how this helps compared to having DNS/hostname principal
>> object extended to cover uidNumber/gidNumber.
>
>This is not really a huge issue.
>We need to allow access to the DNS tree to a group, so all we need is
>for the install/upgrade script to check what the named user on the system
>is and create a corresponding system account.
So, now we'll have to manage multiple named accounts named what,
'named1', 'named2', ... ? How to manage them?

One solution could be to have multi-value uidNumber/gidNumber
attributes...
-- 
/ Alexander Bokovoy
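Added example, not code from the thread or from FreeIPA/389-ds: a small Python model of the LDAPI autobind lookup the message argues about, showing why per-host 'named' sysaccounts that share a uidNumber/gidNumber stop resolving, and how a single entry with multi-valued uidNumber/gidNumber would resolve instead. Entry DNs, uid/gid values and the anonymous fallback are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Entry:
    """One LDAP entry; uidNumber/gidNumber are modelled as sets because
    the thread proposes making them multi-valued."""
    dn: str
    uid_numbers: FrozenSet[int]
    gid_numbers: FrozenSet[int]


def autobind(entries: List[Entry], peer_uid: int, peer_gid: int) -> Optional[str]:
    """Model of 389-ds 'map to entries' autobind: the peer's uid/gid from the
    LDAPI socket are searched as (&(uidNumber=<uid>)(gidNumber=<gid>)) and the
    connection is bound as that entry only if exactly one entry matches.
    Assumption: any other outcome (0 or >1 hits) is treated here as an
    unmapped, effectively anonymous connection."""
    hits = [e for e in entries
            if peer_uid in e.uid_numbers and peer_gid in e.gid_numbers]
    return hits[0].dn if len(hits) == 1 else None


BASE = "cn=sysaccounts,cn=etc,dc=example,dc=com"   # constructed suffix

# Constructed scenario 1: one sysaccount per replica. Two replicas on the
# same distro carry the same local uid/gid for 'named' (25/25 here is an
# illustrative value, not a real distro assignment), so they are duplicates.
PER_HOST_ACCOUNTS = [
    Entry(f"uid=named1,{BASE}", frozenset({25}), frozenset({25})),
    Entry(f"uid=named2,{BASE}", frozenset({25}), frozenset({25})),
    Entry(f"uid=named3,{BASE}", frozenset({101}), frozenset({103})),
]

# Constructed scenario 2: the multi-valued alternative floated at the end of
# the message: one entry listing every uid/gid that 'named' uses anywhere.
SINGLE_MULTIVALUE = [
    Entry(f"uid=named,{BASE}", frozenset({25, 101}), frozenset({25, 103})),
]


def resolution_report() -> dict:
    """Return the bind DN (or None) for each scenario and peer; used for the
    checks below and when running this file directly."""
    return {
        "per_host_duplicate": autobind(PER_HOST_ACCOUNTS, 25, 25),
        "per_host_unique": autobind(PER_HOST_ACCOUNTS, 101, 103),
        "multivalue_distro_a": autobind(SINGLE_MULTIVALUE, 25, 25),
        "multivalue_distro_b": autobind(SINGLE_MULTIVALUE, 101, 103),
        "multivalue_unknown": autobind(SINGLE_MULTIVALUE, 999, 999),
    }
```

Run it against a real directory by replacing the entry lists with the result of an LDAP search for uidNumber/gidNumber under the sysaccounts container; a duplicate match there is exactly the failure the message warns about.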