[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Alexander Bokovoy abokovoy at redhat.com
Thu Jun 19 14:47:02 UTC 2014


On Thu, 19 Jun 2014, Simo Sorce wrote:
>> I may need to revive my sysaccounts module...
>
>There is one more issue though, and this one really concerns me.
>If you need to put there multiple accounts because different servers
>have different local accounts, then you open up access to unrelated
>services. Because all these uids are shared on all systems.
>
>I think this kills my own proposal of sticking these entries in
>cn=sysaccounts.
>
>However we could have something in cn=config maybe ?
>So that each server can:
>A) use the same name/DN
>B) have ids that match exactly the local named account no matter how
>many different variants we have
>C) no management issues when the server is killed from the
>infrastructure as cn=config is local to that server and goes away with
>it.
>
>What do you think ?
This is what Petr proposed too.

389-ds autobind code searches starting from a base defined in cn=config.
IPA defines it to be $SUFFIX. If we move these entries to cn=config,
they will not be found by the code in
ds/ldap/servers/slapd/daemon.c:slapd_bind_local_user(). If we change a
search base to something in cn=config, we wouldn't be able to use user
accounts for autobind -- something which is possible right now.

I'm not really concerned about user accounts' autobind but this is
actually a behavior change for IPA.
-- 
/ Alexander Bokovoy
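
As an added illustration of the mechanism discussed above (this is not part of the thread and not FreeIPA's or 389-ds's own configuration), the LDIF below shows the cn=config attributes that control LDAPI autobind in 389-ds, with the entry search base set to the suffix as IPA does, followed by a sample system account entry that the mapping would find. The suffix dc=example,dc=com, the socket path, the account DN and the numeric ids are assumed sample values.

```ldif
# Added example, not from the thread. Assumed suffix: dc=example,dc=com
# LDAPI listener and autobind settings live in cn=config.
dn: cn=config
changetype: modify
replace: nsslapd-ldapilisten
nsslapd-ldapilisten: on
-
replace: nsslapd-ldapifilepath
nsslapd-ldapifilepath: /var/run/slapd-EXAMPLE-COM.socket
-
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
replace: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
# Base under which slapd_bind_local_user() searches for an entry whose
# uidNumber/gidNumber equal the connecting process's peer credentials.
# IPA sets this to $SUFFIX, so an entry placed under cn=config is never found.
replace: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: dc=example,dc=com
-
replace: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
replace: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber

# A system account entry (assumed DN, constructed ids) sitting under the
# search base, so a local process running as uid 25 / gid 25 would be bound
# as this DN. The same numbers apply on every replica that shares the suffix,
# which is the cross-server id collision concern raised in the thread.
dn: uid=named,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectClass: account
objectClass: posixAccount
uid: named
cn: named
uidNumber: 25
gidNumber: 25
homeDirectory: /var/named
```

To verify which identity a local process is mapped to, a bind over the socket with SASL EXTERNAL (for example `ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b '' -s base`) can be run as that user and the resulting bind DN checked in the access log; a process whose uid/gid match no entry under the search base gets an anonymous bind instead.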