[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Alexander Bokovoy abokovoy at redhat.com
Thu Jun 19 14:58:50 UTC 2014


On Thu, 19 Jun 2014, Simo Sorce wrote:
>On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
>> On Thu, 19 Jun 2014, Simo Sorce wrote:
>> >> I may need to revive my sysaccounts module...
>> >
>> >There is one more issue though, and this one really concerns me.
>> >If you need to put there multiple accounts because different servers
>> >have different local accounts, then you open up access to unrelated
>> >services. Because all these uids are shared on all systems.
>> >
>> >I think this kills my own proposal of sticking these entries in
>> >cn=sysaccounts.
>> >
>> >However we could have something in cn=config maybe ?
>> >So that each server can:
>> >A) use the same name/DN
>> >B) have ids that match exactly the local named account no matter how
>> >many different variants we have
>> >C) no management issues when the server is killed from the
>> >infrastructure as cn=config is local to that server and goes away with
>> >it.
>> >
>> >What do you think?
>> This is what Petr proposed too.
>>
>> 389-ds autobind code searches starting from a base defined in cn=config.
>> IPA defines it to be $SUFFIX. If we move these entries to cn=config,
>> they will not be found by the code in
>> ds/ldap/servers/slapd/daemon.c:slapd_bind_local_user(). If we change a
>> search base to something in cn=config, we wouldn't be able to use user
>> accounts for autobind -- something which is possible right now.
>>
>> I'm not really concerned about user accounts' autobind but this is
>> actually a behavior change for IPA.
>
>And I guess we can't list multiple bases for now?
>We do not use autobind for anything now though, and I do not see it as
>useful for "normal" users on an IPA server, so I would be ok with the
>change, even if it breaks backward compatibility on masters themselves.
The only thing we use is root autobind which is handled by a separate
mechanism, I think.

Thus, it suits me.

Petr, can you please make a ticket?
-- 
/ Alexander Bokovoy
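To make the search-base point in the thread concrete, here is an added, simplified model of 389-ds LDAPI autobind written for this page. It is not 389-ds or FreeIPA code and only approximates what slapd_bind_local_user() does: the cn=config attribute names (nsslapd-ldapiautobind, nsslapd-ldapimaptoentries, nsslapd-ldapimaprootdn, nsslapd-ldapientrysearchbase, nsslapd-ldapiuidnumbertype, nsslapd-ldapigidnumbertype) are the real ones, but the entries, DNs, uids and the assumption that the lookup filter is (&(uidNumber=X)(gidNumber=Y)) over the subtree below the configured base are constructed for illustration. It shows the three behaviours discussed above: an entry under cn=config is invisible to a search rooted at $SUFFIX, retargeting the base at cn=config finds it but drops user autobind, and root autobind is a separate mapping untouched by either choice. It also reproduces Simo's concern that a second sysaccount entry with another server's named uid is matched by whatever unrelated local service happens to own that uid here.

```python
"""Simplified model of 389-ds LDAPI autobind entry mapping (added example,
not project code).  Attribute names mirror cn=config; everything else is
constructed sample data."""

SUFFIX = "dc=example,dc=com"

# Constructed: the autobind-related cn=config settings on an IPA master.
CONFIG = {
    "nsslapd-ldapiautobind": "on",
    "nsslapd-ldapimaptoentries": "on",
    "nsslapd-ldapimaprootdn": "cn=Directory Manager",
    "nsslapd-ldapientrysearchbase": SUFFIX,
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
}

# Constructed sample entries keyed by DN.  Server A's local 'named' is
# uid/gid 25; server B created its 'named' as uid/gid 53.  On server A,
# uid 53 belongs to an unrelated local service.
ENTRIES = {
    "uid=admin,cn=users,cn=accounts," + SUFFIX:
        {"uidNumber": 1000, "gidNumber": 1000},
    "uid=named,cn=sysaccounts,cn=etc," + SUFFIX:
        {"uidNumber": 25, "gidNumber": 25},
    "uid=named-b,cn=sysaccounts,cn=etc," + SUFFIX:
        {"uidNumber": 53, "gidNumber": 53},
}


def dn_under(dn, base):
    """True if dn equals base or lies in the subtree below it (case-insensitive)."""
    dn = dn.lower().replace(", ", ",")
    base = base.lower().replace(", ", ",")
    return dn == base or dn.endswith("," + base)


def autobind(config, entries, peer_uid, peer_gid):
    """Return the DN an LDAPI client with these peer credentials is bound as,
    or None for an anonymous bind."""
    if config.get("nsslapd-ldapiautobind") != "on":
        return None
    # Root mapping is a separate mechanism: uid 0 never reaches the entry search.
    if peer_uid == 0 and config.get("nsslapd-ldapimaprootdn"):
        return config["nsslapd-ldapimaprootdn"]
    if config.get("nsslapd-ldapimaptoentries") != "on":
        return None
    base = config["nsslapd-ldapientrysearchbase"]
    uid_attr = config["nsslapd-ldapiuidnumbertype"]
    gid_attr = config["nsslapd-ldapigidnumbertype"]
    # Assumed filter shape: subtree search below base for both uid and gid.
    matches = [dn for dn, attrs in entries.items()
               if dn_under(dn, base)
               and attrs.get(uid_attr) == peer_uid
               and attrs.get(gid_attr) == peer_gid]
    # Only a single unambiguous hit is usable; otherwise stay anonymous.
    return matches[0] if len(matches) == 1 else None


def with_base(config, base):
    """Copy of config with the autobind search base replaced."""
    return {**config, "nsslapd-ldapientrysearchbase": base}


# Constructed: the same named entry relocated under cn=config.
MOVED = {"cn=named,cn=config": {"uidNumber": 25, "gidNumber": 25}}

if __name__ == "__main__":
    print(autobind(CONFIG, ENTRIES, 25, 25))   # server A's named, as intended
    print(autobind(CONFIG, ENTRIES, 53, 53))   # unrelated uid-53 service gets named-b
    print(autobind(CONFIG, MOVED, 25, 25))     # hidden from a $SUFFIX-rooted search
    cfg2 = with_base(CONFIG, "cn=config")
    print(autobind(cfg2, {**ENTRIES, **MOVED}, 25, 25))  # found again
    print(autobind(cfg2, ENTRIES, 1000, 1000))           # user autobind lost
    print(autobind(cfg2, ENTRIES, 0, 0))                 # root mapping unaffected
```

The `with_base` helper is the one line a practitioner would actually change in cn=config; the surrounding checks show what that change costs. On a real server the same experiment is `ldapsearch -Y EXTERNAL -H ldapi://...` as the local account and looking at the bound DN in the access log, which is a good way to verify the expected mapping after the ticket lands.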
