[Freeipa-devel] LDAP binds, service principals, etc.
John Dennis
jdennis at redhat.com
Fri Oct 26 21:08:38 UTC 2007
I would like to confirm how we're binding to the LDAP server. Am I
correct that it will always be Kerberos via SASL?

If so I also presume ldap_sasl_bind() will be the mechanism, right?

Do we have a mechanism yet to create and distribute keytabs for service
principals?

If a service which needs to perform an LDAP bind is not SASL enabled I
presume the only bind credentials one could use would be password based,
but we are not going to distribute any passwords for service accounts,
right? So does that mean if a service which is not currently SASL
enabled and needs to perform a bind then it's out of luck and it needs
to be modified to be SASL capable, right?

Just to put these questions in context, the service in question is
radius and it's going to need to be able to bind to our LDAP instance to
perform ldap searches on per user/group radius attributes.

I'm thinking I'm going to need to add support for ldap_sasl_bind() to
the ldap radius module, because there isn't another viable bind option
and at the same time I'm wondering how I get the keytab radiusd will use
for the bind (we don't currently have a mechanism in IPA to generate
keytabs yet, right?).
--
John Dennis <jdennis at redhat.com>