[Freeipa-devel] LDAP binds, service principals, etc.

John Dennis jdennis at redhat.com
Fri Oct 26 21:08:38 UTC 2007


I would like to confirm how we're binding to the LDAP server. Am I 
correct that it will always be kerberos via sasl?

If so I also presume ldap_sasl_bind() will be the mechanism, right?

Do we have a mechanism yet to create and distribute keytabs for service 
principals?

If a service which needs to perform an LDAP bind is not sasl enabled I 
presume the only bind credentials one could use would be password based, 
but we are not going to distribute any passwords for service accounts, 
right? So does that mean that if a service which is not currently sasl 
enabled needs to perform a bind, then it's out of luck and it needs 
to be modified to be sasl capable, right?

Just to put these questions in context, the service in question is 
radius and it's going to need to be able to bind to our LDAP instance to 
perform ldap searches on per user/group radius attributes.

I'm thinking I'm going to need to add support for ldap_sasl_bind() to 
the ldap radius module, because there isn't another viable bind option 
and at the same time I'm wondering how I get the keytab radiusd will use 
for the bind (we don't currently have a mechanism in IPA to generate 
keytabs yet, right?).
-- 
John Dennis <jdennis at redhat.com>
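
Added example, not part of this message or of IPA's code: once a keytab for a service principal has been generated and handed to a daemon such as radiusd, the first thing to check before attempting the SASL/GSSAPI bind is that the keytab actually contains the expected principal, with a current key version number (kvno) and usable encryption types. The script below parses the MIT keytab v2 binary layout (version bytes 0x05 0x02, big-endian entries) and reports principal, kvno and enctype without ever exposing key material. The keytab bytes, realm, hostname, kvno values and key bytes are all constructed inline for the example.

```python
"""Inspect a Kerberos keytab and check it holds the service principal a daemon
(e.g. radiusd) needs for a SASL/GSSAPI bind.  Added example; the keytab bytes
at the bottom are constructed, not a real IPA keytab."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MIT keytab file format, version 2 (0x05 0x02), big-endian throughout.

@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int      # key bytes are deliberately not kept or printed


def _counted_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(buf: bytes) -> List[KeytabEntry]:
    if buf[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (buf[:2],))
    off, entries = 2, []
    while off < len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size < 0:               # negative size marks a deleted slot
            off += -size
            continue
        entry, off = buf[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p)   # v2: realm not counted
        p += 2
        realm, p = _counted_string(entry, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted_string(entry, p)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, key_len = struct.unpack_from(">HH", entry, p)
        p += 4 + key_len           # skip over the key material
        kvno = vno8
        if p + 4 <= len(entry):    # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, key_len))
    return entries


def find_principal(entries: List[KeytabEntry], principal: str) -> List[KeytabEntry]:
    return [e for e in entries if e.principal == principal]


def latest_kvno(entries: List[KeytabEntry], principal: str) -> Optional[int]:
    """Highest kvno present for the principal, or None if it is absent."""
    found = find_principal(entries, principal)
    return max(e.kvno for e in found) if found else None


# --- constructed sample keytab (dummy keys, made-up realm and hostname) ---
def _cs(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def _entry(realm: bytes, comps: List[bytes], kvno: int, enctype: int, key: bytes,
           timestamp: int = 1193432918, name_type: int = 1) -> bytes:
    body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(_cs(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


RADIUS_PRINC = "radius/radius.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry(b"EXAMPLE.COM", [b"radius", b"radius.example.com"], 3, 18, b"K" * 32)  # aes256
    + _entry(b"EXAMPLE.COM", [b"radius", b"radius.example.com"], 3, 17, b"K" * 16)  # aes128
    + _entry(b"EXAMPLE.COM", [b"radius", b"radius.example.com"], 2, 18, b"J" * 32)  # stale kvno
)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e.principal} kvno={e.kvno} enctype={e.enctype} keylen={e.key_len}")
    print("latest kvno for radiusd:", latest_kvno(entries, RADIUS_PRINC))
```

Enctype numbers follow the IANA Kerberos registry (17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96). A mismatch between the kvno in the daemon's keytab and the kvno the KDC holds for the principal is the usual reason a GSSAPI bind that worked yesterday fails today, so comparing latest_kvno() against the directory is a cheap pre-flight check when rolling out a new keytab.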
