[Freeipa-devel] [PATCH] #1881 client install when anonymous access is prevented

Martin Kosek mkosek at redhat.com
Fri Sep 30 07:26:14 UTC 2011


On Thu, 2011-09-29 at 12:11 -0400, Simo Sorce wrote:
> On Thu, 2011-09-29 at 17:56 +0200, Martin Kosek wrote:
> > I read every word of it :-) My point was that you can have more
> > databases (basedns, suffixes) configured on the server and when the
> > anonymous access is disabled we cannot check which one is for IPA.
> > That's what my patch 130 fixes. Before it, we just took the first
> > suffix.
> 
> Ok, in that case we can compare the suffix with the realm.
> It is 100% guaranteed that suffix and realm must match as we create the
> suffix out of the realm.
> Can you add code to check against REALM if anonymous is turned on?
> 
> In case REALM is missing (DNS discovery failed) we have 2 options, use
> domain.upper() or require a --realm= option to be passed by the user,
> what do you think?

In the last version (3) of my patch 130 I just grabbed the realm you got
from domain.upper() and generated a suffix from it. So far, it works
fine.

Martin
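
The suffix check discussed in this thread, as an added example that is not part of the original message and not FreeIPA's own code: it derives the expected suffix from the realm (falling back to domain.upper()) and selects the matching naming context instead of taking the first one. The function names, the `None` convention for a refused anonymous read, and the sample values are assumptions made for illustration.

```python
def realm_to_suffix(realm):
    """Derive the LDAP suffix from a realm: EXAMPLE.COM -> dc=example,dc=com."""
    labels = realm.strip().strip(".").split(".")
    if not all(labels):
        raise ValueError("malformed realm: %r" % realm)
    return ",".join("dc=" + label.lower() for label in labels)


def normalize_dn(dn):
    """Simplified DN normalization for comparison (assumes no escaped commas)."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def pick_ipa_suffix(naming_contexts, realm=None, domain=None):
    """Return the suffix that belongs to the realm.

    naming_contexts: list of suffixes read from the server, or None when
    the anonymous read was refused (hypothetical convention for this example).
    """
    if realm is None:
        if domain is None:
            raise ValueError("need a realm or a domain")
        realm = domain.upper()  # fallback when DNS discovery gave no realm
    derived = realm_to_suffix(realm)
    if naming_contexts is None:
        # Nothing to compare against: rely on the realm-derived suffix.
        return derived
    expected = normalize_dn(derived)
    for context in naming_contexts:
        if normalize_dn(context) == expected:
            return context  # the database created for this realm
    return None  # server has suffixes, but none matches the realm


if __name__ == "__main__":
    # Constructed sample: a server with more than one database configured.
    contexts = ["o=ipaca", "DC=Example, DC=Com"]
    print(pick_ipa_suffix(contexts, realm="EXAMPLE.COM"))
    print(pick_ipa_suffix(None, domain="example.com"))
```
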



