[Freeipa-devel] Compat tree permissions

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 3 13:33:25 UTC 2014


On Wed, 03 Sep 2014, Rob Crittenden wrote:
>>>>> ipa-advise would then need to refer to some common system account +
>>>>> its
>>>>> password it would bind with. Should we file RFE? Is this a right move?
>>>> Yes, we need to file RFE and make recommendations to always have
>>>> BINDDN/BINDPW or
>>>> GSSAPI_SIGN/GSSAPI_ENCRYPT/SASL_AUTH_ID/KRB5_CCNAME/USE_SASL
>>>> (see sudoers.ldap and ldap.conf manpages).
>>>
>>> Ok, please file the ticket then.
>> Will do.
>>
>
>Remember that most of the NIS/legacy systems that would actually use
>this are non-Linux so keep that in mind as you tighten things up.
>ipa-advise doesn't cover the cases of AIX, Solaris and HP/ux.
Yep. However:

- NIS doesn't require LDAP access from the client side, and the NIS plugin
  will work fine as it uses slapi_*_internal_*() calls, which are not
  subject to ACI evaluation.

- LDAP with any non-anonymous bind will work, including simple bind over
  SSL.

  I recently fixed a cyrus-sasl bug in the GSSAPI mech that was
  preventing GSSAPI authentication from AIX. Unfortunately, the cyrus-sasl
  developers are not responsive: no answers from upstream for a month.
  Fedora/RHEL packages are not yet updated, but I'm going to do that
  soon. This affects only the server side, so by fixing it we'll get GSSAPI
  working for old LDAP clients that support it.

-- 
/ Alexander Bokovoy
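As an added example, not part of the thread and not FreeIPA or sudo project code: a sudo-ldap client configuration fragment in sudoers.ldap(5) syntax that contrasts the anonymous-bind form, which stops returning rules once the compat tree is no longer anonymously readable, with the two authenticated forms the message recommends (BINDDN/BINDPW, or USE_SASL/SASL_AUTH_ID/KRB5_CCNAME for GSSAPI). The hostname, base DN, bind DN, account container and ccache path are constructed placeholders; the OpenLDAP-side GSSAPI_SIGN/GSSAPI_ENCRYPT options mentioned in the thread belong in ldap.conf(5) and are not shown here.

```conf
# Anonymous (weak): works only while the compat tree is world-readable.
# After the ACIs are tightened, lookups silently return no entries.
uri          ldap://ipa.example.test
sudoers_base ou=sudoers,dc=example,dc=test
ssl          start_tls
tls_cacert   /etc/ipa/ca.crt

# Option A: simple bind as a dedicated, low-privilege system account.
# Keep it under TLS (ssl start_tls above) because the password is sent
# in the bind request, and keep this file root-owned, mode 0600.
# The DN below is a constructed example, not a value from the thread.
binddn       uid=sudo-client,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw       CHANGEME-placeholder

# Option B: SASL/GSSAPI using a keytab-backed credential cache, so no
# password is stored on the client at all. Uncomment instead of A.
# The principal and ccache path are assumptions for this example.
#use_sasl     on
#sasl_auth_id host/client.example.test
#krb5_ccname  FILE:/var/run/sudo/krb5cc_host
```

A quick check after tightening the ACIs: an anonymous `ldapsearch -x -b ou=sudoers,dc=example,dc=test` should now return no entries, while the same search with `-D`/`-W` (simple bind) or `-Y GSSAPI` returns the sudo rules; if the anonymous search still returns them, the compat tree is still readable without authentication.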