[Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

Natxo Asenjo natxo.asenjo at gmail.com
Tue Jun 19 17:48:21 UTC 2012


On Tue, Jun 19, 2012 at 6:54 PM, Simo Sorce <simo at redhat.com> wrote:


> Yes with IPA you can use service principals to initiate context w/o
> problems. That's why I suggested you use a service principal.
> AD has a limitation that you must use an actual user to initiate a
> context, that may be where the suggestion is coming from.
>
>
I was just wondering how to use a service principal coupled to a host in
the case of a webapp. We all know those, applications that require binding
to a database with a login/pass combo in a file. And was assuming that
creating a service principal and then creating a postgresql role with the
name of the principal would not work, that I could not login postgresql
with that kerberos principal.

It turns out it does work! I can create service principals and have them
connect to our postgresql servers. Awesome!

I need to test this more thoroughly, but this is looking great
security-wise.

Thanks for the tip! :-)
-- 
natxo