[Freeipa-users] ldap-filter, LDAP_MATCHING_RULE_IN_CHAIN, apache 2.2

Dmitri Pal dpal at redhat.com
Fri Mar 22 13:59:14 UTC 2013


On 03/22/2013 09:12 AM, Jan-Frode Myklebust wrote:
> This works:
>
> 	Require ldap-attribute memberof="cn=cactiaccess,cn=groups,cn=accounts,dc=example,dc=net"
>
> but only if I also provide a username/password for apache
> to bind as. Doesn't work with unauthenticated binds.
>
>
>   -jf
Because anonymous binds are rightly turned off by default. You can turn
them on on the server, but this is a security risk, as is storing
passwords in the file. You need to assess which is the lesser of two evils
for your environment.
The best would have been for Apache to support GSSAPI for that matter,
but based on the link you sent this is not the case.
IMO you should file an RFE for them to support GSSAPI bind and not only
bind with the password.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
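
The authenticated-bind setup discussed in this thread, as an added example that is not part of the original messages: an Apache 2.2 mod_authnz_ldap fragment that binds as a dedicated account over LDAPS instead of enabling anonymous binds. The host name, location, bind DN, CA path and password placeholder are assumptions; the group DN is the one quoted above.

```apache
# Added example; host, location, bind DN, CA path and password are
# placeholders (assumptions), not values from the thread.
# Keep this in its own include file owned by root with mode 0600, because
# AuthLDAPBindPassword is stored in clear text.

# Server-config scope: verify the directory server's certificate so the
# bind password and the users' passwords are only sent to the real server.
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt
LDAPVerifyServerCert On

<Location /cacti>
    AuthType Basic
    AuthName "Cacti"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on

    # Search for the user by uid over LDAPS.
    AuthLDAPURL "ldaps://ipa.example.net/cn=users,cn=accounts,dc=example,dc=net?uid"

    # Dedicated bind account used only for this lookup. It needs read
    # access to the user entries and their memberof attribute, nothing more.
    AuthLDAPBindDN "uid=apache-bind,cn=sysaccounts,cn=etc,dc=example,dc=net"
    AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

    # Group check from the thread: only members of cactiaccess are allowed.
    Require ldap-attribute memberof="cn=cactiaccess,cn=groups,cn=accounts,dc=example,dc=net"
</Location>
```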

