[Freeipa-users] ldap-filter, LDAP_MATCHING_RULE_IN_CHAIN, apache 2.2

Rob Crittenden rcritten at redhat.com
Fri Mar 22 15:01:24 UTC 2013


Dmitri Pal wrote:
> On 03/22/2013 10:20 AM, Jan-Frode Myklebust wrote:
>> On Fri, Mar 22, 2013 at 09:59:14AM -0400, Dmitri Pal wrote:
>>
>>> Because anonymous binds are rightly turned off by default,
>> They are? I don't think I've ever explicitly turned on anonymous binds,
>> and my directories are open to anonymous searches. The confusing thing is
>> that not all attributes are available when doing anonymous binds. Is
>> there any way to configure how open we want the directory to be?
>
> I thought you were using IPA or DS and in the latest versions we turned
> that off.

We don't disable anonymous binds by default.

We do suppress memberOf for anonymous searches.

>>
>>> The best would have been for apache to support GSSAPI for that matter
>>> but based on the link you sent this is not the case.
>>> IMO you should file an RFE for them to support GSSAPI bind and not only
>>> bind with the password.
>> Newer apache supports nested groups, and all the needed attributes for
>> that seem to be available through anonymous binds.. so no GSSAPI is
>> needed (for us) there.
>>
>> IMHO it seems inconsistent that the memberOf attribute is hidden for anonymous
>> searches on the user, but the "member" attribute on groups is not. Same
>> information, different places in the tree.
>
> Sounds like it does not understand 2307bis schema and assumes only 2307
> which is very limiting in group membership aspect.
>
>>
>>
>>    -jf
>
>

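The point raised in the thread (memberOf is suppressed for anonymous searches, but the group-side "member" attribute is not, so the same membership information is still readable) can be checked on a directory export. The script below is an added example, not code from the thread or from FreeIPA/389 DS: it uses constructed entries in a FreeIPA-like DN layout, simulates the memberOf suppression with a plain attribute filter rather than a real ACI, and resolves nested groups by walking "member" transitively, which is what a server-side in-chain matching rule computes. It also handles a group cycle so the walk terminates.

```python
# Added example (not from the mailing-list thread or the FreeIPA project).
# Compares what an anonymous client sees on a user entry (memberOf dropped)
# with what it can still derive from the "member" attribute on group entries.
# All DNs and entries below are constructed sample data.

USERS = "cn=users,cn=accounts,dc=example,dc=com"
GROUPS = "cn=groups,cn=accounts,dc=example,dc=com"

ALICE = f"uid=alice,{USERS}"
BOB = f"uid=bob,{USERS}"
DEV = f"cn=developers,{GROUPS}"
ENG = f"cn=engineering,{GROUPS}"
STAFF = f"cn=staff,{GROUPS}"
LOOP_A = f"cn=loop-a,{GROUPS}"
LOOP_B = f"cn=loop-b,{GROUPS}"

# Constructed directory: dn -> attributes, as an authenticated client would see it.
# memberOf on the users is the server-maintained reverse index of "member".
DIRECTORY = {
    ALICE: {"uid": ["alice"], "memberOf": [DEV, ENG, STAFF]},
    BOB: {"uid": ["bob"], "memberOf": [LOOP_A, LOOP_B]},
    DEV: {"member": [ALICE]},
    ENG: {"member": [DEV]},        # nested: developers is a member of engineering
    STAFF: {"member": [ENG]},      # nested: engineering is a member of staff
    LOOP_A: {"member": [LOOP_B]},  # cycle between loop-a and loop-b
    LOOP_B: {"member": [LOOP_A, BOB]},
}

# Attributes the (simulated) anonymous view strips from user entries.
SUPPRESSED_FOR_ANONYMOUS = ("memberOf",)


def anonymous_view(directory, dn, suppressed=SUPPRESSED_FOR_ANONYMOUS):
    """Entry as an anonymous search returns it: suppressed attributes removed."""
    return {k: v for k, v in directory[dn].items() if k not in suppressed}


def direct_groups(directory, dn):
    """Groups whose 'member' attribute lists dn (readable anonymously)."""
    return sorted(g for g, attrs in directory.items() if dn in attrs.get("member", []))


def effective_groups(directory, dn):
    """Transitive closure over 'member': all groups dn belongs to, nested ones included.

    A visited set guards against group cycles so the walk always terminates.
    """
    seen = set()
    stack = [dn]
    while stack:
        current = stack.pop()
        for group in direct_groups(directory, current):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return sorted(seen)


def exposure_report(directory, dn):
    """Is memberOf hidden from anonymous clients, and can they rebuild it anyway?"""
    anon = anonymous_view(directory, dn)
    derived = effective_groups(directory, dn)
    return {
        "memberOf_in_anonymous_view": "memberOf" in anon,
        "groups_derivable_from_member": derived,
        "matches_server_memberOf": derived == sorted(directory[dn].get("memberOf", [])),
    }


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user, exposure_report(DIRECTORY, user))
```

For a real directory the same comparison is an anonymous ldapsearch for the user entry next to an anonymous search for group entries with `member=<user dn>`, repeated for each group found; the report above shows why suppressing memberOf alone does not reduce what an anonymous client can learn about membership.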