On Wed, 19 Jan 2011 16:18:09 +0000
JR Aquino <jr.aqu...@citrix.com> wrote:
> On 1/18/11 4:02 PM, "Simo Sorce" <sso...@redhat.com> wrote:
> >We need to use authenticated ldap binds in init scripts as otherwise
> >starting components fails when the option to restrict anonymous
> >access to ldap is set.
> >In order to do that we need to also start the KDC unconditionally, so
> >it has been removed from the list of services retrieved from ldap and
> >always started/stopped/restarted explicitly in the script.
> >This is necessary so the script can obtain kerberos credentials to
> >bind to ds using its keytab.
> >Fixes ticket #795
> >Simo Sorce * Red Hat, Inc * New York
> >Freeipa-devel mailing list
Thanks but Rich pointed me to the docs I couldn't find earlier in order
to use SASL/EXTERNAL instead of actual credentials.
So I'll hold on this patch and try to propose an alternative that
does not require SASL/GSSAPI auth. If that will be possible and
satisfactory I will retire this patch and propose a new one, otherwise
I'll push this one.
Simo Sorce * Red Hat, Inc * New York