On Wed, 19 Jan 2011 16:18:09 +0000
JR Aquino <jr.aqu...@citrix.com> wrote:

> On 1/18/11 4:02 PM, "Simo Sorce" <sso...@redhat.com> wrote:
> 
> >
> >We need to use authenticated lda binds in init scripts as otherwise
> >starting components fails when the option to restrict anonymous
> >access to ldap is set.
> >
> >In order to do that we need to also start the KDC unconditionally, so
> >it has been removed form the list of services retrieved from ldap and
> >always started/stopped/restarted explicitly in the script.
> >This is necessary so the script can obtain kerberos credentials to
> >bind to ds using its keytab.
> >
> >Fixes ticket #795
> >
> >Simo.
> >
> >-- 
> >Simo Sorce * Red Hat, Inc * New York
> >_______________________________________________
> >Freeipa-devel mailing list
> >Freeipa-devel@redhat.com
> >https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
> 
> ACK
> 

Thanks but Rich pointed me to the docs I couldn't find earlier in order
to use SASL/EXTERNL instead of actual credentials.

So I'll hold on this patch and try to propose an alternative that
does not require SASL/GSSAPI auth. If that will be possible and
satisfactorily I will retire this patch an propose a new one, otherwise
I'll push this one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to