On Wed, 19 Jan 2011 12:20:25 -0500
Simo Sorce <sso...@redhat.com> wrote:

> On Wed, 19 Jan 2011 16:18:09 +0000
> JR Aquino <jr.aqu...@citrix.com> wrote:
> 
> > On 1/18/11 4:02 PM, "Simo Sorce" <sso...@redhat.com> wrote:
> > 
> > >
> > >We need to use authenticated lda binds in init scripts as otherwise
> > >starting components fails when the option to restrict anonymous
> > >access to ldap is set.
> > >
> > >In order to do that we need to also start the KDC unconditionally,
> > >so it has been removed form the list of services retrieved from
> > >ldap and always started/stopped/restarted explicitly in the script.
> > >This is necessary so the script can obtain kerberos credentials to
> > >bind to ds using its keytab.
> > >
> > >Fixes ticket #795
> > >
> > >Simo.
> > >
> > >-- 
> > >Simo Sorce * Red Hat, Inc * New York
> > >_______________________________________________
> > >Freeipa-devel mailing list
> > >Freeipa-devel@redhat.com
> > >https://www.redhat.com/mailman/listinfo/freeipa-devel
> > 
> > 
> > ACK
> > 
> 
> Thanks but Rich pointed me to the docs I couldn't find earlier in
> order to use SASL/EXTERNL instead of actual credentials.
> 
> So I'll hold on this patch and try to propose an alternative that
> does not require SASL/GSSAPI auth. If that will be possible and
> satisfactorily I will retire this patch an propose a new one,
> otherwise I'll push this one.
> 
> Simo.
> 

Ok I am retiring this patch and sending an alternative one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to