On Apr 8, 2011, at 8:56 AM, "JR Aquino" <jr.aqu...@citrix.com> wrote:

> On Apr 8, 2011, at 8:53 AM, "Rob Crittenden" <rcrit...@redhat.com> wrote:
> 
>> JR Aquino wrote:
>>> 
>>> On Apr 8, 2011, at 8:03 AM, Rob Crittenden wrote:
>>> 
>>>>> On Apr 8, 2011, at 7:24 AM, "Rob Crittenden" <rcrit...@redhat.com> wrote:
>>>>> 
>>>>>> ipa-nis-manage was failing because root has very limited capabilities 
>>>>>> when binding over ldapi because of autobind. So don't use ldapi.
>>>>>> 
>>>>>> Also force this to be run as root since we start/stop and 
>>>>>> configure/unconfigure services.
>>>>>> 
>>>>>> ticket 1157
>>>>>> 
>>>>>> rob
>>>>>> <freeipa-rcrit-767-nis.patch>
>>> 
>>>> JR Aquino wrote:
>>>>> Does this imply the use of ldap with tls now or just standard ldap?
>>>>> 
>>>>> There was a previous ticket that changed this and many other tools such 
>>>>> that they used ldapi to accommodate FreeIPA with a minssf set.
>>>> 
>>>> It uses 389, no TLS.
>>>> 
>>>> rob
>>> 
>>> Is there a way to solve both problems?
>>> 
>>> #1 Autobind limits root -> ldapi
>>> #2 IPA Tools should not fail when 389ds:dse.ldif has minssf set?
>>> 
>>> -Fixed the top posting. Sorry about that.-
>> 
>> Maybe, I also want to apply an appropriate level of effort. In reality this 
>> command is going to be run 1 or 2 times in the lifetime of an IPA server.
>> 
>> rob
> 
> Fair enough. The minssf gate should apply to the pieces that have a higher 
> usage frequency.
> 
Does the limitation of autobind with root mean that all of the tools that use 
ldapi need to be revisited and turned back to 389?

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel