Simo Sorce wrote:
On Fri, 08 Apr 2011 13:12:22 -0400 Rob Crittenden<rcrit...@redhat.com> wrote:JR Aquino wrote:Does the limitation of autobind with root mean that all of the tools that use ldapi need to be revisited and turned back to 389?ipa-host-net-manage and ipa-compat-manage work ok for me with this patch applied.NACK autobind comes into play only when SASL_EXTERNAL auth is used, the krb5kdc binds as uid=kdc over ldapi w/o any issue. If these tools are having a problem with ldapi, it is most probably an underlying bug in our ldap wrappers, as thyese tools should bind as Directory Manager using simple auth not doing SASL_EXTERNAL auth. Simo.
The root user cannot use ldapi because of the autobind configuration. Fall back to a standard GSSAPI sasl bind if the external bind fails. With --ldapi a regular user may be trying this as well, catch that and report a reasonable error message.
This also gives priority to the DM password if it is passed in.Also require the user be root to run the ipa-nis-manage command. We enable/disable and start/stop services which need to be done as root.
Add a new option to ipa-ldap-updater to prompt for the DM password. Remove restriction to be run as root except when doing an upgrade.
Ticket 1157 rob
_______________________________________________ Freeipa-devel mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-devel