Simo Sorce wrote:
On Fri, 08 Apr 2011 13:12:22 -0400
Rob Crittenden<>  wrote:

JR Aquino wrote:

Does the limitation of autobind with root mean that all of the
tools that use ldapi need to be revisited and turned back to 389?

ipa-host-net-manage and ipa-compat-manage work ok for me with this
patch applied.

autobind comes into play only when SASL_EXTERNAL auth is used,
the krb5kdc binds as uid=kdc over ldapi w/o any issue.

If these tools are having a problem with ldapi, it is most probably an
underlying bug in our ldap wrappers, as thyese tools should bind as
Directory Manager using simple auth not doing SASL_EXTERNAL auth.


The root user cannot use ldapi because of the autobind configuration. Fall back to a standard GSSAPI sasl bind if the external bind fails. With --ldapi a regular user may be trying this as well, catch that and report a reasonable error message.

This also gives priority to the DM password if it is passed in.

Also require the user be root to run the ipa-nis-manage command. We enable/disable and start/stop services which need to be done as root.

Add a new option to ipa-ldap-updater to prompt for the DM password. Remove restriction to be run as root except when doing an upgrade.

Ticket 1157


Attachment: freeipa-rcrit-767-2-nis.patch
Description: application/mbox

Freeipa-devel mailing list

Reply via email to