Simo Sorce wrote:
On Fri, 08 Apr 2011 13:12:22 -0400
Rob Crittenden <rcrit...@redhat.com> wrote:

JR Aquino wrote:

Does the limitation of autobind with root mean that all of the
tools that use ldapi need to be revisited and turned back to 389?

ipa-host-net-manage and ipa-compat-manage work ok for me with this
patch applied.

NACK
autobind comes into play only when SASL_EXTERNAL auth is used,
the krb5kdc binds as uid=kdc over ldapi w/o any issue.

If these tools are having a problem with ldapi, it is most probably an
underlying bug in our ldap wrappers, as these tools should bind as
Directory Manager using simple auth not doing SASL_EXTERNAL auth.

Simo.


The root user cannot use ldapi because of the autobind configuration. Fall back to a standard GSSAPI sasl bind if the external bind fails. With --ldapi a regular user may be trying this as well, catch that and report a reasonable error message.

This also gives priority to the DM password if it is passed in.

Also require the user be root to run the ipa-nis-manage command. We enable/disable and start/stop services which need to be done as root.

Add a new option to ipa-ldap-updater to prompt for the DM password. Remove restriction to be run as root except when doing an upgrade.

Ticket 1157

rob

Attachment: freeipa-rcrit-767-2-nis.patch
Description: application/mbox
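The bind order Rob's message describes (DM password first, then SASL EXTERNAL over ldapi with a GSSAPI fallback for root and a plain error for a non-root user) is worked through below as an added example; it is not the attached patch or FreeIPA code. The selection logic is kept separate from python-ldap so it runs on its own; the `python_ldap_binds` helper, `DM_DN`, the socket path and the exception wording are assumptions made for the illustration, and the python-ldap calls it uses (`ldap.initialize`, `ldap.sasl.external`, `ldap.sasl.gssapi`, `sasl_interactive_bind_s`, `simple_bind_s`) are the library's real API.

```python
"""Bind-order selection for an ldapi-capable admin tool (added example).

The decision logic is independent of python-ldap so it can be exercised
offline; python_ldap_binds() wires it to a real connection (assumed API).
"""
import os

DM_DN = "cn=Directory Manager"  # constructed value for the example


class BindError(Exception):
    """Raised with a user-facing message when no bind method can work."""


def bind_with_fallback(binds, dm_password=None, use_ldapi=False, euid=None):
    """Try the bind methods in the order the patch description gives and
    return the name of the one that succeeded.

    ``binds`` maps "simple" (takes the password), "external" and "gssapi"
    to callables that perform the bind and raise on failure.
      1. A DM password, when supplied, wins: simple bind as Directory Manager.
      2. Over ldapi, attempt SASL EXTERNAL first.  Root is mapped by the
         autobind configuration and cannot use it, so on failure root falls
         back to GSSAPI; a non-root user running with --ldapi is told why
         the bind failed instead of seeing an obscure LDAP error.
      3. Without ldapi, GSSAPI is the only remaining option.
    """
    if euid is None:
        euid = os.geteuid()

    if dm_password is not None:
        binds["simple"](dm_password)
        return "simple"

    if use_ldapi:
        try:
            binds["external"]()
            return "external"
        except Exception as exc:  # python-ldap raises ldap.LDAPError subclasses
            if euid != 0:
                raise BindError(
                    "SASL EXTERNAL bind over ldapi failed for uid %d: %s. "
                    "Run as root or pass the Directory Manager password."
                    % (euid, exc))
            # root: autobind blocks EXTERNAL, so fall through to GSSAPI

    try:
        binds["gssapi"]()
        return "gssapi"
    except Exception as exc:
        raise BindError("GSSAPI bind failed (no valid Kerberos ticket?): %s" % exc)


def python_ldap_binds(uri):
    """Build the three bind callables over a python-ldap connection.

    Imported lazily so the selection logic above runs without python-ldap.
    """
    import ldap
    import ldap.sasl

    conn = ldap.initialize(uri)

    def simple(password):
        conn.simple_bind_s(DM_DN, password)

    def external():
        conn.sasl_interactive_bind_s("", ldap.sasl.external())

    def gssapi():
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())

    return conn, {"simple": simple, "external": external, "gssapi": gssapi}


if __name__ == "__main__":
    # Assumed socket path; the real one depends on the 389-ds instance name.
    uri = "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket"
    conn, binds = python_ldap_binds(uri)
    try:
        print("bound via", bind_with_fallback(binds, use_ldapi=True))
    except BindError as err:
        print("error:", err)
```

The non-root branch raises before any GSSAPI attempt, which matches the message's intent of reporting a reasonable error rather than letting a regular user's `--ldapi` run fail deeper in the tool.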

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
