On Thu, 19 Jun 2014, Petr Spacek wrote:
Hello list,

the thread "named's LDAP connection hangs" on freeipa-users list [1] opened question "Why do we use Kerberos for named<->DS connection? Named connects over LDAPI to local DS instance anyway."

Maybe we can get rid of Kerberos for this particular connection and use autobind instead. It would make it more reliable and effective.

As a side effect, named will be able to start even if KDC is down for some reason. It partially solves chicken-egg problem during IPA start-up.

I wasn't around when it bind-dyndb-ldap was designed so I don't know historical reasons.
My primary worry is the fact that any break in named/bind-dyndb-ldap
could be then exploited to have access to all key material. In the case of
GSSAPI you are confined to whatever ACIs allow for dns/ principal.

Samba case goes further -- I specifically added GSSAPI bind to Samba
code LDAP code to allow splitting DCs and file servers while being able
to use the same ipasam module securely, in addition to the usual
ACI limitations.

For named what we could do is to have named+ldapi:// access mapped to
specific DN uidNumber=<named>+gidNumbe=<named>,cn=peercred,cn=external,cn=auth
achieving essentially the same thing, if we would use
  dn: cn=config
  nsslapd-ldapimaptoentries: on
  nsslapd-ldapiuidnumbertype: uidNumber
  nsslapd-ldapigidnumbertype: gidNumber
  nsslapd-ldapientrysearchbase: cn=accounts,$SUFFIX


  dn: krbprincipalname=dns/$master@$REALM,cn=services,cn=accounts,$SUFFIX
  uidNumber: <uid for named>
  gidNumber: <gid for named>

and then define ACIs equal to what we have for DNS service now.

There is an issue of uid/gid being different on different platforms,
though but it is doable.
/ Alexander Bokovoy

Freeipa-devel mailing list

Reply via email to