On Thu, 19 Jun 2014, Petr Spacek wrote:
the thread "named's LDAP connection hangs" on freeipa-users list 
opened question "Why do we use Kerberos for named<->DS connection?
Named connects over LDAPI to local DS instance anyway."
Maybe we can get rid of Kerberos for this particular connection and
use autobind instead. It would make it more reliable and effective.
As a side effect, named will be able to start even if KDC is down for
some reason. It partially solves chicken-egg problem during IPA
I wasn't around when it bind-dyndb-ldap was designed so I don't know
My primary worry is the fact that any break in named/bind-dyndb-ldap
could be then exploited to have access to all key material. In the case of
GSSAPI you are confined to whatever ACIs allow for dns/ principal.
Samba case goes further -- I specifically added GSSAPI bind to Samba
code LDAP code to allow splitting DCs and file servers while being able
to use the same ipasam module securely, in addition to the usual
For named what we could do is to have named+ldapi:// access mapped to
specific DN uidNumber=<named>+gidNumbe=<named>,cn=peercred,cn=external,cn=auth
achieving essentially the same thing, if we would use
uidNumber: <uid for named>
gidNumber: <gid for named>
and then define ACIs equal to what we have for DNS service now.
There is an issue of uid/gid being different on different platforms,
though but it is doable.
/ Alexander Bokovoy
Freeipa-devel mailing list