On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
> Hello list,
> the thread "named's LDAP connection hangs" on freeipa-users list [1] opened 
> the question "Why do we use Kerberos for named<->DS connection? Named connects 
> over LDAPI to local DS instance anyway."
> Maybe we can get rid of Kerberos for this particular connection and use 
> autobind instead. It would make it more reliable and effective.
> As a side effect, named will be able to start even if the KDC is down for some 
> reason. It partially solves the chicken-egg problem during IPA start-up.
> I wasn't around when bind-dyndb-ldap was designed so I don't know 
> the historical reasons.
> [1] https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html

I would be in favor if we can make bind run as an unprivileged user
instead of root, can we do that?


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list
