On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
> Hello list,
> the thread "named's LDAP connection hangs" on freeipa-users list opened
> question "Why do we use Kerberos for named<->DS connection? Named connects
> over LDAPI to local DS instance anyway."
> Maybe we can get rid of Kerberos for this particular connection and use
> autobind instead. It would make it more reliable and effective.
> As a side effect, named will be able to start even if KDC is down for some
> reason. It partially solves chicken-egg problem during IPA start-up.
> I wasn't around when bind-dyndb-ldap was designed so I don't know
> the historical reasons.
> https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html
I would be in favor if we can make bind run as an unprivileged user
instead of root, can we do that?
Simo Sorce * Red Hat, Inc * New York