On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
> Hello list,
> 
> the thread "named's LDAP connection hangs" on freeipa-users list [1] opened 
> question "Why do we use Kerberos for named<->DS connection? Named connects 
> over LDAPI to local DS instance anyway."
> 
> Maybe we can get rid of Kerberos for this particular connection and use 
> autobind instead. It would make it more reliable and effective.
> 
> As a side effect, named will be able to start even if KDC is down for some 
> reason. It partially solves chicken-egg problem during IPA start-up.
> 
> I wasn't around when bind-dyndb-ldap was designed so I don't know 
> the historical reasons.
> 
> [1] https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html

I would be in favor if we can make bind run as an unprivileged user
instead of root. Can we do that?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
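As an added illustration of what the thread is discussing (this is not code from the thread, from bind-dyndb-ldap or from FreeIPA), the shell snippet below shows the 389 DS cn=config changes that turn on LDAPI autobind with uid/gid-to-entry mapping, and the ldapwhoami check that tells you which DN a given OS user actually ends up bound as. The instance name, socket path, search base and the existence of a named service entry carrying uidNumber/gidNumber are constructed assumptions; the attribute names are the ones 389 DS uses for LDAPI configuration as I know them, so verify them against the documentation for your version. The comment on nsslapd-ldapimaprootdn is the reason Simo's question matters: with autobind, a client connecting as uid 0 is mapped to the root DN, so named must not run as root for this to be a least-privilege setup.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Assumed (hypothetical) values: instance EXAMPLE-TEST with its LDAPI socket at
# /var/run/slapd-EXAMPLE-TEST.socket, and a service entry for the named OS user
# under cn=sysaccounts,cn=etc,dc=example,dc=test that carries uidNumber and
# gidNumber equal to the uid/gid named runs as.

# Build an ldapi:// URL from a socket path. Every "/" in the path has to be
# percent-encoded as %2F inside the URL, which is the part people most often
# get wrong when testing LDAPI by hand.
ldapi_url() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's|/|%2F|g')"
}

# Emit the cn=config modifications that enable LDAPI and autobind, mapping the
# connecting process's uid/gid to a directory entry under the search base.
#   $1 = socket path, $2 = search base for the uidNumber/gidNumber lookup
# nsslapd-ldapimaprootdn is left untouched on purpose: it names the DN that a
# uid 0 client is autobound as (Directory Manager by default). That is exactly
# why a root-running named would get far more than it needs.
autobind_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ldapilisten
nsslapd-ldapilisten: on
-
replace: nsslapd-ldapifilepath
nsslapd-ldapifilepath: $1
-
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
replace: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
replace: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
replace: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber
-
replace: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: $2
EOF
}

# Print the command that reveals the autobound identity. SASL EXTERNAL over the
# LDAPI socket is what triggers autobind on 389 DS; run it as the service user
# (e.g. "runuser -u named -- <command>") and confirm the answer is the named
# service entry, not cn=Directory Manager.
whoami_cmd() {
    printf 'ldapwhoami -H %s -Y EXTERNAL\n' "$(ldapi_url "$1")"
}

# Usage with the constructed values above:
#   autobind_ldif /var/run/slapd-EXAMPLE-TEST.socket \
#       "cn=sysaccounts,cn=etc,dc=example,dc=test" | ldapmodify -H "$(ldapi_url /var/run/slapd-EXAMPLE-TEST.socket)" -Y EXTERNAL
#   whoami_cmd /var/run/slapd-EXAMPLE-TEST.socket
```

The LDIF is applied once as an administrator; the ldapwhoami line is the check worth keeping in a post-install script, because it fails loudly if the named process still autobinds as root's DN.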

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel