On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
Hello list,

the thread "named's LDAP connection hangs" on freeipa-users list [1] opened
question "Why do we use Kerberos for named<->DS connection? Named connects
over LDAPI to local DS instance anyway."

Maybe we can get rid of Kerberos for this particular connection and use
autobind instead. It would make it more reliable and effective.

As a side effect, named will be able to start even if KDC is down for some
reason. It partially solves chicken-egg problem during IPA start-up.

I wasn't around when bind-dyndb-ldap was designed so I don't know the
historical reasons.

[1] https://www.redhat.com/archives/freeipa-users/2014-June/msg00065.html

I would be in favor if we can make bind run as an unprivileged user
instead of root, can we do that?
It already runs as 'named' user, see my other mail with actual
experiment results.

/ Alexander Bokovoy

Freeipa-devel mailing list