On Thu, 19 Jun 2014, Simo Sorce wrote:
On Thu, 2014-06-19 at 09:43 +0200, Petr Spacek wrote:
the thread "named's LDAP connection hangs" on freeipa-users list  opened
question "Why do we use Kerberos for named<->DS connection? Named connects
over LDAPI to local DS instance anyway."
Maybe we can get rid of Kerberos for this particular connection and use
autobind instead. It would make it more reliable and effective.
As a side effect, named will be able to start even if KDC is down for some
reason. It partially solves chicken-egg problem during IPA start-up.
I wasn't around when it bind-dyndb-ldap was designed so I don't know
I would be in favor if we can make bind run as an unprivileged user
instead of root, can we do that ?
It already runs as 'named' user, see my other mail with actual
/ Alexander Bokovoy
Freeipa-devel mailing list