On Wed, 03 Sep 2014, Rob Crittenden wrote:
ipa-advise would then need to refer to some common system account and
its password it would bind with. Should we file an RFE? Is this the
right move?
Yes, we need to file RFE and make recommendations to always have
BINDDN/BINDPW or
GSSAPI_SIGN/GSSAPI_ENCRYPT/SASL_AUTH_ID/KRB5_CCNAME/USE_SASL
(see sudoers.ldap and ldap.conf manpages).
Ok, please file the ticket then.
Will do.
Remember that most of the NIS/legacy systems that would actually use
this are non-Linux so keep that in mind as you tighten things up.
ipa-advise doesn't cover the cases of AIX, Solaris and HP-UX.
Yep. However:
- NIS doesn't require LDAP access from client side and nis plugin will
work fine as it uses slapi_*_internal_*() calls which are not subject
to ACI evaluation.
- LDAP with any non-anonymous bind will work, including simple bind over
SSL.
I've recently fixed a cyrus-sasl bug in the GSSAPI mech that was
preventing GSSAPI authentication from AIX. Unfortunately, the cyrus-sasl
developers are not responsive; no answers from upstream for a month.
Fedora/RHEL packages are not yet updated but I'm going to do that
soon. This affects only the server side, so by fixing it we'll get GSSAPI
working for old LDAP clients that support it.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
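The thread's point is that once anonymous LDAP access is tightened, legacy sudo-ldap clients must authenticate: either with a simple bind as a dedicated system account over TLS, or with SASL/GSSAPI. The following sudo-ldap configuration is an added example written for this page; it is not from the thread, from ipa-advise, or from the FreeIPA project. The directive names are those documented in sudoers.ldap(5); the server name, base DN, the system account DN and its password, the CA file path and the Kerberos principal are assumed placeholders.

```ini
# /etc/sudo-ldap.conf (added example; paths and DNs are placeholders)

uri           ldap://ipa.example.test
sudoers_base  ou=sudoers,dc=example,dc=test

# Weak setting: no binddn/bindpw and no SASL means sudo performs an
# anonymous bind. Once anonymous reads of sudo rules are removed on the
# server, this silently stops returning any rules.
#binddn
#bindpw

# Option 1: simple bind as a dedicated, unprivileged system account.
# Always combine a simple bind with TLS so the password is not sent
# in the clear; ssl start_tls plus a CA file and peer checking.
ssl            start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer  yes
binddn         uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw         ChangeMe-placeholder

# Option 2 (instead of binddn/bindpw): SASL/GSSAPI with a host keytab.
# Requires a credential cache that sudo can read; point krb5_ccname at
# one populated from the host keytab (e.g. by a cron job running kinit -k).
#use_sasl      yes
#sasl_mech     GSSAPI
#sasl_auth_id  host/client.example.test
#krb5_ccname   /var/run/sudo-ldap-krb5cc
```

Because this file carries a cleartext `bindpw`, it must be owned by root with mode 0600; sudo itself runs as root when it reads it, so no other user needs access. Use `sudo -l` on the client after the change: with a working bind it lists the LDAP rules, while a failed or anonymous bind against a locked-down server yields no rules at all, which is the failure mode the thread is guarding against.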