Alexander Bokovoy writes:

> On Tue, 31 Oct 2017, Gordon Messmer via FreeIPA-users wrote:
>> On 10/31/2017 03:44 PM, Andrew Meyer via FreeIPA-users wrote:
>>
>>> I've been following this website:
>>> FreeIPA: Giving permissions to service accounts. — Firstyear's blog-a-log
>>> <http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html>
>>
>> None of that is particularly relevant unless you're specifically
>> supporting MSCHAPv2 authentication.

... which you shouldn't do because it's broken:
https://www.schneier.com/blog/archives/2012/08/breaking_micros.html

>> The easiest solution for authenticating MySQL using FreeIPA is
>> probably to join the MySQL server to the IPA domain and then use PAM
>> authentication:
>>
>> https://dev.mysql.com/doc/refman/5.5/en/pam-pluggable-authentication.html
>
> If you are using MariaDB instead of MySQL, it is possible to configure
> GSSAPI (Kerberos) to authenticate. You'd still need to create users in
> MariaDB database first so that it knows these are valid ones:
> https://mariadb.com/kb/en/library/authentication-plugin-gssapi/

For interest: GSSAPI encryption is forthcoming, but stalled on MariaDB
growing a proper plugin API.

Thanks,
--Robbie
