On 03/22/2013 10:20 AM, Jan-Frode Myklebust wrote: > On Fri, Mar 22, 2013 at 09:59:14AM -0400, Dmitri Pal wrote: > >> Because anonymous binds are rightly turned off by default, > They are? I don't think I've ever explicitly turned on anonymous binds, > and my directories are open to anonymous searches. The confusing thing is > that not all attributes are available when doing anonymous binds. Are > there any way to configure how open we want the directory to be?
I thought you are using IPA or DS and in the latest versions we turned that off. > >> The best would have been for apache to support GSSAPI for that matter >> but based on the link you sent this is not the case. >> IMO you should file and RFE for them to support GSSAPI bind and not only >> bind with the password. > Newer apache supports nested groups, and all the needed attributes for > that seems to be available trough anonymous binds.. so no GSSAPI is > needed (for us) there. > > IMHO it's seems inconsistent that memberOf attribute is hidden for anonymous > searches on the user, but "member" attribute on groups is not. Same > information, different places in the tree. Sounds like it does not understand 2307bis schema and assumes only 2307 which is very limiting in group membership aspect. > > > -jf -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users