On 03/22/2013 10:20 AM, Jan-Frode Myklebust wrote:
> On Fri, Mar 22, 2013 at 09:59:14AM -0400, Dmitri Pal wrote:
>> Because anonymous binds are rightly turned off by default,
> They are? I don't think I've ever explicitly turned on anonymous binds,
> and my directories are open to anonymous searches. The confusing thing is
> that not all attributes are available when doing anonymous binds. Are
> there any way to configure how open we want the directory to be?

I thought you are using IPA or DS and in the latest versions we turned
that off.

>> The best would have been for apache to support GSSAPI for that matter
>> but based on the link you sent this is not the case.
>> IMO you should file and RFE for them to support GSSAPI bind and not only
>> bind with the password.
> Newer apache supports nested groups, and all the needed attributes for
> that seems to be available trough anonymous binds.. so no GSSAPI is
> needed (for us) there.
> IMHO it's seems inconsistent that memberOf attribute is hidden for anonymous
> searches on the user, but "member" attribute on groups is not. Same
> information, different places in the tree.

Sounds like it does not understand 2307bis schema and assumes only 2307
which is very limiting in group membership aspect.

>   -jf

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to