Dmitri Pal wrote:
On 03/22/2013 10:20 AM, Jan-Frode Myklebust wrote:
On Fri, Mar 22, 2013 at 09:59:14AM -0400, Dmitri Pal wrote:

Because anonymous binds are rightly turned off by default,

They are? I don't think I've ever explicitly turned on anonymous binds,
and my directories are open to anonymous searches. The confusing thing is
that not all attributes are available when doing anonymous binds. Is
there any way to configure how open we want the directory to be?

I thought you were using IPA or DS and in the latest versions we turned
that off.

We don't disable anonymous binds by default.

We do suppress memberOf for anonymous searches.

The best would have been for apache to support GSSAPI for that matter
but based on the link you sent this is not the case.
IMO you should file an RFE for them to support GSSAPI bind and not only
bind with the password.

Newer apache supports nested groups, and all the needed attributes for
that seem to be available through anonymous binds, so no GSSAPI is
needed (for us) there.

IMHO it seems inconsistent that the memberOf attribute is hidden for anonymous
searches on the user, but the "member" attribute on groups is not. Same
information, different places in the tree.

Sounds like it does not understand 2307bis schema and assumes only 2307
which is very limiting in group membership aspect.


Freeipa-users mailing list
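
The point raised in the thread (memberOf suppressed for anonymous searches while the group "member" attribute stays readable), as an added example that is not part of the original messages: a check that rebuilds each user's memberships, nested groups included, from group entries alone. All DNs and entries are constructed sample data, and the function names are hypothetical.

```python
# Added example: every DN and entry below is constructed sample data.
from collections import defaultdict

# Group entries as an anonymous search would return them (2307bis style:
# "member" holds full DNs, and a member may itself be a group).
GROUPS = {
    "cn=admins,cn=groups,dc=example,dc=test": [
        "uid=alice,cn=users,dc=example,dc=test",
    ],
    "cn=staff,cn=groups,dc=example,dc=test": [
        "CN=admins, cn=groups,dc=example,dc=test",   # nested group
        "uid=bob,cn=users,dc=example,dc=test",
    ],
    "cn=loop,cn=groups,dc=example,dc=test": [
        "cn=loop,cn=groups,dc=example,dc=test",      # self-reference (cycle)
        "uid=bob,cn=users,dc=example,dc=test",
    ],
}

def normalize(dn):
    """Lower-case and trim RDNs (simplified: ignores escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def derive_member_of(groups):
    """Return {member DN: set of group DNs}, following nested groups."""
    direct = defaultdict(set)        # member -> groups that list it directly
    for group, members in groups.items():
        for m in members:
            direct[normalize(m)].add(normalize(group))

    def closure(dn):
        seen, stack = set(), [dn]
        while stack:
            for g in direct.get(stack.pop(), ()):
                if g not in seen:    # guards against membership cycles
                    seen.add(g)
                    stack.append(g)
        return seen

    return {dn: closure(dn) for dn in list(direct)}

def exposed_users(groups):
    """Memberships recoverable for non-group entries without reading memberOf."""
    group_dns = {normalize(g) for g in groups}
    return {dn: gs for dn, gs in derive_member_of(groups).items()
            if dn not in group_dns}

if __name__ == "__main__":
    for dn, gs in sorted(exposed_users(GROUPS).items()):
        print(dn, "->", sorted(gs))
```

A non-empty result means that hiding memberOf alone has not hidden membership from that bind; the "member" attribute on groups would need the same access restriction.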
