On 03/22/2013 11:01 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 03/22/2013 10:20 AM, Jan-Frode Myklebust wrote:
>>> On Fri, Mar 22, 2013 at 09:59:14AM -0400, Dmitri Pal wrote:
>>>> Because anonymous binds are rightly turned off by default,
>>> They are? I don't think I've ever explicitly turned on anonymous binds,
>>> and my directories are open to anonymous searches. The confusing thing is
>>> that not all attributes are available when doing anonymous binds. Is
>>> there any way to configure how open we want the directory to be?
>> I thought you are using IPA or DS and in the latest versions we turned
>> that off.
> We don't disable anonymous binds by default.

On the new installs? I thought we do.

> We do suppress memberOf for anonymous searches.

Interesting. Good to know.

>>>> The best would have been for apache to support GSSAPI for that matter
>>>> but based on the link you sent this is not the case.
>>>> IMO you should file an RFE for them to support GSSAPI bind and not only
>>>> bind with the password.
>>> Newer apache supports nested groups, and all the needed attributes for
>>> that seem to be available through anonymous binds, so no GSSAPI is
>>> needed (for us) there.
>>> IMHO it seems inconsistent that memberOf attribute is hidden for anonymous
>>> searches on the user, but "member" attribute on groups is not. Same
>>> information, different places in the tree.
>> Sounds like it does not understand 2307bis schema and assumes only 2307
>> which is very limiting in group membership aspect.
>>>    -jf

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
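
Added example (not part of the original thread, and not FreeIPA or 389 DS code): a sketch of the point raised above that group "member" values carry the same information as the suppressed memberOf attribute, which matters when reviewing what an anonymous bind discloses. The DNs and the derive_member_of helper are made up for illustration, and DN comparison is simplified to lowercase matching.

```python
# Constructed sample data: group entries and their "member" values as an
# anonymous search might return them. All DNs here are made up.
BASE = "cn=accounts,dc=example,dc=com"
ALICE = f"uid=alice,cn=users,{BASE}"
BOB = f"uid=bob,cn=users,{BASE}"
ADMINS = f"cn=admins,cn=groups,{BASE}"
OPS = f"cn=ops,cn=groups,{BASE}"
VPN = f"cn=vpn,cn=groups,{BASE}"

GROUP_MEMBERS = {
    ADMINS: [ALICE],
    OPS: [ADMINS, BOB],  # nested group: admins is a member of ops
    VPN: [OPS],
}


def norm(dn):
    # Assumption: lowercase matching is enough for this sample data;
    # real DN comparison follows the attribute matching rules.
    return dn.strip().lower()


def derive_member_of(group_members):
    """Invert group 'member' values into a memberOf map, following nesting."""
    direct = {}
    for group_dn, members in group_members.items():
        for member_dn in members:
            direct.setdefault(norm(member_dn), set()).add(norm(group_dn))

    def expand(dn, seen):
        # 'seen' doubles as the result set and as the guard against
        # membership loops (group A in group B in group A).
        for group_dn in direct.get(dn, ()):
            if group_dn not in seen:
                seen.add(group_dn)
                expand(group_dn, seen)
        return seen

    return {dn: expand(dn, set()) for dn in direct}


if __name__ == "__main__":
    for dn, groups in sorted(derive_member_of(GROUP_MEMBERS).items()):
        print(dn)
        for group_dn in sorted(groups):
            print("  memberOf:", group_dn)
```

If the rebuilt map matches what an authenticated search returns in memberOf, hiding memberOf alone has not hidden group membership from anonymous clients.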
