On 05/16/2013 07:32 PM, Natxo Asenjo wrote:
> On Thu, May 16, 2013 at 6:48 PM, William Muriithi <william.murii...@gmail.com
> <mailto:william.murii...@gmail.com>> wrote:
>     Afternoon,
>     Got a question, I know FreeIPA does not allow anonymous binding so if one
>     need to create an account to query for such information. I did this during
>     the sudo setup.
> unless you have changed it yourself (or stuff has changed in the standard
> installation since v2.2 when I installed my ipa servers) anonymous binding is
> allowed. But you cannot query group membership of the users IIRC anonymously.

Correct. To disable anonymous binds, you can check:

>     I am trying to get git to use FreeIPA today and I trying to figure where
>     the bind user should be created under. This got to be a system account, so
>     I am not sure it should go under the normal user dn below. And even if I
>     created it as normal user, I am not sure it would have permission to
>     transverse the tree looking for the group user details
>     dn: uid=william,cn=users,cn= compat,dc=example,dc=com
> system accounts like sudo are in cn=sysaccounts,cn=etc,dc=domain,dc=tld ; but
> you can create them wherever you like I think. If you create a normal ipa
> account with the ipa tools, you can always modify the krbPasswordExpiration
> attribute manually and have it expire in the year 3000 so it does not get
> disabled until then ;-)

I am currently not familiar with how the git+LDAP works, but you could also add
service for it like "git/your.host.with.git@YOUR.REALM", get a keytab for it
and then let git use it to authenticate to FreeIPA.


Freeipa-users mailing list

Reply via email to