On 05/16/2013 07:32 PM, Natxo Asenjo wrote:
> On Thu, May 16, 2013 at 6:48 PM, William Muriithi <william.murii...@gmail.com
> <mailto:william.murii...@gmail.com>> wrote:
> 
>     Afternoon,
> 
>     Got a question, I know FreeIPA does not allow anonymous binding so if one
>     need to create an account to query for such information. I did this during
>     the sudo setup.
> 
> unless you have changed it yourself (or stuff has changed in the standard
> installation since v2.2 when I installed my ipa servers) anonymous binding is
> allowed. But you cannot query group membership of the users IIRC anonymously.

Correct. To disable anonymous binds, you can check:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/disabling-anon-binds.html

> 
>     I am trying to get git to use FreeIPA today and I trying to figure where
>     the bind user should be created under. This got to be a system account, so
>     I am not sure it should go under the normal user dn below. And even if I
>     created it as normal user, I am not sure it would have permission to
>     transverse the tree looking for the group user details
> 
>     dn: uid=william,cn=users,cn= compat,dc=example,dc=com
> 
> system accounts like sudo are in cn=sysaccounts,cn=etc,dc=domain,dc=tld ; but
> you can create them wherever you like I think. If you create a normal ipa
> account with the ipa tools, you can always modify the krbPasswordExpiration
> attribute manually and have it expire in the year 3000 so it does not get
> disabled until then ;-)

I am currently not familiar with how the git+LDAP works, but you could also add
service for it like "git/your.host.with.git@YOUR.REALM", get a keytab for it
and then let git use it to authenticate to FreeIPA.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to