On 05/16/2013 07:32 PM, Natxo Asenjo wrote:
> On Thu, May 16, 2013 at 6:48 PM, William Muriithi <[email protected]> wrote:
>
> > Afternoon,
> >
> > Got a question, I know FreeIPA does not allow anonymous binding so if one
> > need to create an account to query for such information. I did this during
> > the sudo setup.
>
> unless you have changed it yourself (or stuff has changed in the standard
> installation since v2.2 when I installed my ipa servers) anonymous binding is
> allowed. But you cannot query group membership of the users IIRC anonymously.

Correct. To disable anonymous binds, you can check:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/disabling-anon-binds.html

> > I am trying to get git to use FreeIPA today and I am trying to figure where
> > the bind user should be created under. This got to be a system account, so
> > I am not sure it should go under the normal user dn below. And even if I
> > created it as normal user, I am not sure it would have permission to
> > traverse the tree looking for the group user details
> >
> > dn: uid=william,cn=users,cn= compat,dc=example,dc=com
>
> system accounts like sudo are in cn=sysaccounts,cn=etc,dc=domain,dc=tld ; but
> you can create them wherever you like I think. If you create a normal ipa
> account with the ipa tools, you can always modify the krbPasswordExpiration
> attribute manually and have it expire in the year 3000 so it does not get
> disabled until then ;-)

I am currently not familiar with how the git+LDAP works, but you could also add
a service for it like "git/[email protected]", get a keytab for it and then let git
use it to authenticate to FreeIPA.

Martin
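
The system-account option discussed in this thread, as an added example that is not part of the original messages: a shell helper that builds the LDIF for a bind-only account under cn=sysaccounts,cn=etc. The uid `gitbind`, the suffix `dc=example,dc=com`, the host `ipa.example.com` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: LDIF for a bind-only system account under cn=sysaccounts,cn=etc.
# uid, suffix and host below are assumed values, not taken from the thread.

# Accept only characters that cannot break out of the RDN or add LDIF lines.
valid_uid() {
    case "$1" in
        ""|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# sysaccount_dn UID SUFFIX -> DN of the system account on stdout
sysaccount_dn() {
    valid_uid "$1" || return 1
    printf 'uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$2"
}

# sysaccount_ldif UID SUFFIX PASSWORD -> LDIF "add" record on stdout
sysaccount_ldif() {
    dn=$(sysaccount_dn "$1" "$2") || { echo "invalid uid: $1" >&2; return 1; }
    # Base64 form (attr::) so spaces, colons or '<' in the password
    # cannot corrupt the record.
    pw_b64=$(printf '%s' "$3" | base64 | tr -d '\n')
    cat <<EOF
dn: $dn
changetype: add
objectClass: account
objectClass: simpleSecurityObject
uid: $1
userPassword:: $pw_b64
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Apply as Directory Manager, then check that the account can bind and read
# the group data the application needs:
#   sysaccount_ldif gitbind dc=example,dc=com "$PW" |
#       ldapmodify -x -H ldap://ipa.example.com -D "cn=Directory Manager" -W
#   ldapsearch -x -H ldap://ipa.example.com -W \
#       -D "uid=gitbind,cn=sysaccounts,cn=etc,dc=example,dc=com" \
#       -b "dc=example,dc=com" "(uid=william)" memberOf
```

An account created this way has no POSIX or Kerberos attributes, so it can bind over LDAP but cannot log in to hosts.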
