On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
> I used to run FreeIPA 3.0 on CentOS 6 but recently upgraded this setup to
> FreeIPA 4.2 on CentOS 7.2. And I got 2 of my applications failing, because
> they were accessing LDAP fields krb* (one by itself, another through
> mod_lookup_identity). For the one which makes LDAP requests on its own I
> created an account, and LDAP happily gives access to krb* fields once
> that app makes a simple bind.

FreeIPA 4.x has enhanced ACIs, but it mostly means there are fewer
attributes accessible to non-authenticated (anonymous) connections. Once
you are authenticated, most of the attributes which were accessed by
anonymous connections before are now available.

> But with the one which relies on mod_lookup_identity I'm having trouble.
> Even though SSSD is being authenticated through GSSAPI, LDAP does not give
> access to krb* fields. I tried to create a separate service record for
> SSSD - no change. And I couldn't make SSSD do a simple bind instead of using
> GSSAPI. I tried to set up FreeIPA so that by default it gives access to
> krb* fields, but the web interface rejected that change.
> Could you please help me with this issue? How can I control this behavior
> properly, not with ugly hacks?
Can you show your SSSD configuration? host/ principals should be just
fine to access krb* attributes.
/ Alexander Bokovoy
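The check Alexander is asking for, as an added example that is not part of the thread and not code from FreeIPA or SSSD: a POSIX shell script that works out which principal SSSD's LDAP provider will use for its GSSAPI bind (the ldap_sasl_authid setting of the domain section, falling back to the documented default of host/<fqdn>), then reproduces that bind with kinit and ldapsearch to see whether the krb* attributes come back for a user. The sample sssd.conf, the hostnames, realm and user name are constructed for illustration; the live part needs the host keytab and the IPA server and only runs when the script is invoked with --live.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA/SSSD projects. Hostnames,
# realm, user and the sample sssd.conf below are constructed for illustration.

# Print the principal SSSD uses for SASL/GSSAPI binds in [domain/<domain>]:
# the ldap_sasl_authid value if set, otherwise the documented default of
# host/<fqdn> (realm then comes from the default realm / keytab entry).
sssd_bind_principal() {
    conf="$1" domain="$2" fqdn="$3"
    authid=$(awk -v sect="[domain/$domain]" '
        $0 == sect { in_sect = 1; next }
        /^\[/      { in_sect = 0 }
        in_sect && /^[ \t]*ldap_sasl_authid[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$conf")
    if [ -n "$authid" ]; then
        printf '%s\n' "$authid"
    else
        printf 'host/%s\n' "$fqdn"
    fi
}

# Count krb* attribute lines in an LDIF file (ldapsearch -LLL output).
# 0 while the entry itself is present means the bound identity is not
# allowed to read those attributes.
count_krb_attrs() {
    grep -c -i '^krb[A-Za-z]*:' "$1" || true
}

# Write a constructed sssd.conf to $1 so the helpers can be exercised offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.com, other.test
services = nss, pam

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM

[domain/other.test]
id_provider = ldap
ldap_uri = ldap://ipa.other.test
ldap_sasl_mech = GSSAPI
EOF
}

# Live check (needs /etc/krb5.keytab and the IPA server): get a ticket for the
# principal SSSD would use, then read a user's krb* attributes the same way.
# Returns non-zero when no krb* attribute is returned.
live_check() {
    principal="$1" server="$2" base="$3" user="$4"
    out=$(mktemp)
    kinit -k -t /etc/krb5.keytab "$principal" || return 1
    ldapsearch -LLL -Y GSSAPI -H "ldap://$server" -b "$base" "(uid=$user)" \
        krbPrincipalName krbLastPwdChange krbPasswordExpiration krbLastSuccessfulAuth \
        > "$out" 2>/dev/null
    n=$(count_krb_attrs "$out")
    echo "$principal read $n krb* attribute(s) for uid=$user"
    rm -f "$out"
    [ "$n" -gt 0 ]
}

# Usage: ./check.sh --live <domain> <client-fqdn> <ipa-server> <base-dn> <uid>
# e.g.   ./check.sh --live example.com client.example.com ipa.example.com \
#            cn=users,cn=accounts,dc=example,dc=com alice
if [ "${1:-}" = "--live" ]; then
    p=$(sssd_bind_principal /etc/sssd/sssd.conf "$2" "$3")
    live_check "$p" "$4" "$5" "$6"
fi
```

If the script reports zero krb* attributes for the host principal, the problem is on the directory side (the ACIs granting that principal read access), not in SSSD; if it reports them but mod_lookup_identity still does not see them, compare the principal printed here with the one in the SSSD logs, since a mismatching ldap_sasl_authid makes SSSD bind as something other than the host you expect.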