Hi, the IPA provider has its own set of config options:
- ipa_domain
- ipa_server
- ipa_hostname

In the most simple case only ipa_server is needed. (If we can resolve service records we wouldn't even need this.)

Behind the scenes the IPA provider is the LDAP identity provider glued together with the Kerberos authentication/change password provider and an IPA specific access provider. The options for the LDAP and Kerberos provider are set to defaults that will work with an IPAv2 server in a secure way.

As documented in the man page it is possible to set LDAP or Kerberos specific options to override the defaults set by the IPA provider. While this makes sense e.g. for the timeout options, there are other cases, especially for the LDAP provider, where it doesn't. So it is possible to set ldap_id_use_start_tls to true, which is kind of useless and has performance penalties, because the communication is already protected by GSSAPI. Or it would be possible to disable GSSAPI by setting ldap_sasl_mech to none.

So the question arises how to handle this situation?

- Shall we keep everything as it is and only update the man page to underline that the default configuration is secure and you really only need the ipa_* options?
- Shall we stop parsing ldap_* and krb5_* options and introduce ipa_* options for timeouts and other useful options?
- Shall we start reading the config from the IPA server only?
- Shall we do something completely different?

Comments?

bye,
Sumit

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
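An added example, not part of the mailing list thread and not SSSD's own code: a small checker that reads an sssd.conf, finds the domains that use the IPA provider, and flags the two overrides the message above names as useless or harmful (ldap_id_use_start_tls = true, which duplicates the protection GSSAPI already gives, and ldap_sasl_mech = none, which disables GSSAPI). The sssd.conf text is constructed for the example; the section and option names (domain/NAME, id_provider, ipa_server, ipa_domain, ipa_hostname) are the ones from sssd.conf(5), while the set of flagged values and the wording of the findings are this example's own assumption.

```python
import configparser
from typing import Dict, List

# Constructed sample sssd.conf (not from the thread). The first domain keeps the
# IPA provider's secure defaults and only overrides a timeout; the second adds
# the two overrides the message calls out.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa.example.com, weak.example.com

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa1.ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = client1.ipa.example.com
ldap_network_timeout = 10

[domain/weak.example.com]
id_provider = ipa
ipa_server = ipa1.weak.example.com
ldap_id_use_start_tls = true
ldap_sasl_mech = none
"""

# Overrides that defeat or duplicate the protection the IPA provider sets up.
# Assumed mapping, derived from the description in the message above.
RISKY_OVERRIDES = {
    "ldap_sasl_mech": (
        lambda v: v.strip().lower() == "none",
        "disables GSSAPI, so LDAP traffic to the IPA server is no longer "
        "protected by Kerberos",
    ),
    "ldap_id_use_start_tls": (
        lambda v: v.strip().lower() in ("true", "yes", "1"),
        "redundant: the connection is already protected by GSSAPI, so this "
        "only costs performance",
    ),
}


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is ini-style; disable interpolation so '%' in values is literal,
    # and be lenient about duplicate keys like SSSD itself.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def ipa_domains(cp: configparser.ConfigParser) -> List[str]:
    """Section names of all [domain/...] sections whose id_provider is ipa."""
    return [
        s for s in cp.sections()
        if s.startswith("domain/")
        and cp.get(s, "id_provider", fallback="").strip().lower() == "ipa"
    ]


def find_risky_overrides(text: str) -> Dict[str, List[str]]:
    """Return {domain_section: [finding, ...]} for IPA domains that override
    the provider's secure LDAP defaults in a way that weakens or wastes them."""
    cp = parse_sssd_conf(text)
    findings: Dict[str, List[str]] = {}
    for section in ipa_domains(cp):
        problems = []
        for key, (is_bad, why) in RISKY_OVERRIDES.items():
            if cp.has_option(section, key) and is_bad(cp.get(section, key)):
                problems.append(f"{key} = {cp.get(section, key).strip()}: {why}")
        if problems:
            findings[section] = problems
    return findings


if __name__ == "__main__":
    for section, problems in find_risky_overrides(SAMPLE_SSSD_CONF).items():
        print(f"[{section}]")
        for problem in problems:
            print("  " + problem)
```

Run against the sample, only domain/weak.example.com is reported, with both overrides listed; the timeout override in the first domain is left alone because it is exactly the kind of LDAP option the message says is reasonable to tune. To check a real client, replace SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf.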