On 2015-06-17 18:09, Nathaniel McCallum wrote: > * There is a new permission: Read IPA Masters KDC Proxy. Is this > necessary. Can't the config be world-readable and admin writable? There > is no extra security in hiding this attribute. This also completely > removes the need for a keytab since anonymous binding can be used. This > also, I believe, removes the need for a service.
I brought up your suggestion in today's IPA devel meeting. Simo explained that anonymous binding might not be available. Some customers disable it on their systems. I'd have to find yet another way to authenticate, e.g. using the user account. That would only work locally, though. Let's go ahead with my current approach. It's implemented and I have tested upgrade and refresh installation a couple of times, too. Christian
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code