On Thu, 11 Oct 2018, Perry Smith wrote:


On Oct 11, 2018, at 12:51 AM, Alexander Bokovoy via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

On Wed, 10 Oct 2018, Perry Smith via FreeIPA-users wrote:
Two questions for this group:

1) Is there a way to get it to not look for the SRV record in the first place?

2) On a completely different topic, how do I install the “memberof” plug-in?
At least, I think that’s what I need / want.  I need to do LDAP filter for
members of a group and currently my LDAP records do not have memberof but
instead have memberUid (and that is only in compat and not in accounts)

I hope it's ok to mix two questions into one email.
It would be if you'd provide more details to allow helping you. How are
you inferring that there is no 'memberof' plugin enabled? FreeIPA does
not allow retrieving membership information for non-authenticated
connections from the primary subtree (cn=accounts,$SUFFIX). If you are
checking without authentication, that's your problem.

The DNS issue was hard to solve but I finally managed to get the bind9 and
freeipa code from ppa:freeipa/staging so the DNS is working and the ipa
command line commands no longer pause 30 seconds.

The LDAP question was solved as Alexander suggested — by authenticating first.
I’m curious what the reason is for this?  From the compat entries, one can
deduce the members of the groups.
Compat subtree is for legacy clients that do not understand anything but
RFC2307. One can close down access to the compat tree too but since
entries there are dynamic (they are generated based on a request), it
wasn't a big issue.

Primary tree follows an approach taken by many other LDAP deployments.
For example, Active Directory's default behavior is to limit group
membership information to authenticated users as well.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
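
The following is an added example, not part of the original thread or of FreeIPA's code. It illustrates the point raised above that group membership can be deduced from the RFC 2307 `memberUid` values in the compat subtree, which is what to weigh when deciding whether to close down anonymous access to that tree as well. The LDIF sample, suffix, group names and user names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample: posixGroup entries as a search of the compat
# subtree would return them. The suffix and all names are made up.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixGroup
cn: admins
gidNumber: 10000
memberUid: alice

dn: cn=developers,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixGroup
cn: developers
gidNumber: 10001
memberUid: alice
memberUid:: Ym9i
memberUid: a-very-long-user-na
 me
"""

def parse_ldif(text):
    """Parse a subset of LDIF (RFC 2849) into a list of {attr: [values]}."""
    # Folded lines continue on the next line after a single leading space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry[attr.lower()].append(value)
        if "dn" in entry:  # skips "version: 1" and empty blocks
            entries.append(dict(entry))
    return entries

def memberof_from_compat(entries):
    """Invert group -> memberUid into user -> sorted list of group names."""
    groups_by_user = defaultdict(set)
    for e in entries:
        if "posixgroup" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        for uid in e.get("memberuid", []):
            groups_by_user[uid].add(e["cn"][0])
    return {user: sorted(groups) for user, groups in groups_by_user.items()}
```
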