On 03/22/2013 11:01 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 03/22/2013 10:20 AM, Jan-Frode Myklebust wrote:
>>> On Fri, Mar 22, 2013 at 09:59:14AM -0400, Dmitri Pal wrote:
>>>
>>>> Because anonymous binds are rightly turned off by default,
>>> They are? I don't think I've ever explicitly turned on anonymous binds,
>>> and my directories are open to anonymous searches. The confusing thing is
>>> that not all attributes are available when doing anonymous binds. Is
>>> there any way to configure how open we want the directory to be?
>>
>> I thought you are using IPA or DS and in the latest versions we turned
>> that off.
>
> We don't disable anonymous binds by default.

On the new installs? I thought we do.

>
> We do suppress memberOf for anonymous searches.

Interesting. Good to know.

>
>>>
>>>> The best would have been for apache to support GSSAPI for that matter
>>>> but based on the link you sent this is not the case.
>>>> IMO you should file an RFE for them to support GSSAPI bind and not only
>>>> bind with the password.
>>> Newer apache supports nested groups, and all the needed attributes for
>>> that seem to be available through anonymous binds.. so no GSSAPI is
>>> needed (for us) there.
>>>
>>> IMHO it seems inconsistent that memberOf attribute is hidden for anonymous
>>> searches on the user, but "member" attribute on groups is not. Same
>>> information, different places in the tree.
>>
>> Sounds like it does not understand 2307bis schema and assumes only 2307
>> which is very limiting in group membership aspect.
>>
>>>
>>>
>>> -jf
>>
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
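To check what the memberOf/member observation in this thread means for a directory you administer, save the output of an anonymous search as LDIF and rebuild user-to-group membership from the groups' `member` values. The following is an added example, not part of the original thread or of FreeIPA; the sample LDIF, the DNs and the function names `parse_ldif` and `audit` are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample of anonymous search output (not real data): user entries
# carry no memberOf, but group entries still list "member".
BASE = "cn=accounts,dc=example,dc=test"
ALICE, BOB = f"uid=alice,cn=users,{BASE}", f"uid=bob,cn=users,{BASE}"
ANON_LDIF = f"""\
dn: {ALICE}
uid: alice

dn: {BOB}
uid: bob

dn: cn=admins,cn=groups,{BASE}
member: uid=alice,cn=users,
 {BASE}

dn: cn=webusers,cn=groups,{BASE}
member: {ALICE}
member:: {base64.b64encode(BOB.encode()).decode()}
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold lines
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry[attr.lower()].append(value)
        if entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return (memberOf visible?, {user_dn: [group_dns]} rebuilt from member)."""
    memberof_visible = any("memberof" in e for e in entries)
    derived = defaultdict(set)
    for e in entries:
        for user_dn in e.get("member", []):
            derived[user_dn.lower()].add(e["dn"][0])
    return memberof_visible, {u: sorted(g) for u, g in derived.items()}

if __name__ == "__main__":
    print(audit(parse_ldif(ANON_LDIF)))
```

A result of `False` with a non-empty mapping means group membership is readable anonymously even though `memberOf` is suppressed.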