Hi,
the IPA provider has its own set of config options:
- ipa_domain
- ipa_server
- ipa_hostname
In the simplest case only ipa_server is needed. (If we can resolve
service records we wouldn't even need this.)
Behind the scenes the IPA provider is the LDAP identity provider glued
together with the Kerberos authentication/change password provider and
an IPA specific access provider.
The options for the LDAP and Kerberos provider are set to defaults that
will work with an IPAv2 server in a secure way.
As documented in the man page it is possible to set LDAP or Kerberos
specific options to override the defaults set by the IPA provider. While
this makes sense e.g. for the timeout options, there are other cases,
especially for the LDAP provider, where it doesn't. So it is possible to
set ldap_id_use_start_tls to true, which is kind of useless and has
performance penalties, because the communication is already protected by
GSSAPI. Or it would be possible to disable GSSAPI by setting
ldap_sasl_mech to none.
So the question arises how to handle this situation?
- Shall we keep everything as it is and only update the man page to
underline that the default configuration is secure and you really only
need the ipa_* options?
- Shall we stop parsing ldap_* and krb5_* options and introduce ipa_*
options for timeouts and other useful options?
- Shall we start reading the config from the IPA server only?
- Shall we do something completely different?
Comments?
bye,
Sumit
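As an added illustration of the problem described in the mail (not code from the post or from the SSSD project), the check below parses a constructed sssd.conf and reports, for each domain using id_provider = ipa, the ldap_*/krb5_* overrides that either weaken the GSSAPI-protected channel (ldap_sasl_mech), duplicate it (ldap_id_use_start_tls), or simply deserve a second look. The sample configuration, the severity labels and the function name are assumptions of this example.

```python
import configparser
from typing import Dict, List

# Constructed sample sssd.conf for this example (not from the original post):
# an IPA domain where ldap_* overrides undo or duplicate the IPA defaults.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.ipa.example.test
ldap_id_use_start_tls = true
ldap_sasl_mech = none
ldap_search_timeout = 20
"""


def check_ipa_overrides(conf_text: str) -> Dict[str, List[str]]:
    """Return, per IPA domain section, the ldap_*/krb5_* overrides worth a look."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings: Dict[str, List[str]] = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        if sec.get("id_provider", "").strip().lower() != "ipa":
            continue  # only the IPA provider sets GSSAPI-protected LDAP defaults
        issues: List[str] = []
        if "ipa_server" not in sec:
            issues.append("INFO: ipa_server not set; relies on service-record discovery")
        mech = sec.get("ldap_sasl_mech", "gssapi").strip().lower()
        if mech != "gssapi":
            issues.append(f"WEAKENED: ldap_sasl_mech = {mech} turns off the GSSAPI-protected LDAP channel")
        if sec.get("ldap_id_use_start_tls", "false").strip().lower() == "true":
            issues.append("REDUNDANT: ldap_id_use_start_tls = true adds TLS on a channel GSSAPI already protects")
        for key in sec:  # any other ldap_*/krb5_* key overrides an IPA provider default
            if key.startswith(("ldap_", "krb5_")) and key not in ("ldap_sasl_mech", "ldap_id_use_start_tls"):
                issues.append(f"REVIEW: {key} = {sec[key]} overrides an IPA provider default")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for domain, issues in check_ipa_overrides(SAMPLE_SSSD_CONF).items():
        print(domain)
        for line in issues:
            print("  " + line)
```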