On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
> On Wed, 25 Sep 2013, Sumit Bose wrote:
> >On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
> >>On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
> >>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
> >>>> Hi,
> >>>>
> >>>> I've successfully set up a testing environment with an IPA server (RHEL 6.4)
> >>>> and a cross-realm trust with my Active Directory (Win2008 R2).
> >>>> Authentication works both with AD passwords and Kerberos GSS-API.
> >>>>
> >>>> Now, I'm trying to find the way to manage SSH keys which belong to AD
> >>>> users. It seems that I can do that only with users declared in the IPA
> >>>> domain. Can you confirm that?
> >>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
> >>> object to assign attributes to.
> >>>> Does the winsync method provide a way to add an SSH key to an AD user?
> >>> Under winsync, AD users would become 'normal' LDAP objects in IPA,
> >>> therefore you can assign additional values/attributes to them.
> >>
> >>Though note that with winsync, one would lose all the SSO capabilities...
> >>
> >>Alexander, I am just thinking about possibilities. We now have the concept of
> >>external groups in FreeIPA which one can then use as members of normal POSIX
> >>groups and use them in HBAC or other policies.
> >>
> >>Would it be possible to create "external users", i.e. user entries identified
> >>by FQDN/SID, and then be able to assign a selected set of user attributes (like
> >>SSH public key, home directory, shell...) which could then be leveraged by
> >>SSSD?
> >
> >Does anyone know if there is an SSH key management solution for AD? If
> >yes, I think it would be better to use this and enhance SSSD to fetch
> >them from AD. The data can then be stored in the sssd cache on the IPA
> >servers and distributed to the IPA clients with the LDAP exop we already
> >use to make the AD users available to the clients.
> Yes, there are a few commercial solutions. Many of them use their own
> schemes, so supporting them would need to work on multiple different
> schemes.
>
> http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended
> practices.

Thank you for the details. So it looks like this might be an interesting RFE.

bye,
Sumit

> --
> / Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users