On 09/25/2013 11:15 AM, Sumit Bose wrote:
> On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
>> On Wed, 25 Sep 2013, Sumit Bose wrote:
>>> On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
>>>> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
>>>>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've successfully set up a testing environment with an IPA server (RHEL 6.4)
>>>>>> and a cross realm trust with my Active Directory (Win2008 R2).
>>>>>> Authentication works both with AD passwords and Kerberos GSS-API.
>>>>>>
>>>>>> Now, I'm trying to find the way to manage ssh keys which belong to AD
>>>>>> users. It seems that I can do that only with users declared in the IPA
>>>>>> domain. Can you confirm that?
>>>>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
>>>>> object to assign attributes to.
>>>>>> Does the winsync method provide a way to add an ssh key to an AD user?
>>>>> Under winsync AD users would become 'normal' LDAP objects in IPA,
>>>>> therefore you can assign additional values/attributes to them.
>>>>
>>>> Though note that with winsync, one would lose all the SSO capabilities...
>>>>
>>>> Alexander, I am just thinking about possibilities. We now have the concept of
>>>> external groups in FreeIPA which one can then use as members of normal POSIX
>>>> groups and use them in HBAC or other policies.
>>>>
>>>> Would it be possible to create "external users", i.e. user entries identified
>>>> by FQDN/SID and then be able to assign a selected set of user attributes (like
>>>> SSH public key, home directory, shell...) which could then be leveraged by
>>>> SSSD?
>>>
>>> Does anyone know if there is an ssh key management solution for AD? If
>>> yes, I think it would be better to use this and enhance SSSD to fetch
>>> them from AD. The data can then be stored in the sssd cache on the IPA
>>> servers and distributed to the IPA clients with the LDAP exop we already
>>> use to make the AD users available to the clients.
>> Yes, there are a few commercial solutions. Many of them use their own
>> schemes so supporting them would need to work on multiple different
>> schemes.
>>
>> http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended
>> practices.
>
> Thank you for the details. So it looks like this might be an interesting
> RFE.
>
> bye,
> Sumit

Agreed. I filed an RFE ticket: https://fedorahosted.org/sssd/ticket/2099

Martin
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
