I did not try the config-redhat-sssd-before-1-9 setup because
its description says it works with version 1.5 - 1.8, and Amazon Linux has
1.2

    config-redhat-sssd-before-1-9        : Instructions for configuring a system
                                           with an old version of SSSD (1.5-1.8)
                                           as a IPA client. This set of
                                           instructions is targeted for
                                           platforms that include the authconfig
                                           utility, which are all Red Hat based
                                           platforms.


It is good to know that it works. I'll give it a try.


Thanks,
Gustavo

On Mon, Sep 14, 2015 at 7:01 AM, Pawel Fiuto <pawel.fi...@mixrad.io> wrote:

> Hi Gustavo,
>
> Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with the
> modifications below seems to work quite well:
>
> - on ipa server add permission to read ipaSshPubKey anonymously:
>
> [ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user
> --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read
>
> [ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
> 2c2
> < services = nss, pam, ssh
> ---
> > services = nss, pam
> 12c12
> < ldap_search_base = cn=accounts,dc=example,dc=org
> ---
> > ldap_search_base = cn=compat,dc=example,dc=org
> 14d13
> < ldap_user_ssh_public_key = ipaSshPubKey
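
Review bot: the argument order on the diff command line puts the modified /etc/sssd/sssd.conf first, so the `<` lines (services = nss, pam, ssh; the cn=accounts search base; ldap_user_ssh_public_key = ipaSshPubKey) are the settings to apply and the `>` lines are the original values. Running it as diff /etc/sssd/sssd.conf.orig /etc/sssd/sssd.conf, ideally with -u, would make the direction of the change unambiguous for anyone copying it.
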
>
>
>
> ------------------------------
> *From:* freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com>
> on behalf of Gustavo Mateus <gustavo.mat...@gmail.com>
> *Sent:* 11 September 2015 00:30
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] AuthorizedKeysCommand for clients using
> nss-pam-ldapd
>
> Hi,
>
> I'm trying to set up my Amazon Linux instances to be able to fetch the IPA
> users' public ssh key.
>
> Do I have to set up a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?
>
> Thanks,
> Gustavo
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project