On Sat, 19 Sep 2015, Jakub Hrozek wrote:


On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mat...@gmail.com> wrote:

That only shows this:

# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
# filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
# requesting: ALL
#

# admin, users, compat, my.domain.com
dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
cn: Administrator
uidNumber: 1742200000
objectClass: posixAccount
objectClass: top
gidNumber: 1742200000
gecos: Administrator
loginShell: /bin/bash
homeDirectory: /home/admin
uid: admin


Since sshPublicKey is not listed here, the ACIs still prevent you from
reading the attribute. You need to either bind as a user who has
permissions to read it or make the public key world-readable (I don't
think making it world-readable would be an issue since it's a pubkey).

Compat tree doesn't have ipaSSHPublicKey.

Why are you pointing to the compat tree instead of the normal one?
You should only use compat tree for two reasons:
- your POSIX client does not understand RFC2307bis
- your POSIX client does not use recent SSSD and you want to have trust to
  Active Directory working.

For the rest of cases you should really point your POSIX clients to the
main subtree, not the compat one.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
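The two searches the thread contrasts, written out as an added example; this is not code from the thread or from FreeIPA itself. It assumes a server named ipa.my.domain.com serving the my.domain.com realm seen in the LDIF above, that the main tree keeps users under cn=users,cn=accounts,... (the compat tree under cn=users,cn=compat,... as in the LDIF), and that the key attribute is ipaSshPubKey, the attribute name FreeIPA uses for what the thread calls ipaSSHPublicKey. The helper names (domain_to_dn, user_base, search_sshkey) are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): look up a
# user's SSH public key in the compat tree and in the main tree, anonymously
# or bound as a user who is allowed to read it. Assumed: server
# ipa.my.domain.com, domain my.domain.com, attribute name ipaSshPubKey.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.my.domain.com}"   # assumed hostname
IPA_DOMAIN="${IPA_DOMAIN:-my.domain.com}"       # domain from the LDIF in the thread

# Turn a DNS domain into an LDAP base DN: my.domain.com -> dc=my,dc=domain,dc=com
domain_to_dn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# User container for the chosen subtree: "accounts" (main tree) or "compat".
user_base() {   # user_base <accounts|compat> <domain>
    case "$1" in
        accounts) printf 'cn=users,cn=accounts,%s' "$(domain_to_dn "$2")" ;;
        compat)   printf 'cn=users,cn=compat,%s'   "$(domain_to_dn "$2")" ;;
        *) echo "unknown subtree: $1 (use accounts or compat)" >&2; return 1 ;;
    esac
}

# Ask only for ipaSshPubKey. Without a bind DN this is an anonymous search and
# shows what an unauthenticated client would get; with one, -W prompts for the
# password. -ZZ makes ldapsearch refuse to continue without StartTLS, so the
# simple bind never puts the password on the wire in clear.
search_sshkey() {   # search_sshkey <accounts|compat> <uid> [bind-dn]
    tree=$1; user=$2; binddn=${3:-}
    base=$(user_base "$tree" "$IPA_DOMAIN")
    if [ -n "$binddn" ]; then
        ldapsearch -LLL -x -ZZ -H "ldap://$IPA_SERVER" -D "$binddn" -W \
            -b "$base" "(uid=$user)" ipaSshPubKey
    else
        ldapsearch -LLL -x -ZZ -H "ldap://$IPA_SERVER" \
            -b "$base" "(uid=$user)" ipaSshPubKey
    fi
}

main() {
    admin_dn="uid=admin,$(user_base accounts "$IPA_DOMAIN")"
    echo "## compat tree: posixAccount attributes only, no ipaSshPubKey here"
    search_sshkey compat admin || true
    echo "## main tree, anonymous: entry may come back without the attribute"
    search_sshkey accounts admin || true
    echo "## main tree, bound as admin: the key, if one is stored"
    search_sshkey accounts admin "$admin_dn"
}

# The searches need a live server, so run them only when asked for;
# otherwise the file can be sourced just for the helpers.
if [ "${RUN_SEARCH:-}" = 1 ]; then
    main "$@"
fi
```

Run it with RUN_SEARCH=1 against a real server (and set IPA_SERVER / IPA_DOMAIN to yours). If the compat search returns the posixAccount entry but never an ipaSshPubKey line, and the bound search of the main tree does, the client is simply pointed at the wrong subtree; if the anonymous main-tree search returns the entry without the attribute while the bound one shows it, an ACI is what is hiding it.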
