On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote: > On Sat, 19 Sep 2015, Jakub Hrozek wrote: > > > >>On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mat...@gmail.com> wrote: > >> > >>That only shows this: > >> > >># extended LDIF > >># > >># LDAPv3 > >># base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree > >># filter: > >>(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) > >># requesting: ALL > >># > >> > >># admin, users, compat, my.domain.com > >>dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com > >>cn: Administrator > >>uidNumber: 1742200000 > >>objectClass: posixAccount > >>objectClass: top > >>gidNumber: 1742200000 > >>gecos: Administrator > >>loginShell: /bin/bash > >>homeDirectory: /home/admin > >>uid: admin > >> > > > >Since sshPublicKey is not listed here, the ACIs still prevent you from > >reading the attribute. You need to either bind as a user who has > >permissions to read it or make the public key world-readable (I don't > >think making it world-readable would be an issue since it's a pubkey) > Compat tree doesn't have ipaSSHPublicKey.
Oops, good catch. I totally missed the search base is compat. > > Why are you pointing to the compat tree instead of the normal one? > You should only use compat tree for two reasons: > - your POSIX client does not understand RFC2307bis > - your POSIX client does not use recent SSSD and you want to have trust to > Active Directory working. > > For the rest of cases you should really point your POSIX clients to the > main subtree, not the compat one. > -- > / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project