On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> >
> >>On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mat...@gmail.com> wrote:
> >>
> >>That only shows this:
> >>
> >># extended LDIF
> >>#
> >># LDAPv3
> >># base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
> >># filter: 
> >>(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
> >># requesting: ALL
> >>#
> >>
> >># admin, users, compat, my.domain.com
> >>dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> >>cn: Administrator
> >>uidNumber: 1742200000
> >>objectClass: posixAccount
> >>objectClass: top
> >>gidNumber: 1742200000
> >>gecos: Administrator
> >>loginShell: /bin/bash
> >>homeDirectory: /home/admin
> >>uid: admin
> >>
> >
> >Since sshPublicKey is not listed here, the ACIs still prevent you from
> >reading the attribute. You need to either bind as a user who has
> >permissions to read it or make the public key world-readable (I don't
> >think making it world-readable would be an issue since it's a pubkey)
> Compat tree doesn't have ipaSSHPublicKey.

Oops, good catch. I totally missed the search base is compat.

> 
> Why are you pointing to the compat tree instead of the normal one?
> You should only use compat tree for two reasons:
> - your POSIX client does not understand RFC2307bis
> - your POSIX client does not use recent SSSD and you want to have trust to
>   Active Directory working.
> 
> For the rest of cases you should really point your POSIX clients to the
> main subtree, not the compat one.
> -- 
> / Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to