I used compat because that is what ipa-advise provided me. I did not pay
attention to that part.
And yes, that did the trick :)

Thank you very much
Gustavo

On Sun, Sep 20, 2015 at 8:51 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> > On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> > >
> > >>On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mat...@gmail.com>
> wrote:
> > >>
> > >>That only shows this:
> > >>
> > >># extended LDIF
> > >>#
> > >># LDAPv3
> > >># base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
> > >># filter:
> (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
> > >># requesting: ALL
> > >>#
> > >>
> > >># admin, users, compat, my.domain.com
> > >>dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> > >>cn: Administrator
> > >>uidNumber: 1742200000
> > >>objectClass: posixAccount
> > >>objectClass: top
> > >>gidNumber: 1742200000
> > >>gecos: Administrator
> > >>loginShell: /bin/bash
> > >>homeDirectory: /home/admin
> > >>uid: admin
> > >>
> > >
> > >Since sshPublicKey is not listed here, the ACIs still prevent you from
> > >reading the attribute. You need to either bind as a user who has
> > >permissions to read it or make the public key world-readable (I don't
> > >think making it world-readable would be an issue since it's a pubkey)
> > Compat tree doesn't have ipaSSHPublicKey.
>
> Oops, good catch. I totally missed the search base is compat.
>
> >
> > Why are you pointing to the compat tree instead of the normal one?
> > You should only use compat tree for two reasons:
> > - your POSIX client does not understand RFC2307bis
> > - your POSIX client does not use recent SSSD and you want to have trust
> to
> >   Active Directory working.
> >
> > For the rest of cases you should really point your POSIX clients to the
> > main subtree, not the compat one.
> > --
> > / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to