On Wed, Sep 21, 2016 at 09:47:12AM +0200, Jan Karásek wrote:
> Hi,
>
> I have a question about the IPA-AD trust scenario where POSIX attributes are
> stored in AD.

Although I describe a possible solution below, I wonder if using IPA
overrides, which allow adding public ssh keys for AD users, would work for
you as well?

> I would like to know if it's possible to store a public SSH user key in Active
> Directory in some user's object attribute - the same way as uidNumber or
> loginShell. I can't find any suitable attribute for ssh in the AD schema, but
> uidNumber, gidNumber and others are already present (win2012).

In general it is possible to either extend the schema or use an existing
attribute, see e.g.
https://social.technet.microsoft.com/Forums/en-US/8aa28e34-2007-49fe-a689-e28e19b2757b/is-there-a-way-to-link-ssh-key-in-ad?forum=winserverDS
for details.

But given the recent activities in the areas of PowerShell and OpenSSH for
Windows I wonder if there might be some "official" attributes coming sooner
or later. Currently I'm not aware of any plans here, but maybe other readers
on the list have more insight?

> So is there any chance to extend the AD schema and let the IPA server get the
> user's public ssh key from AD the same way as other POSIX attributes? Is IPA
> ready for that, and how should that attribute be named in AD?

You have to configure SSSD on the IPA server to read the attribute and
forward it to the clients. For this you need (at least) to add

    [domain/EXAMPLE]
    ldap_user_extra_attrs = adAttributeName:sshPublicKey

(see the sssd-ldap man page for details).

bye,
Sumit

> Thanks,
>
> Jan
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
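Whatever AD attribute is mapped to sshPublicKey with ldap_user_extra_attrs, the value SSSD hands to sshd has to be a well-formed OpenSSH public key line ("<type> <base64 blob> [comment]"), and a stray or tampered attribute value is easiest to catch before it ever lands in authorized_keys. The following is an added example, not code from the thread or from SSSD/FreeIPA: it parses such a value, decodes the base64 wire blob and checks that the key type declared in the blob matches the one in the text, which is the consistency check OpenSSH itself applies. The sample values are constructed in the script and are not real keys; the function names are my own.

```python
import base64
import struct


def _blob(*fields: bytes) -> bytes:
    """Build an SSH wire blob: each field is a 4-byte big-endian length plus bytes."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


# Constructed sample attribute values (not real keys). GOOD_KEY is consistent;
# BAD_KEY claims ssh-rsa in the text but carries an ssh-ed25519 blob.
GOOD_KEY = (
    "ssh-ed25519 "
    + base64.b64encode(_blob(b"ssh-ed25519", b"\x01" * 32)).decode()
    + " jan@example"
)
BAD_KEY = "ssh-rsa " + base64.b64encode(_blob(b"ssh-ed25519", b"\x01" * 32)).decode()


def parse_openssh_pubkey(value: str) -> dict:
    """Parse one OpenSSH public key line as it would come out of the AD attribute.

    Returns {"type", "comment", "blob_len"} or raises ValueError.
    """
    parts = value.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if not key_type.startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError(f"unexpected key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except (ValueError, base64.binascii.Error) as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The first length-prefixed string of the wire blob is the key type again.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if 4 + n > len(blob):
        raise ValueError("truncated key blob")
    inner_type = blob[4 : 4 + n].decode("ascii", errors="replace")
    if inner_type != key_type:
        raise ValueError(f"blob type {inner_type!r} does not match {key_type!r}")
    return {"type": key_type, "comment": comment, "blob_len": len(blob)}


def is_valid_pubkey(value: str) -> bool:
    """True if the attribute value is a structurally sound OpenSSH public key."""
    try:
        parse_openssh_pubkey(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, key in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        print(label, is_valid_pubkey(key))
```

Run this against values exported from the directory (for example a dump of the chosen attribute for all trusted users) before switching the mapping on; a value that fails here will be silently ignored or rejected by sshd, which turns a directory data problem into a login failure that is hard to trace.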