On Wed, Sep 21, 2016 at 09:47:12AM +0200, Jan Karásek wrote:
> I have a question about the IPA-AD trust scenario where POSIX attributes are
> store in AD.
Although I describe some possible solution below I wonder if using IPA
overrides which allow to add public ssh keys for AD user would work for
you as well?
> I would like to know if it's possible to store public SSH user key in Active
> Directory in some user's object attribute - the same way as uidNumber or
> loginShell. I can't find any suitable attribute for ssh in AD schema but the
> uidNumber,gidNumber and others are already presented (win2012).
In general it is possible either extend the schema or use an existing
attribute, see e.g.
But given the recent activities in areas of Powershell and OpenSSH for
Windows I wonder if there might be some "official" attributes coming
sooner or later. Currently I'm not aware of any plans here but maybe
other readers on the list have more insight here?
> So is there any chance to extend AD schema and let the IPA server get public
> ssh user's key from AD the same way as other POSIX attributes ? Is it IPA
> ready for that and how that attribute should be named in AD ?
You have to configure SSSD on the IPA server to read the attribute and
forward it to the clients, for this you need (at least) to add
ldap_user_extra_attrs = adAttributeName:sshPublicKey
(see sssd-ldap man page for details)
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project