On Thu, Nov 03, 2016 at 04:35:30PM +0200, Taras Drach wrote:
> Hello everyone!
> 
> I want to implement next scheme:
> 
> 1. Use AD as place for user management
> 2. Store ssh public keys in AD
> 3. Use FreeIPA as sudo/hbac provider for AD groups for authentication and 
> authorisation on the linux hosts
> 4. Use trusts roadmap (do not want to synchronise)
> 
> My configuration is:
> AD domain - test.loc - windows server 2012 r2
> IPA domain - ipa.test.loc - ipa-server 4.2.0 on centos 7 (ipa-server.x86_64   
>      4.2.0-15.0.1.el7.centos.19  @updates)
> 
> At this moment everything is fine except SSH public keys.
> 
> I tried to use override and it works fine (I can login to linux host with AD 
> user with public key), but I have to create view in ipa for each user from 
> AD. It is not my goal and it also creates inconveniences.
> 
> I found that there are several ways to achieve desired configuration:
> 1. Extend AD schema with sshPublicKey attribute
> 2. Use altSecurityIdentities attribute from AD
> 
> At this moment I can obtain the ssh public key from ipa for a user by
> sss_ssh_authorizedkeys -d ipa.test.loc user or
> sss_ssh_authorizedkeys user, because ipa.test.loc is the default domain
> 
> But I can’t receive the key for an AD user using this command
> sss_ssh_authorizedkeys -d test.loc
> 
> At this moment I try to obtain the key via altSecurityIdentities, and I see this 
> key in the sssd debug log when I run sss_ssh_authorizedkeys, but I cannot see the 
> public key on stdout.
> Here is the part of the log
> -
...
> 
> 
> Here is my sssd.conf for ipa domain
> 
> [domain/ipa.test.loc]
> debug_level = 0xfff0
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.test.loc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa42.ipa.test.loc
> chpass_provider = ipa
> ipa_server = ipa42.ipa.test.loc
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> create_homedir = True
> ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities

SSH public keys must be stored with the attribute name 'sshPublicKey' in 
SSSD's cache, please try

ldap_user_extra_attrs = sshPublicKey:altSecurityIdentities

> ldap_user_ssh_public_key = altSecurityIdentities
> ldap_id_mapping = False
> 
> 
> 

HTH

bye,
Sumit
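The mapping pitfall in this thread (the cache attribute name on the left of the colon in ldap_user_extra_attrs, not the AD attribute name, is what sss_ssh_authorizedkeys looks up) is easy to lint for. The following checker is an added example, not code from the thread or from SSSD; it assumes only the documented ldap_user_extra_attrs syntax (comma-separated entries, each either a bare LDAP attribute cached under its own name, or a CACHE_NAME:LDAP_ATTRIBUTE pair) and the cache name 'sshPublicKey' stated in the reply above. The two sssd.conf fragments embedded in it are constructed from the configuration quoted in this thread, reduced to the relevant keys.

```python
"""Lint sssd.conf domain sections for the SSH-key attribute mapping pitfall.

Added example for this thread; not part of SSSD or of the original mail.
Assumption: ldap_user_extra_attrs is a comma-separated list whose entries
are either a bare LDAP attribute (cached verbatim under its own name) or a
CACHE_NAME:LDAP_ATTRIBUTE pair.  sss_ssh_authorizedkeys reads SSH keys
from the cache under the name 'sshPublicKey', so an AD attribute such as
altSecurityIdentities is only visible to it when mapped to that name.
"""
import configparser

SSH_KEY_CACHE_ATTR = "sshPublicKey"  # cache attribute sss_ssh_authorizedkeys reads

# Constructed sample: the poster's configuration, reduced to the relevant keys.
BROKEN_CONF = """\
[domain/ipa.test.loc]
id_provider = ipa
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
"""

# Constructed sample: the same domain with the mapping suggested in the reply.
FIXED_CONF = """\
[domain/ipa.test.loc]
id_provider = ipa
ldap_user_extra_attrs = mail, sshPublicKey:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
"""


def parse_extra_attrs(value):
    """Return {cache_name: ldap_attribute} for an ldap_user_extra_attrs value."""
    mapping = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        cache_name, sep, ldap_attr = entry.partition(":")
        cache_name = cache_name.strip()
        # A bare attribute is cached verbatim under its own name.
        mapping[cache_name] = ldap_attr.strip() if sep else cache_name
    return mapping


def check_ssh_key_mapping(conf_text):
    """Return {domain: verdict} for every [domain/...] section in conf_text.

    verdict is 'ok' when some extra attribute is cached as sshPublicKey;
    otherwise it names the ldap_user_extra_attrs entry to use instead,
    built from the LDAP attribute the admin already pointed at (or the
    default cache name when ldap_user_ssh_public_key is unset).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    verdicts = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        extra = parse_extra_attrs(cp.get(section, "ldap_user_extra_attrs", fallback=""))
        if SSH_KEY_CACHE_ATTR in extra:
            verdicts[domain] = "ok"
            continue
        ldap_attr = cp.get(section, "ldap_user_ssh_public_key", fallback=SSH_KEY_CACHE_ATTR)
        verdicts[domain] = (
            f"ldap_user_extra_attrs must map {SSH_KEY_CACHE_ATTR}: "
            f"use '{SSH_KEY_CACHE_ATTR}:{ldap_attr}'"
        )
    return verdicts


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for domain, verdict in check_ssh_key_mapping(text).items():
            print(f"{label}: {domain}: {verdict}")
```

Run it against a real /etc/sssd/sssd.conf by passing the file contents to check_ssh_key_mapping(); the verdict for the broken fragment reproduces the reply's suggested entry, and the fixed fragment (which also carries an unrelated bare attribute to show that form) passes. Note that this checks only the mapping syntax, not whether the AD attribute actually holds an OpenSSH-format key.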

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
