On 12/01/2017 10:59, hirofumi.morik...@accenture.com wrote:


Let me further clarify the question that is asked by Niraj below.

Currently, we have 1 master FreeIPA server and 1 client server. Evaluating your product for production deployment

Master and client connectivity is established and when creating the user in the web console, it is indeed creating the user in the client machine

However, When we add public key through the web console below, this key is not created(or transfered) to the client machine


That's correct: it doesn't copy them anywhere, nor is it supposed to.

Instead, the keys sit in the FreeIPA LDAP database. When you install the ipa-client package on a host, it configures sshd so it communicates via sssd to query the authorized keys in LDAP. You will find:

# /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

# /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, sudo

That means you have central control of your authorized_keys with FreeIPA, without copying them onto every hosts' filesystem.

You also have central control of your user accounts, group memberships, uid and gid mappings, sudo policy, host access policy (i.e. which users are allowed to login to which hosts), ... All this is done via sssd and LDAP as well.

HTH,

Brian.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to