URL: https://github.com/SSSD/sssd/pull/472
Title: #472: Remove the 'sshPublicKey' attribute from the cache when it's removed from IPA

fidencio commented:
"""
@sumit-bose, thanks for the suggestion.

Just for the record, what I've done in order to set an override using IPA was:
- change id_provider to ldap
- change auth_provider to ldap
- change access_provider to permit

After that I've fired an ldapsearch and found out that the ssh key set on IPA is 
not exposed with the changes mentioned above:
```
[root@client7 ~]# ldapsearch -x -h ipa.ad.ff -b dc=ipa,dc=ad,dc=ff uid=ipauser00
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=ad,dc=ff> with scope subtree
# filter: uid=ipauser00
# requesting: ALL
#

# ipauser00, users, compat, ipa.ad.ff
dn: uid=ipauser00,cn=users,cn=compat,dc=ipa,dc=ad,dc=ff
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: ipa user
cn: ipa user
uidNumber: 959600004
gidNumber: 959600004
loginShell: /bin/sh
homeDirectory: /home/ipauser00
ipaAnchorUUID:: OklQQTppcGEuYWQuZmY6MDhjZTYzZWUtZGE5MC0xMWU3LWJhNWUtNTI1NDAwY2
 JjNmUw
uid: ipauser00

# ipauser00, users, accounts, ipa.ad.ff
dn: uid=ipauser00,cn=users,cn=accounts,dc=ipa,dc=ad,dc=ff
displayName: ipa user
uid: ipauser00
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
initials: iu
gecos: ipa user
sn: user
homeDirectory: /home/ipauser00
givenName: ipa
cn: ipa user
uidNumber: 959600004
gidNumber: 959600004
ipaNTSecurityIdentifier: S-1-5-21-2101524027-932507593-2874626180-1004

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```

Apart from that, sss_override does **not** allow setting an ssh key.

Considering those steps, I'm concluding that this issue is **not** possible to 
reproduce with ``ssh sss_override + sss_ssh_authorizedkeys``.

I'm removing the "Changes Requested" label as this patch set is ready for 
review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/472#issuecomment-355020664
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
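
An added example, not part of the original comment or of SSSD: a check over `ldapsearch` LDIF output for whether any returned entry exposes an SSH public key attribute, handling the folded, base64-encoded (`::`) form seen in the `ipaAnchorUUID` line above. The attribute names `ipaSshPubKey` and `sshPublicKey` checked here are assumptions of this example, and the sample LDIF is abridged from the output in the comment.

```python
import base64

# Attribute names assumed for this example; the output above contains neither.
SSH_KEY_ATTRS = {"ipasshpubkey", "sshpublickey"}

# Constructed sample input, abridged from the ldapsearch output above.
SAMPLE_LDIF = """\
# ipauser00, users, compat, ipa.ad.ff
dn: uid=ipauser00,cn=users,cn=compat,dc=ipa,dc=ad,dc=ff
objectClass: posixAccount
ipaAnchorUUID:: OklQQTppcGEuYWQuZmY6MDhjZTYzZWUtZGE5MC0xMWU3LWJhNWUtNTI1NDAwY2
 JjNmUw
uid: ipauser00

# ipauser00, users, accounts, ipa.ad.ff
dn: uid=ipauser00,cn=users,cn=accounts,dc=ipa,dc=ad,dc=ff
objectClass: ipasshuser
uid: ipauser00
"""

def parse_ldif(text):
    """Return entries as dicts of lowercased attribute -> list of bytes values."""
    lines = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous one.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():            # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):        # comment line
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # "attr:: <base64>"
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        current.setdefault(attr.lower(), []).append(data)
    return entries

def entries_with_ssh_keys(text):
    """DNs of entries that carry at least one SSH public key attribute."""
    return [e["dn"][0].decode() for e in parse_ldif(text)
            if "dn" in e and SSH_KEY_ATTRS & e.keys()]
```

An empty result from `entries_with_ssh_keys` for a given bind and search base means that query returns no key attribute for the user.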