[Freeipa-users] Cross-realm trust with AD and ssh keys management

Jan Cholasta jcholast at redhat.com
Wed Sep 25 08:28:12 UTC 2013


On 25.9.2013 10:17, Martin Kosek wrote:
> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
>>> Hi,
>>>
>>> I've successfully setup a testing environment with an IPA server (RHEL 6.4)
>>> and a cross realm trust with my Active Directory (Win2008 R2).
>>> Authentication works both with AD passwords and Kerberos GSS-API.
>>>
>>> Now, I'm trying to find the way to manage ssh key which belong to AD
>>> users. It seems that I can do that only with users declared on IPA
>>> domain. Can you confirm that?
>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
>> object to assign attributes into.
>>> Does winsync method provide a way to add ssh key to an AD user ?
>> Under winsync AD users would become 'normal' LDAP objects in IPA,
>> therefore you can assign additional values/attributes to them.
>
> Though note that with winsync, one would lose all the SSO capabilities...
>
> Alexander, I am just thinking about possibilities. We now have the concept of
> external groups in FreeIPA which one can then use as members of normal POSIX
> groups and use them in HBAC or other policies.
>
> Would it be possible to create "external users", i.e. user entries identified
> by FQDN/SID and then be able to assign selected set of user attributes (like
> SSH public key, home directory, shell...) which could then be leveraged by SSSD?
>
> Martin
>

I think that if you add proper schema to AD, you can have SSSD directly 
use SSH public keys stored in AD.

Honza

-- 
Jan Cholasta
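As an added illustration of the approach Jan sketches (SSSD reading SSH public keys straight from AD), the configuration below is not from the thread or from the FreeIPA project. It assumes a client that uses SSSD's own AD provider against a hypothetical domain `ad.example.test`, and that each user's public key is stored in the existing `altSecurityIdentities` attribute, which avoids a schema extension; a custom attribute added to the AD schema would be referenced the same way. The poster's setup routes AD lookups through the IPA server via the trust, so where the option lands there may differ.

```ini
# /etc/sssd/sssd.conf (added example; assumed AD-provider setup, not the thread's IPA trust)
[sssd]
services = nss, pam, ssh
domains = ad.example.test

[domain/ad.example.test]
id_provider = ad
access_provider = ad
# Attribute that holds the user's OpenSSH public key(s); the default is
# sshPublicKey (openssh-lpk schema), which AD does not have out of the box.
ldap_user_ssh_public_key = altSecurityIdentities

# /etc/ssh/sshd_config: let sshd ask SSSD for keys instead of ~/.ssh/authorized_keys
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
```

To check the lookup without logging in, run `sss_ssh_authorizedkeys aduser@ad.example.test` on the client; it prints the keys SSSD fetched from AD, or nothing if the attribute is empty or unreadable by the machine account. Because whoever can write that attribute can grant SSH access, the AD ACL on it deserves the same scrutiny as a password reset right.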