[Freeipa-users] Cross-realm trust with AD and ssh keys management

Martin Kosek mkosek at redhat.com
Wed Sep 25 08:32:29 UTC 2013


On 09/25/2013 10:30 AM, Alexander Bokovoy wrote:
> On Wed, 25 Sep 2013, Martin Kosek wrote:
>> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
>>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
>>>> Hi,
>>>>
>>>> I've successfully setup a testing environment with an IPA server (RHEL 6.4)
>>>> and a cross realm trust with my Active Directory (Win2008 R2).
>>>> Authentication works both with AD passwords and Kerberos GSS-API.
>>>>
>>>> Now, I'm trying to find the way to manage ssh key which belong to AD
>>>> users. It seems that I can do that only with users declared on IPA
>>>> domain.  Can you confirm that ?
>>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
>>> object to assign attributes into.
>>>> Does winsync method provide a way to add ssh key to an AD user ?
>>> Under winsync AD users would become 'normal' LDAP objects in IPA,
>>> therefore you can assign additional values/attributes to them.
>>
>> Though note that with winsync, one would lose all the SSO capabilities...
>>
>> Alexander, I am just thinking about possibilities. We now have the concept of
>> external groups in FreeIPA which one can then use as members of normal POSIX
>> groups and use them in HBAC or other policies.
>>
>> Would it be possible to create "external users", i.e. user entries identified
>> by FQDN/SID and then be able to assign selected set of user attributes (like
>> SSH public key, home directory, shell...) which could then be leveraged by SSSD?
> Not sure it makes sense given that one can manage these attributes in
> AD.

True. This may then lead to an RFE for "Services for Identity Management for
UNIX Components" AD extension... And when it's there, a similar RFE for SSSD to
use the new attributes.

Martin
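The external-group mechanism Martin refers to above, as an added example that is not part of the original thread and not FreeIPA project code: an AD group is first placed in a non-POSIX "external" group (the only IPA object that can hold a trusted-domain SID), that group is nested in a normal POSIX group, and the POSIX group is then used in an HBAC rule limited to the sshd service. All names (NetBIOS domain AD, AD group "Linux Admins", host group linux-servers, the IPA group and rule names) are placeholder assumptions. The script prints the commands by default (DRY_RUN=1); set DRY_RUN=0 with an admin Kerberos ticket to execute them. Note that, as the thread states, this gives AD users access policy only; their SSH public keys still cannot be stored on an IPA user entry because none exists for them.

```shell
#!/bin/sh
# Added example (not from the FreeIPA project or the list posters).
# Maps an AD group into a FreeIPA POSIX group through an external group
# and allows only sshd on one host group for it via HBAC.
# Assumed placeholders: NetBIOS domain AD, AD group "Linux Admins",
# host group linux-servers, and the IPA group/rule names below.
set -eu

AD_NETBIOS="${AD_NETBIOS:-AD}"
AD_GROUP="${AD_GROUP:-Linux Admins}"
EXT_GROUP="${EXT_GROUP:-ad_linux_admins_external}"
POSIX_GROUP="${POSIX_GROUP:-ad_linux_admins}"
HOSTGROUP="${HOSTGROUP:-linux-servers}"
HBAC_RULE="${HBAC_RULE:-allow_ad_linux_admins_ssh}"
DRY_RUN="${DRY_RUN:-1}"

# ipa_cmd: print the full ipa command line in dry-run mode (default),
# otherwise execute it with the ipa CLI (requires 'kinit admin' first).
ipa_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipa'
        for a in "$@"; do printf ' %s' "$a"; done
        printf '\n'
    else
        ipa "$@"
    fi
}

map_ad_group() {
    # 1. External (non-POSIX) group: the only IPA group type that may
    #    contain members identified by a trusted-domain SID.
    ipa_cmd group-add --external --desc="AD ${AD_GROUP}" "$EXT_GROUP"
    # 2. Add the AD group as DOMAIN\name; IPA resolves it to its SID.
    ipa_cmd group-add-member --external="${AD_NETBIOS}\\${AD_GROUP}" "$EXT_GROUP"
    # 3. A normal POSIX group nesting the external one, because HBAC
    #    (and sudo) rules are evaluated against POSIX groups.
    ipa_cmd group-add --desc="AD ${AD_GROUP} (POSIX)" "$POSIX_GROUP"
    ipa_cmd group-add-member --groups="$EXT_GROUP" "$POSIX_GROUP"
    # 4. HBAC rule scoped to the POSIX group, one host group and sshd only.
    #    (Remember that the default allow_all rule, if still enabled,
    #    supersedes this restriction.)
    ipa_cmd hbacrule-add --desc="AD ${AD_GROUP} may ssh" "$HBAC_RULE"
    ipa_cmd hbacrule-add-user --groups="$POSIX_GROUP" "$HBAC_RULE"
    ipa_cmd hbacrule-add-host --hostgroups="$HOSTGROUP" "$HBAC_RULE"
    ipa_cmd hbacrule-add-service --hbacsvcs=sshd "$HBAC_RULE"
}

map_ad_group
```

Verify the result on an enrolled client with `ipa hbactest --user 'AD\someone' --host client.example.test --service sshd` (names are placeholders) before disabling allow_all.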