[Freeipa-users] Cross-realm trust with AD and ssh keys management

Sumit Bose sbose at redhat.com
Wed Sep 25 08:35:26 UTC 2013


On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
> > On Tue, 24 Sep 2013, Alexandre Ellert wrote:
> >> Hi,
> >>
> >> I've successfully setup a testing environment with an IPA server (RHEL 6.4)
> >> and a cross realm trust with my Active Directory (Win2008 R2).
> >> Authentication works both with AD passwords and Kerberos GSS-API.
> >>
> >> Now, I'm trying to find the way to manage ssh key which belong to AD
> >> users. It seems that I can do that only with users declared on IPA
> >> domain.  Can you confirm that ?
> > Yes. AD users do not exist physically in IPA LDAP, therefore there is no
> > object to assign attributes into.
> >> Does winsync method provide a way to add ssh key to an AD user ?
> > Under winsync AD users would become 'normal' LDAP objects in IPA,
> > therefore you can assign additional values/attributes to them.
> 
> Though note that with winsync, one would lose all the SSO capabilities...
> 
> Alexander, I am just thinking about possibilities. We now have the concept of
> external groups in FreeIPA which one can then use as members of normal POSIX
> groups and use them in HBAC or other policies.
> 
> Would it be possible to create "external users", i.e. user entries identified
> by FQDN/SID and then be able to assign selected set of user attributes (like
> SSH public key, home directory, shell...) which could then be leveraged by SSSD?

Does anyone know if there is an ssh key management solution for AD? If
yes, I think it would be better to use this and enhance SSSD to fetch
them from AD. The data can then be stored in the sssd cache on the IPA
servers and distributed to the IPA clients with the LDAP exop we already
use to make the AD users available to the clients.

bye,
Sumit

> 
> Martin
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
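A worked example of the validation step that the fetch-from-AD approach discussed above would need before any value from the directory is handed to sshd. This is added illustration, not code from SSSD, FreeIPA or anyone on this thread. It assumes keys are stored one per value in a multi-valued AD attribute (the attribute name altSecurityIdentities and the sample entry are constructed for the example) and treats each value as untrusted input: the key type must be one the host allows, the base64 blob must decode and its embedded wire-format type string must match the textual prefix, and authorized_keys option prefixes (command=, from=, ...) and embedded newlines are refused so that a single attribute value cannot inject a forced command or smuggle a second key line.

```python
import base64
import struct
from typing import Dict, List, Optional

# Key types this host is willing to accept from the directory (assumption).
ALLOWED_KEY_TYPES = {
    "ssh-ed25519",
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one SSH wire-format string at offset; returns (payload, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated string payload")
    return blob[start:start + length], start + length


def validate_pubkey_line(value: str) -> Optional[str]:
    """Return a normalised 'type base64 [comment]' line, or None if the value is rejected.

    Rejections: fewer than two fields, a first token that is not an allowed key
    type (this also refuses option prefixes such as command="..."), a blob that
    is not strict base64, a blob whose embedded type string differs from the
    textual prefix, and a comment containing newlines or other control characters.
    """
    parts = value.strip().split(None, 2)
    if len(parts) < 2:
        return None
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if keytype not in ALLOWED_KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        embedded, _ = read_ssh_string(blob)
    except ValueError:
        return None
    if embedded != keytype.encode("ascii"):
        return None
    if not comment.isprintable():                      # refuses "\n" and friends
        return None
    return f"{keytype} {b64} {comment}".rstrip()


def authorized_keys_for(entry: Dict[str, List[str]],
                        attr: str = "altSecurityIdentities") -> List[str]:
    """Collect the acceptable keys of one directory entry, preserving attribute order."""
    result = []
    for value in entry.get(attr, []):
        line = validate_pubkey_line(value)
        if line is not None:
            result.append(line)
    return result


def make_ed25519_blob(pub: bytes) -> str:
    """Build the base64 part of an ssh-ed25519 public key from a raw 32-byte point."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pub)).decode("ascii")


# Constructed sample values; the 32-byte "public key" is a placeholder, not a real key.
GOOD_KEY = "ssh-ed25519 " + make_ed25519_blob(bytes(range(32))) + " aellert@example.test"
MISMATCHED = "ssh-rsa " + make_ed25519_blob(bytes(range(32)))          # prefix != blob type
OPTIONED = 'command="/bin/true" ' + GOOD_KEY                            # forced-command prefix
GARBAGE = "ssh-ed25519 not*base64*"                                      # invalid base64
SMUGGLED = GOOD_KEY + "\nssh-ed25519 " + make_ed25519_blob(bytes(32))    # second line in one value

SAMPLE_ENTRY = {
    "sAMAccountName": ["aellert"],
    "altSecurityIdentities": [GOOD_KEY, MISMATCHED, OPTIONED, GARBAGE, SMUGGLED],
}

if __name__ == "__main__":
    for line in authorized_keys_for(SAMPLE_ENTRY):
        print(line)
```

Whatever ends up fetching the attribute (SSSD, a sync job, or an AuthorizedKeysCommand wrapper), the filter belongs at the point where directory data becomes sshd input; a directory that lets users edit their own attribute is effectively letting them edit authorized_keys, so nothing beyond a bare key should be accepted from it.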
