[Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

Gustavo Mateus gustavo.mateus at gmail.com
Mon Sep 14 17:01:57 UTC 2015


I did not try the config-redhat-sssd-before-1-9 setup because its description says it
works with versions 1.5-1.8, and Amazon Linux has 1.2:

    config-redhat-sssd-before-1-9        : Instructions for configuring a system
                                           with an old version of SSSD (1.5-1.8)
                                           as an IPA client. This set of
                                           instructions is targeted for
                                           platforms that include the authconfig
                                           utility, which are all Red Hat based
                                           platforms.


It is good to know that it works. I'll give it a try.


Thanks,
Gustavo

On Mon, Sep 14, 2015 at 7:01 AM, Pawel Fiuto <pawel.fiuto at mixrad.io> wrote:

> Hi Gustavo,
>
> Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with the
> modifications below seems to work quite well:
>
> - on ipa server add permission to read ipaSshPubKey anonymously:
>
> [ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user
> --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read
>
> [ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
> 2c2
> < services = nss, pam, ssh
> ---
> > services = nss, pam
> 12c12
> < ldap_search_base = cn=accounts,dc=example,dc=org
> ---
> > ldap_search_base = cn=compat,dc=example,dc=org
> 14d13
> < ldap_user_ssh_public_key = ipaSshPubKey
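Review bot: the diff is taken as `diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig`, so in every hunk the `<` lines are the working configuration and the `>` lines are the original, the reverse of the usual reading; a reader who copies the `>` side of 2c2, 12c12 and 14d13 gets the non-working config back, so this is worth saying next to the diff. The hunks also stop at sssd.conf: `services = nss, pam, ssh` and `ldap_user_ssh_public_key = ipaSshPubKey` only take effect once sshd is told to ask sssd, so the matching `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` and `AuthorizedKeysCommandUser` lines in /etc/ssh/sshd_config, and a restart of sssd and sshd, belong with this change.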
>
>
>
> ------------------------------
> *From:* freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com>
> on behalf of Gustavo Mateus <gustavo.mateus at gmail.com>
> *Sent:* 11 September 2015 00:30
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] AuthorizedKeysCommand for clients using
> nss-pam-ldapd
>
> Hi,
>
> I'm trying to set up my Amazon Linux instances to be able to fetch the IPA
> users' public SSH keys.
>
> Do I have to set up a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper, or is there a better way to do it?
>
> Thanks,
> Gustavo
>
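For the alternative Gustavo asked about, an AuthorizedKeysCommand wrapper rather than the sssd ssh responder, here is an added example that is not code from the thread or from FreeIPA. It relies on the anonymous 'Read ipaSshPubKey' permission Pawel added on the server, so no binddn/bindpw has to live on the client, and it shows the two things such a wrapper has to get right: the login name sshd passes in is attacker-controlled and must be validated before it is placed in an LDAP filter, and ldapsearch output is LDIF, which folds long values (every real SSH key) onto continuation lines and may base64-encode a value, so a grep-and-cut parser silently truncates keys. The IPA host name, base DN and the presence of openldap-clients plus the IPA CA certificate on the client are assumptions for the example; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example for this thread, not code from FreeIPA or from the posters.
# An AuthorizedKeysCommand for a client whose sssd is too old for the ssh
# responder: it fetches the user's ipaSshPubKey values over an anonymous LDAP
# search (which is what the 'Read ipaSshPubKey' anonymous permission on the
# IPA server allows) and prints one key per line for sshd.
#
# Assumed for the example (adjust to your realm): the IPA host name, the base
# DN, and that openldap-clients (ldapsearch) and the IPA CA certificate are
# installed on the client so that ldaps:// verifies.
IPA_LDAP_URI="${IPA_LDAP_URI:-ldaps://ipa.example.org}"
IPA_USER_BASE="${IPA_USER_BASE:-cn=users,cn=accounts,dc=example,dc=org}"

# sshd hands this script the login name exactly as the remote client typed
# it, so it is attacker-controlled. Allow only plain POSIX account names
# before the value goes anywhere near an LDAP filter, where ( ) * \ and NUL
# are special.
valid_username() {
    [ "${#1}" -le 32 ] || return 1
    case "$1" in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Turn LDIF on stdin into one public key per line. ldapsearch folds values
# longer than 76 columns onto continuation lines that begin with a single
# space, and emits some values base64-encoded after 'attr::', so a plain
# 'grep ipaSshPubKey | cut' would truncate or mangle real keys.
parse_ssh_keys() {
    awk '
        function flush() {
            if (attr != "") { prefix = b64 ? "b64 " : "raw "; print prefix val }
            attr = ""; val = ""; b64 = 0
        }
        /^ /               { val = val substr($0, 2); next }   # unfold continuation
        { flush() }                                            # any other line ends a value
        /^ipaSshPubKey:: / { attr = "k"; b64 = 1; val = substr($0, 16) }
        /^ipaSshPubKey: /  { attr = "k"; b64 = 0; val = substr($0, 15) }
        END { flush() }
    ' | while read -r enc val; do
        case "$enc" in
            b64) printf '%s' "$val" | base64 -d; echo ;;
            raw) printf '%s\n' "$val" ;;
        esac
    done
}

# Anonymous simple bind (-x with no -D); -LLL drops comments and version lines.
# An LDAP failure yields no output, so sshd falls back to ~/.ssh/authorized_keys.
fetch_keys() {
    valid_username "$1" || return 1
    ldapsearch -x -LLL -H "$IPA_LDAP_URI" -b "$IPA_USER_BASE" -s one \
        "(&(objectClass=posixAccount)(uid=$1))" ipaSshPubKey | parse_ssh_keys
}

# Constructed sample of what ldapsearch returns for one user: a folded
# OpenSSH-format key and a base64 value that decodes to "ssh-ed25519 key".
sample_ldif() {
cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=org
uid: alice
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB
 AAABAQC0 alice@laptop
ipaSshPubKey:: c3NoLWVkMjU1MTkga2V5
loginShell: /bin/bash

EOF
}

# sshd invokes the script with the login name (%u) as its single argument.
if [ $# -ge 1 ]; then
    fetch_keys "$1"
fi
```

Install it as a root-owned, non-group/world-writable file (sshd refuses anything else) and reference it by absolute path with `AuthorizedKeysCommand /usr/local/sbin/ipa-authorized-keys` (hypothetical path) plus `AuthorizedKeysCommandUser nobody` in sshd_config. One caveat to weigh before granting the anonymous permission: SSH public keys are not secret, but once ipaSshPubKey is readable by an anonymous bind, anyone who can reach the directory can enumerate which users have keys and collect them, so restrict who can reach port 389/636 accordingly.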