[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
Jakub Hrozek
jhrozek at redhat.com
Thu Sep 17 07:25:15 UTC 2015
On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> Hi,
>
> I have an IPA server running on redhat and I'm trying to find the best way to
> get my amazon linux instances to use it for authentication, ssh key
> management and sudo rules.
>
> I'm now trying to use SSSD to achieve those goals. Authentication is
> working but I'm having problems to get the user public ssh keys using
> /usr/bin/sss_ssh_authorizedkeys.
>
>
> This is my sssd.conf:
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = default
> re_expression = (?P<name>.+)
>
> [domain/default]
> debug_level = 8
> cache_credentials = True
> id_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://ipa.my.domain.com
> ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
> ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> ldap_user_ssh_public_key = ipaSshPubKey
>
>
> The original configuration was done using ipa-advise
> config-redhat-sssd-before-1-9.
Is there any particular reason to keep doing this versus joining the
client to the domain and using id_provider=ipa ?
> I just changed the services parameter to
> include "ssh, sudo" and "ldap_user_ssh_public_key"
I don't think sudo would work unless you authenticate the LDAP
connection.
>
> When I run it on the client I get no response or error. Even running it in
> debug mode:
>
> /usr/bin/sss_ssh_authorizedkeys admin --debug 10
I would check if:
- debug_level in the [ssh] section reveals anything. Is the ssh
responder being contacted, are there any errors?
- check with ldbsearch (ldb-tools package) if the ssh key
attribute is really fetched from IPA LDAP and is stored along the
user entry
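A quick way to check a client's sssd.conf against the points Jakub raises (a debug_level on the ssh and sudo responders, the generic ldap provider versus id_provider=ipa, an authenticated bind for sudo, and where the ssh key attribute is fetched from), as an added example that is not part of the original thread or of SSSD/FreeIPA. It parses configuration text only and contacts nothing; the two sample configurations are constructed (the posted one as quoted above, and an enrolled-client one with placeholder host and domain names), and the sudo check follows Jakub's remark, treating either ldap_default_bind_dn or ldap_sasl_mech as evidence of an authenticated connection:

```python
"""Lint an sssd.conf for the pitfalls in this thread (added example; reads text only)."""
import configparser

# Constructed sample: the sssd.conf quoted in the question.
POSTED_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
debug_level = 8
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey
"""

# Constructed sample: an enrolled client in the shape ipa-client-install writes
# (names are placeholders), with debug_level on both responders.
ENROLLED_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = my.domain.com

[domain/my.domain.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = my.domain.com
ipa_server = _srv_, ipa.my.domain.com

[ssh]
debug_level = 6

[sudo]
debug_level = 6
"""


def _csv(value):
    """Split an sssd list value such as 'nss, pam, ssh' into names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_sssd_conf(text):
    """Return (code, message) findings for sssd.conf text; [] means clean."""
    conf = configparser.ConfigParser(interpolation=None)  # sssd.conf is INI-like
    conf.read_string(text)
    services = _csv(conf.get("sssd", "services", fallback=""))
    findings = []
    # A responder without debug_level gives nothing to read when
    # sss_ssh_authorizedkeys or sudo silently return no data.
    for responder in ("ssh", "sudo"):
        if responder in services and not conf.has_option(responder, "debug_level"):
            findings.append((f"{responder}-no-debug", f"add [{responder}] with debug_level"))

    for domain in _csv(conf.get("sssd", "domains", fallback="")):
        section = f"domain/{domain}"
        if conf.get(section, "id_provider", fallback="") != "ldap":
            continue  # the checks below concern the generic ldap provider only
        # Generic ldap provider pointed at IPA: join the host and use id_provider = ipa.
        findings.append(("ldap-against-ipa", f"{section}: enrol the client, use id_provider = ipa"))

        if "sudo" in services:
            # sudo rules are only served over an authenticated LDAP connection.
            if not (conf.has_option(section, "ldap_default_bind_dn")
                    or conf.has_option(section, "ldap_sasl_mech")):
                findings.append(("sudo-anonymous-bind",
                                 f"{section}: sudo needs ldap_default_bind_dn or ldap_sasl_mech"))
            # ldap_sudo_search_base defaults to ldap_search_base; the rules
            # must actually live under that base.
            if not conf.has_option(section, "ldap_sudo_search_base"):
                base = conf.get(section, "ldap_search_base", fallback="<default>")
                findings.append(("sudo-search-base", f"{section}: sudo rules searched under {base}"))

        # The ssh responder can only hand out keys the id provider fetched.
        if "ssh" in services and not conf.has_option(section, "ldap_user_ssh_public_key"):
            findings.append(("ssh-no-key-attr", f"{section}: set ldap_user_ssh_public_key"))

        # Identity lookups (public keys included) go in clear over ldap://
        # unless ldap_id_use_start_tls is set or ldaps:// is used.
        uri = conf.get(section, "ldap_uri", fallback="")
        starttls = conf.get(section, "ldap_id_use_start_tls", fallback="false").lower() == "true"
        if uri.startswith("ldap://") and not starttls:
            findings.append(("id-lookup-cleartext", f"{section}: {uri} without STARTTLS"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("enrolled", ENROLLED_CONF)):
        print(f"== {name} ==")
        for code, message in lint_sssd_conf(text) or [("ok", "no findings")]:
            print(f"  {code}: {message}")
```

Run as a script it reports six findings for the posted configuration and none for the enrolled one. Going slightly beyond the thread, it also flags ldap:// without ldap_id_use_start_tls: SSSD refuses to do LDAP authentication without TLS, but with the generic ldap provider the identity lookups (the fetched public keys included) are not covered by that unless STARTTLS is forced or ldaps:// is used. To inspect the cache itself as Jakub suggests, ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin (the file name assumes the domain is called default) shows whether a key attribute was stored on the user entry at all.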