[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

Alexander Bokovoy abokovoy at redhat.com
Sat Sep 19 16:47:55 UTC 2015


On Sat, 19 Sep 2015, Jakub Hrozek wrote:
>
>> On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mateus at gmail.com> wrote:
>>
>> That only shows this:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
>> # filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
>> # requesting: ALL
>> #
>>
>> # admin, users, compat, my.domain.com
>> dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
>> cn: Administrator
>> uidNumber: 1742200000
>> objectClass: posixAccount
>> objectClass: top
>> gidNumber: 1742200000
>> gecos: Administrator
>> loginShell: /bin/bash
>> homeDirectory: /home/admin
>> uid: admin
>>
>
>Since sshPublicKey is not listed here, the ACIs still prevent you from
>reading the attribute. You need to either bind as a user who has
>permissions to read it or make the public key world-readable (I don't
>think making it world-readable would be an issue since it's a pubkey)
The compat tree doesn't have ipaSSHPublicKey.

Why are you pointing to the compat tree instead of the normal one?
You should only use compat tree for two reasons:
 - your POSIX client does not understand RFC2307bis
 - your POSIX client does not use a recent SSSD and you want trust to
   Active Directory working.

For the rest of cases you should really point your POSIX clients to the
main subtree, not the compat one.
-- 
/ Alexander Bokovoy
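The two checks the thread arrives at, as an added example that is not code from the thread's participants or from the FreeIPA/SSSD projects: first, whether an ldapsearch result came back from the cn=compat tree (which slapi-nis serves without the SSH key attribute) instead of the main cn=accounts subtree, and second, whether a client's sssd.conf search base is what pointed it there. FreeIPA's attribute for user SSH keys is ipaSshPubKey (the thread spells it loosely as sshPublicKey / ipaSSHPublicKey); the LDIF below is the entry posted above plus a constructed main-tree entry with a shortened, folded key, and the sssd.conf fragment is constructed. Function names and the rewrite from cn=compat to cn=accounts are this example's own choices.

```python
"""Diagnose a FreeIPA client that cannot read SSH keys over LDAP.

Parses ldapsearch LDIF output, flags entries that came from the cn=compat
tree, and scans an sssd.conf for search bases that point at cn=compat.
"""
import base64
import configparser

# FreeIPA's SSH key attribute (lower-cased because attribute names are
# case-insensitive and the parser normalises them).
IPA_SSH_ATTR = "ipasshpubkey"


def parse_ldif(ldif_text):
    """Turn ldapsearch output into a list of {attr: [values]} dicts.

    Handles '#' comment lines, folded continuation lines (leading space),
    base64 values ('attr:: ...') and drops the trailing 'search:'/'result:'
    block because it carries no dn.
    """
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def dn_is_compat(dn):
    """True when any RDN of the DN is cn=compat (the slapi-nis compat tree)."""
    return any(rdn.strip().lower() == "cn=compat" for rdn in dn.split(","))


def compat_base_to_accounts(dn):
    """Rewrite cn=compat,... to cn=accounts,..., the main IPA subtree."""
    return ",".join("cn=accounts" if r.strip().lower() == "cn=compat" else r.strip()
                    for r in dn.split(","))


def audit_user_entry(entry):
    """Return the reasons (if any) this entry is useless for SSH key lookup."""
    findings = []
    dn = entry["dn"][0]
    if dn_is_compat(dn):
        findings.append("compat tree entry: %s is never published here; search %s instead"
                        % (IPA_SSH_ATTR, compat_base_to_accounts(dn)))
    elif IPA_SSH_ATTR not in entry:
        findings.append("%s absent from a main-tree entry: the user has no key, or the "
                        "ACIs hide it from this bind identity (bind as a permitted DN or "
                        "make the attribute world-readable)" % IPA_SSH_ATTR)
    return findings


def compat_search_bases(sssd_conf_text):
    """List (section, option, value) for every domain search base under cn=compat."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    return [(section, option, value)
            for section in cp.sections() if section.startswith("domain/")
            for option, value in cp.items(section)
            if option.endswith("search_base") and dn_is_compat(value)]


# Sample input: the compat-tree entry from the thread (filter comment shortened).
COMPAT_LDIF = """\
# extended LDIF
# base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
# filter: (uid=admin)

# admin, users, compat, my.domain.com
dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
cn: Administrator
uidNumber: 1742200000
objectClass: posixAccount
objectClass: top
gidNumber: 1742200000
gecos: Administrator
loginShell: /bin/bash
homeDirectory: /home/admin
uid: admin

# search result
search: 2
result: 0 Success
"""

# Constructed: the same user under the main subtree, read by a bind identity
# that the ACIs allow; the key is fake and folded across two LDIF lines.
MAIN_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain,dc=com
uid: admin
objectClass: ipaSshUser
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly
 ForIllustration admin@my.domain.com
"""

# Constructed sssd.conf with the mistake the thread describes.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = my.domain.com
services = nss, pam, ssh

[domain/my.domain.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
"""


if __name__ == "__main__":
    for entry in parse_ldif(COMPAT_LDIF) + parse_ldif(MAIN_LDIF):
        print(entry["dn"][0], "->", audit_user_entry(entry) or ["ok: key readable"])
    for section, option, value in compat_search_bases(SAMPLE_SSSD_CONF):
        print("[%s] %s = %s -> use %s" % (section, option, value,
                                         compat_base_to_accounts(value)))
```

Run it against real output by piping `ldapsearch -LLL -x -b "cn=users,cn=accounts,dc=…" uid=admin ipaSshPubKey` into `parse_ldif`; an empty result from the main tree with an anonymous bind is the ACI case, an entry with a cn=compat DN is the wrong-base case.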