[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
Jakub Hrozek
jhrozek at redhat.com
Sun Sep 20 15:51:39 UTC 2015
On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> >
> >>On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mateus at gmail.com> wrote:
> >>
> >>That only shows this:
> >>
> >># extended LDIF
> >>#
> >># LDAPv3
> >># base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
> >># filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
> >># requesting: ALL
> >>#
> >>
> >># admin, users, compat, my.domain.com
> >>dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> >>cn: Administrator
> >>uidNumber: 1742200000
> >>objectClass: posixAccount
> >>objectClass: top
> >>gidNumber: 1742200000
> >>gecos: Administrator
> >>loginShell: /bin/bash
> >>homeDirectory: /home/admin
> >>uid: admin
> >>
> >
> >Since sshPublicKey is not listed here, the ACIs still prevent you from
> >reading the attribute. You need to either bind as a user who has
> >permissions to read it or make the public key world-readable (I don't
> >think making it world-readable would be an issue since it's a pubkey)
> Compat tree doesn't have ipaSSHPublicKey.
Oops, good catch. I totally missed the search base is compat.
>
> Why are you pointing to the compat tree instead of the normal one?
> You should only use compat tree for two reasons:
> - your POSIX client does not understand RFC2307bis
> - your POSIX client does not use recent SSSD and you want to have trust to
> Active Directory working.
>
> For the rest of cases you should really point your POSIX clients to the
> main subtree, not the compat one.
> --
> / Alexander Bokovoy
More information about the Freeipa-users
mailing list