<div dir="ltr">I did not try that setup because the description of config-redhat-sssd-before-1-9 says it works with versions 1.5 - 1.8, and Amazon Linux has 1.2 <div><br></div><div>







<p class=""><span class="">    config-redhat-sssd-before-1-9        : Instructions for configuring a system</span></p>
<p class=""><span class="">                                           with an old version of SSSD (1.5-1.8)</span></p>
<p class=""><span class="">                                           as a IPA client. This set of</span></p>
<p class=""><span class="">                                           instructions is targeted for</span></p>
<p class=""><span class="">                                           platforms that include the authconfig</span></p>
<p class=""><span class="">                                           utility, which are all Red Hat based</span></p>
<p class=""><span class="">                                           platforms.</span></p><p class=""><span class=""><br></span></p><p class=""><span class="">It is good to know that it works. I'll give it a try.</span></p><p class=""><span class=""><br>Thanks,<br>Gustavo</span></p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 14, 2015 at 7:01 AM, Pawel Fiuto <span dir="ltr"><<a href="mailto:pawel.fiuto@mixrad.io" target="_blank">pawel.fiuto@mixrad.io</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div style="font-size:12pt;color:#000000;background-color:#ffffff;font-family:Calibri,Arial,Helvetica,sans-serif">
Hi Gustavo,<br>
<div>
<div><br>
Using settings from  'ipa-advise config-redhat-sssd-before-1-9' with below modifications seems to work quite well:<br>
<br>
- on ipa server add permission to read ipaSshPubKey anonymously:<br>
<br>
[ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read<br>
<br>
</div>
<div>[ipa-client]<span style="font-size:12pt"># diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig</span>
<div>
<div>2c2</div>
<div>< services = nss, pam, ssh</div>
<div>---</div>
<div>> services = nss, pam</div>
<div>12c12</div>
<div>< ldap_search_base = cn=accounts,dc=example,dc=org</div>
<div>---</div>
<div>> ldap_search_base = cn=compat,dc=example,dc=org<br>
</div>
<div>14d13</div>
<div>< ldap_user_ssh_public_key = ipaSshPubKey<br>
</div>
<br>
<br>
</div>
<br>
</div>
</div>
<div>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> <<a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>> on behalf of Gustavo Mateus <<a href="mailto:gustavo.mateus@gmail.com" target="_blank">gustavo.mateus@gmail.com</a>><br>
<b>Sent:</b> 11 September 2015 00:30<br>
<b>To:</b> <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br>
<b>Subject:</b> [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd</font>
<div> </div>
</div><div><div class="h5">
<div>
<div dir="ltr">Hi,
<div><br>
</div>
<div>I'm trying to setup my Amazon Linux instances to be able to fetch the IPA users public ssh key.<br>
<br>
Do I have to setup a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Gustavo</div>
</div>
</div>
</div></div></div>
</div>
</div>
</div>

</blockquote></div><br></div>
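The diff Pawel posts above touches three settings in sssd.conf: the `ssh` responder is added to `services`, `ldap_search_base` is moved from the compat tree to `cn=accounts`, and `ldap_user_ssh_public_key` is mapped to `ipaSshPubKey`. Together with the anonymous-read permission on the IPA server, this is what lets the client fetch keys without a bind DN and password; the trade-off is that every LDAP client that can reach the directory can then read users' public keys without authenticating. The script below is an added example, not code from the thread or from FreeIPA: it builds a constructed "before" and "after" sssd.conf (the only lines taken from the thread are the three the diff shows; the surrounding options are assumed) and checks whether a given file carries all three settings, which is a quick way to confirm a client is ready before wiring up sshd's AuthorizedKeysCommand.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. It writes two constructed
# sssd.conf variants and checks each for the three settings Pawel's diff adds.

# Constructed "before" configuration (the sssd.conf.orig side of the diff).
# Only the services / ldap_search_base lines come from the thread; the rest is assumed.
SSSD_BEFORE='[sssd]
services = nss, pam
config_file_version = 2
domains = example.org

[domain/example.org]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa.example.org
ldap_search_base = cn=compat,dc=example,dc=org
ldap_tls_cacert = /etc/ipa/ca.crt
'

# Constructed "after" configuration (the sssd.conf side of the diff).
SSSD_AFTER='[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.org

[domain/example.org]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa.example.org
ldap_search_base = cn=accounts,dc=example,dc=org
ldap_user_ssh_public_key = ipaSshPubKey
ldap_tls_cacert = /etc/ipa/ca.crt
'

# check_sssd_conf FILE
# Returns 0 when FILE carries all three settings, 1 otherwise, and names the
# missing ones on stdout. Patterns are POSIX ERE so the check runs with any grep.
check_sssd_conf() {
    conf="$1"
    rc=0
    # 1. the ssh responder must be listed in [sssd] services; it is what the
    #    sss_ssh_authorizedkeys helper (used as AuthorizedKeysCommand) talks to
    if ! grep -Eq '^[[:space:]]*services[[:space:]]*=(.*[ ,])?ssh([ ,]|$)' "$conf"; then
        echo "missing: 'ssh' in [sssd] services"; rc=1
    fi
    # 2. the search base must be the accounts tree, where ipaSshPubKey lives,
    #    not the compat tree
    if ! grep -Eq '^[[:space:]]*ldap_search_base[[:space:]]*=[[:space:]]*cn=accounts,' "$conf"; then
        echo "missing: ldap_search_base under cn=accounts"; rc=1
    fi
    # 3. the LDAP attribute holding the key must be mapped for the LDAP provider
    if ! grep -Eq '^[[:space:]]*ldap_user_ssh_public_key[[:space:]]*=[[:space:]]*ipaSshPubKey' "$conf"; then
        echo "missing: ldap_user_ssh_public_key = ipaSshPubKey"; rc=1
    fi
    return $rc
}

# Write the two constructed files into a scratch directory and check both.
demo_dir=$(mktemp -d)
printf '%s' "$SSSD_BEFORE" > "$demo_dir/sssd.conf.orig"
printf '%s' "$SSSD_AFTER"  > "$demo_dir/sssd.conf"

check_sssd_conf "$demo_dir/sssd.conf.orig" || echo "sssd.conf.orig: not ready for key lookup"
check_sssd_conf "$demo_dir/sssd.conf" && echo "sssd.conf: all three settings present"
```

Run it against a real client with `check_sssd_conf /etc/sssd/sssd.conf` after sourcing the script; the function only reads the file, so it is safe to run on a live system. It deliberately does not check the server-side permission, which has to be verified on the IPA server with `ipa permission-show 'Read ipaSshPubKey'`.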