On 09/25/2013 10:30 AM, Alexander Bokovoy wrote:
> On Wed, 25 Sep 2013, Martin Kosek wrote:
>> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
>>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
>>>> Hi,
>>>>
>>>> I've successfully set up a testing environment with an IPA server (RHEL 6.4)
>>>> and a cross-realm trust with my Active Directory (Win2008 R2).
>>>> Authentication works both with AD passwords and Kerberos GSS-API.
>>>>
>>>> Now, I'm trying to find the way to manage SSH keys which belong to AD
>>>> users. It seems that I can do that only with users declared in the IPA
>>>> domain. Can you confirm that?
>>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
>>> object to assign attributes to.
>>>> Does the winsync method provide a way to add an SSH key to an AD user?
>>> Under winsync AD users would become 'normal' LDAP objects in IPA,
>>> therefore you can assign additional values/attributes to them.
>>
>> Though note that with winsync, one would lose all the SSO capabilities...
>>
>> Alexander, I am just thinking about possibilities. We now have the concept of
>> external groups in FreeIPA which one can then use as members of normal POSIX
>> groups and use them in HBAC or other policies.
>>
>> Would it be possible to create "external users", i.e. user entries identified
>> by FQDN/SID, and then be able to assign a selected set of user attributes (like
>> SSH public key, home directory, shell...) which could then be leveraged by
>> SSSD?
> Not sure it makes sense given that one can manage these attributes in
> AD.
True. This may then lead to an RFE for "Services for Identity Management for UNIX Components" AD extension... And when it's there, a similar RFE for SSSD to use the new attributes.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users