On 12/01/2017 10:59, hirofumi.morik...@accenture.com wrote:
Let me further clarify the question that was asked by Niraj below.
Currently, we have 1 master FreeIPA server and 1 client server.
Evaluating your product for production deployment.
Master and client connectivity is established, and when creating the
user in the web console, it does indeed create the user on the client
machine.
However, when we add a public key through the web console below, this
key is not created on (or transferred to) the client machine.
That's correct: it doesn't copy them anywhere, nor is it supposed to.
Instead, the keys sit in the FreeIPA LDAP database. When you install the
ipa-client package on a host, it configures sshd so it communicates via
sssd to query the authorized keys in LDAP. You will find:
# /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, sudo
That means you have central control of your authorized_keys with
FreeIPA, without copying them onto every host's filesystem.
You also have central control of your user accounts, group memberships,
uid and gid mappings, sudo policy, host access policy (i.e. which users
are allowed to login to which hosts), ... All this is done via sssd and
LDAP as well.
HTH,
Brian.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
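A check for the setup Brian describes, added here as an example and not taken from the thread or from the FreeIPA project: it parses an sshd_config and an sssd.conf to confirm that sshd hands key lookups to sss_ssh_authorizedkeys and that sssd's ssh responder is enabled. The config files it reads are constructed samples written to a temp directory so the script runs offline; the live commands it prints at the end are the ones to run on a real enrolled client. Note that sshd refuses to run an AuthorizedKeysCommand unless AuthorizedKeysCommandUser is also set (ipa-client-install sets it to nobody), so the check requires both.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeIPA): offline check
# that a FreeIPA client is wired to fetch SSH public keys from LDAP via sssd.
set -eu

# check_sshd_config FILE
# Returns 0 when the effective AuthorizedKeysCommand is sss_ssh_authorizedkeys
# and AuthorizedKeysCommandUser is set. sshd honours the first occurrence of a
# keyword, hence head -n 1; keywords are matched case-insensitively, so the
# output of "sshd -T" (all lowercase) can be fed in as well.
check_sshd_config() {
    cmd=$(awk 'tolower($1)=="authorizedkeyscommand"{print $2}' "$1" | head -n 1)
    usr=$(awk 'tolower($1)=="authorizedkeyscommanduser"{print $2}' "$1" | head -n 1)
    [ "$cmd" = "/usr/bin/sss_ssh_authorizedkeys" ] && [ -n "$usr" ]
}

# check_sssd_conf FILE
# Returns 0 when the [sssd] section's "services" line lists "ssh", which is
# what makes the responder behind sss_ssh_authorizedkeys available.
check_sssd_conf() {
    awk '
        /^\[/ { in_sssd = ($0 == "[sssd]"); next }
        in_sssd && tolower($0) ~ /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "ssh") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# write_samples
# Writes constructed sample configs (an ipa-client-style "good" pair and a
# stock "bad" pair) into a temp directory and prints its path.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/sshd_config.good" <<'EOF'
# constructed sample: what ipa-client-install leaves behind
PasswordAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
    cat > "$d/sshd_config.bad" <<'EOF'
# constructed sample: stock sshd, keys only from ~/.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
EOF
    cat > "$d/sssd.conf.good" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = example.test
EOF
    cat > "$d/sssd.conf.bad" <<'EOF'
[sssd]
services = nss, pam
EOF
    printf '%s\n' "$d"
}

# Run the offline checks against the constructed samples.
samples=$(write_samples)
for f in sshd_config.good sshd_config.bad; do
    if check_sshd_config "$samples/$f"; then
        echo "$f: sshd asks sssd for authorized keys"
    else
        echo "$f: sshd is NOT using sss_ssh_authorizedkeys"
    fi
done
for f in sssd.conf.good sssd.conf.bad; do
    if check_sssd_conf "$samples/$f"; then
        echo "$f: sssd ssh responder enabled"
    else
        echo "$f: sssd ssh responder NOT enabled"
    fi
done
rm -rf "$samples"

# On an enrolled client, the same thing can be confirmed live:
echo "Live checks on a real client:"
echo "  sshd -T | grep -i authorizedkeyscommand"
echo "  sss_ssh_authorizedkeys <user>   # prints the key(s) stored in FreeIPA"
```

If sss_ssh_authorizedkeys prints nothing for a user whose key is visible in the web UI, the sshd side is not the problem; look at the sssd ssh responder (the "services" line) and at the sssd_ssh log before touching sshd_config.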