Hello all,
I've been trying (and failing) to configure sssd to use LDAP to retrieve hosts' public SSH keys. I'd like to ask whether this is possible with LDAP at all, or whether this feature is only supported with FreeIPA.
If yes, what search filter does sssd use to look up keys in LDAP? I'm using the sshPublicKey attribute for both people and machines in my LDAP schema, but I can't figure out what attribute is checked to determine the hostname.
User ssh public key retrieval works fine in my configuration. I'm using sssd 1.15 which ships with debian stretch.
Thanks!
BR, George
On Sat, Dec 08, 2018 at 08:09:09PM +0200, George Diamantopoulos wrote:
> Hello all,
> I've been trying (and failing) to configure sssd to use LDAP to retrieve hosts' public SSH keys. I'd like to ask whether this is possible with LDAP at all, or whether this feature is only supported with FreeIPA.
> If yes, what search filter does sssd use to look up keys in LDAP? I'm using the sshPublicKey attribute for both people and machines in my LDAP schema, but I can't figure out what attribute is checked to determine the hostname.
For the hostname the attribute 'fqdn' is used, please see the ldap_host_* options described in man sssd-ldap for details.
You can find the search filters and search bases in the domain log if you add 'debug_level=6' (or higher) to the [domain/...] section of sssd.conf.
HTH
bye, Sumit
> User ssh public key retrieval works fine in my configuration. I'm using sssd 1.15 which ships with debian stretch.
> Thanks!
> BR, George
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On Sat, Dec 08, 2018 at 08:09:09PM +0200, George Diamantopoulos wrote:
> User ssh public key retrieval works fine in my configuration. I'm using sssd 1.15 which ships with debian stretch.
I'm afraid the commit that exposed the host key lookup to the LDAP provider is only present in 1.16.1 and newer.
Thanks for the reply, Jakub.
Does this mean that there is no support in 1.15 at all, or that the attribute name is hardcoded as "fqdn" but still usable if the schema complies?
On Mon, Dec 10, 2018 at 01:19:33PM -0000, George Diamantopoulos wrote:
> Thanks for the reply, Jakub.
> Does this mean that there is no support in 1.15 at all, or that the attribute name is hardcoded as "fqdn" but still usable if the schema complies?
There is no support at all, the sss_ssh_knownhosts proxy has no 'handler' on the sssd_be side to talk to.
Cool, thanks. I backported 1.16.1 to stretch and it works!
BTW, I can't seem to find any "standard" schemas out there with the "fqdn" attribute. Only FreeIPA seems to ship it.
I'm using the "host" attribute for now from the "hostObject" objectClass, although I believe this is not what it's meant for...
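For reference, here is what a working sssd.conf for this setup looks like on 1.16.1 or newer, tying together the ldap_host_* options Sumit pointed at and the "host" attribute used above. This is an added example, not a config posted in the thread; the domain name "example", the server ldap.example.com, the search bases and the choice of hostObject as the host objectClass are assumptions, so adjust them to your directory.

```ini
# /etc/sssd/sssd.conf (fragment). Added example, not from the thread.
# Assumes: sssd >= 1.16.1 (the version Jakub named as the first with the
# LDAP host key handler), a domain called "example", host entries under
# ou=hosts,dc=example,dc=com carrying the hostObject (RFC 4524) and
# ldapPublicKey objectClasses, the FQDN in the "host" attribute and the
# key(s) in sshPublicKey. Hostnames and bases here are placeholders.
[sssd]
services = nss, pam, ssh
domains = example

[ssh]
# The ssh responder is what sss_ssh_knownhostsproxy talks to; it needs no
# options for this example but must be present and listed in "services".

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# These keys end up as trusted host keys on every client, so the LDAP
# channel must be TLS with a verified server certificate. "hard" is the
# default; it is spelled out here so nobody relaxes it by accident.
ldap_tls_reqcert = hard
ldap_user_ssh_public_key = sshPublicKey

# Host lookups (man sssd-ldap, ldap_host_* options).
ldap_host_search_base = ou=hosts,dc=example,dc=com
# Default is ipHost; use whatever objectClass your host entries carry
# (assumption: hostObject).
ldap_host_object_class = hostObject
# Attribute sssd compares the requested hostname against. The default,
# "fqdn", only exists in FreeIPA's schema; map it to RFC 4524 "host".
ldap_host_fqdn = host
ldap_host_name = cn
ldap_host_ssh_public_key = sshPublicKey

# Raise while verifying: at 6 or higher the domain log
# (/var/log/sssd/sssd_example.log) records the search base and filter
# used for each host lookup, which is the authoritative answer to
# "what filter does sssd use". Lower it again afterwards.
debug_level = 6
```

On the client side the lookup is driven from ssh_config, as man sss_ssh_knownhostsproxy describes: `ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h` together with `GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts`. After an `ssh somehost.example.com`, the host's key should appear in /var/lib/sss/pubconf/known_hosts and the domain log should show the matching LDAP search. Since anyone who can write sshPublicKey on a host entry can make clients trust an attacker's host key, restrict write access to that attribute in the directory's ACLs as carefully as you would for user keys.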
On 12/11/18 9:14 PM, George Diamantopoulos wrote:
> I'm using the "host" attribute for now from the "hostObject" objectClass, although I believe this is not what it's meant for...
IMO this is perfectly fine: https://tools.ietf.org/html/rfc4524#section-2.14
Ciao, Michael.