Thanks Dimitri for the feedback.

I made the modifications you asked for, including a disclaimer regarding enumerate. I wasn't aware of this issue, by the way. So thank you.

From what I can make out of the logs I was given to read, I think SSSD actually fetches the SSH public key during the enumerate phase along with all the other LDAP fields.

BTW, please refer to the version I linked here and not the one on mentel.com, because this is the one I'll keep updating on a long-term basis. The company webmaster won't like having updates each time I find a neat trick to refine the config. And I do hope to include further tips on my blog as I keep working with SSSD (for example, I intend to take a look at the Kerberos integration some time in the future).

Mathieu.


2013/4/11 Dmitri Pal <dpal@redhat.com>
On 04/11/2013 02:04 PM, Mathieu Lemoine wrote:
Hello,

Me again. As promised, here is the link to the blog post: http://blog.mlemoine.name/2013/04/11/centralizing-server-access.html

Enjoy! (Feedback is welcome and will be appreciated.)

Thank you for the pointer. Several comments:

s/SSSd/SSSD

Please remove enumeration. We ask people not to use enumeration up until it is really needed. So if you "really need it" please say that your case is somewhat odd.
The enumeration creates a lot of burden on the server. The enumeration is needed only in the case when the servers you access run unattended for a long period of time with no one *ever* logging into them. If this is the case then enumeration is probably the right thing to do as this is the only way to sync up data and make it available before outage for the case of outage.
However, in most cases people log into the systems periodically. In this case the data is cached and the enumeration is really not needed.
Can you please augment it in the article? It is really important because people start to use enumerate = true and get into delays when they really do not need to use enumeration.
Also I am not sure that enumeration really affects the data that is needed for SSH integration. Can someone confirm that please?

"to read about this match, " did you mean "patch"?


Thanks
Dmitri


Mathieu.


2013/3/25 Dmitri Pal <dpal@redhat.com>
On 03/19/2013 01:52 PM, Mathieu Lemoine wrote:
Hello,

I have sssd 1.9.4 (from https://launchpad.net/~nicholas-hatch/+archive/auth/+packages) configured on an OpenLDAP server.
getent passwd, getent group, authentication and cache are working great.

My issue now lies with the SSH public key.

My user has the ldapPublicKey objectClass, and the key is in the sshPublicKey attribute.

sss_ssh_authorizedkeys is still returning "Error looking up public keys".
An inquiry on the #sssd chan directed me to this mailing-list and more precisely to jcholast, I tried to check out the commits, but nothing seems to get out of it...

If any of you had information regarding that, it'd be greatly appreciated.
Mathieu.

See the slide deck attached.
I suspect the implementation assumes the IPA schema, not the one you mention. And the reason is that we have found other schemata limiting.

HTH




_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



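The two configuration points raised in this thread (enumeration, and where SSSD looks for the SSH public key), as an added example that is not part of the thread or of SSSD itself: a small Python check over an sssd.conf. The sample configuration is constructed, and treating an unset `ldap_user_ssh_public_key` as worth flagging follows the suspicion voiced in the thread rather than a confirmed default.

```python
import configparser

# Constructed sample sssd.conf; the domain name and URI are made up.
SAMPLE_CONF = """
[sssd]
services = nss, pam, ssh
domains = example

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
enumerate = true
"""


def audit_sssd_conf(text):
    """Return (section, finding) tuples for the two points discussed in the thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    # The ssh responder must be listed for sss_ssh_authorizedkeys to be served.
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    ssh_enabled = "ssh" in services

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]

        # Enumeration loads the LDAP server; it is only justified for hosts
        # that run unattended with nobody ever logging in.
        if dom.get("enumerate", "false").strip().lower() == "true":
            findings.append((section, "enumerate = true: justify it or remove it"))

        # Assumption (from the thread): without an explicit mapping the lookup
        # may not use the sshPublicKey attribute of a plain OpenLDAP schema.
        if (ssh_enabled and dom.get("id_provider", "").strip() == "ldap"
                and "ldap_user_ssh_public_key" not in dom):
            findings.append((section, "ssh enabled but ldap_user_ssh_public_key not set"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sssd_conf(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```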