On 04/11/2013 02:44 PM, Mathieu Lemoine wrote:
Thanks Dimitri for the feedback.
I made the modifications you asked for. Including a disclaimer
regarding enumerate. I wasn't aware of this issue by the way. So thank
you.
From what I can make out of the logs I was given to read, I think SSSD
actually fetches the ssh public key during the enumerate phase along
with all the other LDAP fields.
BTW, please refer to the version I linked here and not the one on
mentel.com <http://mentel.com>. Because this is the one I'll keep
updating on a long term basis. The company webmaster won't like having
updates each time I find a neat trick to refine the config. And I
do hope to include further tips on my blog as I'll keep working with
SSSD (For example, I intend to take a look at the kerberos integration
some time in the future).
Yes. Thank you. Looks good.
Couple questions:
1) Are you planning to consider FreeIPA?
2) Is there any chance you can blog about the SSSD test day?
http://fedoraproject.org/wiki/QA/Fedora_19_test_days
Currently there are three test days on the list that we will be running.
Next week there will be an IPA one. We already started to prepare test
cases for it
http://fedoraproject.org/wiki/Test_Day:2013-04-18
There will be a similar page created for SSSD. The date is 2013-05-09
and the focus is "SSSD Improve and AD Integration"
And then later in early June we will try out the FreeIPA with a native
OTP support!
Thanks
Dmitri
Mathieu.
2013/4/11 Dmitri Pal <dpal(a)redhat.com>
On 04/11/2013 02:04 PM, Mathieu Lemoine wrote:
> Hello,
>
> Me again. As promised, here is the link to the blog post:
>
> http://blog.mlemoine.name/2013/04/11/centralizing-server-access.html
>
> Enjoy! (Feedback is welcome and will be appreciated.)
>
Thank you for the pointer. Several comments
s/SSSd/SSSD
Please remove enumeration. We ask people not to use enumeration up
until it is really needed. So if you "really need it" please say
that your case is somewhat odd.
The enumeration creates a lot of burden on the server. The
enumeration is needed only in the case when the servers you access
run unattended for a long period of time with no one *ever* logging
into them. If this is the case then enumeration is probably the
right thing to do as this is the only way to sync up data and make
it available before outage for the case of outage.
However in most cases people log into the systems periodically. In
this case the data is cached and the enumeration is really not
needed.
Can you please augment it in the article? It is really important
because people start to use enumerate = true and get into delays
when they really do not need to use enumeration.
Also I am not sure that enumeration really affects the data that
is needed for SSH integration. Can someone confirm that please?
"to read about this match, " did you mean "patch"?
Thanks
Dmitri
> Mathieu.
>
>
> 2013/3/25 Dmitri Pal <dpal(a)redhat.com>
>
> On 03/19/2013 01:52 PM, Mathieu Lemoine wrote:
>> Hello,
>>
>> I have sssd 1.9.4 (from
>> https://launchpad.net/~nicholas-hatch/+archive/auth/+packages)
>> configured on an OpenLDAP server.
>> getent passwd, getent group, authentication and cache is
>> working great.
>>
>> My issue now lies with the SSH public key.
>>
>> My user has the ldapPublicKey objectClass, and the key is in
>> the sshPublicKey attribute.
>>
>> sss_ssh_authorizedkeys is still returning "Error looking up
>> public keys".
>> An inquiry on the #sssd chan directed me to this
>> mailing-list and more precisely to jcholast, I tried to
>> check out the commits, but nothing seems to get out of it...
>>
>> If any of you had information regarding that, it'd be
>> greatly appreciated.
>> Mathieu.
>
> See the slide deck attached.
> I suspect the implementation assumes ipa schema not the one
> you mention. And the reason is that we have found other
> schemata limiting.
>
> HTH
>
>
>>
>>
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users(a)lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
>
> www.redhat.com/carveoutcosts/
>
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
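
The enumeration advice given earlier in this thread can be checked mechanically. The following is an added example, not part of the original messages or of SSSD itself: a Python audit of an sssd.conf that lists domains with enumerate enabled and reports whether the ssh responder (used by sss_ssh_authorizedkeys) is among the configured services. The sample configuration, the domain names and the function name audit_sssd_conf are constructed for illustration.

```python
import configparser

# Constructed sample configuration; domain names and the LDAP URI are placeholders.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh
domains = corp, lab

[domain/corp]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
enumerate = TRUE

[domain/lab]
id_provider = ldap
ldap_uri = ldap://ldap.example.test

[domain/old]
id_provider = ldap
enumerate = true
"""


def _csv(value):
    """Split a comma-separated sssd.conf value into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_sssd_conf(text):
    """Report enumerating domains and whether the ssh responder is enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    services = _csv(cp.get("sssd", "services", fallback=""))
    active = _csv(cp.get("sssd", "domains", fallback=""))
    enumerating, inactive = [], []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        # SSSD treats the option as a boolean; it is off unless set to true.
        if cp.get(section, "enumerate", fallback="false").strip().lower() != "true":
            continue
        (enumerating if name in active else inactive).append(name)
    return {
        "enumerating_domains": enumerating,  # active domains to review
        "enumerate_in_inactive": inactive,   # set, but domain not listed in [sssd]
        "ssh_responder": "ssh" in services,  # needed by sss_ssh_authorizedkeys
    }


if __name__ == "__main__":
    print(audit_sssd_conf(SAMPLE_CONF))
```

Pass the contents of a real /etc/sssd/sssd.conf as the string argument; each name under enumerating_domains is a domain where the setting should be justified or removed.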