I used compat because that is what ipa-advise provided me. I did not pay attention to that part. And yes, that did the trick :)
Thank you very much

Gustavo

On Sun, Sep 20, 2015 at 8:51 AM, Jakub Hrozek <[email protected]> wrote:

> On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> > On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> > >
> > >>On 18 Sep 2015, at 19:17, Gustavo Mateus <[email protected]> wrote:
> > >>
> > >>That only shows this:
> > >>
> > >># extended LDIF
> > >>#
> > >># LDAPv3
> > >># base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
> > >># filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
> > >># requesting: ALL
> > >>#
> > >>
> > >># admin, users, compat, my.domain.com
> > >>dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> > >>cn: Administrator
> > >>uidNumber: 1742200000
> > >>objectClass: posixAccount
> > >>objectClass: top
> > >>gidNumber: 1742200000
> > >>gecos: Administrator
> > >>loginShell: /bin/bash
> > >>homeDirectory: /home/admin
> > >>uid: admin
> > >>
> > >
> > >Since sshPublicKey is not listed here, the ACIs still prevent you from
> > >reading the attribute. You need to either bind as a user who has
> > >permissions to read it or make the public key world-readable (I don't
> > >think making it world-readable would be an issue since it's a pubkey)
> > Compat tree doesn't have ipaSSHPublicKey.
>
> Oops, good catch. I totally missed the search base is compat.
>
> >
> > Why are you pointing to the compat tree instead of the normal one?
> > You should only use compat tree for two reasons:
> > - your POSIX client does not understand RFC2307bis
> > - your POSIX client does not use recent SSSD and you want to have trust to
> >   Active Directory working.
> >
> > For the rest of cases you should really point your POSIX clients to the
> > main subtree, not the compat one.
> > --
> > / Alexander Bokovoy
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
