Hi Alexander,
That makes sense. Is there a simple method to test which
ldap_user_extras_attrs sssd is pulling in on the IPA server side (are we
actually pulling in these attributes), and then test from the client side
dbus (list said attributes)?
Thanks,
Steve
On Tue, Oct 24, 2017 at 9:30 AM, Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
On Tue, 24 Oct 2017, Steve Dainard via FreeIPA-users wrote:
> Hello,
>
> I'm running a cross-forest trust with RHEL 7 IPA (60 day trial), when I do
> an ldapsearch on the AD user against the IPA server I get very few
> attributes.
>
> It seems like the sssd option 'ldap_user_extras_attrs' should fetch
> additional attributes but I can't seem to get any results. I'm also
> confused which section this option should be added to on IPA server
> sssd.conf. I've tried:
>
> [domain/ipadomain]
> ldap_user_extras_attrs = givenname, sn, displayname
>
> [domain/addomain]
> ldap_user_extras_attrs = givenname, sn, displayname
>
> [domain/ipadomain/addomain]
> ldap_user_extras_attrs = givenname, sn, displayname
>
> Of note, I didn't include the 'mail' attribute as a value above as I read
> a post that said IPA should pull this attribute automatically but I'm not
> seeing it either when doing an ldapsearch. Maybe this points to a bigger
> problem..
>
Yes, a problem of misunderstanding what piece is used for. ;)
SSSD retrieval of extended attributes is used by SSSD info pipe
interface which is available over DBus. There are applications like
Apache or nginx plugins that consume this interface. Schema
compatibility plugin in FreeIPA LDAP server (slapi-nis) is not using
this API and thus is not providing this information in records you see
in 'cn=compat,$SUFFIX' subtree.
--
/ Alexander Bokovoy
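
As the reply above explains, extra attributes are served through the SSSD InfoPipe rather than the compat tree, so an attribute must be both fetched for the domain and published by the InfoPipe responder. The following is an added example, not part of the original thread: a Python check that reads an sssd.conf and reports which requested attributes fail either condition. The option names `ldap_user_extra_attrs` and `[ifp] user_attributes` are as spelled in sssd-ldap(5) and sssd-ifp(5), and the sample configuration is constructed.

```python
import configparser

# Constructed sample (not from the thread): three attributes fetched, two published.
SAMPLE_CONF = """
[sssd]
services = nss, pam, ifp

[domain/ipa.example]
ldap_user_extra_attrs = mail, givenname, sn

[ifp]
allowed_uids = apache, root
user_attributes = +mail, +givenname
"""

def _split(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def check_ifp_attrs(conf_text, wanted):
    """Return {attr: [problems]} for each wanted attribute (empty list = OK)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    services = {s.lower() for s in _split(cp.get("sssd", "services", fallback=""))}
    # Attributes fetched into the cache; "cache_name:ldap_name" maps a name.
    fetched = set()
    for section in cp.sections():
        if section.startswith("domain/"):
            for item in _split(cp.get(section, "ldap_user_extra_attrs", fallback="")):
                fetched.add(item.split(":", 1)[0].lower())
    # Attributes the responder may publish: "+attr" adds, "-attr" removes.
    published = set()
    for item in _split(cp.get("ifp", "user_attributes", fallback="")):
        if item.startswith("-"):
            published.discard(item[1:].lower())
        else:
            published.add(item.lstrip("+").lower())
    report = {}
    for attr in wanted:
        problems = []
        if "ifp" not in services:  # acceptable only if ifp is socket-activated
            problems.append("ifp not listed in [sssd] services")
        if attr.lower() not in fetched:
            problems.append("not fetched by any ldap_user_extra_attrs")
        if attr.lower() not in published:
            problems.append("not published in [ifp] user_attributes")
        report[attr] = problems
    return report

if __name__ == "__main__":
    print(check_ifp_attrs(SAMPLE_CONF, ["mail", "sn", "displayname"]))
```

On a running host, the same attributes can then be requested over D-Bus from the org.freedesktop.sssd.infopipe service with its GetUserAttr method, by a caller listed in allowed_uids.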