On Fri, 23 Aug 2019, Ronald Wimmer wrote:
> On 23.08.19 18:03, Alexander Bokovoy wrote:
>> [...] Is this Keycloak installation done separately from IPA master?
>> If yes,
>> then you need to have ldap_user_extra_attrs on both IPA client where
>> Keycloak runs and on IPA masters that SSSD would talk to, to obtain
>> information about AD users.
>>
> Keycloak runs on a separate machine (as an IPA client). What you are
> saying is that all IPA masters would need to have sssd.conf tweaked
> accordingly?
Yes. Remember that SSSD on IPA client talks to IPA master to query
information about AD users. That request (coming by way of a specialized
LDAP query to IPA LDAP server) is routed to SSSD running on IPA master.
So SSSD on IPA master filters out attributes that aren't allowed in its
config.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
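The configuration the thread describes, as an added example that is not part of either message: the same ldap_user_extra_attrs list placed in sssd.conf on the Keycloak host (an IPA client) and on every IPA master, so that the master-side SSSD does not strip the attributes from AD user lookups before answering the client. The domain name ipa.example.test, the server name ipa1.ipa.example.test, the attribute list and the keycloak service account are assumptions for illustration; the [ifp] section reflects Keycloak's SSSD user federation reading users over the D-Bus InfoPipe.

```ini
# --- /etc/sssd/sssd.conf on the Keycloak host (IPA client) ---
# Assumed IPA domain: ipa.example.test (example value, not from the thread)
[sssd]
services = nss, pam, ifp
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
# Extra attributes this client asks for when resolving users, AD trust
# users included. The request for AD users is answered by SSSD on the
# IPA master, which only returns attributes present in its own list below.
ldap_user_extra_attrs = mail, givenname, sn, telephoneNumber

[ifp]
# Keycloak's SSSD user federation reads users through the InfoPipe
# responder; the extra attributes must also be exposed here.
# "keycloak" is the assumed UID the Keycloak service runs as.
allowed_uids = keycloak, root
user_attributes = +mail, +givenname, +sn, +telephoneNumber

# --- /etc/sssd/sssd.conf on each IPA master ---
[sssd]
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
ipa_server_mode = True
# Must match the client's list: attributes missing here are filtered out
# of the AD user information the master's SSSD hands back to clients.
ldap_user_extra_attrs = mail, givenname, sn, telephoneNumber
```

After editing sssd.conf on a host, restart SSSD (`systemctl restart sssd`) and flush the cache with `sss_cache -E`, otherwise previously cached AD user entries without the extra attributes keep being served; then check with `getent passwd` that the AD user still resolves on the client before testing the Keycloak lookup.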