Hello,
I'm running a cross-forest trust with RHEL 7 IPA (60 day trial), when I do
an ldapsearch on the AD user against the IPA server I get very few
attributes.
It seems like the sssd option 'ldap_user_extras_attrs' should fetch
additional attributes but I can't seem to get any results. I'm also
confused which section this option should be added to on IPA server
sssd.conf. I've tried:
[domain/ipadomain]
ldap_user_extras_attrs = givenname, sn, displayname
[domain/addomain]
ldap_user_extras_attrs = givenname, sn, displayname
[domain/ipadomain/addomain]
ldap_user_extras_attrs = givenname, sn, displayname
Of note, I didn't include the 'mail' attribute as a value above as I read a
post that said IPA should pull this attribute automatically but I'm not
seeing it either when doing an ldapsearch. Maybe this points to a bigger
problem..
Here are the value's I'm receiving:
# steve.dainard(a)addomain.com, users, compat,
ipadomain.com
dn: uid=steve.dainard(a)addomain.com,cn=users,cn=compat,dc=ipadomain,dc=com
objectClass: posixAccount
objectClass: top
gecos: Steve Dainard
cn: Steve Dainard
uidNumber: 1587
gidNumber: 1028
loginShell: /bin/sh
homeDirectory: /home/addomain.com/steve.dainard
uid: steve.dainard(a)addomain.com
The uidNumber/gidNumber are coming from AD, but the loginShell in AD is set
to /bin/bash.
I've also seen mention of using the [ifp] section to populate attributes
for applications such as manageiq
http://manageiq.org/docs/reference/euwe/auth/ipa_ad_trust but if I add that
option my client hosts can't id users. I'm not entirely sure if the [ifp]
entry should be server side, client side, or both.
Thanks,
Steve