Hi,
we have an IPA 4.6.4 environment with an AD Trust configured and everything's working perfectly.
My question is: Is it possible to configure that extra AD user attributes are transferred? I would need the AD user attribute "mail" with the user's email address.
This question came up after I tried to connect GitLab to IPA and authentication with an AD user fails, because IPA doesn't have the "mail" attribute of the user, so login is denied. (Authentication on Linux systems is working.)
Thanks in advance!
Regards
Matthias Lenhardt System Administrator
BITMARCK
I second this request. We have IPA/IDM configured with a one-way trust to AD and it is working well. Yet we would like to have user auth to LDAP in IPA/IDM, and one field (among others) that cannot be seen via LDAP queries is the AD email field. This really stops the auth in most cases. There are other fields we need as well, but this one is critical.
On Fri, 07 Dec 2018, Lenhardt, Matthias via FreeIPA-users wrote:
There are so many assumptions in my answer below because you didn't really tell us what you do.
I assume you are talking about use of the Compat tree to connect your GitLab instance via LDAP to IPA. I assume you are searching for both AD and IPA users in the cn=compat,$SUFFIX.
If that's a correct assumption, there is nothing to help here. The compat tree is populated using two sources:
- for IPA users it picks up details from the cn=accounts,$SUFFIX
- for AD users it queries SSSD on the IPA master using a specialized API that only returns details of POSIX attributes
There is no such thing as 'mail' in POSIX attributes and we cannot really retrieve it via existing API.
I think a better approach would actually be to get GitLab and similar solutions to move on to use SAML2 or OpenID Connect connectors instead of looking up everything in LDAP directly. This is a GitLab EE feature, but it is really meant to solve this kind of problem. See https://docs.gitlab.com/ee/integration/saml.html for details. If you use Keycloak or Ipsilon with an SSSD backend as an IdP, you will get all those details and more available to GitLab.
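A quick way to confirm the gap described above before pointing an LDAP client at the compat tree is to dump the entries and check them for the attributes the client needs. The script below is an added example, not code from this thread or from FreeIPA; its LDIF is constructed to resemble cn=compat output, and the suffix dc=example,dc=test and the user names are assumptions.

```python
"""Report which compat-tree entries lack attributes an LDAP-auth client needs.
Added example; the sample LDIF is constructed, not captured from a real server."""
import base64
from typing import Dict, List, Set

# Constructed sample: an IPA-native user (carries "mail") and an AD trust user
# as served from cn=users,cn=compat, which carries POSIX attributes only.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=compat,dc=example,dc=test
uid: alice
cn: Alice Example
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/bash
mail: alice@example.test

dn: uid=bob@ad.example.test,cn=users,cn=compat,dc=example,dc=test
uid: bob@ad.example.test
cn:: Qm9iIEV4YW1wbGU=
uidNumber: 1234567890
gidNumber: 1234567890
homeDirectory: /home/ad.example.test/bob
loginShell: /bin/sh
"""

def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader keyed by DN; understands base64 ('::') values."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for line in text.splitlines() + [""]:
        if not line:                              # blank line ends an entry
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr, []).append(value.strip())
    return entries

def missing_attributes(text: str, required: Set[str]) -> Dict[str, Set[str]]:
    """Map each DN to the required attributes that entry does not expose."""
    return {dn: required - set(attrs) for dn, attrs in parse_ldif(text).items()}

if __name__ == "__main__":
    for dn, missing in missing_attributes(SAMPLE_LDIF, {"uid", "mail"}).items():
        print(dn, "missing:", sorted(missing) or "nothing")
```

On a live server the same check can be fed the output of an ldapsearch against cn=users,cn=compat,$SUFFIX; an AD user whose entry lacks "mail" here will fail any client login that keys on that attribute.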
freeipa-users@lists.fedorahosted.org