Hi Alexander, That makes sense, is there a simple method to test which ldap_user_extras_attrs sssd is pulling in on the IPA server side (are we actually pulling in these attributes), and then test from the client side dbus (list said attributes)?
Thanks, Steve On Tue, Oct 24, 2017 at 9:30 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On ti, 24 loka 2017, Steve Dainard via FreeIPA-users wrote: > >> Hello, >> >> I'm running a cross-forest trust with RHEL 7 IPA (60 day trial), when I do >> an ldapsearch on the AD user against the IPA server I get very few >> attributes. >> >> It seems like the sssd option 'ldap_user_extras_attrs' should fetch >> additional attributes but I can't seem to get any results. I'm also >> confused which section this option should be added to on IPA server >> sssd.conf. I've tried: >> >> [domain/ipadomain] >> ldap_user_extras_attrs = givenname, sn, displayname >> >> [domain/addomain] >> ldap_user_extras_attrs = givenname, sn, displayname >> >> [domain/ipadomain/addomain] >> ldap_user_extras_attrs = givenname, sn, displayname >> >> Of note, I didn't include the 'mail' attribute as a value above as I read >> a >> post that said IPA should pull this attribute automatically but I'm not >> seeing it either when doing an ldapsearch. Maybe this points to a bigger >> problem.. >> > Yes, a problem of misunderstanding what piece is used for. ;) > > SSSD retrieval of extended attributes is used by SSSD info pipe > interface which is available over DBus. There are applications like > Apache or nginx plugins that consume this interface. Schema > compatibility plugin in FreeIPA LDAP server (slapi-nis) is not using > this API and thus is not providing this information in records you see > in 'cn=compat,$SUFFIX' subtree. > > > > -- > / Alexander Bokovoy >
_______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org