On Fri, 07 Dec 2018, Lenhardt, Matthias via FreeIPA-users wrote:
Hi,

we have an IPA 4.6.4 environment with an AD Trust configured and everything's 
working perfectly.

My question is: is it possible to configure IPA so that extra AD user
attributes are transferred? I would need the AD user attribute "mail"
with the user's email address.

This question came up after I tried to connect GitLab to IPA and
authentication with an AD user fails, because IPA doesn't have the
"mail" attribute of the user, so login is denied. (Authentication on
Linux systems is working.)
There are so many assumptions in my answer below because you didn't
really tell us what you do.

I assume you are talking about use of the Compat tree to connect your
GitLab instance via LDAP to IPA. I assume you are searching for both AD
and IPA users in the cn=compat,$SUFFIX.

If that's a correct assumption, there is nothing to help here. The compat
tree is populated using two sources:

- for IPA users it picks up details from the cn=accounts,$SUFFIX
- for AD users it queries SSSD on the IPA master using a specialized API
  that only returns details of POSIX attributes

There is no such thing as 'mail' in POSIX attributes and we cannot
really retrieve it via the existing API.

I think a better approach would actually be to get GitLab and similar
solutions to move on to use SAML2 or OpenID Connect connectors instead
of looking up everything in LDAP directly. This is a GitLab EE feature but
it is really meant to solve this kind of problem. See
https://docs.gitlab.com/ee/integration/saml.html for details. If you
use Keycloak or Ipsilon with an SSSD backend as an IdP, you will get all
those details and more available to GitLab.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
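A practical way to confirm the limitation described above before pointing GitLab at the compat tree is to dump the entries and check which of them actually carry the attribute GitLab needs. The script below is an added example, not code from this thread or from the FreeIPA project: it parses LDIF of the shape an ldapsearch against cn=users,cn=compat,$SUFFIX returns and reports every entry that lacks "mail", telling AD trust users (whose uid carries the realm suffix) apart from IPA users. The sample LDIF, the base DN dc=example,dc=test and the user names are constructed for the example; in practice you would feed it the real search output.

```python
"""Report which compat-tree entries lack the attribute GitLab looks up.

The LDIF below is constructed for this example; it mimics the POSIX-only
shape of cn=compat entries and is not output from a real server.
"""
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
# extended LDIF
#
# base <cn=users,cn=compat,dc=example,dc=test> with scope subtree
#
dn: uid=alice,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
objectClass: top
uid: alice
cn: Alice Example
uidNumber: 1234000001
gidNumber: 1234000001
homeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example

dn: uid=bob@ad.example.test,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
objectClass: top
uid: bob@ad.example.test
cn: Bob Example
uidNumber: 1500000501
gidNumber: 1500000513
homeDirectory: /home/ad.example.test/bob
loginShell: /bin/sh
gecos:: Qm9iIEV4YW1wbGU=

"""


def decode_value(rest):
    """Decode the part after 'attr:'; a second ':' marks a base64 value."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [values]}) tuples.

    Handles comment lines, folded continuation lines (leading space)
    and base64 values ('attr:: ...'); attribute names are lower-cased.
    """
    # Unfold continuation lines before interpreting anything.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries = []
    current = None
    for line in lines:
        if not line.strip():
            # Blank line terminates the current entry.
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = (decode_value(line[3:]), defaultdict(list))
            continue
        if current is None:
            continue
        attr, _, rest = line.partition(":")
        current[1][attr.lower()].append(decode_value(rest))
    if current is not None:
        entries.append(current)
    return entries


def is_trust_user(dn):
    """AD users show up in the compat tree with the realm suffix in the uid RDN."""
    rdn = dn.split(",", 1)[0]
    return "@" in rdn


def missing_attribute(entries, attr="mail"):
    """Return {dn: 'AD trust user' | 'IPA user'} for entries lacking attr."""
    attr = attr.lower()
    result = {}
    for dn, attrs in entries:
        if attr not in attrs:
            result[dn] = "AD trust user" if is_trust_user(dn) else "IPA user"
    return result


if __name__ == "__main__":
    for dn, kind in missing_attribute(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{kind}: {dn} has no 'mail' attribute")
```

Every entry in the sample is flagged, which is exactly the situation the thread describes: the compat tree carries POSIX attributes only, so an LDAP client that insists on "mail" will not find it there for either kind of user.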
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]