On Fri, 23 Aug 2019, Ronald Wimmer wrote:
> On 23.08.19 18:03, Alexander Bokovoy wrote:
>> [...] Is this Keycloak installation done separate from IPA master? If yes,
>> then you need to have ldap_user_extra_attrs on both IPA client where
>> Keycloak runs and on IPA masters that SSSD would talk to to obtain
>> information about AD users.
>
> Keycloak runs on a separate machine (as an ipa client). What you are saying is that all IPA masters would need to have sssd.conf tweaked accordingly?

Yes. Remember that SSSD on IPA client talks to IPA master to query
information about AD users. That request (coming by way of a specialized
LDAP query to IPA LDAP server) is routed to SSSD running on IPA master.
So SSSD on IPA master filters out attributes that aren't allowed in its
config.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
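
Added example, not part of the original thread and not FreeIPA or SSSD code: a check that every ldap_user_extra_attrs entry configured on the IPA client is also configured on each IPA master, since an entry missing on a master is filtered out there before it reaches the client. The domain name, host names, attribute names and sssd.conf contents are constructed samples, and entries are compared as written (case-insensitively), which is an assumption of this sketch.

```python
import configparser

def extra_attrs(conf_text, domain):
    """Return the ldap_user_extra_attrs entries of [domain/<domain>] as a set."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section in sssd.conf")
    raw = cp.get(section, "ldap_user_extra_attrs", fallback="")
    # Comma-separated list; normalise whitespace and case before comparing.
    return {e.strip().lower() for e in raw.split(",") if e.strip()}

def filtered_on_master(client_conf, master_confs, domain):
    """Map each master to the client-side entries that master does not allow."""
    wanted = extra_attrs(client_conf, domain)
    report = {}
    for name, text in master_confs.items():
        missing = wanted - extra_attrs(text, domain)
        if missing:
            report[name] = sorted(missing)
    return report

# Constructed sample configs (assumed domain, hosts and attributes).
DOMAIN = "ipa.example.test"
CLIENT = """
[domain/ipa.example.test]
id_provider = ipa
ldap_user_extra_attrs = mail, sn, givenname
"""
MASTERS = {
    "master1": """
[domain/ipa.example.test]
id_provider = ipa
ldap_user_extra_attrs = mail, sn, givenname
""",
    "master2": """
[domain/ipa.example.test]
id_provider = ipa
ldap_user_extra_attrs = mail
""",
}

if __name__ == "__main__":
    for host, attrs in filtered_on_master(CLIENT, MASTERS, DOMAIN).items():
        print(f"{host}: would filter out {', '.join(attrs)}")
```
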