On Wed, 16 Feb 2022, Ruslan Valikhanov via FreeIPA-users wrote:
> I cannot get the memberof attribute for external users from a one-way trust with AD.
This is by design. FreeIPA is not an LDAP proxy.
> I have an external group ad_grafana_external with users [email protected] and
> [email protected] from AD. This group is a member of group ad_grafana:
>
> ldapsearch -W -D "uid=admin,cn=users,cn=accounts,dc=mytest,dc=local" '(cn=ad_grafana)' | grep member
> member: cn=ad_grafana_external,cn=groups,cn=accounts,dc=mytest,dc=local
This is a group membership for a normal IPA group.
> I can see that AD users are members of the ad_grafana group:
>
> getent group ad_grafana
> ad_grafana:*:105800310:[email protected],[email protected]
This is membership information produced by SSSD on the client directly (whether this client is an IPA server or another IPA-enrolled client). This information is what SSSD derives by processing SIDs and group membership from various LDAP sources.
> But I cannot get the memberof attribute for these external users:
>
> # ldapsearch -W -D "uid=admin,cn=users,cn=accounts,dc=mytest,dc=local" '([email protected])'
> # extended LDIF
> #
> # LDAPv3
> # base <dc=mytest,dc=local> (default) with scope subtree
> # filter: ([email protected])
> # requesting: ALL
> #
>
> # [email protected], users, compat, m.mcs.im
> dn: [email protected],cn=users,cn=compat,dc=mytest,dc=local
> objectClass: posixAccount
> objectClass: ipaOverrideTarget
> objectClass: top
> gecos: adtest2 adtest2
> cn: adtest2 adtest2
> uidNumber: 140601109
> gidNumber: 140601109
> homeDirectory: /home/adtest.local/adtest2
> ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yNjExMDg4Ny0yODU2MDIzNTY0LTI5MTIyOTUzNjYtMT
>  EwOQ==
> uid: [email protected]
This is an entry in the compat tree. This entry is only provided to model the RFC2307 LDAP schema for legacy LDAP clients. The RFC2307 schema does not have a memberOf attribute. It has memberUid, which is just a name, not a DN. And it is part of a group entry, not of the user object.
> Is it possible to add memberof attributes to external users?
No, it is not possible.
> This is needed to authenticate them in web applications such as Grafana and Gitlab in my case.
I'd suggest rethinking how you are integrating web applications with FreeIPA. A better approach is to use OIDC connectors and use IdPs that are aware of SSSD integration. For example, Ipsilon or Keycloak.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
