Hello, I'm running a cross-forest trust with RHEL 7 IPA (60 day trial). When I do an ldapsearch on the AD user against the IPA server, I get very few attributes.
It seems like the sssd option 'ldap_user_extras_attrs' should fetch additional attributes, but I can't seem to get any results. I'm also confused about which section this option should be added to in the IPA server's sssd.conf. I've tried:

[domain/ipadomain]
ldap_user_extras_attrs = givenname, sn, displayname

[domain/addomain]
ldap_user_extras_attrs = givenname, sn, displayname

[domain/ipadomain/addomain]
ldap_user_extras_attrs = givenname, sn, displayname

Of note, I didn't include the 'mail' attribute as a value above, as I read a post that said IPA should pull this attribute automatically, but I'm not seeing it either when doing an ldapsearch. Maybe this points to a bigger problem.

Here are the values I'm receiving:

# steve.dain...@addomain.com, users, compat, ipadomain.com
dn: uid=steve.dain...@addomain.com,cn=users,cn=compat,dc=ipadomain,dc=com
objectClass: posixAccount
objectClass: top
gecos: Steve Dainard
cn: Steve Dainard
uidNumber: 1587
gidNumber: 1028
loginShell: /bin/sh
homeDirectory: /home/addomain.com/steve.dainard
uid: steve.dain...@addomain.com

The uidNumber/gidNumber are coming from AD, but the loginShell in AD is set to /bin/bash.

I've also seen mention of using the [ifp] section to populate attributes for applications such as manageiq (http://manageiq.org/docs/reference/euwe/auth/ipa_ad_trust), but if I add that option my client hosts can't id users. I'm not entirely sure if the [ifp] entry should be server side, client side, or both.

Thanks,
Steve
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org