On Thu, Mar 11, 2021 at 02:53:27AM -0000, Lachlan Musicman via FreeIPA-users 
wrote:
> Can I please get clarification on a FreeIPA instance (as IdM in RHEL8.3) and 
> AD's POSIX attributes?
> 
> From what I can see, the POSIX attributes - are ignored?
> 
> Specifically, when I run 
> 
> $ id u...@ad.domain.com
> $ id -u u...@ad.domain.com
> $ id -g u...@ad.domain.com
> 
> The POSIX attribute values are not being returned. I am getting a correct 
> list of AD groups etc, which is great. But no POSIX attributes. Do I need to 
> explicitly request those attributes?
> 
> I note that there is an article from 2017 (1) "Configuring an Active 
> Directory Domain with POSIX Attributes" which declares itself deprecated for 
> (2) "Chapter 8. Using ID Views in Active Directory Environments", which is 
> RHEL7. From what I can see both of these are about direct attachment to AD 
> rather than for use in an IPA instance (although they reference IdM) 
> 
> It looks like AD side POSIX attributes are only available to direct 
> integration and even then only when specifically installed with realm (direct 
> integration) and  --automatic-id-mapping=no (3)

Hi,

FreeIPA currently allows two different idrange types when creating a
trust: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. With the first, FreeIPA
will use the POSIX IDs stored in AD, while the latter will automatically
create UIDs and GIDs for AD users and groups.

HTH

bye,
Sumit

> 
> 
> (1) https://access.redhat.com/articles/3023821
> (2) 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/id-views
> (3) 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#using-posix-attributes-defined-in-active-directory_connecting-directly-to-ad
> 
> 
> Cheers
> L.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
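
The reply above names two idrange types, so the first check is which one the existing trust range has. The sketch below is an added example, not part of the original thread or of FreeIPA's own code; it classifies ranges from text shaped like `ipa idrange-find --raw` output. The sample ranges and the function names are constructed, and the `cn:`/`iparangetype:` layout is assumed to match what the raw output prints.

```sh
#!/bin/sh
# Constructed sample imitating `ipa idrange-find --raw`; not captured from a real server.
sample_ranges() {
cat <<'EOF'
  cn: IPA.DOMAIN.COM_id_range
  ipabaseid: 1000000
  ipaidrangesize: 200000
  iparangetype: ipa-local

  cn: AD.DOMAIN.COM_id_range
  ipabaseid: 1200000
  ipaidrangesize: 200000
  iparangetype: ipa-ad-trust

  cn: POSIX.DOMAIN.COM_id_range
  ipabaseid: 10000
  ipaidrangesize: 200000
  iparangetype: ipa-ad-trust-posix
EOF
}

# Print one tab-separated line per range: name, raw range type, meaning.
classify_ranges() {
  awk -F': *' '
    { key = $1; sub(/^[ \t]+/, "", key); val = $2; sub(/[ \t]+$/, "", val) }
    key == "cn" { name = val }
    key == "iparangetype" {
      if (val == "ipa-ad-trust-posix") how = "uses POSIX IDs stored in AD"
      else if (val == "ipa-ad-trust")  how = "UIDs/GIDs generated automatically"
      else                             how = "not an AD trust range"
      printf "%s\t%s\t%s\n", name, val, how
    }'
}

# Names of AD trust ranges where the POSIX attributes stored in AD are not used.
auto_mapped_ad_ranges() {
  classify_ranges | awk -F'\t' '$2 == "ipa-ad-trust" { print $1 }'
}

# On an IPA server the input would come from:  ipa idrange-find --raw
# The type is chosen when the trust is created (ipa trust-add --range-type=...).
sample_ranges | classify_ranges
```
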