On Thu, Mar 11, 2021 at 02:53:27AM -0000, Lachlan Musicman via FreeIPA-users wrote:
Can I please get clarification on a FreeIPA instance (as IdM in
RHEL8.3) and AD's POSIX attributes?
From what I can see, the POSIX attributes - are ignored?
Specifically, when I run
$ id user@ad.domain.com
$ id -u user@ad.domain.com
$ id -g user@ad.domain.com
The POSIX attribute values are not being returned. I am getting a correct list of AD
groups etc., which is great, but no POSIX attributes. Do I need to explicitly request those?
I note that there is an article from 2017 (1) "Configuring an Active Directory
Domain with POSIX Attributes" which declares itself deprecated for (2) "Chapter
8. Using ID Views in Active Directory Environments", which is RHEL7. From what I can
see both of these are about direct attachment to AD rather than for use in an IPA instance
(although they reference IdM)
It looks like AD side POSIX attributes are only available to direct integration and even
then only when specifically installed with realm (direct integration) and
FreeIPA currently allows two different idrange types when creating a
trust, 'ipa-ad-trust-posix' and 'ipa-ad-trust'. With the first, FreeIPA
will use the POSIX IDs stored in AD, while the latter will automatically
create UIDs and GIDs for AD users and groups.
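As an added illustration (not code from the original posters or from the FreeIPA project), the script below models how each idrange type decides an AD user's UID, which is why `id` returns a generated number rather than AD's uidNumber when the trust range is of type ipa-ad-trust. The range entries and AD attributes are constructed sample data shaped like `ipa idrange-find` output; the ipa-ad-trust formula is the algorithmic mapping base_id + (RID - base_rid), and the check that an AD uidNumber must fall inside the ipa-ad-trust-posix range is an assumption about SSSD's behaviour, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Models UID resolution for the
# two trust idrange types:
#   ipa-ad-trust-posix : uidNumber/gidNumber stored in AD are used as-is
#   ipa-ad-trust       : UID = ipabaseid + (RID - ipabaserid); AD POSIX
#                        attributes are never consulted
# To inspect a real deployment:   ipa idrange-find
# To create a trust that honours AD POSIX IDs (illustrative):
#   ipa trust-add --type=ad ad.domain.com --admin Administrator \
#       --password --range-type=ipa-ad-trust-posix

# Constructed range entries: name|type|base_id|range_size|base_rid
RANGES='AD.DOMAIN.COM_id_range|ipa-ad-trust|1000000000|200000|0
POSIX.EXAMPLE.COM_id_range|ipa-ad-trust-posix|10000|200000|0'

# resolve_uid DOMAIN RID AD_UIDNUMBER
# Prints the UID the client would see. Prints "unresolved" and returns 1
# when the user cannot be mapped (the situation behind a failing `id`).
resolve_uid() {
  domain=$1; rid=$2; ad_uid=$3
  line=$(printf '%s\n' "$RANGES" | grep "^${domain}_id_range|") ||
    { echo "no idrange for $domain" >&2; return 1; }
  IFS='|' read -r _name type base_id size base_rid <<EOF
$line
EOF
  case $type in
    ipa-ad-trust-posix)
      # Assumption: the AD-side ID must exist and lie inside the range.
      [ -n "$ad_uid" ] || { echo "unresolved"; return 1; }
      [ "$ad_uid" -ge "$base_id" ] && [ "$ad_uid" -lt $((base_id + size)) ] ||
        { echo "unresolved"; return 1; }
      echo "$ad_uid" ;;
    ipa-ad-trust)
      # Algorithmic mapping: the RID must fit inside the range size.
      [ "$rid" -ge "$base_rid" ] && [ "$rid" -lt $((base_rid + size)) ] ||
        { echo "unresolved"; return 1; }
      echo $((base_id + rid - base_rid)) ;;
    *)
      echo "unknown range type $type" >&2; return 1 ;;
  esac
}

# Constructed probes: domain|RID|uidNumber-from-AD (empty = no POSIX attrs)
for probe in 'AD.DOMAIN.COM|1105|5001' 'POSIX.EXAMPLE.COM|1105|15001' \
             'POSIX.EXAMPLE.COM|1106|'; do
  IFS='|' read -r d r u <<EOF
$probe
EOF
  printf '%-18s RID=%-5s uidNumber=%-6s -> %s\n' \
    "$d" "$r" "${u:-none}" "$(resolve_uid "$d" "$r" "$u" 2>&1)"
done
```

The first probe is the situation described in the question: AD carries uidNumber 5001, but because the range is ipa-ad-trust the client reports 1000001105, and nothing short of recreating the trust with a posix range type changes that. The third probe shows the opposite failure mode with ipa-ad-trust-posix: an AD object with no POSIX attributes (or IDs outside the range) does not resolve at all.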