Bug 1362272

Summary: [RFE] Addition of email attribute to IDM LDAP compat tree
Product: Red Hat Enterprise Linux 7 Reporter: kludhwan
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED DEFERRED QA Contact: Kaleem <ksiddiqu>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.4CC: abokovoy, afarley, ekeck, ernie.mikulic, hkhot, ldelouw, mkosek, pasik, pvoborni, rcritten
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-16 13:54:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description kludhwan 2016-08-01 19:15:07 UTC 
Description of problem:

There is no email attribute available for users (objectClass=posixAccount) in the LDAP compat tree for IDM which limits ability to use compat tree as authentication endpoint for many web services.   We require use of compat tree to be able to authenticate AD users in trusted AD domain with 2FA support (see Case #01674258 for background information on PCI-DSS 3.2 and 2FA).  Is it possible for email attribute to be added to compat tree?  There is some discussion on https://www.redhat.com/archives/freeipa-users/2015-June/msg00538.html.  Are there plans to add this in an upcoming AD release?
Comment 2 Petr Vobornik 2016-08-12 13:39:34 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6208
Comment 3 Petr Vobornik 2016-08-12 13:47:11 UTC 
this RFE may depend o/greatly benefit form Global Catalog RFE
Comment 6 Alexander Bokovoy 2018-11-12 12:14:40 UTC 
The question is *where* to get that email information. We don't have
means so far to get it from SSSD via standard POSIX API we use. Since
there is no place to retrieve emails for AD users from, there is no
support for this.

Such support theoretically could be added but it will further complicate
slapi-nis code. We are in a process of refactoring the latter for other
means and will at some point be able to add such support after changing
how slapi-nis stores its database information. Current code is very
fragile in terms of adding new sources of information with unpredictable
latency (SSSD has D-Bus interface for extended attributes).

Adding this information would also require us to rethink access controls
to the compat tree. Right now information about POSIX attribute is
available without authentication because you'd get it from your POSIX
system without authentication anyway. Adding emails would mean a need to
change that. A change like this is not easy for existing deployments.

This work is currently not planned for RHEL 7.
Comment 9 Ernie Mikulic (SD) 2019-02-08 21:36:38 UTC 
As a customer, I can understand the technical challenges. In our use case in our corporate world our 77 linux engineering users need both SSSD/ssh login and LDAP auth login mapping equivaency so their web services act exactly like the linux hosts systems using SSSD. 

This is key to sharing same source including group mappings and RBAC all defined in IDM. Having IDM groups map to AD groups but an LDAP service cannot see the same poses barriers, poses strong operational issues trying to realize IDM as the go between  gateway for LINUX <--> AD identity.

Not being able to map and translate all user attributes and group memberships through LDAP -> IDM -> AD causes a real disconnect in group management on both planes.
Comment 10 Alexander Bokovoy 2019-02-09 07:51:22 UTC 
Please note that Compat tree is not exposing any RBAC rules by itself. It is not supposed to be used for those use cases which go outside of serving an nsswitch support on legacy clients (systems that cannot use SSSD for identity and access control) and as such is limited to RFC2307 objectclasses and attributes for most.

If you need to expose RBAC information to web services, I strongly suggest looking into integrating IdM with an IdP system, like RH SSO (Keycloak upstream) and then using SAML2 or OpenID Connect to provide all required details to those web services via assertions given by the IdP. When SSSD is used as a backend to RH SSO, it provides both the details you need and applies RBAC rules you need.

Compat tree is simply a wrong place to apply these decisions.
Comment 11 Amy Farley 2019-08-16 13:54:52 UTC 
The current Global Catalog work will help this to be possible. Deferring until that work is complete.

Closing this for now.
Comment 12 Ernie Mikulic (SD) 2022-03-22 18:55:18 UTC 
Still a very significant issue in our deployment where IDM is a Kerberos trusted domain/realm from AD. Email/Mail attribute exists in active directory today, but that attribute does not get passed through to IDM. So any regular application service can lookup users in IDM via LDAP but when the application wants to send the user mail (i.e. initial logon, password reset) it tries to send mail to the IDM domain, which has none. So instead of mailto://<user>@ActiveDirectory.com it sends to mailto://<user>@IDMDomain.com which never arrives anywhere.

There are ways to do lookups and alter MTA aliases in IDM might work-around but they are all hard to manage at scale, and break the basic model.
Comment 13 Alexander Bokovoy 2022-03-24 12:41:54 UTC 
Ernie, as I said in comments 6 and 10, use of compat tree is not designed for what you are wanting to achieve. This is not going to change. If anything, compat tree support might disappear in future releases.