Description of problem:
There is no email attribute available for users (objectClass=posixAccount) in the LDAP compat tree for IDM which limits ability to use compat tree as authentication endpoint for many web services. We require use of compat tree to be able to authenticate AD users in trusted AD domain with 2FA support (see Case #01674258 for background information on PCI-DSS 3.2 and 2FA). Is it possible for email attribute to be added to compat tree? There is some discussion on https://www.redhat.com/archives/freeipa-users/2015-June/msg00538.html. Are there plans to add this in an upcoming AD release?
this RFE may depend o/greatly benefit form Global Catalog RFE
The question is *where* to get that email information. We don't have
means so far to get it from SSSD via standard POSIX API we use. Since
there is no place to retrieve emails for AD users from, there is no
support for this.
Such support theoretically could be added but it will further complicate
slapi-nis code. We are in a process of refactoring the latter for other
means and will at some point be able to add such support after changing
how slapi-nis stores its database information. Current code is very
fragile in terms of adding new sources of information with unpredictable
latency (SSSD has D-Bus interface for extended attributes).
Adding this information would also require us to rethink access controls
to the compat tree. Right now information about POSIX attribute is
available without authentication because you'd get it from your POSIX
system without authentication anyway. Adding emails would mean a need to
change that. A change like this is not easy for existing deployments.
This work is currently not planned for RHEL 7.
As a customer, I can understand the technical challenges. In our use case in our corporate world our 77 linux engineering users need both SSSD/ssh login and LDAP auth login mapping equivaency so their web services act exactly like the linux hosts systems using SSSD.
This is key to sharing same source including group mappings and RBAC all defined in IDM. Having IDM groups map to AD groups but an LDAP service cannot see the same poses barriers, poses strong operational issues trying to realize IDM as the go between gateway for LINUX <--> AD identity.
Not being able to map and translate all user attributes and group memberships through LDAP -> IDM -> AD causes a real disconnect in group management on both planes.
Please note that Compat tree is not exposing any RBAC rules by itself. It is not supposed to be used for those use cases which go outside of serving an nsswitch support on legacy clients (systems that cannot use SSSD for identity and access control) and as such is limited to RFC2307 objectclasses and attributes for most.
If you need to expose RBAC information to web services, I strongly suggest looking into integrating IdM with an IdP system, like RH SSO (Keycloak upstream) and then using SAML2 or OpenID Connect to provide all required details to those web services via assertions given by the IdP. When SSSD is used as a backend to RH SSO, it provides both the details you need and applies RBAC rules you need.
Compat tree is simply a wrong place to apply these decisions.
The current Global Catalog work will help this to be possible. Deferring until that work is complete.
Closing this for now.