<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 09/02/2014 10:08 PM, Chris Whittle
      wrote:<br>
    </div>
    <blockquote
cite="mid:CANyEwjQ-OGgi2nkyFqJ-PntEvhZpEbSM5r32MNVtsk+fUSEd0g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>hmmm... </div>
        Is there not a permission or role in FreeIPA that I could give a
        group or role just to see everything in 
        <div>my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com"<br>
        </div>
      </div>
    </blockquote>
    <br>
    I think it might be related to the new permission system that was
    released in 4.0.<br>
    Stay tuned, the chivalry is on the way...<br>
    <br>
    <blockquote
cite="mid:CANyEwjQ-OGgi2nkyFqJ-PntEvhZpEbSM5r32MNVtsk+fUSEd0g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Tue, Sep 2, 2014 at 3:06 PM, Dmitri
          Pal <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div class="">
                <div>On 09/02/2014 09:34 PM, Chris Whittle wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">Ok Dmitri, I got it added using what
                    you sent and the following links
                    <div><a moz-do-not-send="true"
href="https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt"
                        target="_blank">https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt</a><br>
                    </div>
                    <div>and</div>
                    <div><a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html"
                        target="_blank">https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html</a><br>
                    </div>
                    <div><br>
                    </div>
                    <div>I think I'm 90% there with the caveat that I
                      can't seem to see what permissions I need to give
                      a user to view my NIS "view".  Right now Directory
                      Manager can see it but that is it.  </div>
                    <div><br>
                    </div>
                    <div>Any ideas?</div>
                    <div><br>
                    </div>
                  </div>
                </blockquote>
              </div>
              You got me :-)<br>
              I would defer to a specialist in this area to solve this
              problem.
              <div>
                <div class="h5"><br>
                  <br>
                  <blockquote type="cite">
                    <div class="gmail_extra"><br>
                      <br>
                      <div class="gmail_quote">On Tue, Sep 2, 2014 at
                        9:00 AM, Chris Whittle <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:cwhittl@gmail.com"
                            target="_blank">cwhittl@gmail.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div dir="ltr">Thanks Dmitri, before I get
                            too far down this rabbit hole (cause it looks a
                            little scary) let me make sure I get it.
                            <div> <br>
                            </div>
                            <div>So using slapi-nis I should be able to
                              create a view into FreeIPA that would show
                              only a subset of users based on something
                              like a group or an attribute?  </div>
                            <div><br>
                            </div>
                            <div>Then using the built-in Mac Directory
                              Utility (or any LDAP client) I should be
                              able to use that slapi-nis view as a
                              searchbase and it would return just people
                              I wanted.  This could be used to keep anyone
                              outside that view from logging in?</div>
                            <div><br>
                            </div>
                            <div>I'm sorry for the noob questions but
                              there isn't a lot of good documentation on
                              slapi-nis from first glance and I don't want
                              to spend 2 days figuring it out if it's
                              not going to work.</div>
                            <div><br>
                            </div>
                            <div>As always extremely appreciated!</div>
                            <div>Whitt</div>
                            <div><br>
                            </div>
                          </div>
                          <div>
                            <div>
                              <div class="gmail_extra"><br>
                                <br>
                                <div class="gmail_quote">On Tue, Sep 2,
                                  2014 at 3:54 AM, Dmitri Pal <span
                                    dir="ltr">&lt;<a
                                      moz-do-not-send="true"
                                      href="mailto:dpal@redhat.com"
                                      target="_blank">dpal@redhat.com</a>&gt;</span>
                                  wrote:<br>
                                  <blockquote class="gmail_quote"
                                    style="margin:0 0 0
                                    .8ex;border-left:1px #ccc
                                    solid;padding-left:1ex">
                                    <div text="#000000"
                                      bgcolor="#FFFFFF">
                                      <div>
                                        <div>On 09/02/2014 03:04 AM,
                                          Chris Whittle wrote:<br>
                                        </div>
                                        <blockquote type="cite">
                                          <div dir="ltr">I am trying to
                                            limit who can login to my
                                            macs and I'm having to stick
                                            to what OSX will let me do.
                                            <div><br>
                                            </div>
                                            <div>Currently I can only
                                              limit users using the
                                              searchbase and right now
                                              it's
                                              "cn=users,cn=accounts,dc=DOMAIN,dc=com"</div>
                                            <div><br>
                                            </div>
                                            <div>This works fine unless
                                              I wanted to create a user
                                              that I wanted in LDAP for
                                              other purposes but not to
                                              login.  <br>
                                              <div><br>
                                              </div>
                                              <div>So my questions are, </div>
                                              <div>A) Can we create
                                                different OUs in FreeIPA
                                                like most LDAP servers?</div>
                                            </div>
                                          </div>
                                        </blockquote>
                                        <br>
                                      </div>
                                      You can use slapi-nis to create an
                                      alternative view of the tree or
                                      trees and point your special
                                      client to that tree.<br>
                                      There you might be able to expose
                                      a small subset of users that match
                                      your special criteria.<br>
                                      The slapi-nis and compat docs are
                                      in the doc folder in the
                                      corresponding git repo.<br>
                                      <br>
                                      IPA uses the compat tree for its own
                                      purposes but you can tweak it if
                                      you need or create a different
                                      view.<br>
                                      <br>
                                      HTH
                                      <div><br>
                                        <br>
                                        <br>
                                        <blockquote type="cite">
                                          <div dir="ltr">
                                            <div>
                                              <div>B) If not, does anyone have
                                                any idea on how I could
                                                do this with OSX's
                                                Directory Utility?</div>
                                              <div><br>
                                              </div>
                                              <div>Thanks!</div>
                                              <div><br>
                                              </div>
                                            </div>
                                          </div>
                                          <br>
                                          <fieldset></fieldset>
                                          <br>
                                        </blockquote>
                                        <br>
                                        <br>
                                      </div>
                                      <span><font color="#888888">
                                          <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                                        </font></span></div>
                                  </blockquote>
                                </div>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                  <br>
                  <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
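One way the restricted view and the read access discussed in this thread could be configured, as an added example that is not part of the original messages or of FreeIPA's own configuration. It assumes a FreeIPA group named "canlogin" holds the users allowed to log in and that the Mac clients bind as a hypothetical system account uid=macbind; both names are illustrative, as is the attribute list.

```ldif
# Added example, not from the thread. Assumed names: group "canlogin",
# bind account uid=macbind,cn=sysaccounts,cn=etc (both hypothetical).

# 1. slapi-nis Schema Compatibility view: only posix users who are
#    members of the assumed "canlogin" group appear under
#    cn=canlogin,cn=compat,dc=DOMAIN,dc=com.
dn: cn=canlogin,cn=Schema Compatibility,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: canlogin
schema-compat-container-group: cn=compat,dc=DOMAIN,dc=com
schema-compat-container-rdn: cn=canlogin
schema-compat-search-base: cn=users,cn=accounts,dc=DOMAIN,dc=com
schema-compat-search-filter: (&(objectClass=posixAccount)(memberOf=cn=canlog
 in,cn=groups,cn=accounts,dc=DOMAIN,dc=com))
schema-compat-entry-rdn: uid=%{uid}
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: gecos=%{cn}
schema-compat-entry-attribute: uidNumber=%{uidNumber}
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
schema-compat-entry-attribute: loginShell=%{loginShell}

# 2. Read-only ACI for the view. The compat entries are generated by the
#    plugin, so the ACI is placed on the suffix and scoped with "target".
#    Only the listed attributes are readable, and only by the one bind
#    account, rather than targetattr="*" for every authenticated user.
dn: dc=DOMAIN,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=canlogin,cn=compat,dc=DOMAIN,dc=com")
 (targetattr = "objectClass || uid || cn || gecos || uidNumber ||
  gidNumber || homeDirectory || loginShell")
 (version 3.0; acl "Read canlogin compat view";
  allow (read, search, compare)
  userdn = "ldap:///uid=macbind,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=com";)
```

Whether a hand-written ACI or a permission created through the FreeIPA 4.0 permission system is the right vehicle is the open question in the thread; the ACI above only shows the scope such a grant needs.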
  </body>
</html>