<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 09/02/2014 10:08 PM, Chris Whittle
wrote:<br>
</div>
<blockquote
cite="mid:CANyEwjQ-OGgi2nkyFqJ-PntEvhZpEbSM5r32MNVtsk+fUSEd0g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>hmmm... </div>
Is there not a permission or role in freeIPA that I could give a
group or role just to see everything in
<div>my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com"<br>
</div>
</div>
</blockquote>
<br>
I thint it might be related to the new permission system that was
released in 4.0.<br>
Stay tuned, the chivalry is on the way...<br>
<br>
<blockquote
cite="mid:CANyEwjQ-OGgi2nkyFqJ-PntEvhZpEbSM5r32MNVtsk+fUSEd0g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Sep 2, 2014 at 3:06 PM, Dmitri
Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="">
<div>On 09/02/2014 09:34 PM, Chris Whittle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Ok Dmitri, I got it added using what
you sent and the following links
<div><a moz-do-not-send="true"
href="https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt"
target="_blank">https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt</a><br>
</div>
<div>and</div>
<div><a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html"
target="_blank">https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html</a><br>
</div>
<div><br>
</div>
<div>I think i'm 90% there with the caveat that I
can't seem to see what permissions I need to give
a user to view my NIS "view". Right now Directory
Manager can see it but that is it. </div>
<div><br>
</div>
<div>Any ideas?</div>
<div><br>
</div>
</div>
</blockquote>
</div>
You got me :-)<br>
I would defer to specialist in this area to solve this
problem.
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Sep 2, 2014 at
9:00 AM, Chris Whittle <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:cwhittl@gmail.com"
target="_blank">cwhittl@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Thanks Dimitri, before I get
too far this rabbit hole (cause it looks a
little scary) let me make sure I get it.
<div> <br>
</div>
<div>So using Slap-NIS I should be able to
create a view into FreeIPA that would show
only a subset of user based on something
like a group or an attribute? </div>
<div><br>
</div>
<div>Then using the built in MAC Directory
Utility (or any LDAP client) I should be
able to use that Slap-NIS view as a
searchbase and it would return just people
I wanted. This could be used keep anyone
outside that view from logging in?</div>
<div><br>
</div>
<div>I'm sorry for the noob questions but
there isn't a lot of good documentation on
SlapNIS from first glance and I don't want
to spend 2 days figuring it out if it's
not going to work.</div>
<div><br>
</div>
<div>As always extremely appreciated!</div>
<div>Whitt</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Sep 2,
2014 at 3:54 AM, Dmitri Pal <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<div>
<div>On 09/02/2014 03:04 AM,
Chris Whittle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I am trying to
limit who can login to my
macs and I'm having to stick
to what OSX will let me do.
<div><br>
</div>
<div>Currently I can only
limit users using the
searchbase and right now
it's
"cn=users,cn=accounts,dc=DOMAIN,dc=com"</div>
<div><br>
</div>
<div>This works fine unless
I wanted to create a user
that I wanted in LDAP for
other purposes but not to
login. <br>
<div><br>
</div>
<div>So my questions are, </div>
<div>A)Can we create
different OUs in FreeIPA
like most LDAP servers?</div>
</div>
</div>
</blockquote>
<br>
</div>
You can use slapi-nis to create an
alternative view of the tree or
trees and point your special
client to that tree.<br>
There you might be able to expose
a small subset of users that match
your special criteria.<br>
The slapi-nis and compat docs are
in the doc folder in the
corresponding git repo.<br>
<br>
IPA uses compat tree for its own
purposes but you can tweak it if
you need or create a different
view.<br>
<br>
HTH
<div><br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>B)If not anyone have
any idea on how I could
do this with OSX's
directory Utility?</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</div>
<span><font color="#888888">
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>