<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 01/14/2015 01:11 PM, Ejner Fergo
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAA2-24ZU9MhNnWFi0SPXzet_x7derA7=wWfKvKzs7R2_P6c04w@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hola,
        <div><br>
        </div>
        <div>This is a response to:</div>
        <div><a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html">https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html</a><br>
        </div>
        <div><br>
        </div>
        <div>Scott, maybe you already found the solution, but I've been
          banging my head with the same problem, albeit with a newer
          version of FreeIPA and OSX. I used this excellent howto to get
          started:</div>
        <div><a moz-do-not-send="true"
href="http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8">http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8</a><br>
        </div>
        <div><br>
        </div>
        <div>Despite initial success, without secondary groups the OSX
          integration doesn't really make sense. I managed to get it
          working though, by doing this:</div>
        <div><br>
        </div>
<div>In the "Search &amp; Mappings" area of Directory Utility,
          change the "Search base" of the Groups record type from
          'cn=groups,cn=accounts,dc=example,dc=com' to
          'cn=groups,cn=compat,dc=example,dc=com' ( so compat instead of
          accounts). In Groups add the attribute 'GroupMembership'
          mapped to 'memberUID'. You might have to map to 'member' in
          FreeIPA 3.0.</div>
        <div><br>
        </div>
        <div>With these settings, doing an 'id user' on OSX shows all
          secondary groups, even indirect group membership!</div>
        <div><br>
        </div>
        <div>I still have to test and figure stuff out about ssh and
          sudo on the OSX side of things, but that isn't as important as
          having group access control.</div>
        <div><br>
        </div>
        <div>Hope it helps!</div>
        <div><br>
        </div>
        <div>Best regards,</div>
        <div>Ejner Fergo</div>
      </div>
    </blockquote>
    <br>
    Thanks for sharing!<br>
    So this seems to mean that Mac expects the 2307 schema instead of
    2307bis.<br>
    So yes, pointing to the compat tree would be the right approach.<br>
    <br>
    Can we document it somewhere?<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
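    The schema difference behind the compat-tree fix above, as an added example that is not part of this thread: two constructed LDIF fragments describing the same groups, one in the RFC 2307 form the compat tree exposes (memberUid, nesting already flattened) and one in the 2307bis form of the accounts tree (member DNs that can name other groups), with a small resolver showing why a memberUid-only client gets no secondary groups from the accounts tree. The DNs, group names and user names are assumed sample values.

```python
# Added example, not from the thread: resolve a user's secondary groups from
# FreeIPA group entries.  RFC 2307 (cn=compat tree): memberUid holds plain uids,
# nesting already flattened.  RFC 2307bis (cn=accounts tree): member holds DNs
# that may name other groups, so a memberUid-only client misses nested members.
# Both LDIF strings are constructed sample data, not real directory output.
COMPAT = """\
dn: cn=developers,cn=groups,cn=compat,dc=example,dc=com
memberUid: alice
memberUid: bob
dn: cn=staff,cn=groups,cn=compat,dc=example,dc=com
memberUid: alice
memberUid: bob
memberUid: carol
"""
ACCOUNTS = """\
dn: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
dn: cn=staff,cn=groups,cn=accounts,dc=example,dc=com
member: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
member: uid=carol,cn=users,cn=accounts,dc=example,dc=com
"""

def parse_ldif(text):
    # Minimal LDIF reader: a "dn:" line starts a new entry; no folding or base64.
    entries, cur = {}, None
    for line in text.splitlines():
        attr, value = line.split(": ", 1)
        if attr == "dn":
            cur = entries.setdefault(value, {})
        else:
            cur.setdefault(attr, []).append(value)
    return entries
def cn(dn):
    return dn.split(",")[0].split("=", 1)[1]
def groups_2307(ldif, uid):
    # What an RFC 2307 client (OSX Directory Utility) derives from memberUid alone.
    return sorted(cn(dn) for dn, e in parse_ldif(ldif).items()
                  if uid in e.get("memberUid", []))

def groups_2307bis(ldif, uid, base="cn=accounts,dc=example,dc=com"):
    # Accounts tree: walk member DNs recursively to reach nested (indirect) groups.
    entries, found = parse_ldif(ldif), set()
    todo = [f"uid={uid},cn=users,{base}"]
    while todo:
        dn = todo.pop()
        for gdn, e in entries.items():
            if dn in e.get("member", []) and gdn not in found:
                found.add(gdn); todo.append(gdn)
    return sorted(cn(g) for g in found)
```

Pointing a memberUid-based lookup at the accounts tree yields an empty list, while the same lookup against the compat tree returns the flattened membership, including the indirect staff membership that the accounts tree only expresses through a nested group DN.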
  </body>
</html>