<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/16/2015 11:36 AM, Ejner Fergo
wrote:<br>
</div>
<blockquote
cite="mid:CAA2-24aHGPXArY5FEdxV-+dF8JDtyuxbUEEk5gL4Q0B411z2pg@mail.gmail.com"
type="cite">
<div dir="ltr">Sorry, I didn't look close enough, so missed the
link to HowTos under "Additional Resources"...</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Jan 16, 2015 at 5:31 PM, Ejner
Fergo <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ejnersan@gmail.com" target="_blank">ejnersan@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I emailed the author of the howto, so
hopefully he will update it.
<div><br>
</div>
<div>I still think it would make sense to have this
information (how to set up an OSX 10.7+ client)
documented directly on <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">freeipa.org</a>
like <a moz-do-not-send="true"
href="http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients"
target="_blank">http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients</a>,
or at least have a link to <a moz-do-not-send="true"
href="http://www.freeipa.org/page/HowTos"
target="_blank">http://www.freeipa.org/page/HowTos</a>
under <a moz-do-not-send="true"
href="http://www.freeipa.org/page/Documentation"
target="_blank">http://www.freeipa.org/page/Documentation</a>
(I could not find a link to HowTos on <a
moz-do-not-send="true" href="http://freeipa.org"
target="_blank">freeipa.org</a> without searching for
it..).</div>
<div><br>
</div>
<div>I may be willing to volunteer to write this updated
howto, even though it would be a 99% copy/paste from <a
moz-do-not-send="true" href="http://linsec.ca"
target="_blank">linsec.ca</a> .... don't know if
that's a good idea.</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
Many people are looking for pointers on the FreeIPA site. Some kind of
linking or copy/paste needs to happen, whatever makes more sense and
is the cleanest.<br>
<br>
<br>
<blockquote
cite="mid:CAA2-24aHGPXArY5FEdxV-+dF8JDtyuxbUEEk5gL4Q0B411z2pg@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan 15, 2015 at 10:23
AM, Martin Kosek <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>On 01/14/2015 07:34 PM, Dmitri Pal wrote:<br>
> On 01/14/2015 01:11 PM, Ejner Fergo
wrote:<br>
>> Hola,<br>
>><br>
>> This is a response to:<br>
>> <a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html"
target="_blank">https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html</a><br>
>><br>
>> Scott, maybe you already found the
solution, but I've been banging my head<br>
>> with the same problem, albeit with a
newer version of FreeIPA and OSX. I used<br>
>> this excellent howto to get started:<br>
>> <a moz-do-not-send="true"
href="http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8"
target="_blank">http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8</a><br>
>><br>
>> Despite initial success, without
secondary groups the OSX integration doesn't<br>
>> really make sense. I managed to get
it working though, by doing this:<br>
>><br>
>> In the "Search & Mappings" area
of Directory Utility, change the "Search<br>
>> base" of the Groups record type from<br>
>>
'cn=groups,cn=accounts,dc=example,dc=com' to<br>
>>
'cn=groups,cn=compat,dc=example,dc=com' ( so
compat instead of accounts). In<br>
>> Groups add the attribute
'GroupMembership' mapped to 'memberUID'. You
might<br>
>> have to map to 'member' in FreeIPA
3.0.<br>
>><br>
>> With these settings, doing an 'id
user' on OSX shows all secondary groups,<br>
>> even indirect group membership!<br>
>><br>
>> I still have to test and figure stuff
out about ssh and sudo on the OSX side<br>
>> of things, but that isn't as
important as having group access control.<br>
>><br>
>> Hope it helps!<br>
>><br>
>> Best regards,<br>
>> Ejner Fergo<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
><br>
> Thanks for sharing!<br>
> So this seems to mean that Mac expects
2307 schema instead of the 2307bis.<br>
> So yes pointing to compat tree would be
the right approach.<br>
><br>
> Can we document it somewhere?<br>
<br>
</div>
</div>
I at least added this useful link to <a
moz-do-not-send="true"
href="http://www.freeipa.org/page/HowTos#UNIX"
target="_blank">http://www.freeipa.org/page/HowTos#UNIX</a><br>
<br>
If there is some better place, please feel free to
update.<br>
<span><font color="#888888"><br>
Martin<br>
<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
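<br>
Added example (not part of the original thread and not FreeIPA code): a simplified Python model of the point made in the quoted messages, that a client matching bare user names against memberUID (RFC 2307) finds nothing under cn=accounts, where groups carry member DNs (RFC 2307bis), but finds direct and indirect groups under cn=compat. The group and user names are constructed sample data, and the flattening routine only approximates what the compat tree exposes.<br>

```python
# Added illustration: a small model of the two FreeIPA group trees.
# All entries below are constructed sample data under dc=example,dc=com.
BASE = "dc=example,dc=com"
ACCOUNTS = "cn=groups,cn=accounts," + BASE
USERS = "cn=users,cn=accounts," + BASE

# cn=accounts style (RFC 2307bis): 'member' holds full DNs, groups may nest.
accounts_groups = {
    "admins-mac": {"member": ["uid=alice," + USERS]},
    "designers": {"member": ["uid=bob," + USERS]},
    "staff": {"member": ["cn=designers," + ACCOUNTS,
                         "cn=admins-mac," + ACCOUNTS]},
}


def rdn_value(dn):
    """Return the value of the first RDN, e.g. 'alice' for 'uid=alice,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def flatten(group, groups, seen=None):
    """Resolve nested 'member' DNs down to a sorted list of user names."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against membership loops
        return []
    seen.add(group)
    uids = set()
    for dn in groups[group].get("member", []):
        if dn.startswith("uid="):
            uids.add(rdn_value(dn))
        elif dn.startswith("cn=") and rdn_value(dn) in groups:
            uids.update(flatten(rdn_value(dn), groups, seen))
    return sorted(uids)


def compat_view(groups):
    """Model of the cn=compat tree (RFC 2307): flat 'memberUid' user names."""
    return {cn: {"memberUid": flatten(cn, groups)} for cn in groups}


def groups_for(user, tree, attr="memberUid"):
    """Groups a client finds when it matches `attr` against a bare user name."""
    return sorted(cn for cn, e in tree.items() if user in e.get(attr, []))


if __name__ == "__main__":
    print("accounts:", groups_for("bob", accounts_groups))
    print("compat:  ", groups_for("bob", compat_view(accounts_groups)))
```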
</body>
</html>