[Freeipa-users] Mac OSX 10.6 client configuration

[Dan Scott]

Hi,

I'm trying to set up a Mac OSX 10.6 client to connect to our FreeIPA
1.x servers. Unfortunately, I don't have the authentication working
yet, neither do I have the group lookup working. So far, all I have
working is that I can 'id $USERNAME' on a FreeIPA username and have a
record returned (without the groups).

My main question is that I'm confused by the attribute mapping
configuration. The manual states that the "Authentication Authority"
should be mapped to "#;Kerberosv5;;$uid$;EXAMPLE.COM", which is fine.
It also states that I should add mappings for other attributes, but
I'm unsure how to modify the string correctly.

i.e. Should "PrimaryGroupID" map to
"#;Kerberosv5;;$gidNumber$;EXAMPLE.COM"? Or do I have to alter it in
some other way.

There seems to be no configuration for the group mappings, and I'm
unsure how to configure these.

I'm happy to experiment/document the procedure further if someone can
suggest the correct settings for me to use.



Finally, the current documentation is written for OSx 10.4 and is a
little out of date - here are some updates:

1. There is no GUI 'realm configuration tool', you have to manually
edit the file:

/Library/Preferences/edu.mit.kerberos

2. In the 'authorization' file, the existing text is:

'builtin:authenticate,privileged' which must be replaced with
'builtin:krb5authnoverify,privileged' (But authentication still
doesn't work for me - any ideas?)

3. The "Directory Utility" is now in: /System/Library/CoreServices

4. The "Add DHCP-supplied LDAP servers" option is no longer available.

Thanks,

Dan