[Freeipa-users] Mac OSX 10.6 client configuration
Dan Scott
danieljamesscott at gmail.com
Tue Jun 14 21:25:24 UTC 2011

Hi,

I'm trying to set up a Mac OSX 10.6 client to connect to our FreeIPA
1.x servers. Unfortunately, I don't have the authentication working
yet, neither do I have the group lookup working. So far, all I have
working is that I can 'id $USERNAME' on a FreeIPA username and have a
record returned (without the groups).

My main question is that I'm confused by the attribute mapping
configuration. The manual states that the "Authentication Authority"
should be mapped to "#;Kerberosv5;;$uid$;EXAMPLE.COM", which is fine.
It also states that I should add mappings for other attributes, but
I'm unsure how to modify the string correctly.

i.e. Should "PrimaryGroupID" map to
"#;Kerberosv5;;$gidNumber$;EXAMPLE.COM"? Or do I have to alter it in
some other way?

There seems to be no configuration for the group mappings, and I'm
unsure how to configure these.

I'm happy to experiment/document the procedure further if someone can
suggest the correct settings for me to use.

Finally, the current documentation is written for OSX 10.4 and is a
little out of date - here are some updates:

1. There is no GUI 'realm configuration tool', you have to manually
edit the file:
/Library/Preferences/edu.mit.kerberos
2. In the 'authorization' file, the existing text is:
'builtin:authenticate,privileged' which must be replaced with
'builtin:krb5authnoverify,privileged' (But authentication still
doesn't work for me - any ideas?)
3. The "Directory Utility" is now in: /System/Library/CoreServices
4. The "Add DHCP-supplied LDAP servers" option is no longer available.

Thanks,
Dan