[Freeipa-users] Search Base issues

Chris Whittle cwhittl at gmail.com
Tue Sep 2 20:26:13 UTC 2014


Thanks Dmitri, I'm so close I can almost see the end!


On Tue, Sep 2, 2014 at 3:24 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 09/02/2014 10:08 PM, Chris Whittle wrote:
>
>  hmmm...
> Is there not a permission or role in freeIPA that I could give a group or
> role just to see everything in
> my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com"
>
>
> I think it might be related to the new permission system that was released
> in 4.0.
> Stay tuned, the chivalry is on the way...
>
>
>
>
>
> On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 09/02/2014 09:34 PM, Chris Whittle wrote:
>>
>> Ok Dmitri, I got it added using what you sent and the following links
>>
>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
>>  and
>> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>
>>  I think I'm 90% there with the caveat that I can't seem to see what
>> permissions I need to give a user to view my NIS "view".  Right now
>> Directory Manager can see it but that is it.
>>
>>  Any ideas?
>>
>>   You got me :-)
>> I would defer to a specialist in this area to solve this problem.
>>
>>
>>
>>
>> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle <cwhittl at gmail.com> wrote:
>>
>>> Thanks Dmitri, before I get too far down this rabbit hole (cause it looks a
>>> little scary) let me make sure I get it.
>>>
>>>  So using Slap-NIS I should be able to create a view into FreeIPA that
>>> would show only a subset of users based on something like a group or an
>>> attribute?
>>>
>>>  Then using the built in MAC Directory Utility (or any LDAP client) I
>>> should be able to use that Slap-NIS view as a searchbase and it would
>>> return just people I wanted.  This could be used to keep anyone outside that
>>> view from logging in?
>>>
>>>  I'm sorry for the noob questions but there isn't a lot of good
>>> documentation on SlapNIS from first glance and I don't want to spend 2 days
>>> figuring it out if it's not going to work.
>>>
>>>  As always extremely appreciated!
>>> Whitt
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>>>  On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>>
>>>> I am trying to limit who can login to my macs and I'm having to stick
>>>> to what OSX will let me do.
>>>>
>>>>  Currently I can only limit users using the searchbase and right now
>>>> it's "cn=users,cn=accounts,dc=DOMAIN,dc=com"
>>>>
>>>>  This works fine unless I wanted to create a user that I wanted in
>>>> LDAP for other purposes but not to login.
>>>>
>>>>  So my questions are,
>>>> A) Can we create different OUs in FreeIPA like most LDAP servers?
>>>>
>>>>
>>>>  You can use slapi-nis to create an alternative view of the tree or
>>>> trees and point your special client to that tree.
>>>> There you might be able to expose a small subset of users that match
>>>> your special criteria.
>>>> The slapi-nis and compat docs are in the doc folder in the
>>>> corresponding git repo.
>>>>
>>>> IPA uses the compat tree for its own purposes but you can tweak it if you
>>>> need or create a different view.
>>>>
>>>> HTH
>>>>
>>>>
>>>>
>>>>   B) If not, does anyone have any idea on how I could do this with OSX's
>>>> Directory Utility?
>>>>
>>>>  Thanks!
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>  --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>>>
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>

