[Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

Ejner Fergo ejnersan at gmail.com
Wed Jan 14 18:11:56 UTC 2015


Hola,

This is a response to:
https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html

Scott, maybe you already found the solution, but I've been banging my head
against the same problem, albeit with a newer version of FreeIPA and OSX. I
used this excellent howto to get started:
http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8

Despite initial success, without secondary groups the OSX integration
doesn't really make sense. I managed to get it working though, by doing
this:

In the "Search & Mappings" area of Directory Utility, change the "Search
base" of the Groups record type from
'cn=groups,cn=accounts,dc=example,dc=com' to
'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts).
In Groups, add the attribute 'GroupMembership' mapped to 'memberUid'. You
might have to map to 'member' in FreeIPA 3.0.

With these settings, doing an 'id user' on OSX shows all secondary groups,
even indirect group membership!

I still have to test and figure stuff out about ssh and sudo on the OSX
side of things, but that isn't as important as having group access control.

Hope it helps!

Best regards,
Ejner Fergo
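Added example (not part of the original post, and not FreeIPA or Apple code): the two search bases differ in how nested membership is stored, which is why a plain attribute mapping in Directory Utility only sees indirect groups when pointed at the compat tree. The script below parses two constructed LDIF fragments for a nested group (devs contains group ops, ops contains user alice) as FreeIPA would return them from cn=accounts (member holds DNs, nesting unresolved) and from cn=compat (slapi-nis flattens membership into memberUid values). A single-attribute lookup, which is all the macOS LDAPv3 plugin does for GroupMembership, is compared with a recursive walk. The group names, uids, gidNumbers and base DN are made up for illustration; the attribute names follow the post.

```python
"""Direct vs. flattened group membership under the accounts and compat trees.

Constructed LDIF samples, not output from a real FreeIPA server.
"""

# Constructed sample: the accounts tree stores a nested group as a member DN,
# so membership of 'devs' via 'ops' is not visible on the 'devs' entry itself.
ACCOUNTS_LDIF = """\
dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
cn: ops
gidNumber: 1001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
cn: devs
gidNumber: 1002
member: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed sample: the compat tree (slapi-nis) presents RFC 2307 posixGroup
# entries with nested membership already flattened into memberUid values.
COMPAT_LDIF = """\
dn: cn=ops,cn=groups,cn=compat,dc=example,dc=com
cn: ops
gidNumber: 1001
memberUid: alice

dn: cn=devs,cn=groups,cn=compat,dc=example,dc=com
cn: devs
gidNumber: 1002
memberUid: alice
memberUid: bob
"""


def parse_ldif(text):
    """Parse minimal LDIF into {dn: {attr: [values]}}.

    Handles only the unfolded, non-base64 form used in the samples above.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def groups_via_single_attribute(entries, attr, needle):
    """Mimic a Directory Services attribute mapping: the user is in a group iff
    the mapped attribute on that group contains the user's value. No recursion,
    which is how the macOS LDAPv3 plugin evaluates GroupMembership."""
    return sorted(e["cn"][0] for e in entries.values()
                  if needle in e.get(attr, []))


def groups_with_nesting(entries, user_dn):
    """Resolve nested membership by following member DNs that are themselves
    groups. The compat tree does this work server-side; the macOS client does
    not, which is why the accounts tree loses indirect groups."""
    found = set()

    def walk(dn):
        for group_dn, e in entries.items():
            if dn in e.get("member", []) and group_dn not in found:
                found.add(group_dn)
                walk(group_dn)

    walk(user_dn)
    return sorted(entries[g]["cn"][0] for g in found)


if __name__ == "__main__":
    acc = parse_ldif(ACCOUNTS_LDIF)
    comp = parse_ldif(COMPAT_LDIF)
    alice_dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
    print("accounts, member, no recursion:  ",
          groups_via_single_attribute(acc, "member", alice_dn))
    print("accounts, member, with recursion:",
          groups_with_nesting(acc, alice_dn))
    print("compat, memberUid, no recursion: ",
          groups_via_single_attribute(comp, "memberUid", "alice"))
```

Before touching Directory Utility, the same difference can be confirmed against the real server with a plain anonymous query such as `ldapsearch -x -H ldap://ipa.example.com -b cn=groups,cn=compat,dc=example,dc=com '(cn=devs)' memberUid`; if the compat tree is enabled, the flattened memberUid values appear there and nowhere under cn=accounts.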