[Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

Dmitri Pal dpal at redhat.com
Wed Jan 14 18:34:37 UTC 2015


On 01/14/2015 01:11 PM, Ejner Fergo wrote:
> Hola,
>
> This is a response to:
> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
>
> Scott, maybe you already found the solution, but I've been banging my 
> head with the same problem, albeit with a newer version of FreeIPA and 
> OSX. I used this excellent howto to get started:
> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>
> Despite initial success, without secondary groups the OSX integration 
> doesn't really make sense. I managed to get it working though, by 
> doing this:
>
> In the "Search & Mappings" area of Directory Utility, change the 
> "Search base" of the Groups record type from 
> 'cn=groups,cn=accounts,dc=example,dc=com' to 
> 'cn=groups,cn=compat,dc=example,dc=com' ( so compat instead of 
> accounts). In Groups add the attribute 'GroupMembership' mapped to 
> 'memberUID'. You might have to map to 'member' in FreeIPA 3.0.
>
> With these settings, doing an 'id user' on OSX shows all secondary 
> groups, even indirect group membership!
>
> I still have to test and figure stuff out about ssh and sudo on the 
> OSX side of things, but that isn't as important as having group access 
> control.
>
> Hope it helps!
>
> Best regards,
> Ejner Fergo

Thanks for sharing!
So this seems to mean that Mac expects the 2307 schema instead of 2307bis.
So yes, pointing to the compat tree would be the right approach.

Can we document it somewhere?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
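As an added illustration, not code from this thread or from the FreeIPA project, the schema difference Dmitri points at: a 2307-style client that resolves GroupMembership through memberUid finds nothing in the cn=accounts tree (which only carries 2307bis member DNs), but finds every group, nested ones included, in the flattened cn=compat tree. The LDIF entries and the example.com DNs below are constructed for the example.

```python
import re

# Constructed sample: one group, as FreeIPA exposes it in the two trees.
ACCOUNTS_LDIF = """\
dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
cn: devs
gidNumber: 1001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: cn=interns,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=interns,cn=groups,cn=accounts,dc=example,dc=com
cn: interns
gidNumber: 1002
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""

COMPAT_LDIF = """\
dn: cn=devs,cn=groups,cn=compat,dc=example,dc=com
cn: devs
gidNumber: 1001
memberUid: alice
memberUid: bob

dn: cn=interns,cn=groups,cn=compat,dc=example,dc=com
cn: interns
gidNumber: 1002
memberUid: bob
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def groups_for(uid, entries, membership_attr):
    """A 2307 client ('memberuid') matches the bare login name; a 2307bis
    client ('member') matches the user's DN. Neither expands nested groups
    by itself, so the accounts tree leaves bob out of devs while the
    flattened compat tree (memberUid, as the thread recommends) lists both."""
    user_dn = f"uid={uid},cn=users,cn=accounts,dc=example,dc=com"
    needle = uid if membership_attr == "memberuid" else user_dn
    return sorted(e["cn"][0] for e in entries
                  if needle in e.get(membership_attr, []))
```

Run `groups_for("bob", parse_ldif(COMPAT_LDIF), "memberuid")` to see the indirect membership the original post describes; the same call against ACCOUNTS_LDIF returns nothing, which is the symptom of the default mapping.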
