[Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

Martin Kosek mkosek at redhat.com
Thu Jan 15 09:23:28 UTC 2015


On 01/14/2015 07:34 PM, Dmitri Pal wrote:
> On 01/14/2015 01:11 PM, Ejner Fergo wrote:
>> Hola,
>>
>> This is a response to:
>> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
>>
>> Scott, maybe you already found the solution, but I've been banging my head
>> with the same problem, albeit with a newer version of FreeIPA and OSX. I used
>> this excellent howto to get started:
>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>
>> Despite initial success, without secondary groups the OSX integration doesn't
>> really make sense. I managed to get it working though, by doing this:
>>
>> In the "Search & Mappings" area of Directory Utility, change the "Search
>> base" of the Groups record type from
>> 'cn=groups,cn=accounts,dc=example,dc=com' to
>> 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts). In
>> Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might
>> have to map to 'member' in FreeIPA 3.0.
>>
>> With these settings, doing an 'id user' on OSX shows all secondary groups,
>> even indirect group membership!
>>
>> I still have to test and figure stuff out about ssh and sudo on the OSX side
>> of things, but that isn't as important as having group access control.
>>
>> Hope it helps!
>>
>> Best regards,
>> Ejner Fergo
>>
> 
> Thanks for sharing!
> So this seems to mean that Mac expects 2307 schema instead of the 2307bis.
> So yes pointing to compat tree would be the right approach.
> 
> Can we document it somewhere?

I at least added this useful link to http://www.freeipa.org/page/HowTos#UNIX

If there is some better place, please feel free to update.

Martin
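As an added illustration of the 2307 vs. 2307bis point in this thread (example code, not from the list or the FreeIPA project): the function below parses a group entry as LDIF and reports whether it carries RFC 2307 style `memberUid` logins (what the compat tree serves, and what the `GroupMembership` mapping above expects) or 2307bis `member` DNs (the accounts tree). The two LDIF entries, the `example.com` domain and the user names are constructed placeholders.

```python
# Constructed sample: the same group as served by the accounts tree (2307bis,
# member DNs, nested group not flattened) and by the compat tree (RFC 2307,
# memberUid logins, nested membership already flattened so "bob" from the
# nested "ops" group appears directly).
ACCOUNTS_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
objectClass: posixgroup
gidNumber: 10001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
"""

COMPAT_LDIF = """\
dn: cn=admins,cn=groups,cn=compat,dc=example,dc=com
cn: admins
objectClass: posixGroup
gidNumber: 10001
memberUid: alice
memberUid: bob
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.
    Handles plain 'attr: value' lines only (no base64 '::' or folded lines),
    which is enough for the constructed samples above."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry


def group_schema(entry):
    """'rfc2307' when the group lists logins in memberUid, 'rfc2307bis' when
    it lists DNs in member, 'unknown' otherwise."""
    if "memberuid" in entry:
        return "rfc2307"
    if "member" in entry:
        return "rfc2307bis"
    return "unknown"


def members_for_osx(entry):
    """Logins OS X will resolve once GroupMembership is mapped to memberUid.
    An entry without memberUid yields nothing, which is the symptom in the thread."""
    return sorted(entry["memberuid"]) if group_schema(entry) == "rfc2307" else []


def check_group(entry, expected_logins):
    """True if every expected login is visible through the memberUid mapping."""
    return set(expected_logins) <= set(members_for_osx(entry))
```

Running `check_group` against a real export (`ldapsearch -LLL` of a group under `cn=groups,cn=compat,...`) is a quick way to confirm the compat tree really exposes every login, including nested ones, before relying on it for group-based access control.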
