[Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

Ejner Fergo ejnersan at gmail.com
Fri Jan 16 16:36:16 UTC 2015


Sorry, I didn't look close enough, so missed the link to HowTos under
"Additional Resources"...

On Fri, Jan 16, 2015 at 5:31 PM, Ejner Fergo <ejnersan at gmail.com> wrote:

> I emailed the author of the howto, so hopefully he will update it.
>
> I still think it would make sense to have this information (how to setup
> an OSX 10.7+ client) documented directly on freeipa.org like
> http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients, or at
> least have a link to http://www.freeipa.org/page/HowTos under
> http://www.freeipa.org/page/Documentation (I could not find a link to
> HowTos on freeipa.org without searching for it..).
>
> I may be willing to volunteer to write this updated howto, even though it
> would be a 99% copy/paste from linsec.ca .... don't know if that's a good
> idea.
>
> On Thu, Jan 15, 2015 at 10:23 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
>> On 01/14/2015 07:34 PM, Dmitri Pal wrote:
>> > On 01/14/2015 01:11 PM, Ejner Fergo wrote:
>> >> Hola,
>> >>
>> >> This is a response to:
>> >>
>> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
>> >>
>> >> Scott, maybe you already found the solution, but I've been banging my
>> >> head with the same problem, albeit with a newer version of FreeIPA and
>> >> OSX. I used this excellent howto to get started:
>> >>
>> >> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>> >>
>> >> Despite initial success, without secondary groups the OSX integration
>> >> doesn't really make sense. I managed to get it working though, by doing
>> >> this:
>> >>
>> >> In the "Search & Mappings" area of Directory Utility, change the "Search
>> >> base" of the Groups record type from
>> >> 'cn=groups,cn=accounts,dc=example,dc=com' to
>> >> 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts).
>> >> In Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You
>> >> might have to map to 'member' in FreeIPA 3.0.
>> >>
>> >> With these settings, doing an 'id user' on OSX shows all secondary
>> >> groups, even indirect group membership!
>> >>
>> >> I still have to test and figure stuff out about ssh and sudo on the OSX
>> >> side of things, but that isn't as important as having group access
>> >> control.
>> >>
>> >> Hope it helps!
>> >>
>> >> Best regards,
>> >> Ejner Fergo
>> >>
>> >
>> > Thanks for sharing!
>> > So this seems to mean that Mac expects 2307 schema instead of the
>> > 2307bis.
>> > So yes pointing to compat tree would be the right approach.
>> >
>> > Can we document it somewhere?
>>
>> I at least added this useful link to
>> http://www.freeipa.org/page/HowTos#UNIX
>>
>> If there is some better place, please feel free to update.
>>
>> Martin
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
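Why the search-base change in the quoted message works, as an added example that is not part of the thread or of FreeIPA itself: the cn=accounts tree stores group membership RFC 2307bis style (a 'member' attribute holding the user's DN, with nested groups as further DNs), while the cn=compat tree presents the same groups RFC 2307 style (a 'memberUid' attribute holding bare uids, with nested membership already flattened), which is what an OS X 'GroupMembership -> memberUid' mapping queries for. The LDIF below is constructed to mirror that layout (the user, group names, gids and dc=example,dc=com suffix are placeholders, not real FreeIPA output); the attribute name is memberUid, but LDAP attribute types are case-insensitive so the 'memberUID' spelling in Directory Utility is equivalent. The ldapsearch command at the end is for checking a real server and assumes anonymous simple bind is allowed and a placeholder hostname.

```python
# Constructed sample LDIF, not real FreeIPA output.  alice is a direct member
# of 'developers', which is itself a member of 'engineering'; bob is in 'ops'.
ACCOUNTS_LDIF = """\
dn: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
cn: developers
gidNumber: 1001
objectClass: posixgroup
objectClass: groupofnames
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=engineering,cn=groups,cn=accounts,dc=example,dc=com
cn: engineering
gidNumber: 1002
objectClass: posixgroup
objectClass: groupofnames
member: cn=developers,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
cn: ops
gidNumber: 1003
objectClass: posixgroup
objectClass: groupofnames
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""

# The same groups as the compat tree (slapi-nis) presents them: RFC 2307,
# bare uids in memberUid, nested membership flattened.
COMPAT_LDIF = """\
dn: cn=developers,cn=groups,cn=compat,dc=example,dc=com
cn: developers
gidNumber: 1001
objectClass: posixGroup
memberUid: alice

dn: cn=engineering,cn=groups,cn=compat,dc=example,dc=com
cn: engineering
gidNumber: 1002
objectClass: posixGroup
memberUid: alice

dn: cn=ops,cn=groups,cn=compat,dc=example,dc=com
cn: ops
gidNumber: 1003
objectClass: posixGroup
memberUid: bob
"""


def parse_ldif(text):
    """Minimal LDIF parser for the simple 'attr: value' form used above.
    Returns a list of {attr: [values]} dicts; attribute names are lower-cased
    because LDAP attribute types are case-insensitive (memberUid == memberUID)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def groups_for_user(entries, search_base, membership_attr, match_value):
    """What the client's group lookup amounts to: the cn of every entry under
    search_base whose membership_attr contains match_value (the bare uid for
    RFC 2307 memberUid, the user's DN for RFC 2307bis member).  The client
    does not recurse into nested groups; whatever the server lists is it."""
    found = []
    for e in entries:
        dn = e.get("dn", [""])[0].lower()
        if not dn.endswith("," + search_base.lower()):
            continue
        values = [v.lower() for v in e.get(membership_attr.lower(), [])]
        if match_value.lower() in values:
            found.append(e["cn"][0])
    return sorted(found)


def demo(uid="alice", base="dc=example,dc=com"):
    """Compare the three mappings a Directory Utility user might configure."""
    accounts, compat = parse_ldif(ACCOUNTS_LDIF), parse_ldif(COMPAT_LDIF)
    user_dn = "uid=%s,cn=users,cn=accounts,%s" % (uid, base)
    return {
        # default Groups base + memberUid: nothing, accounts has no memberUid
        "accounts/memberUid": groups_for_user(
            accounts, "cn=groups,cn=accounts," + base, "memberUid", uid),
        # accounts base with 'member' mapped: direct membership only
        "accounts/member": groups_for_user(
            accounts, "cn=groups,cn=accounts," + base, "member", user_dn),
        # compat base + memberUid: direct and nested, already flattened
        "compat/memberUid": groups_for_user(
            compat, "cn=groups,cn=compat," + base, "memberUid", uid),
    }


def ldapsearch_command(server, uid, base="dc=example,dc=com"):
    """Command to confirm against a real server that the compat tree answers
    an RFC 2307 query.  Assumes anonymous simple bind (-x) is permitted;
    the server name is a placeholder."""
    return ("ldapsearch -x -LLL -H ldap://%s -b cn=groups,cn=compat,%s "
            "'(memberUid=%s)' cn gidNumber" % (server, base, uid))


if __name__ == "__main__":
    for mapping, groups in demo().items():
        print("%-20s %s" % (mapping, groups))
    print(ldapsearch_command("ipa.example.com", "alice"))
```

The compat result is the one that matches what 'id user' reports on OS X after the change; the accounts/member variant is what mapping to 'member' buys you on the accounts tree, and it stops at direct membership because the client never expands nested groups itself.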