[Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

Dmitri Pal dpal at redhat.com
Fri Jan 16 20:53:00 UTC 2015


On 01/16/2015 11:36 AM, Ejner Fergo wrote:
> Sorry, I didn't look close enough, so missed the link to HowTos under 
> "Additional Resources"...
>
> On Fri, Jan 16, 2015 at 5:31 PM, Ejner Fergo <ejnersan at gmail.com> wrote:
>
>     I emailed the author of the howto, so hopefully he will update it.
>
>     I still think it would make sense to have this information (how to
>     set up an OSX 10.7+ client) documented directly on freeipa.org like
>     http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients,
>     or at least have a link to http://www.freeipa.org/page/HowTos
>     under http://www.freeipa.org/page/Documentation (I could not find
>     a link to HowTos on freeipa.org without searching for it..).
>
>     I may be willing to volunteer to write this updated howto, even
>     though it would be a 99% copy/paste from linsec.ca .... don't know
>     if that's a good idea.
>

Many people are looking for pointers on the FreeIPA site. Some kind of 
linking or copy/paste needs to happen, whatever makes more sense and is 
the cleanest.


>
>     On Thu, Jan 15, 2015 at 10:23 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
>         On 01/14/2015 07:34 PM, Dmitri Pal wrote:
>         > On 01/14/2015 01:11 PM, Ejner Fergo wrote:
>         >> Hola,
>         >>
>         >> This is a response to:
>         >> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
>         >>
>         >> Scott, maybe you already found the solution, but I've been banging my head
>         >> with the same problem, albeit with a newer version of FreeIPA and OSX. I used
>         >> this excellent howto to get started:
>         >> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>         >>
>         >> Despite initial success, without secondary groups the OSX integration doesn't
>         >> really make sense. I managed to get it working though, by doing this:
>         >>
>         >> In the "Search & Mappings" area of Directory Utility, change the "Search
>         >> base" of the Groups record type from
>         >> 'cn=groups,cn=accounts,dc=example,dc=com' to
>         >> 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts). In
>         >> Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might
>         >> have to map to 'member' in FreeIPA 3.0.
>         >>
>         >> With these settings, doing an 'id user' on OSX shows all secondary groups,
>         >> even indirect group membership!
>         >>
>         >> I still have to test and figure stuff out about ssh and sudo on the OSX side
>         >> of things, but that isn't as important as having group access control.
>         >> Hope it helps!
>         >>
>         >> Best regards,
>         >> Ejner Fergo
>         >>
>         >>
>         >>
>         >>
>         >>
>         >>
>         >
>         > Thanks for sharing!
>         > So this seems to mean that Mac expects 2307 schema instead of the 2307bis.
>         > So yes pointing to compat tree would be the right approach.
>         >
>         > Can we document it somewhere?
>
>         I at least added this useful link to
>         http://www.freeipa.org/page/HowTos#UNIX
>
>         If there is some better place, please feel free to update.
>
>         Martin
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
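
An added illustration of the schema point discussed in this thread (not code from the thread, from linsec.ca, or from FreeIPA): a simplified model of why a client that matches login names against `memberUid` (RFC 2307) finds no groups under `cn=accounts`, where membership is stored as `member` DNs (RFC 2307bis), but finds direct and indirect groups in a flattened `cn=compat`-style view. All users, groups and helper names are constructed for the example.

```python
# Constructed sample data: a 2307bis-style tree as found under cn=accounts.
# Every DN, user and group here is made up for illustration.
BASE = "dc=example,dc=com"
USERS = f"cn=users,cn=accounts,{BASE}"
GROUPS = f"cn=groups,cn=accounts,{BASE}"
COMPAT = f"cn=groups,cn=compat,{BASE}"

ACCOUNTS = {
    f"uid=alice,{USERS}": {"uid": ["alice"]},
    f"uid=bob,{USERS}": {"uid": ["bob"]},
    f"cn=editors,{GROUPS}": {"cn": ["editors"], "gidNumber": ["5001"],
                             "member": [f"uid=alice,{USERS}"]},
    # 'staff' contains bob directly and the nested group 'editors'.
    f"cn=staff,{GROUPS}": {"cn": ["staff"], "gidNumber": ["5002"],
                           "member": [f"uid=bob,{USERS}", f"cn=editors,{GROUPS}"]},
}

def resolve_uids(group_dn, tree, seen=None):
    """Follow 'member' DNs recursively and return the set of login names."""
    seen = set() if seen is None else seen
    if group_dn in seen:              # guard against membership loops
        return set()
    seen.add(group_dn)
    uids = set()
    for dn in tree.get(group_dn, {}).get("member", []):
        entry = tree.get(dn)
        if entry is None:             # dangling reference, skip it
            continue
        if "uid" in entry:            # a user entry: take its login name
            uids.update(entry["uid"])
        else:                         # a nested group: descend into it
            uids |= resolve_uids(dn, tree, seen)
    return uids

def compat_view(tree):
    """Build RFC 2307 style group entries with flat memberUid values."""
    view = {}
    for dn, entry in tree.items():
        if "gidNumber" in entry:
            cn = entry["cn"][0]
            view[f"cn={cn},{COMPAT}"] = {"cn": [cn], "gidNumber": entry["gidNumber"],
                                         "memberUid": sorted(resolve_uids(dn, tree))}
    return view

def groups_of(user, group_entries, attr="memberUid"):
    """Model of an RFC 2307 client: match the login name against one attribute."""
    return sorted(e["cn"][0] for e in group_entries.values() if user in e.get(attr, []))
```
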
