<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Guillermo,<div class=""><br class=""></div><div class="">In February I published my findings for switching IPA into OpenDirectory-compatible mode. See:</div><div class=""><a href="https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html" class="">https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html</a></div><div class="">Start by reading that thread.</div><div class=""><br class=""></div><div class="">More recently, Stefan Zecevic picked this up and opened up some interesting test cases for the setup in this thread:</div><div class=""><a href="https://www.redhat.com/archives/freeipa-users/2016-May/msg00310.html" class="">https://www.redhat.com/archives/freeipa-users/2016-May/msg00310.html</a></div><div class=""><br class=""></div><div class="">There's also a ticket for implementing these changes in <a href="https://fedorahosted.org/freeipa/ticket/4813" class="">IPA 4.4</a>.</div><div class=""><br class=""></div><div class="">I'm willing to invest 4 hours per week into this if anyone else joins.</div><div class=""><br class=""></div><div class="">I have VMware virtual machines for every x86 OS X release possible (from Tiger to El Capitan) and for historical reasons I also have a few PPC releases in QEMU format.</div><div class=""><br class=""></div><div class="">I can host the VMs on a server, but I need some help configuring the 389 Directory Server plugins to automatically generate the needed extra attributes (authAuthority and altSecurityIdentities). 
I personally think that cn=config should also be automatically generated.</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">Răzvan</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 22 May 2016, at 21:31, Guillermo Fuentes <<a href="mailto:guillermo.fuentes@modernizingmedicine.com" class="">guillermo.fuentes@modernizingmedicine.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_default" style="font-family:verdana,sans-serif">This is great info, Razvan. Thanks for sharing it!</div><div class="gmail_default" style="font-family:verdana,sans-serif">We provision Macs by pushing configuration scripts via Munki.</div><div class="gmail_default" style="font-family:verdana,sans-serif">Can you point me to where I can find more documentation about this?</div><div class="gmail_default" style="font-family:verdana,sans-serif">Thanks again,</div><div class="gmail_default" style="font-family:verdana,sans-serif">Guillermo</div><div class="gmail_extra">
<br class=""><div class="gmail_quote">On Fri, May 20, 2016 at 3:45 PM, "Răzvan Corneliu C.R. VILT" <span dir="ltr" class=""><<a href="mailto:razvan.vilt@me.com" target="_blank" class="">razvan.vilt@me.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">Hi guys,<div class=""><br class=""></div><div class="">Regarding the Macs, there are a few notes:</div><div class=""><br class=""></div><div class="">1) The template kerberos setup can be pushed through LDAP (cn=KerberosClient and cn=KerberosKDC,cn=config)</div><div class="">2) The LDAP replicas can be also configured in cn=config and it is cached by OpenDirectory in the following format:</div><div class=""><br class=""></div><div class="">dn: cn=ldapreplicas, cn=config, dc=example, dc=com</div><div class="">objectClass: apple-configuration</div><div class="">apple-ldap-replica: <a class="">ldap://192.168.1.1</a></div><div class="">apple-ldap-replica: <a class="">ldap://192.168.2.2</a></div><div class="">apple-ldap-writable-replica: <a class="">ldap://192.168.1.1</a></div><div class="">apple-ldap-writable-replica: <a class="">ldap://192.168.2.2</a></div><div class="">apple-xml-plist: base64 encode of:</div><div class="">---------------------</div><div class=""><?xml version="1.0" encoding="UTF-8"?><br class=""><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<a href="http://www.apple.com/DTDs/PropertyList-1.0.dtd" target="_blank" class="">http://www.apple.com/DTDs/PropertyList-1.0.dtd</a>"><br class=""><plist version="1.0"><br class=""><dict><br class=""><span style="white-space:pre-wrap" class=""> </span><key>GUID</key><br class=""><span style="white-space:pre-wrap" class=""> </span><string>01234567-89AB-CDEF-0123-456789ABCDEF</string><br class=""><span style="white-space:pre-wrap" class=""> </span><key>IPaddresses</key><!-- of the master ipa host if there are multiple interfaces for 
it --><br class=""><span style="white-space:pre-wrap" class=""> </span><array><br class=""><span style="white-space:pre-wrap" class=""> </span><string>192.168.1.1</string></div><div class=""> <string>10.0.0.1</string><br class=""><span style="white-space:pre-wrap" class=""> </span></array><br class=""><span style="white-space:pre-wrap" class=""> </span><key>PrimaryMaster</key><br class=""><span style="white-space:pre-wrap" class=""> </span><string><a href="http://ipa-server.example.org/" target="_blank" class="">ipa-server.example.org</a></string><br class=""><span style="white-space:pre-wrap" class=""> </span><key>ReplicaName</key><br class=""><span style="white-space:pre-wrap" class=""> </span><string>Master</string><br class=""><span style="white-space:pre-wrap" class=""> </span><key>Replicas</key><br class=""><span style="white-space:pre-wrap" class=""> </span><array></div><div class=""> <string><a href="http://ipa-bkserver.example.org/" target="_blank" class="">ipa-bkserver.example.org</a></string></div><div class=""> <array></div><div class=""> <!-- use only <array/> if there are no replicas --><br class=""></dict><br class=""></plist><br class="">----------------------</div><div class=""><br class=""></div><div class="">3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL and/or OCSP are enforced). 
IPA refuses PLAIN authentication on SSL.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">If you do this manually instead of the OpenDirectory-compatible way, your machine doesn't create an account for itself in IPA, so service access without login is not available, it doesn't download the root CA automatically, and you don't get SSO out of the box.</div><div class=""><br class=""></div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="h5"><div class="">On 20 May 2016, at 22:13, Guillermo Fuentes <<a href="mailto:guillermo.fuentes@modernizingmedicine.com" target="_blank" class="">guillermo.fuentes@modernizingmedicine.com</a>> wrote:</div><br class=""></div></div><div class=""><div class=""><div class="h5"><div dir="ltr" style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><div class=""><div class=""><font face="verdana, sans-serif" class="">SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = yes" and removing the KDC server ("kdc = xxx") entries from the /Library/Preferences/edu.mit.Kerberos config file does the trick.</font></div><div class=""><font face="verdana, sans-serif" class=""><br class=""></font></div><div class=""><font face="verdana, sans-serif" class="">For LDAP, although you can enable it, I can't see it documented anywhere, so I'm assuming that isn't the recommended way for the Mac. 
This can be enabled by running this for the LDAP server you're using:</font></div><div class=""><font face="verdana, sans-serif" class="">sudo odutil set configuration /LDAPv3/<a href="http://ipa1.example.com/" target="_blank" class="">ipa1.example.com</a><span class=""> </span>module ldap option "Use DNS replicas" "true"</font></div><div class=""><br class=""></div><div class=""><font face="verdana, sans-serif" class="">Adding the altServer values with the Directory Manager credentials worked and I'm happy to report that the failover on the Mac works great with FreeIPA!</font></div><div class=""><font face="verdana, sans-serif" class=""><br class=""></font></div><div class=""><font face="verdana, sans-serif" class="">As suggested by Rob, for three servers, on server ipa1:</font></div><div class=""><font face="verdana, sans-serif" class="">$ ldapmodify -x -D 'cn=directory manager' -W</font></div><div class=""><font face="verdana, sans-serif" class="">Enter LDAP Password:</font></div><div class=""><font face="verdana, sans-serif" class="">dn:</font></div><div class=""><font face="verdana, sans-serif" class="">changetype: modify</font></div><div class=""><font face="verdana, sans-serif" class="">add: altServer</font></div><div class=""><font face="verdana, sans-serif" class="">altServer: ldap://<a href="http://ipa2.example.com/" target="_blank" class="">ipa2.example.com</a></font></div><div class=""><font face="verdana, sans-serif" class="">-</font></div><div class=""><font face="verdana, sans-serif" class="">add: altServer</font></div><div class=""><font face="verdana, sans-serif" class="">altServer: ldap://<a href="http://ipa3.example.com/" target="_blank" class="">ipa3.example.com</a></font></div><div class=""><font face="verdana, sans-serif" class=""><br class=""></font></div><div class=""><font face="verdana, sans-serif" class="">modifying entry ""</font></div><div class=""><font face="verdana, sans-serif" class="">^D</font></div><div class=""><font 
face="verdana, sans-serif" class=""><br class=""></font></div><div class=""><font face="verdana, sans-serif" class="">The altServer values didn't replicate so I had to add them to each of the FreeIPA servers.</font></div><div class=""><font face="verdana, sans-serif" class=""><br class=""></font></div><div class=""><font face="verdana, sans-serif" class="">Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute to look for replicas in case of failover: </font></div><div class=""><font face="verdana, sans-serif" class="">sudo odutil set configuration /LDAPv3/<a href="http://ipa1.example.com/" target="_blank" class="">ipa1.example.com</a><span class=""> </span>module ldap option "Use altServer replicas" "true"</font></div><div class=""><font face="verdana, sans-serif" class=""><br class=""></font></div><div class=""><font face="verdana, sans-serif" class="">And, viola! Highly available authentication with a FreeIPA cluster for the Mac!</font></div><div class=""><br class=""></div><div class=""><font face="verdana, sans-serif" class="">Thanks so much for your help!</font></div><div class=""><font face="verdana, sans-serif" class="">Guillermo</font></div><div style="font-family:verdana,sans-serif" class=""><br class=""></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden<span class=""> </span><span dir="ltr" class=""><<a href="mailto:rcritten@redhat.com" target="_blank" class="">rcritten@redhat.com</a>></span><span class=""> </span>wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">Martin Basti wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hello,<br class=""><br class="">IPA uses SRV records for 
failover to another replica/LDAP.<br class=""><br class="">I don't know how it works on Macs, but in case there is no<br class="">possibility to use SRV, you may need to file an RFE ticket<br class="">(<a href="https://fedorahosted.org/freeipa/newticket" rel="noreferrer" target="_blank" class="">https://fedorahosted.org/freeipa/newticket</a>)<br class=""></blockquote><br class=""></span>Agreed, SRV records are the preferred mechanism. I was curious though, so I played with this a bit, and it is possible to add altServer values:<br class=""><br class="">$ ldapmodify -x -D 'cn=directory manager' -W<br class="">Enter LDAP Password:<br class="">dn:<br class="">changetype: modify<br class="">add: altServer<br class="">altServer: ldap://<a href="http://gyre.example.com/" rel="noreferrer" target="_blank" class="">gyre.example.com</a><br class=""><br class="">modifying entry ""<br class="">^D<br class=""><br class="">$ ldapsearch -LLL -x -b "" -s base altServer<br class="">dn:<br class="">altServer: ldap://<a href="http://gyre.example.com/" rel="noreferrer" target="_blank" class="">gyre.example.com</a><br class=""><br class="">My test rig is a single master, so I don't know if this replicates or not.<br class=""><br class="">rob<br class=""><br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class=""><br class="">Martin<br class=""><br class=""><br class="">On 19.05.2016 17:43, Guillermo Fuentes wrote:<br class=""></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">Hello all,<br class=""><br class="">As OS X allows LDAP server failover via the altServer attribute<br class="">(RFC4512) from RootDSE, it would be great to be able to configure our<br class="">Macs to connect to a single FreeIPA server and add other 
FreeIPA<br class="">servers as multiple altServer values.<br class="">The current schema doesn't seem to support adding this attribute.<br class="">Can this be done in a way I'm missing?<br class=""><br class="">Thanks in advance!<br class=""><br class="">GUILLERMO FUENTES<br class="">SR. SYSTEMS ADMINISTRATOR<br class=""><br class=""><a href="tel:561-880-2998%20x1337" value="+15618802998" target="_blank" class="">561-880-2998 x1337</a><br class=""><br class=""></span><a href="mailto:guillermo.fuentes@modmed.com" target="_blank" class="">guillermo.fuentes@modmed.com</a><span class=""> </span><mailto:<a href="mailto:guillermo.fuentes@modmed.com" target="_blank" class="">guillermo.fuentes@modmed.com</a>><br class=""><br class=""><br class="">[ Modernizing Medicine ] <<a href="http://www.modmed.com/" rel="noreferrer" target="_blank" class="">http://www.modmed.com/</a>><br class="">[ Facebook ] <<a href="http://www.facebook.com/modernizingmedicine" rel="noreferrer" target="_blank" class="">http://www.facebook.com/modernizingmedicine</a>> [<br class="">LinkedIn ] <<a href="http://www.linkedin.com/company/modernizing-medicine/" rel="noreferrer" target="_blank" class="">http://www.linkedin.com/company/modernizing-medicine/</a>> [<br class="">YouTube ] <<a href="http://www.youtube.com/user/modernizingmedicine" rel="noreferrer" target="_blank" class="">http://www.youtube.com/user/modernizingmedicine</a>> [<br class="">Twitter ] <<a href="https://twitter.com/modmed_EMA" rel="noreferrer" target="_blank" class="">https://twitter.com/modmed_EMA</a>> [ Blog ]<br class=""><<a href="http://www.modmed.com/BlogBeyondEMR" rel="noreferrer" target="_blank" class="">http://www.modmed.com/BlogBeyondEMR</a>> [ Instagram ]<br class=""><<a href="http://instagram.com/modernizing_medicine" rel="noreferrer" target="_blank" class="">http://instagram.com/modernizing_medicine</a>><br class=""><br class=""><br class=""><br class=""><br class=""><br class=""></blockquote><br class=""><br 
class=""><br class=""></blockquote><br class=""></blockquote></div><br class=""></div></div></div></div><span class="HOEnZb"><font color="#888888" class=""><span style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important" class="">--<span class=""> </span></span><br style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><span style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important" class="">Manage your subscription for the Freeipa-users mailing list:</span><br style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" class="">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><span style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important" class="">Go to<span class=""> 
</span></span><a href="http://freeipa.org/" style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" class="">http://freeipa.org</a><span style="font-family:HelveticaNeue;font-size:14px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important" class=""><span class=""> </span>for more info on the project</span></font></span></div></blockquote></div><br class=""></div></div><br class="">--<br class="">
Manage your subscription for the Freeipa-users mailing list:<br class="">
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank" class="">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br class="">
Go to <a href="http://freeipa.org/" rel="noreferrer" target="_blank" class="">http://freeipa.org</a> for more info on the project<br class=""></blockquote></div><br class=""></div></div>
</div></blockquote></div><br class=""></div></body></html>