Thanks for all the hard work on this, I've been enjoying an almost
functional setup for the last week but have been tearing my hair out with
making GSSAPI  behave.

What I have found so far using the config instructions - may be error prone
now as the number of combinations tried!

Anonymous bind enabled on freeipa: all works fine as you would expect.
RootDSE only enabled on freeipa    : Works If you also specify a real user
in the Directory Utility auth section (not a service account)
No anonymous binds                        : Will not play at all.

Now the thing that is really throwing me, is that GSSAPI ldapsearch works
just fine from the command line (using -Y GSSAPI) but  directiory utility
seems unable to use these credentials.
I'm totally unsure if this is an OS limitation (as the login screen
wouldn't have any creds until a user has typed them) or if I've managed to
screw something up.

I'd like to be in a position where I can either have a very reduced access
LDAP user enabled on all Mac clients, or that they can harness the host or
user keytab in order to require no special LDAP credentials of their own.

Hope this makes sense, and thanks in advance,


p.s. I've attempted to and failed to join this list, so subject to
moderation, and I might require an explicit reply to in order to get
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to