Hi, I'm trying to set up a Mac OSX 10.6 client to connect to our FreeIPA 1.x servers. Unfortunately, I don't have the authentication working yet, neither do I have the group lookup working. So far, all I have working is that I can 'id $USERNAME' on a FreeIPA username and have a record returned (without the groups).
My main question is that I'm confused by the attribute mapping configuration. The manual states that the "Authentication Authority" should be mapped to "#;Kerberosv5;;$uid$;EXAMPLE.COM", which is fine. It also states that I should add mappings for other attributes, but I'm unsure how to modify the string correctly, i.e. should "PrimaryGroupID" map to "#;Kerberosv5;;$gidNumber$;EXAMPLE.COM"? Or do I have to alter it in some other way? There seems to be no configuration for the group mappings, and I'm unsure how to configure these.

I'm happy to experiment/document the procedure further if someone can suggest the correct settings for me to use.

Finally, the current documentation is written for OSX 10.4 and is a little out of date - here are some updates:

1. There is no GUI 'realm configuration tool', you have to manually edit the file: /Library/Preferences/edu.mit.kerberos
2. In the 'authorization' file, the existing text is: 'builtin:authenticate,privileged' which must be replaced with 'builtin:krb5authnoverify,privileged' (But authentication still doesn't work for me - any ideas?)
3. The "Directory Utility" is now in: /System/Library/CoreServices
4. The "Add DHCP-supplied LDAP servers" option is no longer available.

Thanks,
Dan