Good!
And thanks for letting us know, it may help other users too.

Simo.

On Wed, 2014-04-16 at 17:58 -0400, Fredy Sanchez wrote:
> Hi Simo,
> 
> Thanks for your reply. Good old Google pointed me to
> https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
> which gave me the idea of
> updating the RealName mapping to displayName. This solved the problem, I'll
> have to recreate the permissions for every share, but the user names now
> show up, and stick. No more UIDs.
> 
> 
> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce <s...@redhat.com> wrote:
> 
> > On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
> > > Hi all,
> > >
> > > We asked this same question at discussions.apple.com, but figured we'd
> > have
> > > better luck here. I apologize in advance if this is the wrong forum.
> > >
> > > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1.
> > running
> > > in Mavericks 10.9.2) for File Sharing. We use a FreeIPA
> > (ipa-server.x86_64
> > >         3.0.0-37.el6) backend for SSO, and the Mac server seems correctly
> > > bound to it. Unfortunately, although we can add usernames to the shares
> > for
> > > the initial config, the usernames transform to UIDs after (only for SSO
> > > accounts; local accounts are not affected). That is, when we go to edit
> > the
> > > permissions for a share, all we see are UIDs. We can always figure out
> > the
> > > username from the UID, but this is an extra step we don't want to have.
> > > We've tried reinstalling the Mac server app from scratch, re-binding to
> > the
> > > FreeIPA backend, changing mappings in Directory Utility (for example,
> > > mapping GeneratedUID to uid, which is the username), recreating the
> > shares
> > > and permissions, etc. Here are more details about the binding:
> > >
> > > * The binding happens thru a custom package we created based primarily on
> > >
> > http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> > > * Sys Prefs, Users & Groups, Login Options show the server bound to the
> > > FreeIPA backend with the green dot
> > > * The following mappings are in place in Directory Utility, Services,
> > > LDAPv3, FreeIPA backend
> > >
> > > Users: inetOrgPerson
> > >      AuthenticationAuthority: uid
> > >      GeneratedUID: random number in uppercase
> > >      HomeDirectory: #/Users/$uid$
> > >      NFSHomeDirectory: #/Users/$uid$
> > >      OriginalHomeDirectory: #/Users/$uid$
> > >      PrimaryGroupID: gidNumber
> > >      RealName: cn
> > >      RecordName: uid
> > >      UniqueID: uidNumber
> > >      UserShell: loginShell
> > > Groups: posixgroup
> > >      PrimaryGroupID: gidNumber
> > >      RecordName: cn
> > >
> > > The search bases are correct
> > >
> > > * Directory Utility, Directory Editor shows the right info for the users.
> > > * $ id $USERNAME shows the right information for the user
> > >
> > > FreeIPA is working beautifully for our Mac / Linux environment. We
> > provide
> > > directory services to about 300 hosts, and 200 employees using it; and
> > > haven't had any problems LDAP wise until now. So we think we are missing
> > a
> > > mapping here. Any ideas?
> >
> > Fredy,
> > I quickly tried to check for some documentation on how to configure this
> > stuff, but found only useless superficial guides on how to find the
> > pointy/clicky buttons to push to enable the service.
> >
> > I am not a Mac expert by a long shot so I cannot help you much here.
> >
> > Is there any guide available on how to use this service with other LDAP
> > servers, like openLDAP or Active Directory ? We can probably draw some
> > conclusions from there.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
> 
> 


-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to