On 09/02/2014 10:08 PM, Chris Whittle wrote:
hmmm...
Is there not a permission or role in freeIPA that I could give a group or role just to see everything in
my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com"

I think it might be related to the new permission system that was released in 4.0.
Stay tuned, the chivalry is on the way...




On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal <d...@redhat.com> wrote:

    On 09/02/2014 09:34 PM, Chris Whittle wrote:
    Ok Dmitri, I got it added using what you sent and the following
    links
    https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
    and
    https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html

    I think I'm 90% there with the caveat that I can't seem to see
    what permissions I need to give a user to view my NIS "view".
     Right now Directory Manager can see it but that is it.

    Any ideas?

    You got me :-)
    I would defer to a specialist in this area to solve this problem.




    On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle <cwhi...@gmail.com> wrote:

        Thanks Dmitri, before I get too far down this rabbit hole (cause
        it looks a little scary) let me make sure I get it.

        So using Slap-NIS I should be able to create a view into
        FreeIPA that would show only a subset of users based on
        something like a group or an attribute?

        Then using the built in MAC Directory Utility (or any LDAP
        client) I should be able to use that Slap-NIS view as a
        searchbase and it would return just people I wanted.  This
        could be used to keep anyone outside that view from logging in?

        I'm sorry for the noob questions but there isn't a lot of
        good documentation on SlapNIS from first glance and I don't
        want to spend 2 days figuring it out if it's not going to work.

        As always extremely appreciated!
        Whitt







        On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal <d...@redhat.com> wrote:

            On 09/02/2014 03:04 AM, Chris Whittle wrote:
            I am trying to limit who can login to my macs and I'm
            having to stick to what OSX will let me do.

            Currently I can only limit users using the searchbase
            and right now it's "cn=users,cn=accounts,dc=DOMAIN,dc=com"

            This works fine unless I wanted to create a user that I
            wanted in LDAP for other purposes but not to login.

            So my questions are,
            A) Can we create different OUs in FreeIPA like most LDAP
            servers?

            You can use slapi-nis to create an alternative view of
            the tree or trees and point your special client to that tree.
            There you might be able to expose a small subset of users
            that match your special criteria.
            The slapi-nis and compat docs are in the doc folder in
            the corresponding git repo.

            IPA uses compat tree for its own purposes but you can
            tweak it if you need or create a different view.

            HTH



            B) If not, does anyone have any idea on how I could do this
            with OSX's Directory Utility?

            Thanks!





            --
            Thank you,
            Dmitri Pal

            Sr. Engineering Manager IdM portfolio
            Red Hat, Inc.





    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
