Chris Whittle wrote:
> hmmm... 
> Is there not a permission or role in freeIPA that I could give a group
> or role just to see everything in 
> my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com"

Can you provide more details on what you're doing, and how you are
binding? Can you search the cn=users,cn=compat,dc=DOMAIN,dc=com tree?

AFAICT you should be able to read cn=compat as long as you bind as a user.

rob

> 
> 
> 
> On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal <d...@redhat.com
> <mailto:d...@redhat.com>> wrote:
> 
>     On 09/02/2014 09:34 PM, Chris Whittle wrote:
>>     Ok Dmitri, I got it added using what you sent and the following links
>>     
>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
>>     and
>>     https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>
>>     I think i'm 90% there with the caveat that I can't seem to see
>>     what permissions I need to give a user to view my NIS "view".
>>      Right now Directory Manager can see it but that is it.  
>>
>>     Any ideas?
>>
>     You got me :-)
>     I would defer to specialist in this area to solve this problem.
> 
> 
>>
>>
>>     On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle <cwhi...@gmail.com
>>     <mailto:cwhi...@gmail.com>> wrote:
>>
>>         Thanks Dimitri, before I get too far this rabbit hole (cause
>>         it looks a little scary) let me make sure I get it.
>>
>>         So using Slap-NIS I should be able to create a view into
>>         FreeIPA that would show only a subset of user based on
>>         something like a group or an attribute?  
>>
>>         Then using the built in MAC Directory Utility (or any LDAP
>>         client) I should be able to use that Slap-NIS view as a
>>         searchbase and it would return just people I wanted.  This
>>         could be used keep anyone outside that view from logging in?
>>
>>         I'm sorry for the noob questions but there isn't a lot of good
>>         documentation on SlapNIS from first glance and I don't want to
>>         spend 2 days figuring it out if it's not going to work.
>>
>>         As always extremely appreciated!
>>         Whitt
>>
>>
>>
>>
>>
>>
>>
>>         On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal <d...@redhat.com
>>         <mailto:d...@redhat.com>> wrote:
>>
>>             On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>             I am trying to limit who can login to my macs and I'm
>>>             having to stick to what OSX will let me do.
>>>
>>>             Currently I can only limit users using the searchbase and
>>>             right now it's "cn=users,cn=accounts,dc=DOMAIN,dc=com"
>>>
>>>             This works fine unless I wanted to create a user that I
>>>             wanted in LDAP for other purposes but not to login.  
>>>
>>>             So my questions are, 
>>>             A)Can we create different OUs in FreeIPA like most LDAP
>>>             servers?
>>
>>             You can use slapi-nis to create an alternative view of the
>>             tree or trees and point your special client to that tree.
>>             There you might be able to expose a small subset of users
>>             that match your special criteria.
>>             The slapi-nis and compat docs are in the doc folder in the
>>             corresponding git repo.
>>
>>             IPA uses compat tree for its own purposes but you can
>>             tweak it if you need or create a different view.
>>
>>             HTH
>>
>>
>>
>>>             B)If not anyone have any idea on how I could do this with
>>>             OSX's directory Utility?
>>>
>>>             Thanks!
>>>
>>>
>>>
>>
>>
>>             -- 
>>             Thank you,
>>             Dmitri Pal
>>
>>             Sr. Engineering Manager IdM portfolio
>>             Red Hat, Inc.
>>
>>
>>
> 
> 
>     -- 
>     Thank you,
>     Dmitri Pal
> 
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
> 
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to