Hello,
I have managed to get most of the functionality working with OSX and
FreeIPA. What I cannot seem to get is the secondary groups working.

Posix security is working for primary groups but the security for people
with a secondary group doesn't work.

I can see in the Directory Utility on OSX that each user has it's own group
created and the secondary groups are in there. As well, I have a mapping
that connected groupMember to memberUid which I have read is the correct
way to do this.


Here is what I get when I go 'dscl -read` on OSX 10.8 asking about the
production group.
---------
dscl -read /LDAPv3/192.168.x.x/Groups/production
dsAttrTypeNative:description:
 producers and budget access for documents
dsAttrTypeNative:ipaUniqueID: db1a2b38-4440-11e4-a2aa-00304881a4bc
dsAttrTypeNative:member:
uid=alapierre,cn=users,cn=accounts,dc=embassy,dc=vfx
uid=danielle,cn=users,cn=accounts,dc=embassy,dc=vfx
uid=ran,cn=users,cn=accounts,dc=embassy,dc=vfx
uid=winston,cn=users,cn=accounts,dc=embassy,dc=vfx
uid=trevor,cn=users,cn=accounts,dc=embassy,dc=vfx
dsAttrTypeNative:objectClass: top groupofnames nestedgroup ipausergroup
ipaobject posixgroup
AppleMetaNodeLocation: /LDAPv3/192.168.4.150
AppleMetaRecordName: cn=production,cn=groups,cn=accounts,dc=embassy,dc=vfx
PrimaryGroupID: 55400020
RecordName: production
RecordType: dsRecTypeStandard:Groups
------

However, when I type `groups` on the Mac, production isn't there and if I
`id` one of the members of the group, they do not show the secondary group.

So I guess I am wondering how do I get OSX access control to use the ALL
the info that it already sees from FreeIPA?

Thanks
Scott A


-- 
Scott Allen
Head of IT
The Embassy Visual Effects Inc.
4th Floor - 177 W 7th Avenue
Vancouver, B.C.
V5Y 1L8
604.696.6862 ext 239
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to