Hello, I have managed to get most of the functionality working with OSX and FreeIPA. What I cannot seem to get is the secondary groups working.
Posix security is working for primary groups, but the security for people with a secondary group doesn't work. I can see in the Directory Utility on OSX that each user has its own group created and the secondary groups are in there. As well, I have a mapping that connected groupMember to memberUid, which I have read is the correct way to do this.

Here is what I get when I go `dscl -read` on OSX 10.8 asking about the production group.

---------
dscl -read /LDAPv3/192.168.x.x/Groups/production
dsAttrTypeNative:description: producers and budget access for documents
dsAttrTypeNative:ipaUniqueID: db1a2b38-4440-11e4-a2aa-00304881a4bc
dsAttrTypeNative:member: uid=alapierre,cn=users,cn=accounts,dc=embassy,dc=vfx uid=danielle,cn=users,cn=accounts,dc=embassy,dc=vfx uid=ran,cn=users,cn=accounts,dc=embassy,dc=vfx uid=winston,cn=users,cn=accounts,dc=embassy,dc=vfx uid=trevor,cn=users,cn=accounts,dc=embassy,dc=vfx
dsAttrTypeNative:objectClass: top groupofnames nestedgroup ipausergroup ipaobject posixgroup
AppleMetaNodeLocation: /LDAPv3/192.168.4.150
AppleMetaRecordName: cn=production,cn=groups,cn=accounts,dc=embassy,dc=vfx
PrimaryGroupID: 55400020
RecordName: production
RecordType: dsRecTypeStandard:Groups
------

However, when I type `groups` on the Mac, production isn't there, and if I `id` one of the members of the group, they do not show the secondary group. So I guess I am wondering how do I get OSX access control to use ALL the info that it already sees from FreeIPA?

Thanks
Scott A

--
Scott Allen
Head of IT
The Embassy Visual Effects Inc.
4th Floor - 177 W 7th Avenue
Vancouver, B.C. V5Y 1L8
604.696.6862 ext 239
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
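
An added diagnostic sketch, not part of the original post: it parses a group record in the dscl format quoted above, lists the short names behind the DN-valued `member` attribute, and reports whether the record carries any `memberUid` values, the attribute the post says the group-membership mapping points at. The helper names and the shortened sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# Constructed sample: the group record quoted in the post, member list shortened.
sample_record() {
cat <<'EOF'
dsAttrTypeNative:member: uid=alapierre,cn=users,cn=accounts,dc=embassy,dc=vfx uid=danielle,cn=users,cn=accounts,dc=embassy,dc=vfx
dsAttrTypeNative:objectClass: top groupofnames nestedgroup ipausergroup ipaobject posixgroup
PrimaryGroupID: 55400020
RecordName: production
EOF
}

# Read a dscl record on stdin; print the uid from each DN in the native
# member attribute, one per line. Values wrapped onto indented continuation
# lines are handled too.
member_short_names() {
    awk '
        { start = 0 }
        /^dsAttrTypeNative:member:/ {
            start = 1; inattr = 1
            sub(/^dsAttrTypeNative:member:/, "")
        }
        !start && /^[^ \t]/ { inattr = 0 }   # next attribute begins
        inattr {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^uid=/) { split($i, rdn, ","); print substr(rdn[1], 5) }
        }
    '
}

# Succeed only if the record carries a native memberUid attribute.
has_memberuid() {
    grep -qi '^dsAttrTypeNative:memberUid:'
}

# Summarise one record: which membership attributes it actually contains.
report() {
    rec=$(cat)
    echo "DN members: $(printf '%s\n' "$rec" | member_short_names | tr '\n' ' ')"
    if printf '%s\n' "$rec" | has_memberuid; then
        echo "memberUid: present"
    else
        echo "memberUid: absent (only DN-valued member entries)"
    fi
}

sample_record | report
```

Piping the full record from the post into `report` in place of `sample_record` gives the same summary for all five members.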