On 01/14/2015 07:34 PM, Dmitri Pal wrote:
> On 01/14/2015 01:11 PM, Ejner Fergo wrote:
>> Hola,
>>
>> This is a response to:
>> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
>>
>> Scott, maybe you already found the solution, but I've been banging my head
>> with the same problem, albeit with a newer version of FreeIPA and OSX. I used
>> this excellent howto to get started:
>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>
>> Despite initial success, without secondary groups the OSX integration doesn't
>> really make sense. I managed to get it working though, by doing this:
>>
>> In the "Search & Mappings" area of Directory Utility, change the "Search
>> base" of the Groups record type from
>> 'cn=groups,cn=accounts,dc=example,dc=com' to
>> 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts). In
>> Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might
>> have to map to 'member' in FreeIPA 3.0.
>>
>> With these settings, doing an 'id user' on OSX shows all secondary groups,
>> even indirect group membership!
>>
>> I still have to test and figure stuff out about ssh and sudo on the OSX side
>> of things, but that isn't as important as having group access control.
>>
>> Hope it helps!
>>
>> Best regards,
>> Ejner Fergo
>>
>
> Thanks for sharing!
> So this seems to mean that Mac expects 2307 schema instead of the 2307bis.
> So yes pointing to compat tree would be the right approach.
>
> Can we document it somewhere?
I at least added this useful link to http://www.freeipa.org/page/HowTos#UNIX
If there is some better place, please feel free to update.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
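The mapping change Ejner describes (Groups search base moved to the compat tree, GroupMembership mapped to memberUid) works because the two trees expose membership in different schemas, as Dmitri notes. The script below is an added illustration, not code from the thread or from the FreeIPA project: it parses two constructed LDIF fragments modelled on what the accounts tree (RFC 2307bis, `member` holding DNs, nested groups) and the compat tree (RFC 2307, `memberUid` holding login names, nesting flattened) return, and then emulates the lookup Directory Utility performs with each mapping. The entry DNs, group names and user names are assumptions made up for the example.

```python
"""Why macOS needs the FreeIPA compat tree for secondary groups.

Constructed LDIF, modelled on FreeIPA output (not captured from a real server):
the accounts tree lists members as DNs in `member` and keeps nesting, while the
compat tree lists login names in `memberUid` with nested membership flattened.
"""
from collections import defaultdict

# Assumed accounts-tree entries (RFC 2307bis): bob is only an indirect member of
# developers, via the nested group interns.
ACCOUNTS_LDIF = """\
dn: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
cn: developers
gidNumber: 1001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: cn=interns,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=interns,cn=groups,cn=accounts,dc=example,dc=com
cn: interns
gidNumber: 1002
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""

# Assumed compat-tree entries (RFC 2307): same groups, flattened memberUid lists.
COMPAT_LDIF = """\
dn: cn=developers,cn=groups,cn=compat,dc=example,dc=com
cn: developers
gidNumber: 1001
memberUid: alice
memberUid: bob

dn: cn=interns,cn=groups,cn=compat,dc=example,dc=com
cn: interns
gidNumber: 1002
memberUid: bob
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict (attribute -> list of values) per entry.
    Handles only the unfolded, non-base64 form used in the samples above."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = defaultdict(list)
        cur[attr].append(value)
    if cur is not None:
        entries.append(cur)
    return entries


def groups_by_name(entries, username, membership_attr):
    """Emulate Directory Utility with GroupMembership mapped to membership_attr:
    a user belongs to a group when that attribute contains the bare login name."""
    return sorted(e["cn"][0] for e in entries
                  if username in e.get(membership_attr, []))


def groups_by_dn(entries, username, users_base="cn=users,cn=accounts,dc=example,dc=com"):
    """Emulate a client that does understand `member` DNs but does not walk nested
    groups: only direct membership is found."""
    user_dn = f"uid={username},{users_base}"
    return sorted(e["cn"][0] for e in entries if user_dn in e.get("member", []))


def compare(username):
    """Return the secondary groups each configuration yields for one user."""
    accounts, compat = parse_ldif(ACCOUNTS_LDIF), parse_ldif(COMPAT_LDIF)
    return {
        # accounts tree + memberUid mapping: attribute absent, no groups at all
        "accounts/memberUid": groups_by_name(accounts, username, "memberUid"),
        # accounts tree + member DNs: direct groups only, nesting lost
        "accounts/member": groups_by_dn(accounts, username),
        # compat tree + memberUid mapping: direct and indirect groups
        "compat/memberUid": groups_by_name(compat, username, "memberUid"),
    }


if __name__ == "__main__":
    for config, groups in compare("bob").items():
        print(f"{config:20} -> {groups}")
```

Running it prints an empty list for the accounts tree with a memberUid mapping, only `interns` when matching on `member` DNs, and both `developers` and `interns` from the compat tree, which is the "even indirect group membership" result Ejner observed. To check the same thing against a live server before touching Directory Utility, an `ldapsearch` with the compat base and a filter such as `(memberUid=bob)` (hostname and base are, again, assumptions) should return every group the user is expected to have.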
