Sorry, I didn't look close enough, so missed the link to HowTos under "Additional Resources"...
On Fri, Jan 16, 2015 at 5:31 PM, Ejner Fergo <[email protected]> wrote:

> I emailed the author of the howto, so hopefully he will update it.
>
> I still think it would make sense to have this information (how to set up
> an OSX 10.7+ client) documented directly on freeipa.org like
> http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients, or at
> least have a link to http://www.freeipa.org/page/HowTos under
> http://www.freeipa.org/page/Documentation (I could not find a link to
> HowTos on freeipa.org without searching for it..).
>
> I may be willing to volunteer to write this updated howto, even though it
> would be a 99% copy/paste from linsec.ca .... don't know if that's a good
> idea.
>
> On Thu, Jan 15, 2015 at 10:23 AM, Martin Kosek <[email protected]> wrote:
>
>> On 01/14/2015 07:34 PM, Dmitri Pal wrote:
>> > On 01/14/2015 01:11 PM, Ejner Fergo wrote:
>> >> Hola,
>> >>
>> >> This is a response to:
>> >> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
>> >>
>> >> Scott, maybe you already found the solution, but I've been banging my head
>> >> with the same problem, albeit with a newer version of FreeIPA and OSX. I used
>> >> this excellent howto to get started:
>> >> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>> >>
>> >> Despite initial success, without secondary groups the OSX integration doesn't
>> >> really make sense. I managed to get it working though, by doing this:
>> >>
>> >> In the "Search & Mappings" area of Directory Utility, change the "Search
>> >> base" of the Groups record type from
>> >> 'cn=groups,cn=accounts,dc=example,dc=com' to
>> >> 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts). In
>> >> Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might
>> >> have to map to 'member' in FreeIPA 3.0.
>> >>
>> >> With these settings, doing an 'id user' on OSX shows all secondary groups,
>> >> even indirect group membership!
>> >>
>> >> I still have to test and figure stuff out about ssh and sudo on the OSX side
>> >> of things, but that isn't as important as having group access control.
>> >>
>> >> Hope it helps!
>> >>
>> >> Best regards,
>> >> Ejner Fergo
>> >
>> > Thanks for sharing!
>> > So this seems to mean that Mac expects 2307 schema instead of the 2307bis.
>> > So yes pointing to compat tree would be the right approach.
>> >
>> > Can we document it somewhere?
>>
>> I at least added this useful link to
>> http://www.freeipa.org/page/HowTos#UNIX
>>
>> If there is some better place, please feel free to update.
>>
>> Martin
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
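The schema difference discussed in the thread above, as an added example that is not part of the original messages or of FreeIPA's code: a simplified model of a client that matches the short login name against a group attribute, run over an RFC 2307bis-style accounts tree and an RFC 2307-style compat view. The users `alice` and `bob`, the groups `devs` and `staff`, and the flattening helper are constructed assumptions; the two search bases are the ones quoted in the thread.

```python
# Constructed sample data: user and group names are hypothetical.
BASE = "dc=example,dc=com"
ACCOUNTS = f"cn=groups,cn=accounts,{BASE}"
COMPAT = f"cn=groups,cn=compat,{BASE}"

def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{BASE}"

# Accounts tree (2307bis style): 'member' holds full DNs and groups can nest.
ACCOUNTS_TREE = {
    f"cn=devs,{ACCOUNTS}": {"cn": "devs", "member": [user_dn("alice")]},
    f"cn=staff,{ACCOUNTS}": {"cn": "staff",
                             "member": [f"cn=devs,{ACCOUNTS}", user_dn("bob")]},
}

def build_compat(accounts):
    """Model of a compat view: nested 'member' DNs flattened to 'memberUid' names."""
    def uids(dn, seen):
        out = set()
        for m in accounts[dn]["member"]:
            if m in accounts:            # nested group: recurse, guarding against cycles
                if m not in seen:
                    out |= uids(m, seen | {m})
            else:                        # user DN: keep only the RDN value (login name)
                out.add(m.split(",")[0].split("=", 1)[1])
        return out
    return {f"cn={e['cn']},{COMPAT}": {"cn": e["cn"],
                                       "memberUid": sorted(uids(dn, {dn}))}
            for dn, e in accounts.items()}

def groups_for(tree, attr, uid):
    """Groups a client finds when it compares the short login name to `attr`."""
    return sorted(e["cn"] for e in tree.values() if uid in e.get(attr, []))

COMPAT_TREE = build_compat(ACCOUNTS_TREE)

if __name__ == "__main__":
    for uid in ("alice", "bob"):
        print(uid, "accounts/memberUid:", groups_for(ACCOUNTS_TREE, "memberUid", uid))
        print(uid, "accounts/member:   ", groups_for(ACCOUNTS_TREE, "member", uid))
        print(uid, "compat/memberUid:  ", groups_for(COMPAT_TREE, "memberUid", uid))
```

When group membership drives access control, an empty result from the accounts tree means group-based rules silently never match for that client, which is why the lookup result is worth checking with `id user` after changing the mapping.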
