On 01/16/2015 11:36 AM, Ejner Fergo wrote:
Sorry, I didn't look close enough, so missed the link to HowTos under "Additional Resources"...

On Fri, Jan 16, 2015 at 5:31 PM, Ejner Fergo <ejner...@gmail.com> wrote:

    I emailed the author of the howto, so hopefully he will update it.

    I still think it would make sense to have this information (how to
    set up an OSX 10.7+ client) documented directly on freeipa.org like
    http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients,
    or at least have a link to http://www.freeipa.org/page/HowTos
    under http://www.freeipa.org/page/Documentation (I could not find
    a link to HowTos on freeipa.org without searching for it..).

    I may be willing to volunteer to write this updated howto, even
    though it would be a 99% copy/paste from linsec.ca .... don't know
    if that's a good idea.


Many people are looking for pointers on the FreeIPA site. Some kind of linking or copy/paste needs to happen, whatever makes more sense and is the cleanest.



    On Thu, Jan 15, 2015 at 10:23 AM, Martin Kosek <mko...@redhat.com> wrote:

        On 01/14/2015 07:34 PM, Dmitri Pal wrote:
        > On 01/14/2015 01:11 PM, Ejner Fergo wrote:
        >> Hola,
        >>
        >> This is a response to:
        >> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
        >>
        >> Scott, maybe you already found the solution, but I've been banging my head
        >> with the same problem, albeit with a newer version of FreeIPA and OSX. I used
        >> this excellent howto to get started:
        >>
        >> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
        >>
        >> Despite initial success, without secondary groups the OSX integration doesn't
        >> really make sense. I managed to get it working though, by doing this:
        >>
        >> In the "Search & Mappings" area of Directory Utility, change the "Search
        >> base" of the Groups record type from
        >> 'cn=groups,cn=accounts,dc=example,dc=com' to
        >> 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts). In
        >> Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might
        >> have to map to 'member' in FreeIPA 3.0.
        >>
        >> With these settings, doing an 'id user' on OSX shows all secondary groups,
        >> even indirect group membership!
        >>
        >> I still have to test and figure stuff out about ssh and sudo on the OSX side
        >> of things, but that isn't as important as having group access control.
        >>
        >> Hope it helps!
        >>
        >> Best regards,
        >> Ejner Fergo
        >>
        >
        > Thanks for sharing!
        > So this seems to mean that Mac expects 2307 schema instead of the 2307bis.
        > So yes pointing to compat tree would be the right approach.
        >
        > Can we document it somewhere?

        I at least added this useful link to
        http://www.freeipa.org/page/HowTos#UNIX

        If there is some better place, please feel free to update.

        Martin

        --
        Manage your subscription for the Freeipa-users mailing list:
        https://www.redhat.com/mailman/listinfo/freeipa-users
        Go To http://freeipa.org for more info on the project





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
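
The schema difference discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA code: groups under cn=accounts carry `member` DNs (2307bis, possibly nested), while the compat tree exposes `memberUid` login names (2307). The users, groups and the flattening function are constructed for illustration; they model the behaviour reported above (indirect membership becomes visible), not the server's implementation.

```python
# Constructed sample data; only the two search bases come from the thread.
BASE = "dc=example,dc=com"
ACCOUNTS = f"cn=groups,cn=accounts,{BASE}"   # rfc2307bis-style: member = DN
COMPAT = f"cn=groups,cn=compat,{BASE}"       # rfc2307-style: memberUid = login

def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{BASE}"

def group_dn(cn):
    return f"cn={cn},{ACCOUNTS}"

# alice is a direct member of admins only; admins is nested in staff,
# and staff is nested in everyone.
ACCOUNTS_GROUPS = {
    group_dn("admins"): {"cn": "admins", "member": [user_dn("alice")]},
    group_dn("staff"): {"cn": "staff",
                        "member": [group_dn("admins"), user_dn("bob")]},
    group_dn("everyone"): {"cn": "everyone", "member": [group_dn("staff")]},
}

def flatten_uids(dn, groups, seen=None):
    """Resolve member DNs to login names, following nested groups."""
    seen = set() if seen is None else seen
    if dn in seen:                 # guard against membership cycles
        return set()
    seen.add(dn)
    uids = set()
    for member in groups[dn]["member"]:
        if member in groups:       # member is itself a group: recurse
            uids |= flatten_uids(member, groups, seen)
        else:                      # simple RDN parse, no DN escaping handled
            uids.add(member.split(",", 1)[0].split("=", 1)[1])
    return uids

def compat_view(groups):
    """Build rfc2307-style entries with flattened memberUid values."""
    return {
        f"cn={e['cn']},{COMPAT}": {
            "cn": e["cn"],
            "memberUid": sorted(flatten_uids(dn, groups)),
        }
        for dn, e in groups.items()
    }

def groups_for(uid, entries):
    """Groups seen by a client that only matches memberUid == login name."""
    return sorted(e["cn"] for e in entries.values()
                  if uid in e.get("memberUid", []))
```

Against the cn=accounts entries `groups_for("alice", ...)` finds nothing because there is no `memberUid` to match, while the compat view returns her direct and indirect groups.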
