> I have some questions for the author himself or anyone who has replicated
> his work:
> - Which OS X versions has this been tested on?

10.6.7 through 10.10.4 (latest Snow Leopard through latest Yosemite in May
2015). The client had two Snow Leopards, one or two Lions, 10 Mountain Lions
and the rest were Mavericks slowly upgraded during the project to Yosemite.

> - Does changing an expired password work on an OS X GUI login?

I don't recall testing it. I recall testing the password change with the
Kerberos "Ticket Viewer.app" and from the Users and Groups applet of System

> - Does the LDIF file included in that thread only work for MIT Kerberos
> or does it also work for Heimdal?

It should work for both. IIRC FreeIPA uses MIT while OS X uses Heimdal.

Let's start with a bit of background:
The project that I worked on was for an all-Apple house (50+ OS X
installations, hundreds of iOS and only 2 Windows stations).
It took place between late November 2014 and February 2015 and I monitored it
through May 2015.
I'm reasonably sure that we haven't set password expiration.
One of the criteria for the project was to actually migrate the original
passwords stored in almost clear-text in OpenDirectory to the FreeIPA server
(80 lines of code and the /var/db/authdb file).
We've migrated the file sharing to Samba and NetATalk. Samba was a royal pain
for LDAP+Kerberos in user mode.
We migrated L2TP/IPSec and PPTP using Winbind for authentication (again with
We migrated mail and calendar to Postfix+Dovecot+SOGo.
And we've also migrated a few simple (static) websites.
Mostly unrelated to IPA we also migrated DHCP and DNS. DiscoveryD gave us major
The interesting part that we've accomplished was that we've managed to do the
migration almost transparently because FreeIPA was seen as a Kerberized OD
Server. As such, the clients were able to use Kerberized logins to each other's
services (local file shares and such).
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project