> I have some questions for the author himself or anyone who has replicated
> his work:
>   - Which OS X versions has this been tested on?

10.6.7 through 10.10.4 (latest Snow Leopard through latest Yosemite in May 
2015). The client had two Snow Leopards, one or two Lions, 10 Mountain Lions 
and the rest were Mavericks slowly upgraded during the project to Yosemite.

>   - Does changing an expired password work on an OS X GUI login?

I don't recall testing it. I recall testing the password change with the 
Kerberos "Ticket Viewer.app" and from the Users and Groups applet of System 

>   - Does the LDIF file included in that thread only work for MIT Kerberos
>   or does it also work for Heimdal?

It should work for both. IIRC FreeIPA uses MIT while OS X uses Heimdal.

Let's start with a bit of background:
The project that I worked on was for an all-Apple house (50+ OS X 
installations, hundreds of iOS and only 2 Windows stations).
It took place between late November 2014 and February 2015 and I monitored it 
through May 2015.
I'm reasonably sure that we haven't set password expiration.
One of the criteria for the project was to actually migrate the original 
passwords stored in almost clear-text in OpenDirectory to the FreeIPA server 
(80 lines of code and the /var/db/authdb file).
We've migrated the file sharing to Samba and NetATalk. Samba was a royal pain 
for LDAP+Kerberos in user mode.
We migrated L2TP/IPSec and PPTP using Winbind for authentication (again with 
We migrated mail and calendar to Postfix+Dovecot+SOGo.
And we've also migrated a few simple (static) websites.
Mostly unrelated to IPA we also migrated DHCP and DNS. DiscoveryD gave us major 
The interesting part that we've accomplished was that we've managed to do the 
migration almost transparently because FreeIPA was seen as a Kerberized OD 
Server. As such, the clients were able to use Kerberized logins to each other's 
services (local file shares and such).