Hi Guillermo, In February I published my findings for switching IPA in OpenDirectory compatible mode. See: https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html <https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html> Start by reading that thread.
More recently, Stefan Zecevic picked this up and opened up some interesting test cases for the setup in this thread: https://www.redhat.com/archives/freeipa-users/2016-May/msg00310.html <https://www.redhat.com/archives/freeipa-users/2016-May/msg00310.html> There's also a ticket for implementing these changes in IPA 4.4 <https://fedorahosted.org/freeipa/ticket/4813>. I'm willing to invest 4 hours per week into this if anyone else joins. I have VMware virtual machines for every x86 OS X release possible (from Tiger to El Capitan) and for historical reasons I also have a few PPC releases in QEMU format. I can host the VMs on a server but I need some help configuring the 389 directory server plugins to automatically generate the needed extra attributes (authAuthority and altSecurityIdentities). I personally think that cn=config should be also automatically generated. Cheers, Răzvan > On 22 mai 2016, at 21:31, Guillermo Fuentes > <guillermo.fuen...@modernizingmedicine.com> wrote: > > This is great info Razvan. Thanks for sharing it! > We provision Macs by pushing configuration scripts via Munki. > Can you point me where I can find more documentation about this? > Thanks again, > Guillermo > > On Fri, May 20, 2016 at 3:45 PM, "Răzvan Corneliu C.R. VILT" > <razvan.v...@me.com <mailto:razvan.v...@me.com>> wrote: > Hi guys, > > Regarding the Macs, there are a few notes: > > 1) The template kerberos setup can be pushed through LDAP (cn=KerberosClient > and cn=KerberosKDC,cn=config) > 2) The LDAP replicas can be also configured in cn=config and it is cached by > OpenDirectory in the following format: > > dn: cn=ldapreplicas, cn=config, dc=example, dc=com > objectClass: apple-configuration > apple-ldap-replica: ldap://192.168.1.1 <> > apple-ldap-replica: ldap://192.168.2.2 <> > apple-ldap-writable-replica: ldap://192.168.1.1 <> > apple-ldap-writable-replica: ldap://192.168.2.2 <> > apple-xml-plist: base64 encode of: > --------------------- > <?xml version="1.0" encoding="UTF-8"?> > <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" > "http://www.apple.com/DTDs/PropertyList-1.0.dtd > <http://www.apple.com/DTDs/PropertyList-1.0.dtd>"> > <plist version="1.0"> > <dict> > <key>GUID</key> > <string>01234567-89AB-CDEF-0123-456789ABCDEF</string> > <key>IPaddresses</key><!-- of the master ipa host if there are multiple > interfaces for it --> > <array> > <string>192.168.1.1</string> > <string>10.0.0.1</string> > </array> > <key>PrimaryMaster</key> > <string>ipa-server.example.org <http://ipa-server.example.org/></string> > <key>ReplicaName</key> > <string>Master</string> > <key>Replicas</key> > <array> > <string>ipa-bkserver.example.org > <http://ipa-bkserver.example.org/></string> > <array> > <!-- use only <array/> if there are no replicas --> > </dict> > </plist> > ---------------------- > > 3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL > and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL. > > > If you do this manually instead of OpenDirectory compatible way, your machine > doesn't create an account for itself in IPA so service access without login > are not available, it doesn't download the root CA automatically and you > don't get SSO out of the box. > > >> On 20 mai 2016, at 22:13, Guillermo Fuentes >> <guillermo.fuen...@modernizingmedicine.com >> <mailto:guillermo.fuen...@modernizingmedicine.com>> wrote: >> >> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = >> yes" and removing the KDC server ("kdc = xxx") entries from the >> /Library/Preferences/edu.mit.Kerberos config file does the trick. >> >> For LDAP, although you can enable it, I can't see it documented anywhere so >> I'm assuming that isn't the recommended way for the Mac. This can be enabled >> by running this for the LDAP server you're using: >> sudo odutil set configuration /LDAPv3/ipa1.example.com >> <http://ipa1.example.com/> module ldap option "Use DNS replicas" "true" >> >> Adding the altServer values with the Directory Manager credentials worked >> and I'm happy to report that the failover on the Mac works great with >> FreeIPA! >> >> As suggested by Rob, for three servers, on server ipa1: >> $ ldapmodify -x -D 'cn=directory manager' -W >> Enter LDAP Password: >> dn: >> changetype: modify >> add: altServer >> altServer: ldap://ipa2.example.com <http://ipa2.example.com/> >> - >> add: altServer >> altServer: ldap://ipa3.example.com <http://ipa3.example.com/> >> >> modifying entry "" >> ^D >> >> The altServer values didn't replicate so I had to add them to each of the >> FreeIPA servers. >> >> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute >> to look for replicas in case of failover: >> sudo odutil set configuration /LDAPv3/ipa1.example.com >> <http://ipa1.example.com/> module ldap option "Use altServer replicas" "true" >> >> And, viola! Highly available authentication with a FreeIPA cluster for the >> Mac! >> >> Thanks so much for your help! >> Guillermo >> >> >> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden <rcrit...@redhat.com >> <mailto:rcrit...@redhat.com>> wrote: >> Martin Basti wrote: >> Hello, >> >> IPA uses SRV records for failover to another replica/LDAP. >> >> I don't know how it works on MACs, but in case that there is no >> possibility to use SRV, you may need to file a RFE ticket >> (https://fedorahosted.org/freeipa/newticket >> <https://fedorahosted.org/freeipa/newticket>) >> >> Agreed, SRV records are the preferred mechanism. I was curious though so >> played with this a bit and it is possible to add altServer values: >> >> $ ldapmodify -x -D 'cn=directory manager' -W >> Enter LDAP Password: >> dn: >> changetype: modify >> add: altServer >> altServer: ldap://gyre.example.com <http://gyre.example.com/> >> >> modifying entry "" >> ^D >> >> $ ldapsearch -LLL -x -b "" -s base altServer >> dn: >> altServer: ldap://gyre.example.com <http://gyre.example.com/> >> >> My test rig is a single master so I don't know if this replicates or not. >> >> rob >> >> >> Martin >> >> >> On 19.05.2016 17:43, Guillermo Fuentes wrote: >> Hello all, >> >> As OS X allows LDAP server failover via the altServer attribute >> (RFC4512) from RootDSE, it would be great to be able to configure our >> Macs to connect to a single FreeIPA server and add other FreeIPA >> servers as multiple altServer values. >> The current schema doesn't seem to support adding this attribute. >> Can this be done in a way I'm missing? >> >> Thanks in advance! >> >> GUILLERMO FUENTES >> SR. SYSTEMS ADMINISTRATOR >> >> 561-880-2998 x1337 <tel:561-880-2998%20x1337> >> >> guillermo.fuen...@modmed.com <mailto:guillermo.fuen...@modmed.com> >> <mailto:guillermo.fuen...@modmed.com <mailto:guillermo.fuen...@modmed.com>> >> >> >> [ Modernizing Medicine ] <http://www.modmed.com/ <http://www.modmed.com/>> >> [ Facebook ] <http://www.facebook.com/modernizingmedicine >> <http://www.facebook.com/modernizingmedicine>> [ >> LinkedIn ] <http://www.linkedin.com/company/modernizing-medicine/ >> <http://www.linkedin.com/company/modernizing-medicine/>> [ >> YouTube ] <http://www.youtube.com/user/modernizingmedicine >> <http://www.youtube.com/user/modernizingmedicine>> [ >> Twitter ] <https://twitter.com/modmed_EMA <https://twitter.com/modmed_EMA>> >> [ Blog ] >> <http://www.modmed.com/BlogBeyondEMR <http://www.modmed.com/BlogBeyondEMR>> >> [ Instagram ] >> <http://instagram.com/modernizing_medicine >> <http://instagram.com/modernizing_medicine>> >> >> >> >> >> >> >> >> >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> <https://www.redhat.com/mailman/listinfo/freeipa-users> >> Go to http://freeipa.org <http://freeipa.org/> for more info on the project > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > Go to http://freeipa.org <http://freeipa.org/> for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project