Hi Guillermo,

In February I published my findings on switching IPA into OpenDirectory-compatible 
mode. See:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html
Start by reading that thread.

More recently, Stefan Zecevic picked this up and opened up some interesting 
test cases for the setup in this thread:
https://www.redhat.com/archives/freeipa-users/2016-May/msg00310.html

There's also a ticket for implementing these changes in IPA 4.4: 
https://fedorahosted.org/freeipa/ticket/4813

I'm willing to invest 4 hours per week into this if anyone else joins.

I have VMware virtual machines for every x86 OS X release possible (from Tiger 
to El Capitan) and for historical reasons I also have a few PPC releases in 
QEMU format.

I can host the VMs on a server but I need some help configuring the 389 
directory server plugins to automatically generate the needed extra attributes 
(authAuthority and altSecurityIdentities). I personally think that cn=config 
should also be generated automatically.

Cheers,
Răzvan

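As an added example (not code from this thread or from FreeIPA), here is how the cn=ldapreplicas,cn=config entry described further down in the thread can be generated rather than hand-written: the plist is built with the standard-library plistlib, base64-encoded, and emitted as LDIF. Host names, IPs and the base DN are constructed sample values; the attribute/key names are the ones quoted in the thread.

```python
import base64
import plistlib
import uuid


def build_replica_plist(primary, primary_ips, replicas, guid=None):
    """Dictionary matching the apple-xml-plist layout quoted in the thread.

    'Replicas' must be present as an empty array (not omitted) when the
    master has no replicas, which is what '<array/>' means there.
    """
    return {
        "GUID": guid or str(uuid.uuid4()).upper(),
        "IPaddresses": list(primary_ips),   # all addresses of the master host
        "PrimaryMaster": primary,
        "ReplicaName": "Master",
        "Replicas": list(replicas),
    }


def build_ldapreplicas_ldif(base_dn, primary, primary_ips, replicas, guid=None):
    """Emit the cn=ldapreplicas,cn=config entry as LDIF text.

    The attribute value itself is the base64 text (as the thread describes),
    so it is written with a single ':'; '::' would make ldapadd decode it and
    store the raw XML instead.
    """
    plist = build_replica_plist(primary, primary_ips, replicas, guid)
    encoded = base64.b64encode(plistlib.dumps(plist, fmt=plistlib.FMT_XML)).decode("ascii")
    # Assumption: replica URLs are derived from host names; the thread used IPs.
    urls = [f"ldap://{h}" for h in [primary, *replicas]]
    lines = [f"dn: cn=ldapreplicas,cn=config,{base_dn}", "objectClass: apple-configuration"]
    lines += [f"apple-ldap-replica: {u}" for u in urls]
    lines += [f"apple-ldap-writable-replica: {u}" for u in urls]
    lines.append(f"apple-xml-plist: {encoded}")
    return "\n".join(lines) + "\n"


def decode_ldif_plist(ldif_text):
    """Round-trip check: pull the base64 value back out and parse the plist."""
    for line in ldif_text.splitlines():
        if line.startswith("apple-xml-plist: "):
            return plistlib.loads(base64.b64decode(line.split(": ", 1)[1]))
    raise ValueError("no apple-xml-plist attribute in entry")


if __name__ == "__main__":
    print(build_ldapreplicas_ldif("dc=example,dc=com", "ipa-server.example.org",
                                  ["192.168.1.1", "10.0.0.1"], ["ipa-bkserver.example.org"]))
```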

> On 22 mai 2016, at 21:31, Guillermo Fuentes 
> <guillermo.fuen...@modernizingmedicine.com> wrote:
> 
> This is great info Razvan. Thanks for sharing it!
> We provision Macs by pushing configuration scripts via Munki.
> Can you point me where I can find more documentation about this?
> Thanks again,
> Guillermo
> 
> On Fri, May 20, 2016 at 3:45 PM, "Răzvan Corneliu C.R. VILT" 
> <razvan.v...@me.com> wrote:
> Hi guys,
> 
> Regarding the Macs, there are a few notes:
> 
> 1) The template Kerberos setup can be pushed through LDAP (cn=KerberosClient 
> and cn=KerberosKDC,cn=config)
> 2) The LDAP replicas can also be configured in cn=config, and they are cached by 
> OpenDirectory in the following format:
> 
> dn: cn=ldapreplicas,cn=config,dc=example,dc=com
> objectClass: apple-configuration
> apple-ldap-replica: ldap://192.168.1.1
> apple-ldap-replica: ldap://192.168.2.2
> apple-ldap-writable-replica: ldap://192.168.1.1
> apple-ldap-writable-replica: ldap://192.168.2.2
> apple-xml-plist: base64 encode of:
> ---------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <key>GUID</key>
>     <string>01234567-89AB-CDEF-0123-456789ABCDEF</string>
>     <!-- IPaddresses: addresses of the master IPA host, if it has multiple interfaces -->
>     <key>IPaddresses</key>
>     <array>
>         <string>192.168.1.1</string>
>         <string>10.0.0.1</string>
>     </array>
>     <key>PrimaryMaster</key>
>     <string>ipa-server.example.org</string>
>     <key>ReplicaName</key>
>     <string>Master</string>
>     <key>Replicas</key>
>     <!-- use an empty <array/> here if there are no replicas -->
>     <array>
>         <string>ipa-bkserver.example.org</string>
>     </array>
> </dict>
> </plist>
> ----------------------
> 
> 3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL 
> and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.
> 
> 
> If you do this manually instead of the OpenDirectory-compatible way, your machine 
> doesn't create an account for itself in IPA, so service access without login 
> is not available, it doesn't download the root CA automatically and you 
> don't get SSO out of the box.
> 
> 
>> On 20 mai 2016, at 22:13, Guillermo Fuentes 
>> <guillermo.fuen...@modernizingmedicine.com> wrote:
>> 
>> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = 
>> yes" and removing the KDC server ("kdc = xxx") entries from the 
>> /Library/Preferences/edu.mit.Kerberos config file does the trick.
>> 
>> For LDAP, although you can enable it, I can't see it documented anywhere so 
>> I'm assuming that isn't the recommended way for the Mac. This can be enabled 
>> by running this for the LDAP server you're using:
>> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
>> 
>> Adding the altServer values with the Directory Manager credentials worked 
>> and I'm happy to report that the failover on the Mac works great with 
>> FreeIPA!
>> 
>> As suggested by Rob, for three servers, on server ipa1:
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://ipa2.example.com
>> -
>> add: altServer
>> altServer: ldap://ipa3.example.com
>> 
>> modifying entry ""
>> ^D
>> 
>> The altServer values didn't replicate so I had to add them to each of the 
>> FreeIPA servers.
>> 
>> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute 
>> to look for replicas in case of failover: 
>> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
>> 
>> And, voila! Highly available authentication with a FreeIPA cluster for the 
>> Mac!
>> 
>> Thanks so much for your help!
>> Guillermo
>> 
>> 
>> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Martin Basti wrote:
>> Hello,
>> 
>> IPA uses SRV records for failover to another replica/LDAP.
>> 
>> I don't know how it works on MACs, but in case that there is no
>> possibility to use SRV, you may need to file a RFE ticket
>> (https://fedorahosted.org/freeipa/newticket)
>> 
>> Agreed, SRV records are the preferred mechanism. I was curious though so 
>> played with this a bit and it is possible to add altServer values:
>> 
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://gyre.example.com
>> 
>> modifying entry ""
>> ^D
>> 
>> $ ldapsearch -LLL -x -b "" -s base altServer
>> dn:
>> altServer: ldap://gyre.example.com
>> 
>> My test rig is a single master so I don't know if this replicates or not.
>> 
>> rob
>> 
>> 
>> Martin
>> 
>> 
>> On 19.05.2016 17:43, Guillermo Fuentes wrote:
>> Hello all,
>> 
>> As OS X allows LDAP server failover via the altServer attribute
>> (RFC4512) from RootDSE, it would be great to be able to configure our
>> Macs to connect to a single FreeIPA server and add other FreeIPA
>> servers as multiple altServer values.
>> The current schema doesn't seem to support adding this attribute.
>> Can this be done in a way I'm missing?
>> 
>> Thanks in advance!
>> 
>> GUILLERMO FUENTES
>> SR. SYSTEMS ADMINISTRATOR
>> 
>> 561-880-2998 x1337 <tel:561-880-2998%20x1337>
>> 
>> guillermo.fuen...@modmed.com <mailto:guillermo.fuen...@modmed.com> 
>> <mailto:guillermo.fuen...@modmed.com <mailto:guillermo.fuen...@modmed.com>>
>> 
>> 
>> [ Modernizing Medicine ] <http://www.modmed.com/ <http://www.modmed.com/>>
>> [ Facebook ] <http://www.facebook.com/modernizingmedicine 
>> <http://www.facebook.com/modernizingmedicine>>              [
>> LinkedIn ] <http://www.linkedin.com/company/modernizing-medicine/ 
>> <http://www.linkedin.com/company/modernizing-medicine/>>              [
>> YouTube ] <http://www.youtube.com/user/modernizingmedicine 
>> <http://www.youtube.com/user/modernizingmedicine>>             [
>> Twitter ] <https://twitter.com/modmed_EMA <https://twitter.com/modmed_EMA>>  
>>             [ Blog ]
>> <http://www.modmed.com/BlogBeyondEMR <http://www.modmed.com/BlogBeyondEMR>>  
>>          [ Instagram ]
>> <http://instagram.com/modernizing_medicine 
>> <http://instagram.com/modernizing_medicine>>
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users 
>> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>> Go to http://freeipa.org <http://freeipa.org/> for more info on the project
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users 
> <https://www.redhat.com/mailman/listinfo/freeipa-users>
> Go to http://freeipa.org <http://freeipa.org/> for more info on the project
> 

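Since the thread found that altServer values do not replicate, each server's RootDSE has to be updated and verified on its own. The following is an added example, not code from the thread or from FreeIPA: it generates the per-server ldapmodify LDIF shown above (every other cluster member as an altServer value) and checks captured `ldapsearch -LLL -x -b "" -s base altServer` output from each server for members that are missing. The host names and the sample RootDSE output are constructed.

```python
def altserver_ldif(server, all_servers):
    """LDIF for ldapmodify on `server`: add every *other* member as altServer.

    Mirrors the thread's recipe, one 'add: altServer' per value separated by
    '-' records; the empty 'dn:' targets the RootDSE.
    """
    others = [s for s in all_servers if s != server]
    body = ["dn:", "changetype: modify"]
    for i, other in enumerate(others):
        if i:
            body.append("-")
        body += ["add: altServer", f"altServer: ldap://{other}"]
    return "\n".join(body) + "\n"


def parse_altservers(ldapsearch_output):
    """Host names advertised in 'ldapsearch -LLL -x -b "" -s base altServer' output."""
    hosts = []
    for line in ldapsearch_output.splitlines():
        if line.startswith("altServer:"):
            url = line.split(":", 1)[1].strip()
            hosts.append(url.split("://", 1)[-1].rstrip("/"))   # ldap://host/ -> host
    return hosts


def missing_altservers(rootdse_by_server, all_servers):
    """For each server, the other members it fails to advertise (sorted list)."""
    report = {}
    for server, output in rootdse_by_server.items():
        expected = {s for s in all_servers if s != server}
        report[server] = sorted(expected - set(parse_altservers(output)))
    return report


# Constructed sample output, as if captured from each server's RootDSE;
# ipa2 was never given the ipa3 value, which the check should flag.
SAMPLE_ROOTDSE = {
    "ipa1.example.com": "dn:\naltServer: ldap://ipa2.example.com\naltServer: ldap://ipa3.example.com\n",
    "ipa2.example.com": "dn:\naltServer: ldap://ipa1.example.com\n",
    "ipa3.example.com": "dn:\naltServer: ldap://ipa1.example.com\naltServer: ldap://ipa2.example.com\n",
}
CLUSTER = sorted(SAMPLE_ROOTDSE)

if __name__ == "__main__":
    for server, missing in missing_altservers(SAMPLE_ROOTDSE, CLUSTER).items():
        print(f"{server}: missing {missing or 'none'}")
        if missing:   # print the LDIF that would bring this server up to date
            print(altserver_ldif(server, CLUSTER))
```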