Re: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

I emailed the author of the howto, so hopefully he will update it. I still think it would make sense to have this information (how to set up an OSX 10.7+ client) documented directly on freeipa.org like http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients, or at least have a link to http://www.freeipa.org/page/HowTos under http://www.freeipa.org/page/Documentation (I could not find a link to HowTos on freeipa.org without searching for it..). I may be willing to volunteer to write this updated howto, even though it would be a 99% copy/paste from linsec.ca; I don't know if that's a good idea.

On Thu, Jan 15, 2015 at 10:23 AM, Martin Kosek mko...@redhat.com wrote:
> On 01/14/2015 07:34 PM, Dmitri Pal wrote:
>> On 01/14/2015 01:11 PM, Ejner Fergo wrote:
>>> Hola,
>>>
>>> This is a response to: https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html
>>>
>>> Scott, maybe you already found the solution, but I've been banging my head with the same problem, albeit with a newer version of FreeIPA and OSX. I used this excellent howto to get started: http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>>
>>> Despite initial success, without secondary groups the OSX integration doesn't really make sense. I managed to get it working though, by doing this:
>>>
>>> In the Search Mappings area of Directory Utility, change the Search base of the Groups record type from 'cn=groups,cn=accounts,dc=example,dc=com' to 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts).
>>>
>>> In Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might have to map to 'member' in FreeIPA 3.0.
>>>
>>> With these settings, doing an 'id user' on OSX shows all secondary groups, even indirect group membership!
>>>
>>> I still have to test and figure stuff out about ssh and sudo on the OSX side of things, but that isn't as important as having group access control.
>>>
>>> Hope it helps!
>>>
>>> Best regards,
>>> Ejner Fergo
>>
>> Thanks for sharing!
>>
>> So this seems to mean that Mac expects 2307 schema instead of the 2307bis. So yes, pointing to the compat tree would be the right approach. Can we document it somewhere?
>
> I at least added this useful link to http://www.freeipa.org/page/HowTos#UNIX
> If there is some better place, please feel free to update.
>
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

Sorry, I didn't look close enough, so I missed the link to HowTos under Additional Resources...

On Fri, Jan 16, 2015 at 5:31 PM, Ejner Fergo ejner...@gmail.com wrote:
> I still think it would make sense to have this information (how to set up an OSX 10.7+ client) documented directly on freeipa.org like http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients, or at least have a link to http://www.freeipa.org/page/HowTos under http://www.freeipa.org/page/Documentation (I could not find a link to HowTos on freeipa.org without searching for it..).
Re: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

On 01/16/2015 11:36 AM, Ejner Fergo wrote:
> Sorry, I didn't look close enough, so I missed the link to HowTos under Additional Resources...
>
> On Fri, Jan 16, 2015 at 5:31 PM, Ejner Fergo ejner...@gmail.com wrote:
>> I emailed the author of the howto, so hopefully he will update it. I still think it would make sense to have this information (how to set up an OSX 10.7+ client) documented directly on freeipa.org like http://www.freeipa.org/page/FreeIPAv1:ConfiguringMacintoshClients, or at least have a link to http://www.freeipa.org/page/HowTos under http://www.freeipa.org/page/Documentation (I could not find a link to HowTos on freeipa.org without searching for it..). I may be willing to volunteer to write this updated howto, even though it would be a 99% copy/paste from linsec.ca; I don't know if that's a good idea.

Many people are looking for pointers on the FreeIPA site. Some kind of linking or copy/paste needs to happen, whatever makes more sense and is the cleanest.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

Hola,

This is a response to: https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html

Scott, maybe you already found the solution, but I've been banging my head with the same problem, albeit with a newer version of FreeIPA and OSX. I used this excellent howto to get started: http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8

Despite initial success, without secondary groups the OSX integration doesn't really make sense. I managed to get it working though, by doing this:

In the Search Mappings area of Directory Utility, change the Search base of the Groups record type from 'cn=groups,cn=accounts,dc=example,dc=com' to 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts).

In Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might have to map to 'member' in FreeIPA 3.0.

With these settings, doing an 'id user' on OSX shows all secondary groups, even indirect group membership!

I still have to test and figure stuff out about ssh and sudo on the OSX side of things, but that isn't as important as having group access control.

Hope it helps!

Best regards,
Ejner Fergo
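An added illustration of why the search-base change works (example code written for this archive page, not code from the thread, the linsec.ca howto or FreeIPA itself): the cn=accounts tree expresses membership RFC2307bis-style with DN-valued `member` attributes and nesting via group-in-group, while the cn=compat tree presents the flat RFC2307 view with `memberUid` values already expanded. The LDIF below is constructed sample data, not captured from a real server, and the client-side lookup mimics a mapping of GroupMembership to memberUid.

```python
import re
from collections import defaultdict

# Constructed sample of the cn=accounts (RFC2307bis) tree: membership is a DN
# in "member", and "devs" is nested inside "staff" by being a member of it.
ACCOUNTS_LDIF = """\
dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
cn: devs
gidNumber: 1001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=staff,cn=groups,cn=accounts,dc=example,dc=com
cn: staff
gidNumber: 1002
member: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed sample of the cn=compat (RFC2307) view of the same groups: the
# server has flattened nesting into bare memberUid values.
COMPAT_LDIF = """\
dn: cn=devs,cn=groups,cn=compat,dc=example,dc=com
cn: devs
gidNumber: 1001
memberUid: alice

dn: cn=staff,cn=groups,cn=compat,dc=example,dc=com
cn: staff
gidNumber: 1002
memberUid: alice
memberUid: bob
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute -> list of values per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr].append(value)
        entries.append(entry)
    return entries


def secondary_groups(entries, username, membership_attr="memberUid"):
    """Resolve a user's groups the way an RFC2307 client does: compare the bare
    username against each value of the mapped membership attribute."""
    return sorted(e["cn"][0] for e in entries
                  if username in e.get(membership_attr, []))
```

Against the accounts tree the lookup returns nothing for alice (the values there are DNs, not usernames), while against the compat tree it returns both devs and the indirectly inherited staff, matching the `id user` result reported above.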
Re: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

On 01/14/2015 01:11 PM, Ejner Fergo wrote:
> In the Search Mappings area of Directory Utility, change the Search base of the Groups record type from 'cn=groups,cn=accounts,dc=example,dc=com' to 'cn=groups,cn=compat,dc=example,dc=com' (so compat instead of accounts).
>
> In Groups add the attribute 'GroupMembership' mapped to 'memberUID'. You might have to map to 'member' in FreeIPA 3.0.
>
> With these settings, doing an 'id user' on OSX shows all secondary groups, even indirect group membership!

Thanks for sharing!

So this seems to mean that Mac expects 2307 schema instead of the 2307bis. So yes, pointing to the compat tree would be the right approach. Can we document it somewhere?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.