I was able to take that script and, with some customizing, get it to work with Mavericks. This should work; I tried to do a find and replace to make it work like the GitHub one.
On Wed, Apr 16, 2014 at 5:40 PM, Fredy Sanchez <fredy.sanc...@modmed.com> wrote:
> Sure Rob, we'll put something together and send it to you for publishing.
> Give us a few days. We'll also sanitize our enrollment package and share it
> w/ you too. This is what we use to enroll our Macs, a one time install that
> does what ipa-client-install does for Linux, including these LDAP mappings.
> We love FreeIPA and will be really happy if this helps any other users with
> Mac fleets.
>
> On Wed, Apr 16, 2014 at 6:12 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Fredy Sanchez wrote:
>>> Hi Simo,
>>>
>>> Thanks for your reply. Good old Google pointed me to
>>> https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
>>> which gave me the idea of updating the RealName mapping to displayName.
>>> This solved the problem. I'll have to recreate the permissions for every
>>> share, but the user names now show up, and stick. No more UIDs.
>>
>> Great. Any chance you can write something and post a howto on our wiki?
>> Or send the details to me and I'll write something up?
>>
>> thanks
>>
>> rob
>>
>>> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce <s...@redhat.com> wrote:
>>>
>>> On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
>>>> Hi all,
>>>>
>>>> We asked this same question at discussions.apple.com, but figured we'd
>>>> have better luck here. I apologize in advance if this is the wrong forum.
>>>>
>>>> We are switching from Synology (DSM 5) to Mavericks server (v3.1.1
>>>> running in Mavericks 10.9.2) for File Sharing. We use a FreeIPA
>>>> (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server
>>>> seems correctly bound to it. Unfortunately, although we can add
>>>> usernames to the shares for the initial config, the usernames transform
>>>> to UIDs after (only for SSO accounts; local accounts are not affected).
>>>> That is, when we go to edit the permissions for a share, all we see are
>>>> UIDs. We can always figure out the username from the UID, but this is an
>>>> extra step we don't want to have. We've tried reinstalling the Mac server
>>>> app from scratch, re-binding to the FreeIPA backend, changing mappings in
>>>> Directory Utility (for example, mapping GeneratedUID to uid, which is the
>>>> username), recreating the shares and permissions, etc. Here are more
>>>> details about the binding:
>>>>
>>>> * The binding happens thru a custom package we created based primarily on
>>>>   http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>>> * Sys Prefs, Users & Groups, Login Options show the server bound to the
>>>>   FreeIPA backend with the green dot
>>>> * The following mappings are in place in Directory Utility, Services,
>>>>   LDAPv3, FreeIPA backend:
>>>>
>>>>   Users: inetOrgPerson
>>>>     AuthenticationAuthority: uid
>>>>     GeneratedUID: random number in uppercase
>>>>     HomeDirectory: #/Users/$uid$
>>>>     NFSHomeDirectory: #/Users/$uid$
>>>>     OriginalHomeDirectory: #/Users/$uid$
>>>>     PrimaryGroupID: gidNumber
>>>>     RealName: cn
>>>>     RecordName: uid
>>>>     UniqueID: uidNumber
>>>>     UserShell: loginShell
>>>>   Groups: posixgroup
>>>>     PrimaryGroupID: gidNumber
>>>>     RecordName: cn
>>>>
>>>>   The search bases are correct
>>>>
>>>> * Directory Utility, Directory Editor shows the right info for the users.
>>>> * $ id $USERNAME shows the right information for the user
>>>>
>>>> FreeIPA is working beautifully for our Mac / Linux environment. We
>>>> provide directory services to about 300 hosts, and 200 employees using
>>>> it; and haven't had any problems LDAP wise until now. So we think we are
>>>> missing a mapping here. Any ideas?
>>>
>>> Fredy,
>>> I quickly tried to check for some documentation on how to configure this
>>> stuff, but found only useless superficial guides on how to find the
>>> pointy/clicky buttons to push to enable the service.
>>>
>>> I am not a Mac expert by a long shot so I cannot help you much here.
>>>
>>> Is there any guide available on how to use this service with other LDAP
>>> servers, like openLDAP or Active Directory? We can probably draw some
>>> conclusions from there.
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>> --
>>> Cheers,
>>>
>>> Fredy Sanchez
>>> IT Manager @ Modernizing Medicine
>>> (561) 880-2998 x237
>>> fredy.sanc...@modmed.com
>>>
>>> *Need IT support?* Visit https://mmit.zendesk.com
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
[Attachment: FREEIPABindScript.sh (Bourne shell script)]
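The fix in the thread is to point the RealName mapping at displayName instead of cn. A mapping that names an attribute some user entries do not carry produces a record with an empty field, which is the kind of gap that shows up as a bare UID in a share's permissions. The script below is an added example, not from the thread, the attached FREEIPABindScript.sh, or the rtrouton script: it applies the Users mapping table posted above (with RealName already switched to displayName) to LDAP entries and reports which macOS record attributes would come out empty. The `#literal` with `$attr$` substitution form is interpreted from the `#/Users/$uid$` rows in the thread; GeneratedUID is left out because the thread describes it as a generated value rather than an LDAP attribute; the two LDIF entries are constructed sample data, and the second one deliberately lacks displayName.

```python
"""Check an LDAPv3 Directory Utility-style mapping table against LDAP user
entries and report record attributes that would resolve to nothing.
Added example; mapping semantics are an interpretation of the table in the
thread, and the LDIF entries below are constructed, not real directory data."""
import re
from typing import Dict, List, Optional

# Users mapping table as posted in the thread, RealName already moved from cn
# to displayName.  GeneratedUID is omitted (described as generated, not mapped).
USER_MAPPINGS = {
    "AuthenticationAuthority": "uid",
    "HomeDirectory": "#/Users/$uid$",
    "NFSHomeDirectory": "#/Users/$uid$",
    "OriginalHomeDirectory": "#/Users/$uid$",
    "PrimaryGroupID": "gidNumber",
    "RealName": "displayName",
    "RecordName": "uid",
    "UniqueID": "uidNumber",
    "UserShell": "loginShell",
}

# Constructed sample entries.  bsmith has no displayName, so RealName will be
# empty under the displayName mapping even though cn is present.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
displayName: Jane Doe
uidNumber: 10001
gidNumber: 10001
loginShell: /bin/bash

dn: uid=bsmith,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bsmith
cn: Bob Smith
uidNumber: 10002
gidNumber: 10002
loginShell: /bin/zsh
"""

_SUBST = re.compile(r"\$([A-Za-z][A-Za-z0-9-]*)\$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, and leading-space continuation lines folded onto the previous value.
    Attribute names are lowercased because LDAP treats them case-insensitively."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def resolve(mapping: str, entry: Dict[str, List[str]]) -> Optional[str]:
    """Resolve one mapping value: '#...' is a literal with $attr$ substituted
    from the entry, anything else names an LDAP attribute.  None means the
    record attribute would be empty for this entry."""
    if mapping.startswith("#"):
        missing = False

        def sub(m: "re.Match[str]") -> str:
            nonlocal missing
            vals = entry.get(m.group(1).lower())
            if not vals:
                missing = True
                return ""
            return vals[0]

        out = _SUBST.sub(sub, mapping[1:])
        return None if missing else out
    vals = entry.get(mapping.lower())
    return vals[0] if vals else None


def build_record(entry: Dict[str, List[str]], mappings=USER_MAPPINGS) -> Dict[str, Optional[str]]:
    return {mac_attr: resolve(expr, entry) for mac_attr, expr in mappings.items()}


def unresolved(entry: Dict[str, List[str]], mappings=USER_MAPPINGS) -> List[str]:
    """macOS record attributes that would be empty for this entry."""
    return [k for k, v in build_record(entry, mappings).items() if v is None]


def audit(ldif_text: str, mappings=USER_MAPPINGS) -> Dict[str, List[str]]:
    """Map each uid to the record attributes it would lack under the mapping."""
    return {e.get("uid", ["?"])[0]: unresolved(e, mappings) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for user, gaps in audit(SAMPLE_LDIF).items():
        print(f"{user}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against an `ldapsearch -LLL` dump of the user container before switching the mapping; any uid listed with `RealName` is a user whose displayName still needs to be populated in FreeIPA, otherwise that account will show up with an empty name on the Mac side.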