Hmmm... Is there not a permission or role in FreeIPA that I could give a group or role just to see everything in my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com"?

On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal <d...@redhat.com> wrote:

> On 09/02/2014 09:34 PM, Chris Whittle wrote:
>
> Ok Dmitri, I got it added using what you sent and the following links
>
> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
> and
> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>
> I think i'm 90% there with the caveat that I can't seem to see what
> permissions I need to give a user to view my NIS "view". Right now
> Directory Manager can see it but that is it.
>
> Any ideas?
>
> You got me :-)
> I would defer to specialist in this area to solve this problem.
>
> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle <cwhi...@gmail.com> wrote:
>
>> Thanks Dimitri, before I get too far this rabbit hole (cause it looks a
>> little scary) let me make sure I get it.
>>
>> So using Slap-NIS I should be able to create a view into FreeIPA that
>> would show only a subset of user based on something like a group or an
>> attribute?
>>
>> Then using the built in MAC Directory Utility (or any LDAP client) I
>> should be able to use that Slap-NIS view as a searchbase and it would
>> return just people I wanted. This could be used keep anyone outside that
>> view from logging in?
>>
>> I'm sorry for the noob questions but there isn't a lot of good
>> documentation on SlapNIS from first glance and I don't want to spend 2 days
>> figuring it out if it's not going to work.
>>
>> As always extremely appreciated!
>> Whitt
>>
>> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal <d...@redhat.com> wrote:
>>
>>> On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>>
>>> I am trying to limit who can login to my macs and I'm having to stick to
>>> what OSX will let me do.
>>>
>>> Currently I can only limit users using the searchbase and right now
>>> it's "cn=users,cn=accounts,dc=DOMAIN,dc=com"
>>>
>>> This works fine unless I wanted to create a user that I wanted in LDAP
>>> for other purposes but not to login.
>>>
>>> So my questions are,
>>> A)Can we create different OUs in FreeIPA like most LDAP servers?
>>>
>>> You can use slapi-nis to create an alternative view of the tree or
>>> trees and point your special client to that tree.
>>> There you might be able to expose a small subset of users that match
>>> your special criteria.
>>> The slapi-nis and compat docs are in the doc folder in the corresponding
>>> git repo.
>>>
>>> IPA uses compat tree for its own purposes but you can tweak it if you
>>> need or create a different view.
>>>
>>> HTH
>>>
>>> B)If not anyone have any idea on how I could do this with OSX's
>>> directory Utility?
>>>
>>> Thanks!
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.