Good! And thanks for letting us know, it may help other users too. Simo.
On Wed, 2014-04-16 at 17:58 -0400, Fredy Sanchez wrote:
> Hi Simo,
>
> Thanks for your reply. Good old Google pointed me to
> https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
> which gave me the idea of updating the RealName mapping to displayName.
> This solved the problem, I'll have to recreate the permissions for every
> share, but the user names now show up, and stick. No more UIDs.
>
>
> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce <[email protected]> wrote:
>
> > On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
> > > Hi all,
> > >
> > > We asked this same question at discussions.apple.com, but figured we'd
> > > have better luck here. I apologize in advance if this is the wrong forum.
> > >
> > > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1
> > > running in Mavericks 10.9.2) for File Sharing. We use a FreeIPA
> > > (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server
> > > seems correctly bound to it. Unfortunately, although we can add
> > > usernames to the shares for the initial config, the usernames transform
> > > to UIDs after (only for SSO accounts; local accounts are not affected).
> > > That is, when we go to edit the permissions for a share, all we see are
> > > UIDs. We can always figure out the username from the UID, but this is
> > > an extra step we don't want to have. We've tried reinstalling the Mac
> > > server app from scratch, re-binding to the FreeIPA backend, changing
> > > mappings in Directory Utility (for example, mapping GeneratedUID to uid,
> > > which is the username), recreating the shares and permissions, etc.
> > >
> > > Here are more details about the binding:
> > >
> > > * The binding happens thru a custom package we created based primarily on
> > > http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> > > * Sys Prefs, Users & Groups, Login Options show the server bound to the
> > > FreeIPA backend with the green dot
> > > * The following mappings are in place in Directory Utility, Services,
> > > LDAPv3, FreeIPA backend
> > >
> > > Users: inetOrgPerson
> > > AuthenticationAuthority: uid
> > > GeneratedUID: random number in uppercase
> > > HomeDirectory: #/Users/$uid$
> > > NFSHomeDirectory: #/Users/$uid$
> > > OriginalHomeDirectory: #/Users/$uid$
> > > PrimaryGroupID: gidNumber
> > > RealName: cn
> > > RecordName: uid
> > > UniqueID: uidNumber
> > > UserShell: loginShell
> > >
> > > Groups: posixgroup
> > > PrimaryGroupID: gidNumber
> > > RecordName: cn
> > >
> > > The search bases are correct
> > >
> > > * Directory Utility, Directory Editor shows the right info for the users.
> > > * $ id $USERNAME shows the right information for the user
> > >
> > > FreeIPA is working beautifully for our Mac / Linux environment. We
> > > provide directory services to about 300 hosts, and 200 employees using
> > > it; and haven't had any problems LDAP wise until now. So we think we are
> > > missing a mapping here. Any ideas?
> >
> > Fredy,
> > I quickly tried to check for some documentation on how to configure this
> > stuff, but found only useless superficial guides on how to find the
> > pointy/clicky buttons to push to enable the service.
> >
> > I am not a Mac expert by a long shot so I cannot help you much here.
> >
> > Is there any guide available on how to use this service with other LDAP
> > servers, like openLDAP or Active Directory ? We can probably draw some
> > conclusions from there.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
>
>

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
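The fix in this thread is to point the Directory Utility RealName mapping at displayName instead of cn. Before switching, a practitioner would want to confirm that every directory user actually carries the attribute the new mapping reads, since an account without it has no RealName to show. The following is an added example, not code from the thread or from FreeIPA: it parses a constructed ldapsearch-style LDIF sample (sample data, not real accounts), applies a Directory Utility style record-to-attribute map using the record names from the thread, and lists users whose RealName would be empty under a given mapping.

```python
"""Report users whose RealName would be empty under a Directory Utility
attribute mapping. Added example; LDIF sample below is constructed."""
from collections import defaultdict

# Constructed sample in ldapsearch/LDIF style; bob has no displayName.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
cn: Alice Example
displayName: Alice Example
uidNumber: 10001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
cn: Bob Example
uidNumber: 10002
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of {attribute: [values]} dicts.
    Entries are separated by blank lines; each line is 'attr: value'."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value.strip())
    if current:
        entries.append(current)
    return entries


def resolve(entry, mapping):
    """Apply a {record_attribute: ldap_attribute} map to one LDAP entry.
    A missing LDAP attribute resolves to None, as an unset record field."""
    return {rec: (entry.get(ldap) or [None])[0] for rec, ldap in mapping.items()}


def users_missing_realname(text, realname_attr):
    """uids whose RealName is empty when RealName maps to realname_attr."""
    mapping = {"RecordName": "uid", "UniqueID": "uidNumber", "RealName": realname_attr}
    records = [resolve(e, mapping) for e in parse_ldif(text)]
    return [r["RecordName"] for r in records if not r["RealName"]]
```

Run `users_missing_realname` over a real export of the FreeIPA user tree before changing the mapping; any uid it returns needs a displayName set first.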
