On 09/02/2014 10:08 PM, Chris Whittle wrote:
hmmm...
Is there not a permission or role in freeIPA that I could give a group
or role just to see everything in
my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com"
I think it might be related to the new permission system that was
released in 4.0.
Stay tuned, the chivalry is on the way...
On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal wrote:
On 09/02/2014 09:34 PM, Chris Whittle wrote:
Ok Dmitri, I got it added using what you sent and the following
links
https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
and
https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
I think I'm 90% there with the caveat that I can't seem to see
what permissions I need to give a user to view my NIS "view".
Right now Directory Manager can see it but that is it.
Any ideas?
You got me :-)
I would defer to a specialist in this area to solve this problem.
On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle wrote:
Thanks Dmitri, before I get too far down this rabbit hole (cause
it looks a little scary) let me make sure I get it.
So using slapi-nis I should be able to create a view into
FreeIPA that would show only a subset of users based on
something like a group or an attribute?
Then using the built in MAC Directory Utility (or any LDAP
client) I should be able to use that slapi-nis view as a
searchbase and it would return just people I wanted. This
could be used to keep anyone outside that view from logging in?
I'm sorry for the noob questions but there isn't a lot of
good documentation on slapi-nis from first glance and I don't
want to spend 2 days figuring it out if it's not going to work.
As always extremely appreciated!
Whitt
On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal wrote:
On 09/02/2014 03:04 AM, Chris Whittle wrote:
I am trying to limit who can login to my macs and I'm
having to stick to what OSX will let me do.
Currently I can only limit users using the searchbase
and right now it's "cn=users,cn=accounts,dc=DOMAIN,dc=com"
This works fine unless I wanted to create a user that I
wanted in LDAP for other purposes but not to login.
So my questions are,
A) Can we create different OUs in FreeIPA like most LDAP
servers?
You can use slapi-nis to create an alternative view of
the tree or trees and point your special client to that tree.
There you might be able to expose a small subset of users
that match your special criteria.
The slapi-nis and compat docs are in the doc folder in
the corresponding git repo.
IPA uses compat tree for its own purposes but you can
tweak it if you need or create a different view.
HTH
B) If not, does anyone have any idea on how I could do this
with OSX's Directory Utility?
Thanks!
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.