This is great info Razvan. Thanks for sharing it! We provision Macs by pushing configuration scripts via Munki. Can you point me where I can find more documentation about this? Thanks again, Guillermo
On Fri, May 20, 2016 at 3:45 PM, "Răzvan Corneliu C.R. VILT" <[email protected]> wrote:
> Hi guys,
>
> Regarding the Macs, there are a few notes:
>
> 1) The template kerberos setup can be pushed through LDAP
> (cn=KerberosClient and cn=KerberosKDC,cn=config)
> 2) The LDAP replicas can also be configured in cn=config and it is cached
> by OpenDirectory in the following format:
>
> dn: cn=ldapreplicas, cn=config, dc=example, dc=com
> objectClass: apple-configuration
> apple-ldap-replica: ldap://192.168.1.1
> apple-ldap-replica: ldap://192.168.2.2
> apple-ldap-writable-replica: ldap://192.168.1.1
> apple-ldap-writable-replica: ldap://192.168.2.2
> apple-xml-plist: base64 encode of:
> ---------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <key>GUID</key>
>     <string>01234567-89AB-CDEF-0123-456789ABCDEF</string>
>     <key>IPaddresses</key><!-- of the master ipa host if there are multiple interfaces for it -->
>     <array>
>         <string>192.168.1.1</string>
>         <string>10.0.0.1</string>
>     </array>
>     <key>PrimaryMaster</key>
>     <string>ipa-server.example.org</string>
>     <key>ReplicaName</key>
>     <string>Master</string>
>     <key>Replicas</key>
>     <array>
>         <string>ipa-bkserver.example.org</string>
>     </array>
>     <!-- use only <array/> if there are no replicas -->
> </dict>
> </plist>
> ----------------------
>
> 3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL
> and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.
>
> If you do this manually instead of the OpenDirectory-compatible way, your
> machine doesn't create an account for itself in IPA, so service access
> without login is not available, it doesn't download the root CA
> automatically and you don't get SSO out of the box.
>
> On 20 May 2016, at 22:13, Guillermo Fuentes <[email protected]> wrote:
>
> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc
> = yes" and removing the KDC server ("kdc = xxx") entries from the
> /Library/Preferences/edu.mit.Kerberos config file does the trick.
>
> For LDAP, although you can enable it, I can't see it documented anywhere
> so I'm assuming that isn't the recommended way for the Mac. This can be
> enabled by running this for the LDAP server you're using:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
>
> Adding the altServer values with the Directory Manager credentials worked
> and I'm happy to report that the failover on the Mac works great with
> FreeIPA!
>
> As suggested by Rob, for three servers, on server ipa1:
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://ipa2.example.com
> -
> add: altServer
> altServer: ldap://ipa3.example.com
>
> modifying entry ""
> ^D
>
> The altServer values didn't replicate so I had to add them to each of the
> FreeIPA servers.
>
> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer
> attribute to look for replicas in case of failover:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
>
> And, voila! Highly available authentication with a FreeIPA cluster for the
> Mac!
>
> Thanks so much for your help!
> Guillermo
>
>
> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden <[email protected]> wrote:
>
>> Martin Basti wrote:
>>
>>> Hello,
>>>
>>> IPA uses SRV records for failover to another replica/LDAP.
>>>
>>> I don't know how it works on MACs, but in case that there is no
>>> possibility to use SRV, you may need to file a RFE ticket
>>> (https://fedorahosted.org/freeipa/newticket)
>>>
>>
>> Agreed, SRV records are the preferred mechanism. I was curious though so
>> played with this a bit and it is possible to add altServer values:
>>
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://gyre.example.com
>>
>> modifying entry ""
>> ^D
>>
>> $ ldapsearch -LLL -x -b "" -s base altServer
>> dn:
>> altServer: ldap://gyre.example.com
>>
>> My test rig is a single master so I don't know if this replicates or not.
>>
>> rob
>>
>>> Martin
>>>
>>> On 19.05.2016 17:43, Guillermo Fuentes wrote:
>>>
>>>> Hello all,
>>>>
>>>> As OS X allows LDAP server failover via the altServer attribute
>>>> (RFC4512) from RootDSE, it would be great to be able to configure our
>>>> Macs to connect to a single FreeIPA server and add other FreeIPA
>>>> servers as multiple altServer values.
>>>> The current schema doesn't seem to support adding this attribute.
>>>> Can this be done in a way I'm missing?
>>>>
>>>> Thanks in advance!
>>>>
>>>> GUILLERMO FUENTES
>>>> SR. SYSTEMS ADMINISTRATOR
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
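As an added example (not from this thread or from the FreeIPA project), a Python check for the caveat Guillermo reports above, that altServer values do not replicate and must be added on every server: it parses constructed RootDSE output for three assumed servers (ipa1 to ipa3), reports which peers each server fails to advertise, and emits the thread's ldapmodify LDIF for the missing ones.

```python
"""Constructed check that every FreeIPA server advertises its peers via altServer;
the values do not replicate (see the thread), so each host is checked separately."""
from typing import Dict, List

# Constructed RootDSE output, in the shape `ldapsearch -LLL -x -H <uri> -b "" -s base
# altServer` prints it. ipa1 is complete (its second value is folded over two
# lines, as LDIF does for long values), ipa2 lacks ipa3, ipa3 was never patched.
CLUSTER = ["ldap://ipa1.example.com", "ldap://ipa2.example.com",
           "ldap://ipa3.example.com"]
ROOTDSE = {
    "ldap://ipa1.example.com": "dn:\naltServer: ldap://ipa2.example.com\n"
                               "altServer: ldap://ipa3.exam\n ple.com\n",
    "ldap://ipa2.example.com": "dn:\naltServer: ldap://ipa1.example.com\n",
    "ldap://ipa3.example.com": "dn:\n",
}

def parse_ldif_values(ldif: str, attr: str) -> List[str]:
    """Return every value of attr, unfolding LDIF continuation lines
    (a line beginning with a single space continues the previous line)."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    prefix = attr.lower() + ":"
    return [ln[len(prefix):].strip() for ln in lines
            if ln.lower().startswith(prefix)]

def missing_altservers(rootdse: Dict[str, str],
                       cluster: List[str]) -> Dict[str, List[str]]:
    """Map each server URI to the cluster peers it does not advertise."""
    report: Dict[str, List[str]] = {}
    for uri, ldif in rootdse.items():
        advertised = set(parse_ldif_values(ldif, "altServer"))
        report[uri] = [p for p in cluster if p != uri and p not in advertised]
    return report

def ldapmodify_ldif(peers: List[str]) -> str:
    """Build the RootDSE modify LDIF from the thread, one add stanza per peer,
    ready to pipe into `ldapmodify -x -D 'cn=directory manager' -W` on that host."""
    stanzas = ["add: altServer\naltServer: " + p for p in peers]
    return "dn:\nchangetype: modify\n" + "\n-\n".join(stanzas) + "\n"

if __name__ == "__main__":
    for uri, missing in missing_altservers(ROOTDSE, CLUSTER).items():
        if missing:
            print(f"{uri} lacks altServer entries; apply on that host:")
            print(ldapmodify_ldif(missing))
```

Run it against real output by replacing ROOTDSE with the text of the ldapsearch command in the comment, collected from each server in turn.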
