
Has anyone successfully set up authentication and authorization between MacOS X and FreeIPA?

An old revision of the FreeIPA documentation explains how to get it working in 10.4 and nothing in their current documentation indicates it can't be made to work, but so far I'm unsuccessful getting it working.

The outdated FreeIPA guide is here: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Macintosh_OS_X.html

Following this guide I've successfully got Directory Services browsing the LDAP repository, Directory Services can authenticate as a user in LDAP, and 'kinit ' works on the command line. However, I cannot log in over ssh or at the login screen as a Kerberos user. The console provides no indication of what the error is, and when tcpdump'ing kinit and an ssh login, they both appear to be sending very similar data over the wire.

Any troubleshooting tips or pointer to relevant guides would be appreciated. Thanks!

moof2k

1 Answer


There is a more recent tutorial here; it works for Mac OS 10.7 / 10.8.

http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8

mrik974
  • This tutorial is really complete and works well, but I'm concerned about the "must disable SSL" part. Is the traffic to the server sufficiently encrypted without SSL to avoid a MITM getting passwords? – Brian Topping Jun 21 '15 at 22:40
  • Encryption is not activated for the LDAP connection. I don't know why it doesn't work. I haven't used this tutorial in a production environment. But the Kerberos part needs traffic encryption, so most of the sensible traffic must be encrypted. – mrik974 Jun 22 '15 at 10:22
  • I came across this looking for the same information. However, http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8 seems to no longer work. The newest one is located at https://annvix.com/using_freeipa_for_user_authentication#Mac_OS_X_10.7.2F10.8 – Tim Mar 30 '17 at 22:32