Define an MVP #1

Open
johnkeates opened this issue Oct 26, 2017 · 4 comments

Comments

@johnkeates

I think it would help everyone involved if we made a list of things that are needed to get a basic version working. For example:

  • Being able to generate a profile
  • Said profile can configure a machine to do auth from the login screen and ssh sessions
  • Said profile can be generated from the cli
@abbra
Owner

abbra commented Oct 26, 2017

Right, I think this is a good starting point. Next step would be downloading and uploading profiles to allow quick import of existing configuration. There needs to be a way to filter out irrelevant parts of a plist file uploaded as macOS seems to generate some noise. This would give us a baseline to experiment with different settings.

@johnkeates
Author

Yes, there are some fields that seem to be added on the fly but are not actually required. It's probably a side effect from the macOS frameworks that deal with the profiles during importing and exporting. The Apple Configurator does this as well as command line tools, yet none of the tools seem to be bothered if they are missing.

@d3vi1

d3vi1 commented Oct 26, 2017

Assuming that you mean profiles in the macOS terminology: Profiles are step N. We need to make sure first that the authn/authz aspects work correctly. After that we can talk about profiles. Note that Apple also gave up on MCX profiles and is moving to AppleConfigurator MDM style profiles. I don't think that these are in the objectives of FreeIPA. If you want AppleConfigurator, just install it on an OS X Server joined to the FreeIPA.
Let's talk in Active Directory terminology. Profiles are roughly equivalent to GPOs. You first need to be able to join a domain and log on using domain credentials. Group Policy Objects are a distant issue.


If by profiles you mean the ODConfig templates, I'm working on them. They are 99% written and static and just need a few elements to be changed, see the comments at the beginning of the file in https://github.com/d3vi1/freeipa-macosx-support/blob/master/freeipa-darwin-policy.py .
The dicts in the .py file can then be converted to Apple XML Property Lists (PLISTS) quite easily, base64 encoded and put in the correct entries.

Down the line, my question is how do we trigger a regeneration of the properties once the LDAP replicas or KDCs change or once their IP address changes.

Please move the chat to the active fork in https://github.com/d3vi1/freeipa-macosx-support/
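
A sketch of the two steps discussed in this thread (filtering noise out of an uploaded plist, then converting a dict to an XML plist and base64-encoding it), added here as an example and not taken from either repository. The key names, the allowlist schema and the sample upload are constructed and do not reflect the real ODConfig layout.

```python
import base64
import plistlib

# Hypothetical allowlist of keys the generator emits (not the real ODConfig schema).
# None marks a leaf value; a nested dict is filtered recursively.
SCHEMA = {"realm": None, "servers": None, "options": {"use_ssl": None}}


def filter_plist(data, schema=SCHEMA):
    """Keep only allowlisted keys; fields added on export are dropped."""
    kept = {}
    for key, sub in schema.items():
        if key not in data:
            continue
        value = data[key]
        if sub is not None:
            if not isinstance(value, dict):
                continue  # wrong type for a nested section: discard it
            value = filter_plist(value, sub)
        kept[key] = value
    return kept


def encode_config(config):
    """Serialize a dict as an XML plist and base64-encode it for storage."""
    # sort_keys=True keeps the output stable, so a changed server list
    # always produces a different blob than the stored one.
    xml = plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=True)
    return base64.b64encode(xml).decode("ascii")


def decode_config(blob):
    """Inverse of encode_config; validate=True rejects non-base64 input."""
    return plistlib.loads(base64.b64decode(blob, validate=True))


def import_uploaded(xml_bytes):
    """Parse an uploaded XML plist, filter it and return the stored form."""
    data = plistlib.loads(xml_bytes, fmt=plistlib.FMT_XML)
    if not isinstance(data, dict):
        raise ValueError("top-level plist object must be a dictionary")
    return encode_config(filter_plist(data))


# Constructed upload: "export_tool_version" and "ui_hint" stand in for noise.
UPLOADED = plistlib.dumps({
    "realm": "EXAMPLE.TEST",
    "servers": ["ipa1.example.test", "ipa2.example.test"],
    "options": {"use_ssl": True, "ui_hint": "x"},
    "export_tool_version": "0.0",
})
```

Filtering by allowlist rather than by a list of known noise keys means a field that a future macOS release starts adding is dropped by default instead of being stored.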

@johnkeates
Author

johnkeates commented Oct 26, 2017

ODConfig indeed, not the GPO-type profiles, but the format you can embed the ODConfig in. It's a bit confusing with vendors using generic terminology for specific things. Moving to your fork for further communication.
