abbra / freeipa-macosx-support

macOS support for FreeIPA (WIP)
GNU General Public License v3.0

Define an MVP #1

Open johnkeates opened 6 years ago

johnkeates commented 6 years ago

I think it would help everyone involved if we made a list of things that are needed to get a basic version working. For example:

abbra commented 6 years ago

Right, I think this is a good starting point. Next step would be downloading and uploading profiles to allow quick import of existing configuration. There needs to be a way to filter out irrelevant parts of a plist file uploaded as macOS seems to generate some noise. This would give us a baseline to experiment with different settings.

johnkeates commented 6 years ago

Yes, there are some fields that seem to be added on the fly but are not actually required. It's probably a side effect from the macOS frameworks that deal with the profiles during importing and exporting. The Apple Configurator does this as well as command line tools, yet none of the tools seem to be bothered if they are missing.

d3vi1 commented 6 years ago

Assuming that you mean profiles in the macOS terminology: Profiles are step N. We need to make sure first that the authn/authz aspects work correctly. After that we can talk about profiles. Note that Apple also gave up on MCX profiles and is moving to AppleConfigurator MDM-style profiles. I don't think that these are in the objectives of FreeIPA. If you want AppleConfigurator, just install it on an OS X Server joined to FreeIPA. Let's talk in Active Directory terminology. Profiles are roughly equivalent to GPOs. You first need to be able to join a domain and log on using domain credentials. Group Policy Objects are a distant issue.

If by profiles you mean the ODConfig templates, I'm working on them. They are 99% written and static and just need a few elements to be changed; see the comments at the beginning of the file in https://github.com/d3vi1/freeipa-macosx-support/blob/master/freeipa-darwin-policy.py . The dicts in the .py file can then be converted to Apple XML Property Lists (PLISTS) quite easily, base64 encoded and put in the correct entries.

Down the line, my question is how do we trigger a regeneration of the properties once the ldap replicas or KDCs change or once their IP address changes.

Please move the chat to the active fork in https://github.com/d3vi1/freeipa-macosx-support/
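The dict-to-plist-to-base64 step described above, together with the "filter out the noise macOS adds" step from the earlier comment, as an added example. This is not code from the freeipa-macosx-support project; the field names, hostnames and the set of noise keys are constructed placeholders.

```python
"""Added example (not the project's code): serialize a policy dict to an Apple
XML plist, strip keys that macOS tools add on export, and base64 encode the
result so it can be stored in an LDAP attribute and read back."""
import base64
import plistlib

# Constructed: hypothetical names standing in for the export-time noise keys
# the comments mention. The real set must be determined from captured files.
NOISE_KEYS = {"GeneratedDate", "ExportHost"}


def strip_noise(value, noise=NOISE_KEYS):
    """Recursively drop keys that are not part of the intended configuration."""
    if isinstance(value, dict):
        return {k: strip_noise(v, noise) for k, v in value.items() if k not in noise}
    if isinstance(value, list):
        return [strip_noise(v, noise) for v in value]
    return value


def dict_to_plist_b64(policy):
    """Serialize a dict to XML plist bytes (sorted keys, so output is stable)
    and base64 encode it for storage in a directory entry."""
    xml = plistlib.dumps(policy, fmt=plistlib.FMT_XML, sort_keys=True)
    return base64.b64encode(xml).decode("ascii")


def plist_b64_to_dict(encoded):
    """Inverse direction: decode base64, parse the plist back into a dict and
    remove noise again, as one would for a file uploaded from a Mac."""
    return strip_noise(plistlib.loads(base64.b64decode(encoded)))


# Constructed sample: an ODConfig-like template with placeholder field names
# and hostnames, plus two noise keys that should not survive the round trip.
SAMPLE_POLICY = {
    "node name": "/LDAPv3/ipa.example.test",
    "ldap servers": ["ipa1.example.test", "ipa2.example.test"],
    "kdc": {"realm": "EXAMPLE.TEST", "GeneratedDate": "2018-01-01"},
    "ExportHost": "mac.example.test",
}


def roundtrip(policy):
    """Clean, encode, decode: returns what would be read back from LDAP."""
    return plist_b64_to_dict(dict_to_plist_b64(strip_noise(policy)))
```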

johnkeates commented 6 years ago

ODConfig indeed, not the GPO-type profiles, but the format you can embed the ODConfig in. It's a bit confusing with vendors using generic terminology for specific things. Moving to your fork for further communication.