Ciro Iriarte via FreeIPA-users wrote:
> On Tue, Aug 31, 2021, 15:01 Ciro Iriarte <[email protected]> wrote:
>
>> On Tue, Aug 31, 2021, 14:11 Rob Crittenden <[email protected]> wrote:
>>
>>> Ciro Iriarte via FreeIPA-users wrote:
>>>> Good afternoon,
>>>>
>>>> I'm looking for integrating VMware Identity Manager with FreeIPA and it
>>>> looks better than vCenter so far because there are options to customize
>>>> filters and map attributes.
>>>>
>>>> The only missing bit seems to be the "domain" attribute that vIDM
>>>> expects to be present in users & groups. Would that be something that
>>>> can be accommodated with the stock schemas? I cannot find any
>>>> reference to it.
>>>
>>> The VMware docs that I found are very opaque about what this attribute
>>> is or should contain. We generally don't recommend re-purposing
>>> attributes to mean something in a different context because there is no
>>> guarantee that IPA won't use it for its own purposes in the future.
>>>
>>> If you can obtain more information on what the domain attribute is for
>>> and why it might contain that would be very helpful.
>>>
>>> Or hopefully someone else on the list has already done this integration
>>> and can help out.
>>>
>>> rob
>>
>> Hello,
>>
>> The document mentioning the integration is
>>
>> https://docs.vmware.com/en/VMware-Workspace-ONE-Access/19.03/vidm_dir_integration.pdf
>>
>> It seems it can be an arbitrary string but many examples show it as
>> the Kerberos REALM and/or the DNS domain attached to the directory.
>>
>> Regards,
>> CI.-
>
> To elaborate a little more, it seems to be used as a filter for user &
> groups sync/replication.
>
> Feels like a funky implementation, I would just use different Base DNs
> or REALM (I recall it being possible with OpenLDAP, which is used for
> their generic LDAP integration tests. Not sure about FreeIPA though) or
> group membership.
>
> Tested the integration setting up all the filters & mappings I could,
> leaving the domain mapping blank led to 0 users & groups imported.

I saw the web equivalent of these docs and they seem pretty thin. But the fact that you were able to run a query is a good sign.

I guess what I'd do is stick some obvious value in for the mapping, do a query, then check the 389-ds access log to see what the filter looks like. That may give us a clue about what to put in there.

Note that the 389 log is buffered by 30 seconds.

rob
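
Added example, not part of the thread and not FreeIPA or VMware code: one way to do the access-log check suggested above is to pull every search issued by the sync account out of the 389-ds access log, together with the attributes named in its filter and the entry count from the matching RESULT line. The bind DN, the suffix and the `domain=TESTVALUE` filter term in the sample are constructed placeholders; what vIDM really sends is what the real log would show.

```python
import re

# Constructed sample in 389-ds access-log format (NOT from the thread).
# Bind DN, suffix and the "domain=TESTVALUE" filter term are placeholders;
# the real filter vIDM sends is exactly what this is meant to reveal.
SAMPLE_LOG = """\
[31/Aug/2021:15:20:01.100000000 -0400] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[31/Aug/2021:15:20:01.200000000 -0400] conn=12 op=0 BIND dn="uid=vidm,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3
[31/Aug/2021:15:20:01.210000000 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001100000 dn="uid=vidm,cn=sysaccounts,cn=etc,dc=example,dc=test"
[31/Aug/2021:15:20:01.300000000 -0400] conn=12 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(&(objectClass=posixAccount)(domain=TESTVALUE))" attrs="uid mail domain"
[31/Aug/2021:15:20:01.310000000 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=0 etime=0.002000000
[31/Aug/2021:15:20:02.000000000 -0400] conn=13 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[31/Aug/2021:15:20:02.100000000 -0400] conn=13 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(uid=admin)" attrs=ALL
[31/Aug/2021:15:20:02.110000000 -0400] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001000000
"""

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) (\w+)(.*)$')
KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
# Attribute name at the start of each filter term, e.g. "(domain=" or "(uid>=".
FILTER_ATTR = re.compile(r'\(([A-Za-z][\w;.-]*)(?:[~<>]?=|:)')

def searches_by(log_text, bind_dn):
    """Return the searches issued on connections bound as bind_dn."""
    bound, pending, found = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connection open/close lines carry no op= field
        conn, op, verb, rest = m.groups()
        kv = {k: quoted or bare for k, quoted, bare in KV.findall(rest)}
        if verb == "BIND":
            bound[conn] = kv.get("dn", "").lower()
        elif verb == "SRCH" and bound.get(conn) == bind_dn.lower():
            rec = {"base": kv.get("base"), "filter": kv.get("filter"),
                   "filter_attrs": FILTER_ATTR.findall(kv.get("filter", "")),
                   "nentries": None}
            pending[(conn, op)] = rec
            found.append(rec)
        elif verb == "RESULT" and (conn, op) in pending:
            # RESULT closes the SRCH that has the same conn/op pair.
            pending.pop((conn, op))["nentries"] = int(kv.get("nentries", 0))
    return found

if __name__ == "__main__":
    for s in searches_by(SAMPLE_LOG, "uid=vidm,cn=sysaccounts,cn=etc,dc=example,dc=test"):
        print(s["nentries"], s["base"], s["filter"], s["filter_attrs"])
```

On a FreeIPA server the access log is normally `/var/log/dirsrv/slapd-INSTANCE/access`; pass its contents as `log_text` once the buffering delay mentioned above has passed.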
