On Tue, 31 Aug 2021 at 18:32, Rob Crittenden (<[email protected]>) wrote:
>
> Ciro Iriarte via FreeIPA-users wrote:
> >
> > On Tue, Aug 31, 2021, 15:01 Ciro Iriarte <[email protected] <mailto:[email protected]>> wrote:
> > >
> > > On Tue, Aug 31, 2021, 14:11 Rob Crittenden <[email protected] <mailto:[email protected]>> wrote:
> > > >
> > > > Ciro Iriarte via FreeIPA-users wrote:
> > > > > Good afternoon,
> > > > >
> > > > > I'm looking at integrating VMware Identity Manager with FreeIPA and it
> > > > > looks better than vCenter so far because there are options to customize
> > > > > filters and map attributes.
> > > > >
> > > > > The only missing bit seems to be the "domain" attribute that vIDM
> > > > > expects to be present in users & groups. Would that be something that
> > > > > can be accommodated with the stock schemas? I cannot find any
> > > > > reference to it.
> > > >
> > > > The VMware docs that I found are very opaque about what this attribute
> > > > is or should contain. We generally don't recommend re-purposing
> > > > attributes to mean something in a different context because there is no
> > > > guarantee that IPA won't use it for its own purposes in the future.
> > > >
> > > > If you can obtain more information on what the domain attribute is for
> > > > and why it might contain that would be very helpful.
> > > >
> > > > Or hopefully someone else on the list has already done this integration
> > > > and can help out.
> > > >
> > > > rob
> > >
> > > Hello,
> > >
> > > The document mentioning the integration is
> > >
> > > https://docs.vmware.com/en/VMware-Workspace-ONE-Access/19.03/vidm_dir_integration.pdf
> > >
> > > It seems it can be an arbitrary string but many examples show it as
> > > the Kerberos REALM and/or the DNS domain attached to the directory.
> > >
> > > Regards,
> > > CI.-
> >
> > To elaborate a little more, it seems to be used as a filter for user &
> > groups sync/replication.
> >
> > Feels like a funky implementation, I would just use different Base DNs
> > or REALM (I recall it being possible with OpenLDAP, which is used for
> > their generic LDAP integration tests. Not sure about FreeIPA though) or
> > group membership.
> >
> > Tested the integration setting up all the filters & mappings I could,
> > leaving the domain mapping blank led to 0 users & groups imported.
>
> I saw the web equivalent of these docs and they seem pretty thin.
>
> But the fact that you were able to run a query is a good sign. I guess
> what I'd do is stick some obvious value in for the mapping, do a query,
> then check the 389-ds access log to see what the filter looks like. That
> may give us a clue about what to put in there. Note that the 389 log is
> buffered by 30 seconds.
>
> rob
>

Hello!,
I attempted a sync operation; the logs are available here in case you could take a look:

https://pastebin.com/Yzvb6HNe

Couldn't spot anything weird.

Regards,
CI.-
_______________________________________________
FreeIPA-users mailing list -- [email protected]
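
The access-log check suggested in the quoted reply, as an added example that is not part of the thread: it pairs each SRCH line with its RESULT on the same conn/op and reports the filters that returned zero entries. The log lines, bind DN, suffix and filter values below are constructed in 389-ds access-log format and are not the contents of the pastebin.

```python
import re

# Constructed sample in 389-ds access-log format (not taken from the thread).
SAMPLE_LOG = '''\
[31/Aug/2021:18:20:01.101010101 -0400] conn=42 op=0 BIND dn="uid=vidm-bind,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3
[31/Aug/2021:18:20:01.105010101 -0400] conn=42 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000101 optime=0.003900 etime=0.004001 dn="uid=vidm-bind,cn=sysaccounts,cn=etc,dc=example,dc=test"
[31/Aug/2021:18:20:01.210010101 -0400] conn=42 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(&(objectClass=person)(domain=EXAMPLE.TEST))" attrs="uid mail domain"
[31/Aug/2021:18:20:01.212010101 -0400] conn=42 op=1 RESULT err=0 tag=101 nentries=0 wtime=0.000120 optime=0.000400 etime=0.000520
[31/Aug/2021:18:20:02.310010101 -0400] conn=42 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(objectClass=person)" attrs="uid mail"
[31/Aug/2021:18:20:02.315010101 -0400] conn=42 op=2 RESULT err=0 tag=101 nentries=3 wtime=0.000110 optime=0.004000 etime=0.004110
'''

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) filter="(.*?)" attrs=')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?nentries=(\d+)')
# Attribute name at the start of each simple filter component, e.g. "(domain=".
ATTR = re.compile(r'\(([A-Za-z][\w;.-]*)(?:=|~=|>=|<=)')

def searches(log_text):
    """Return one record per completed search: base, scope, filter, err, nentries."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"base": base, "scope": int(scope), "filter": flt}
            continue
        m = RESULT.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            rec = pending.pop((m.group(1), m.group(2)))
            rec["err"], rec["nentries"] = int(m.group(3)), int(m.group(4))
            rec["filter_attrs"] = sorted({a.lower() for a in ATTR.findall(rec["filter"])})
            done.append(rec)
    return done

def empty_searches(log_text):
    """Searches that succeeded (err=0) but matched nothing: the filter is the suspect."""
    return [r for r in searches(log_text) if r["err"] == 0 and r["nentries"] == 0]

if __name__ == "__main__":
    for r in empty_searches(SAMPLE_LOG):
        print(f'0 entries: base={r["base"]} filter={r["filter"]} attrs={r["filter_attrs"]}')
```

On a FreeIPA server the access log is normally at /var/log/dirsrv/slapd-INSTANCE/access (INSTANCE is a placeholder); because the log is buffered, read it some seconds after the sync attempt.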
