Ciro Iriarte wrote:
> On Tue, 31 Aug 2021 at 18:32, Rob Crittenden
> (<[email protected]>) wrote:
>>
>> Ciro Iriarte via FreeIPA-users wrote:
>>>
>>>
>>> On Tue, Aug 31, 2021, 15:01 Ciro Iriarte <[email protected]
>>> <mailto:[email protected]>> wrote:
>>>
>>>
>>>
>>>     On Tue, Aug 31, 2021, 14:11 Rob Crittenden <[email protected]
>>>     <mailto:[email protected]>> wrote:
>>>
>>>         Ciro Iriarte via FreeIPA-users wrote:
>>>         > Good afternoon,
>>>         >
>>>         > I'm looking for integrating VMware Identity Manager with
>>>         FreeIPA and it
>>>         > looks better than vCenter so far because there are options to
>>>         customize
>>>         > filters and map attributes.
>>>         >
>>>         > The only missing bit seems to be the "domain" attribute that vIDM
>>>         > expects to be present in users & groups. Would that be
>>>         something that
>>>         > can be accommodated with the stock schemas? I cannot find any
>>>         > reference to it.
>>>
>>>         The VMWare docs that I found are very opaque about what this
>>>         attribute
>>>         is or should contain. We generally don't recommend re-purposing
>>>         attributes to mean something in a different context because
>>>         there is no
>>>         guarantee that IPA won't use it for its own purposes in the future.
>>>
>>>         If you can obtain more information on what the domain attribute
>>>         is for
>>>         and why it might contain that would be very helpful.
>>>
>>>         Or hopefully someone else on the list has already done this
>>>         integration
>>>         and can help out.
>>>
>>>         rob
>>>
>>>
>>>     Hello,
>>>
>>>     The document mentioning the integration is
>>>     
>>> https://docs.vmware.com/en/VMware-Workspace-ONE-Access/19.03/vidm_dir_integration.pdf
>>>
>>>     It seems it can be an arbitrary string but many examples show it as
>>>     the kerberos REALM and/or the DNS domain attached to the directory.
>>>
>>>     Regards,
>>>     CI.-
>>>
>>>
>>> To elaborate a little more, it seems to be used as a filter for user &
>>> groups sync/replication.
>>>
>>> Feels like a funky implementation, I would just use different Base DNs
>>> or REALM (I recall it being possible with openLDAP, which is used for
>>> their generic LDAP integration tests. Not sure about FreeIPA though) or
>>> group membership.
>>>
>>> Tested the integration setting up all the filters & mappings I could,
>>> leaving the domain mapping blank led to 0 users & groups imported.
>>
>> I saw the web equivalent of these docs and they seem pretty thin.
>>
>> But the fact that you were able to run a query is a good sign. I guess
>> what I'd do is stick some obvious value in for the mapping, do a query,
>> then check the 389-ds access log to see what the filter looks like. That
>> may give us a clue about what to put in there. Note that the 389 log is
>> buffered by 30 seconds.
>>
>> rob
>>
> Hello!
> 
> I attempted a sync operation, the logs are available here in case you
> could take a look:
> 
> https://pastebin.com/Yzvb6HNe
> 
> Couldn't spot anything weird.

In the first query it is trying to discover some information about the
LDAP server in the search for namingContexts. It is using the wrong base
though (the user not the base) so it is getting nothing back. It doesn't
seem to care though as it continues on and searches for the user you are
binding as.

A sysaccount user typically doesn't have half of the attributes it's
looking for and "primarygroupid" doesn't exist in the 389/IPA schema.

Does the VMWare app throw an error after this?

rob
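Rob's suggestion earlier in the thread is to read the 389-ds access log and reconstruct what the client actually asked for. The script below is an added example, not part of this thread and not code from 389-ds, FreeIPA or VMware: it parses constructed access-log lines (invented DNs, connection ids and timestamps, in the SRCH/RESULT line shape 389-ds writes), pairs each SRCH with its RESULT so the entry count is visible, and flags the two things called out in the reply above: a rootDSE attribute such as namingContexts requested against a non-empty base, and filter or requested attributes that are not in a known-attribute list. That list is a hand-picked placeholder here; in practice you would populate it from the server's cn=schema entry.

```python
"""Audit LDAP searches recorded in a 389-ds access log.

Added example for the thread above; the sample log below is constructed
(invented DNs, conn/op numbers and timestamps) and KNOWN_IPA_USER_ATTRS is a
small hand-picked placeholder, not the real IPA schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 389-ds access-log line shapes: "... conn=N op=M SRCH base=... scope=S filter=... attrs=..."
# followed later by "... conn=N op=M RESULT err=E tag=T nentries=K ...".
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)" '
    r'attrs=(?:"(?P<attrs>[^"]*)"|(?P<all>ALL))'
)
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)'
)
# Attribute name on the left of each filter item: (attr=...), (attr>=...), (attr~=...)
FILTER_ATTR_RE = re.compile(r'\((?P<attr>[A-Za-z][A-Za-z0-9.;-]*)(?:[~<>]?=)')

# Operational attributes that only the rootDSE (empty base, scope base) carries.
ROOTDSE_ATTRS = {"namingcontexts", "supportedcontrol", "supportedextension",
                 "supportedldapversion", "vendorname", "vendorversion", "subschemasubentry"}

# Placeholder schema subset (assumption); replace with attributeTypes read from cn=schema.
KNOWN_IPA_USER_ATTRS = {"objectClass", "uid", "cn", "sn", "givenName", "mail",
                        "memberOf", "krbPrincipalName", "uidNumber", "gidNumber"}

# Constructed sample: a sysaccount bind, then three searches resembling a directory sync.
SAMPLE_LOG = """\
[01/Sep/2021:10:15:32.123456789 -0400] conn=12 op=0 BIND dn="uid=vidm,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3
[01/Sep/2021:10:15:32.124000000 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000
[01/Sep/2021:10:15:32.130000000 -0400] conn=12 op=1 SRCH base="uid=vidm,cn=sysaccounts,cn=etc,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[01/Sep/2021:10:15:32.131000000 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0.000
[01/Sep/2021:10:15:32.140000000 -0400] conn=12 op=2 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(&(objectClass=person)(uid=vidm))" attrs="uid cn mail primarygroupid memberOf"
[01/Sep/2021:10:15:32.141000000 -0400] conn=12 op=2 RESULT err=0 tag=101 nentries=0 etime=0.001
[01/Sep/2021:10:15:32.150000000 -0400] conn=12 op=3 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(&(objectClass=person)(domain=EXAMPLE.TEST))" attrs="uid cn mail"
[01/Sep/2021:10:15:32.151000000 -0400] conn=12 op=3 RESULT err=0 tag=101 nentries=0 etime=0.002
"""


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    filter: str
    attrs: List[str]
    err: int = -1        # -1 until the matching RESULT line is seen
    nentries: int = -1


def parse_access_log(text: str) -> List[Search]:
    """Collect SRCH operations and attach the nentries/err of their RESULT line."""
    pending: Dict[Tuple[int, int], Search] = {}
    searches: List[Search] = []
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            attrs = ["ALL"] if m.group("all") else m.group("attrs").split()
            s = Search(int(m.group("conn")), int(m.group("op")), m.group("base"),
                       int(m.group("scope")), m.group("filter"), attrs)
            pending[(s.conn, s.op)] = s
            searches.append(s)
            continue
        m = RESULT_RE.search(line)
        if m:
            s = pending.pop((int(m.group("conn")), int(m.group("op"))), None)
            if s is not None:  # RESULT lines for BIND etc. have no pending SRCH
                s.err = int(m.group("err"))
                s.nentries = int(m.group("nentries"))
    return searches


def filter_attributes(ldap_filter: str) -> List[str]:
    """Lower-cased attribute names referenced by a filter, in order of appearance."""
    return [a.lower() for a in FILTER_ATTR_RE.findall(ldap_filter)]


def audit_searches(searches: List[Search], known_attrs) -> List[Tuple[int, str]]:
    """Return (op, message) findings for suspicious searches."""
    known = {a.lower() for a in known_attrs} | ROOTDSE_ATTRS
    findings: List[Tuple[int, str]] = []
    for s in searches:
        requested = {a.lower() for a in s.attrs if a != "ALL"}
        rootdse = sorted(requested & ROOTDSE_ATTRS)
        if s.base and rootdse:
            findings.append((s.op, f"rootDSE attribute(s) {rootdse} requested with base "
                                   f"{s.base!r}; the rootDSE is only at the empty base"))
        unknown = sorted((requested | set(filter_attributes(s.filter))) - known)
        if unknown:
            findings.append((s.op, f"attribute(s) not in the schema list: {unknown}"))
        if s.err == 0 and s.nentries == 0:
            findings.append((s.op, f"search {s.filter} under {s.base!r} returned 0 entries"))
    return findings


if __name__ == "__main__":
    for op, msg in audit_searches(parse_access_log(SAMPLE_LOG), KNOWN_IPA_USER_ATTRS):
        print(f"op={op}: {msg}")
```

When running this against a real /var/log/dirsrv/slapd-*/access file, keep the buffering caveat from the thread in mind: 389-ds flushes the access log on a timer unless nsslapd-accesslog-logbuffering is turned off, so either wait before reading or disable buffering for the duration of the test.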

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
