Rob Crittenden wrote:
> hello world via FreeIPA-users wrote:
> > Hello All
> >
> > I am trying to connect VMware vCenter Server and FreeIPA, so that FreeIPA will become an identity source for vCenter Server version 7.x.
> > I am using FreeIPA version 4.11.0, which is equipped with 389 Directory Server version 2.4.5.
> >
> > Based on the following official KB from VMware:
> > https://knowledge.broadcom.com/external/article/316480/openldap-schemas-supp...
> >
> > The OpenLDAP schema is RFC4519 compliant.
> > All users have an objectClass of inetOrgPerson.
> > All groups have an objectClass of groupOfUniqueNames.
> > All groups have a group membership attribute of uniqueMember.
> > All users and group objects have entryUUID configured (the objects have a unique GUID and should not be changing).
> >
> > I created the user that vCenter Server will be using in order to create the connection between vCenter Server and FreeIPA (389 Directory Server).
> > The user is: vcenter-user
> >
> > [root@freeipa-01 ~]# ipa user-show vcenter-user
> > User login: vcenter-user
> > First name: vcenter
> > Last name: user
> > Home directory: /home/vcenter-user
> > Login shell: /bin/sh
> > Principal name: [email protected]
> > Principal alias: [email protected]
> > Email address: [email protected]
> > UID: 1695800005
> > GID: 1695800005
> > Account disabled: False
> > Password: True
> > Member of groups: ipausers, ssogroups
> > Kerberos keys available: True
> >
> > # ldapsearch -D "cn=Directory Manager" -y /root/Directory-Manager-Password.txt -p 389 -h usa.internal.com -b "dc=usa,dc=internal,dc=com" "(&(objectclass=groupofnames)(member=uid=vcenter-user,cn=users,cn=accounts,dc=usa,dc=internal,dc=com))"
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=usa,dc=internal,dc=com> with scope subtree
> > # filter: (&(objectclass=groupofnames)(member=uid=vcenter-user,cn=users,cn=accounts,dc=usa,dc=internal,dc=com))
> > # requesting: ALL
> > #
> >
> > # ipausers, groups, accounts, usa.internal.com
> > dn: cn=ipausers,cn=groups,cn=accounts,dc=usa,dc=internal,dc=com
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: nestedgroup
> > objectClass: ipausergroup
> > objectClass: ipaobject
> > description: Default group for all users
> > cn: ipausers
> > ipaUniqueID: e4984308-5a82-11ef-ad10-005056b17439
> > member: uid=john,cn=users,cn=accounts,dc=usa,dc=internal,dc=com
> > member: uid=vcenter-user,cn=users,cn=accounts,dc=usa,dc=internal,dc=com
> >
> > # ssogroups, groups, accounts, usa.internal.com
> > dn: cn=ssogroups,cn=groups,cn=accounts,dc=usa,dc=internal,dc=com
> > cn: ssogroups
> > description: vCenter full access groups
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: nestedgroup
> > objectClass: ipausergroup
> > objectClass: ipaobject
> > objectClass: posixgroup
> > objectClass: ipantgroupattrs
> > ipaUniqueID: 0d6af93c-5b3d-11ef-afed-005056b17439
> > gidNumber: 1695800003
> > ipaNTSecurityIdentifier: S-1-5-21-1714751759-817553993-2692665272-1003
> > member: uid=john,cn=users,cn=accounts,dc=usa,dc=internal,dc=com
> > member: uid=vcenter-user,cn=users,cn=accounts,dc=usa,dc=internal,dc=com
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 3
> > # numEntries: 2
> >
> > Can you assist me with this?
> > Can you tell me what is missing in my configuration?
>
> See this post from a few years ago:
> https://lists.fedoraproject.org/archives/list/[email protected]...
>
> I'm not aware that anything has changed since then.
>
> There have been other posts on this as well, but unfortunately search is currently disabled on the freeipa-users list archive, so finding them is tedious.
>
> rob
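As an added check that is not part of the thread nor code from FreeIPA or VMware, the following Python script parses LDIF such as the ldapsearch output above and reports which of the KB's stated requirements (inetOrgPerson or groupOfUniqueNames, uniqueMember, entryUUID) each entry fails. The FreeIPA group entry is taken from the thread; the OpenLDAP-style group, its DN and its UUID are constructed placeholders.

```python
from collections import defaultdict
# vCenter's requirements as quoted from the Broadcom KB above: users are inetOrgPerson,
# groups are groupOfUniqueNames with uniqueMember, and every object carries entryUUID.
REQUIRED = {  # kind -> (required objectClasses, required attributes), lower-cased
    "user": (("inetorgperson",), ("entryuuid",)),
    "group": (("groupofuniquenames",), ("uniquemember", "entryuuid")),
}

def parse_ldif(text):
    """Parse plain LDIF ('#' comments, folded lines) into dicts of lower-cased attr -> [values]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation of the previous line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        current = current or defaultdict(list)
        name, _, value = line.partition(":")
        current[name.strip().lower()].append(value.strip())
    return entries

def check_entry(entry):
    """Return the vCenter requirements an entry fails; [] means it is acceptable."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    kind = "group" if classes & {"groupofnames", "groupofuniquenames", "posixgroup"} else "user"
    need_classes, need_attrs = REQUIRED[kind]
    problems = [f"missing objectClass {oc}" for oc in need_classes if oc not in classes]
    return problems + [f"missing attribute {a}" for a in need_attrs if a not in entry]

# Group entry as FreeIPA returned it in the ldapsearch above (abridged).
FREEIPA_GROUP = """\
dn: cn=ssogroups,cn=groups,cn=accounts,dc=usa,dc=internal,dc=com
objectClass: groupofnames
ipaUniqueID: 0d6af93c-5b3d-11ef-afed-005056b17439
member: uid=vcenter-user,cn=users,cn=accounts,dc=usa,dc=internal,dc=com
"""
# Constructed OpenLDAP-style group of the shape the KB describes (placeholder DN and UUID).
OPENLDAP_GROUP = """\
dn: cn=vcenter-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
entryUUID: 00000000-0000-4000-8000-000000000000
uniqueMember: uid=alice,ou=people,dc=example,dc=com
"""
```

Feed it the full output of the `ldapsearch` above (with a subtree search over `cn=users` and `cn=groups`) and `check_entry` lists, per entry, exactly what the FreeIPA defaults lack compared with the KB.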
I did my own research with VMware internally, and the root cause why FreeIPA and 389DS (389-DS) are not supported is only that it is not compliant with RFC 4530.

Why would someone use 389 DS if this piece of software is not compliant with RFC 4530?

By the way, I also searched for the ticket that the person in the following link has opened with VMware support:
https://lists.fedoraproject.org/archives/list/[email protected]/thread/IILJF3YJYISDCZZ2G4NPPUO7TQV4M6RR/
and this is clearly because of RFC 4530!!!

389 DS and FreeIPA are a waste of time.

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
