OK. I will check the requirements to write into the wiki.

On 08 Dec 2014 18:36, "Dmitri Pal" <[email protected]> wrote:
> On 12/08/2014 11:44 AM, Gianluca Cecchi wrote:
> > Hello,
> > I finally was able to configure the integration between what is in the subject.
> > I have made basic tests and all seems ok.
> >
> > If anyone wants to test further integration scenarios and also test with
> > vSphere 5.5, he/she can then report here and I will crosscheck eventually.
> >
> > My environment is based on pure vSphere 5.1 that I'm right now using in
> > trial mode with vCenter Server defined as a virtual appliance.
> >
> > NOTE that there is a bug in this version of vSphere regarding OpenLDAP
> > integration in vSphere Web Client, so that you are unable to change Base DN
> > for groups after its initial configuration. In case you need to modify that
> > field, you have to delete and recreate the whole LDAP definition.
> > The bug is solved in vSphere 5.1 Update 1a.
> >
> > As suggested in other threads on this and other lists, I used the slapi-nis
> > (schema compat) plugin.
> > Initially I tested it on CentOS 6.6 with IPA 3.0.0-42 and slapi-nis-0.40-4.
> > I was able to get both users and groups enumeration in vSphere client
> > (using cn=accounts for bind definition), but then no authentication of
> > defined users due to the inability of IPA 3.0 to do bind on the compat tree.
> >
> > I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5,
> > as is indeed provided now in CentOS 7 with:
> >
> > ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
> > slapi-nis-0.52-4.el7.x86_64
> >
> > So I migrated my IPA test server from CentOS 6.6 to another server in
> > CentOS 7.0, following chapter 6 of the detailed guide here (only some
> > typos and use of "systemctl" commands for version 6 that should be read as
> > "service" commands instead):
> >
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> >
> > After the update these were my two ldif files to adapt schema compat entries
> > for vSphere:
> >
> > 1) vsphere_usermod.ldif
> >
> > dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> > changetype: modify
> > add: schema-compat-entry-attribute
> > schema-compat-entry-attribute: objectclass=uniqueMember
> > -
> > add: schema-compat-entry-attribute
> > schema-compat-entry-attribute: objectclass=inetOrgPerson
> > -
> >
> > 2) vsphere_groupmod.ldif
> >
> > dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> > changetype: modify
> > add: schema-compat-entry-attribute
> > schema-compat-entry-attribute: objectclass=groupOfUniqueNames
> > -
> > add: schema-compat-entry-attribute
> > schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> > -
> >
> > Applied with the commands:
> >
> > ldapmodify -x -D "cn=Directory Manager" -f /root/vsphere_usermod.ldif -W
> >
> > and
> >
> > ldapmodify -x -D "cn=Directory Manager" -f /root/vsphere_groupmod.ldif -W
> >
> > Configuration in vSphere Web Client under Identity Sources of
> > Administration --> Sign-On and Discovery --> Configuration
> > was this one:
> >
> > Primary server URL: ldaps://c7server.localdomain.local:636
> > Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
> > Domain name: localdomain.local
> > Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
> > Authentication type: Password
> > Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
> >
> > NOTE: vadmin is a normal IPA user I created only for bind with no ESX
> > permissions (it is only part of the default ipausers IPA group).
> >
> > NOTE: I used ldaps and as certificate I had to use the file
> > /etc/ipa/ca.crt on the IPA server, after copying it to the client where the
> > browser is running and renaming it to ca.cer without any modification at all.
> > vSphere accepted it without any problem.
> >
> > My tests at the moment have been ok both in vSphere fat client (5.1
> > 1471691) and vSphere Web Client (Version 5.1.0 Build 869765). I tried this:
> >
> > - add gcecchi IPA user at top vCenter Server permissions level as a
> >   virtual machine user (sample) default role
> > - verify gcecchi is able to connect both in fat and web clients
> > - edit settings of the vm VC1 and verify that the "add..." button in
> >   the hardware tab is greyed out
> > - add the defined esxpower IPA group at VC1 permissions level granting it
> >   the virtual machine power user (sample) role
> > - logout/login gcecchi and verify nothing changed in his permissions
> > - add gcecchi to the IPA group esxpower
> > - logout/login gcecchi and verify the user now can select the "add..."
> >   button in the hardware tab of VC1
> > - logout gcecchi and remove gcecchi from IPA group esxpower
> > - login as gcecchi in vSphere and verify that now the "add..." button is
> >   disabled again
> > - create an IPA group named esxnestedpower and insert it in the esxpower group
> > - login as gcecchi in vSphere and verify he is still unable to add devices
> > - modify IPA user gcecchi adding him to the esxnestedpower group
> > - logout/login gcecchi from vSphere and verify that now gcecchi is able to
> >   add devices to VC1
> >
> > NOTE: as my tests began in CentOS 6.6, I noticed that the IPA groups
> > created in IPA 3.0 and CentOS 6.6 didn't get the uniqueMember property for
> > their group members... I didn't investigate more, but I noticed that for
> > the system group "admins" and for newly created groups, instead, it was ok...
> >
> > NOTE: after my migration from IPA 3.0 to 3.3 it seems I lost DNA settings,
> > so that group addition failed without explicitly specifying its GID. I
> > solved it as described here, adding the missing dnaNextRange:
> > 1639600001-1639799999:
> > https://www.redhat.com/archives/freeipa-users/2014-December/msg00090.html
> >
> > Screenshot with permissions of VC1:
> >
> > https://drive.google.com/file/d/0BwoPbcrMv8mvdUgwanQzNWpBbkE/view?usp=sharing
> >
> > Some outputs of ldapsearch queries:
> >
> > [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxpower
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree
> > # filter: cn=esxpower
> > # requesting: ALL
> > #
> >
> > # esxpower, groups, compat, localdomain.local
> > dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
> > objectClass: posixGroup
> > objectClass: groupOfUniqueNames
> > objectClass: top
> > gidNumber: 1639600010
> > memberUid: gcecchi
> > uniqueMember: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
> > cn: esxpower
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> >
> > [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxnestedpower
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree
> > # filter: cn=esxnestedpower
> > # requesting: ALL
> > #
> >
> > # esxnestedpower, groups, compat, localdomain.local
> > dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
> > objectClass: posixGroup
> > objectClass: groupOfUniqueNames
> > objectClass: top
> > gidNumber: 1639600012
> > memberUid: gcecchi
> > uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
> > cn: esxnestedpower
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> >
> > [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=users,cn=compat,dc=localdomain,dc=local" uid=gcecchi
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=users,cn=compat,dc=localdomain,dc=local> with scope subtree
> > # filter: uid=gcecchi
> > # requesting: ALL
> > #
> >
> > # gcecchi, users, compat, localdomain.local
> > dn: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
> > objectClass: posixAccount
> > objectClass: uniqueMember
> > objectClass: inetOrgPerson
> > objectClass: extensibleObject
> > objectClass: top
> > objectClass: organizationalPerson
> > objectClass: person
> > gecos: Gianluca Cecchi
> > cn: Gianluca Cecchi
> > uidNumber: 1639600001
> > gidNumber: 1639600001
> > loginShell: /bin/sh
> > homeDirectory: /home/gcecchi
> > uid: gcecchi
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> >
> > Hope that this can help others trying to accomplish vSphere/IPA
> > integration, and feel free to comment as I'm far from an IPA expert and my
> > main approach is RTFM and ask for help... ;-)
> >
> > Gianluca Cecchi
>
> Thank you for a detailed summary!
> Would you mind turning it into a wiki page?
> http://www.freeipa.org/page/HowTos
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
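The following is an added example and not code from the thread or from the FreeIPA project. It reproduces, in Python, the member-DN rewrite that the slapi-nis %regsub expression in vsphere_groupmod.ldif performs, and it runs a sanity check over ldapsearch LDIF output from the compat tree: every uniqueMember a group exposes must point under the user or group base DN that vSphere was configured with, otherwise vSphere cannot resolve the membership (the situation described in the note about groups that never got a uniqueMember attribute, or a member DN still pointing at cn=accounts). The sample LDIF embedded below is constructed: the esxpower and esxnestedpower entries are copied from the thread, the two "legacy" and "oldstyle" groups are made up to show the failure modes. The base DNs are the ones from the thread's vSphere configuration.

```python
"""Added example: mirror the slapi-nis member-DN rewrite and check that
compat-tree groups expose uniqueMember DNs vSphere can resolve."""
import base64
import re

# Base DNs exactly as entered in the vSphere identity source (from the thread).
USERS_BASE = "cn=users,cn=compat,dc=localdomain,dc=local"
GROUPS_BASE = "cn=groups,cn=compat,dc=localdomain,dc=local"

# Python equivalent of %regsub("%{member}","^(.*)accounts(.*)","%1compat%2").
# slapi-nis writes back-references as %1/%2, Python's re uses \1/\2.
# Greedy (.*) means the LAST "accounts" in the DN is replaced, i.e. the
# cn=accounts container; a suffix containing "accounts" would break this,
# which is exactly what check_group_members() would then flag.
MEMBER_RE = re.compile(r"^(.*)accounts(.*)")


def rewrite_member(member_dn):
    """Rewrite a cn=accounts member DN into its cn=compat counterpart."""
    return MEMBER_RE.sub(r"\1compat\2", member_dn)


def parse_ldif(text):
    """Minimal parser for ldapsearch output: drops '#' comments, folds
    RFC 2849 continuation lines, decodes '::' base64 values, and returns
    one {attr: [values]} dict per blank-line-separated record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def in_tree(dn, base):
    """True if dn sits below base (case-insensitive suffix match)."""
    return dn.lower().endswith("," + base.lower())


def check_group_members(ldif_text):
    """Map each compat-tree group DN to the list of problems found:
    uniqueMember values outside USERS_BASE/GROUPS_BASE, a missing
    groupOfUniqueNames objectClass, or memberUid with no uniqueMember."""
    problems = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [None])[0]
        if dn is None or not in_tree(dn, GROUPS_BASE):
            continue  # skip the trailing "search:/result:" record and non-groups
        if "groupOfUniqueNames" not in entry.get("objectClass", []):
            problems[dn] = ["missing objectClass groupOfUniqueNames"]
            continue
        members = entry.get("uniqueMember", [])
        if entry.get("memberUid") and not members:
            problems[dn] = ["memberUid present but no uniqueMember"]
            continue
        problems[dn] = [m for m in members
                        if not (in_tree(m, USERS_BASE) or in_tree(m, GROUPS_BASE))]
    return problems


# Constructed sample: first two entries copied from the thread's ldapsearch
# output, the last two invented to show what the check catches.
SAMPLE_LDIF = """\
# extended LDIF
# base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree

dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600010
memberUid: gcecchi
uniqueMember: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
cn: esxpower

dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600012
memberUid: gcecchi
uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
cn: esxnestedpower

dn: cn=legacy,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600020
memberUid: gcecchi
uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
cn: legacy

dn: cn=oldstyle,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600021
memberUid: gcecchi
cn: oldstyle

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for group, issues in check_group_members(SAMPLE_LDIF).items():
        print(group, "->", issues or "OK")
```

Against a live server the same check runs on the output of ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" (bound as the same low-privilege account vSphere binds with, so the result reflects what vSphere actually sees); a group listed with an un-rewritten cn=accounts member or with no uniqueMember at all is one vSphere will not grant permissions for.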
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
