On 03/04/2015 09:43 AM, re...@hushmail.com wrote:
> Hi,
>
> I've read the thread from Nov and checked out
> http://www.freeipa.org/page/HowTo/vsphere5_integration however I'm
> still having trouble getting vSphere to use FreeIPA as an identity
> source.
>
> I've set the base DN for users and groups, the connection URL and
> username and password, and my vadmin account connects correctly; however,
> when I try to log in as a user (whom I've assigned permissions to) I
> get an authentication error that states it may be caused by a
> malfunctioning identity source.
>
> Also I have modified my LDAP schema as directed in the HOWTO; however
> (and I'm pretty sure this is the root of my problem) I notice that
> when I do an ldapsearch for a group to which I've assigned administrator
> permissions, it does not have the 'uniqueMember' attribute. The
> ldapmodify command seemed to run correctly without any complaints.
>
> Also I'm running FreeIPA 4.1.
>
> Watching the LDAP traffic between the two boxes shows that vCenter is
> binding successfully; however, when it does a search request with the
> following filter:
>
>   Filter: (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local))
>
> it returns no results.
>
> Does anyone have any suggestions?
>
> Cheers,
> Rees
Given that this HOWTO does not use the vanilla Schema Compatibility settings (the FreeIPA Compat Tree by default uses the posixGroup objectclass and the memberUid attribute for user membership), I would check whether the groups really have the right objectclass and uniqueMember generated:

# ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b "cn=groups,cn=compat,dc=localdomain,dc=local"

I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
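The check Martin suggests, carried one step further as an added example (this is not code from the thread, from FreeIPA or from the vSphere HOWTO): save the output of his ldapsearch as LDIF, then have a script evaluate, per group, the two conditions in vCenter's own filter, objectClass=groupOfUniqueNames and a uniqueMember equal to the user's compat-tree DN. A group still in the default compat shape (posixGroup with memberUid) fails both, which is exactly what Rees's empty search result looks like from the server side. The LDIF embedded below is constructed for the example, as are the file name and the `-LLL` form of the search (an OpenLDAP option that strips comments and the version line from the output); the user DN is the one from Rees's captured filter.

```python
"""Audit FreeIPA compat-tree group entries against what vCenter's LDAP identity
source expects (added example; not code from the thread or from FreeIPA).

Feed it the output of Martin's suggested search, e.g.
  ldapsearch -LLL -x -D "$VSPHERE_DN" -w "$VSPHERE_DN_PASSWORD" \
      -b "cn=groups,cn=compat,dc=localdomain,dc=local" > groups.ldif
and it reports every group that vCenter's filter
  (&(objectClass=groupOfUniqueNames)(uniqueMember=<user DN>))
can never match, plus the groups a given user DN would resolve to.
The LDIF below is constructed for the example, not captured from a server.
"""
import base64
import sys

# Constructed sample: one group still in the default compat shape
# (posixGroup + memberUid) and one that carries the attributes vCenter wants.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: top
cn: admins
gidNumber: 1000
memberUid: adminuser

dn: cn=vsphere-admins,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: vsphere-admins
gidNumber: 1001
memberUid: adminuser
uniqueMember: uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local
"""

# The user DN vCenter put into its search filter in the thread.
VCENTER_USER_DN = "uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local"


def parse_ldif(text):
    """Parse ldapsearch -LLL output into a list of (dn, {attr_lower: [values]}).

    Handles folded continuation lines and base64 ('::') values; entries are
    separated by blank lines. Attribute names are lower-cased because LDAP
    attribute types are case-insensitive.
    """
    entries = []
    unfolded = text.replace("\n ", "")  # LDIF folds long lines with a leading space
    for block in unfolded.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#") or line.startswith("version:"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def normalize_dn(dn):
    """Approximate LDAP DN matching: case-insensitive, whitespace around the
    RDN separators ignored. Sufficient for compat-tree DNs like these."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit_groups(entries):
    """Return {group_dn: [problems]} for groups vCenter's filter can never match."""
    report = {}
    for dn, attrs in entries:
        problems = []
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofuniquenames" not in classes:
            problems.append("objectClass groupOfUniqueNames missing (has: %s)"
                            % ", ".join(sorted(classes)))
        if "uniquemember" not in attrs:
            problems.append("uniqueMember attribute missing (memberUid: %s)"
                            % ", ".join(attrs.get("memberuid", [])))
        if problems:
            report[dn] = problems
    return report


def groups_for_user(entries, user_dn):
    """Evaluate vCenter's filter the way the server does: objectClass must
    include groupOfUniqueNames AND uniqueMember must contain the user's DN."""
    want = normalize_dn(user_dn)
    hits = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        members = {normalize_dn(m) for m in attrs.get("uniquemember", [])}
        if "groupofuniquenames" in classes and want in members:
            hits.append(dn)
    return hits


def main(argv):
    # Usage: python audit_compat_groups.py [groups.ldif] [user DN]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LDIF
    user_dn = argv[2] if len(argv) > 2 else VCENTER_USER_DN
    entries = parse_ldif(text)
    for dn, problems in audit_groups(entries).items():
        print("%s\n  - %s" % (dn, "\n  - ".join(problems)))
    print("groups vCenter would resolve for %s: %s"
          % (user_dn, groups_for_user(entries, user_dn) or "none"))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it works on the embedded sample and flags cn=admins on both counts while resolving cn=vsphere-admins for the user; run against a real groups.ldif, an empty "groups vCenter would resolve" line for a user who is supposed to hold a vCenter role points at the same place Martin does, the Schema Compatibility configuration that is meant to emit groupOfUniqueNames and uniqueMember rather than the default posixGroup and memberUid.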