On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
Just to confirm, I should restart the server after I've run the ldapmodify?

Right. It would be the safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the entries from scratch.

Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.

The key here is to see the Directory Server access log, to see what kind of LDAP searches vSphere is doing, and then seeing the actual entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory Studio). With this knowledge, you should just need to update either the Schema Compatibility plugin configuration or the vSphere configuration.

Martin


On 3/5/2015 at 5:44 PM, "Martin Kosek" <mko...@redhat.com> wrote:

Thanks. The configuration looks OK, I wonder why the uniqueMember is not generated for your compat groups - it works on my FreeIPA 4.1.3 server.

Did you restart the Directory Server after you changed the Schema Compatibility plugin?

On 03/05/2015 09:16 AM, re...@hushmail.com wrote:
OK, here is the search result:
# ldapsearch -x -D "cn=Directory Manager" -W -b "cn=config" cn=groups
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: cn=groups
# requesting: ALL
#

# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid}","")
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: dc=localdomain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On 3/5/2015 at 3:54 PM, "Martin Kosek" <mko...@redhat.com> wrote:

On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch:

# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins


On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:

Hi Martin,

Using my vadmin account, "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the search completes successfully and I get a list of my users and groups; however, when I've watched the LDAP queries between vCenter and FreeIPA I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames', which my groups don't seem to contain.

I'm very much an LDAP newbie, but I thought at step two in the vSphere integration HOWTO I modified the groups schema to include that object class?

On 3/4/2015 at 8:32 PM, "Martin Kosek" <mko...@redhat.com> wrote:

Given that this HOWTO does not use the vanilla Schema Compatibility settings (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:

# ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b "cn=groups,cn=compat,dc=localdomain,dc=local"

I expect there will be some problem preventing the LDAP search to succeed. Then we would know where to look next.

Martin


I am also CCing Gialunca who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3, my compat groups now contain the proper uniqueMember attribute and groupOfUniqueNames objectclass.

I am not sure though why users are also updated (mostly a question to Gialunca):
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes also generated - otherwise consuming programs may break if they depend on such attributes to exist. I see that "sn" is missing in my compat user entries.

Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry so that we can see if the uniqueMember attribute is really configured correctly?

Thanks,
Martin
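An added example, not from this thread or from FreeIPA: a small Python checker for captured ldapsearch output that flags objectclasses whose MUST attributes are missing (the uniqueMember and sn problems discussed above) and shows what the thread's %regsub template would produce for a member DN. The sample entry is the admins compat group quoted in the thread; the member DN and the MUST table (from RFC 4519 and RFC 2307) are constructed here.

```python
import re

# Constructed sample: the compat group entry as quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins
"""

# MUST attributes (lower-cased) for the objectclasses the thread touches:
# groupOfUniqueNames and person/inetOrgPerson per RFC 4519, posixGroup per RFC 2307.
MUST = {
    "groupofuniquenames": {"cn", "uniquemember"},
    "inetorgperson": {"cn", "sn"},
    "posixgroup": {"cn", "gidnumber"},
}

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts.
    Folded continuation lines (leading space) are re-joined; comments are skipped."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            cur[last][-1] += raw[1:]          # LDIF fold: append to previous value
            continue
        if raw == "":
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        cur.setdefault(last, []).append(value.strip())
    return entries

def missing_must(entry):
    """Return the MUST attributes an entry claims (via objectClass) but lacks."""
    missing = set()
    for oc in entry.get("objectclass", []):
        missing |= MUST.get(oc.lower(), set()) - set(entry)
    return sorted(missing)

def compat_unique_member(member_dn):
    """Apply the thread's template %regsub("%{member}","^(.*)accounts(.*)","%1compat%2")."""
    return re.sub(r"^(.*)accounts(.*)$", r"\1compat\2", member_dn)
```

Run `missing_must` over each entry from `ldapsearch -b cn=groups,cn=compat,...` to see at a glance which groups still lack uniqueMember.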



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project