On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
Just to confirm I should restart the server after i've run the ldapmodify?

Right. It would be the safer thing to do if you modified the Schema Compatibility config, at least to make sure it re-creates the entries from scratch.

Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.

The key here is to see the Directory Server access log, to see what kind of LDAP searches vSphere is doing, and then to look at the actual entries in FreeIPA with ldapsearch (or any GUI; I use Apache Directory Studio). With this knowledge, you should just need to update either the Schema Compatibility plugin configuration or the vSphere configuration.


On 3/5/2015 at 5:44 PM, "Martin Kosek" <mko...@redhat.com> wrote:

Thanks. The configuration looks OK, I wonder why the uniqueMember is not generated for your compat groups - it works on my FreeIPA 4.1.3

Did you restart the Directory Server after you changed the Schema

On 03/05/2015 09:16 AM, re...@hushmail.com wrote:
OK, here is the search result:
# ldapsearch -x  -D "cn=Directory Manager" -W -b "cn=config"
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <cn=config> with scope subtree
# filter: cn=groups
# requesting: ALL

# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts,
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-restrict-subtree: cn=Schema
schema-compat-restrict-subtree: dc=localdomain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On 3/5/2015 at 3:54 PM, "Martin Kosek" <mko...@redhat.com> wrote:

On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
Oops, I got that wrong, my groups don't show the attribute. Here is an example returned from ldapsearch:

# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:

Hi Martin,

Using my vadmin account, "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the search completes successfully and I get a list of my users and groups; however, when I've watched the LDAP queries between and FreeIPA I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames', which my groups seem to contain.

I'm very much an LDAP newbie, but I thought at step two in the vSphere integration HOWTO I modified the groups schema to that object class?

On 3/4/2015 at 8:32 PM, "Martin Kosek" <mko...@redhat.com>

Given that this HOWTO does not use the vanilla Schema Compatibility settings (FreeIPA Compat Tree by default uses posixGroup objectclass attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:

# ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b

I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.


I am also CCing Gialunca who contributed the HOWTO. I checked again and tried to apply it on my FreeIPA 4.1.3, my compat group now has the proper uniqueMember attribute and groupOfUniqueNames objectclass.

I am not sure though why users are also updated (mostly to Gialunca):
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson

For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes also generated - otherwise consuming programs may break if they rely on such attributes to exist. I see that "sn" is missing in my compat

Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry so that we can see if the uniqueMember attribute is really configured correctly?


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
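The two checks Martin recommends in this thread (read the Directory Server access log to see which searches vSphere sends and what they return, then verify that the compat-tree entries really carry the objectclass and attributes the client filters on) can be done offline. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from the vSphere HOWTO. It pairs each SRCH line with its RESULT line by conn/op and flags searches that succeeded with nentries=0 (the "filter matches nothing" case behind an "identity source may be malfunctioning" style error), and it walks an LDIF dump of the compat tree checking that every groupOfUniqueNames entry has a uniqueMember and every inetOrgPerson entry has the cn and sn that person requires. The log lines, the LDIF entries and the EXPECTED table are constructed for illustration; the MUST list for inetOrgPerson follows RFC 2798/RFC 4519 (person requires cn and sn), and uniqueMember is checked because the thread expects the plugin to generate it, not because the server's schema enforces it.

```python
"""Added example: sanity-check compat-tree entries against what a client's
access-log searches ask for. Not part of the original thread or of FreeIPA."""
import re
from collections import defaultdict

# Constructed 389-ds / Directory Server access-log excerpt (not real data).
SAMPLE_ACCESS_LOG = """\
[06/Mar/2015:02:24:05 +0000] conn=12 op=2 SRCH base="cn=compat,dc=localdomain,dc=local" scope=2 filter="(&(objectClass=groupOfUniqueNames)(cn=*))" attrs="cn uniqueMember"
[06/Mar/2015:02:24:05 +0000] conn=12 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[06/Mar/2015:02:24:05 +0000] conn=12 op=3 SRCH base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2 filter="(uid=vadmin)" attrs="ALL"
[06/Mar/2015:02:24:05 +0000] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Constructed LDIF resembling the compat entries shown in the thread (no sn,
# no uniqueMember) so that both checks below have something to report.
SAMPLE_COMPAT_LDIF = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

dn: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
uid: vadmin
cn: vadmin
uidNumber: 756200001
gidNumber: 756200001
homeDirectory: /home/vadmin
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)')


def empty_searches(log_text):
    """Return (base, filter) for each search that completed with err=0 but
    matched no entries: the client got a clean answer that was simply empty."""
    pending = {}   # (conn, op) -> (base, filter) until its RESULT arrives
    empties = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, filt = m.groups()
            pending[(conn, op)] = (base, filt)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            if (conn, op) in pending and err == "0" and nentries == "0":
                empties.append(pending[(conn, op)])
    return empties


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded
    continuation lines (leading space) re-joined, attribute names lower-cased.
    Base64 values ('::') are skipped; they are not needed for this check."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


# Assumed expectations: cn/sn are MUST for inetOrgPerson via person (RFC 4519);
# uniqueMember is what the HOWTO in the thread expects the plugin to emit.
EXPECTED = {
    "groupofuniquenames": ["cn", "uniquemember"],
    "inetorgperson": ["cn", "sn"],
}


def check_entries(entries):
    """Return (dn, objectclass, missing attribute) for every unmet expectation."""
    problems = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        for oc, needed in EXPECTED.items():
            if oc in classes:
                for attr in needed:
                    if not e.get(attr):
                        problems.append((e["dn"][0], oc, attr))
    return problems


if __name__ == "__main__":
    for base, filt in empty_searches(SAMPLE_ACCESS_LOG):
        print(f"search returned nothing: base={base} filter={filt}")
    for dn, oc, attr in check_entries(parse_ldif(SAMPLE_COMPAT_LDIF)):
        print(f"{dn}: objectClass {oc} present but {attr} missing")
```

Run against a real system, replace SAMPLE_ACCESS_LOG with the relevant slice of /var/log/dirsrv/slapd-INSTANCE/access and SAMPLE_COMPAT_LDIF with the output of an ldapsearch under cn=compat (in LDIF form); the empty-search list tells you which filter vSphere is sending, and the entry check tells you which generated attribute the Schema Compatibility configuration is still not producing.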
