Thanks. The configuration looks OK; I wonder why the uniqueMember is not generated for your compat groups - it works on my FreeIPA 4.1.3 server.
Did you restart the Directory Server after you changed the Schema Compatibility plugin?
On 03/05/2015 09:16 AM, [email protected] wrote:
Ok, here is the search result:
# ldapsearch -x -D "cn=Directory Manager" -W -b "cn=config" cn=groups
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: cn=groups
# requesting: ALL
#
# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts,dc=localdomain,dc=local
schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid}","")
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: dc=localdomain,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
On 3/5/2015 at 3:54 PM, "Martin Kosek" <[email protected]> wrote:
On 03/05/2015 02:37 AM, [email protected] wrote:
Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch:
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins
On 3/5/2015 at 9:15 AM, [email protected] wrote:
Hi Martin,
Using my vadmin account, "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the search completes successfully and I get a list of my users and groups. However, when I've watched the LDAP queries between vCenter and FreeIPA I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames', which my groups don't seem to contain.
I'm very much an LDAP newbie, but I thought at step two in the vSphere integration HOWTO I modified the groups schema to include that object class?
On 3/4/2015 at 8:32 PM, "Martin Kosek" <[email protected]> wrote:
Given that this HOWTO does not use the vanilla Schema Compatibility settings (FreeIPA Compat Tree by default uses the posixGroup objectclass and the memberUid attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:
# ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b "cn=groups,cn=compat,dc=localdomain,dc=local"
I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.
Martin
I am also CCing Gialunca who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3; my compat groups now contain the proper uniqueMember attribute and groupOfUniqueNames objectclass.
I am not sure though why users are also updated (mostly a question to Gialunca):
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-
For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes generated as well - otherwise consuming programs may break if they depend on such attributes existing. I see that "sn" is missing in my compat user entries.
Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry so that we can see if the uniqueMember attribute is really configured correctly?
Thanks,
Martin
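As an added example, not code from this thread, the HOWTO, or the FreeIPA project: a small Python checker for the two things the thread keeps coming back to. It parses ldapsearch LDIF output (including folded continuation lines), emulates the uniqueMember regsub rule from the quoted cn=groups plugin entry, and reports compat entries whose objectClasses lack the attributes the thread expects (uniqueMember for groupOfUniqueNames, sn for inetOrgPerson) or that list an attribute type such as uniqueMember as an objectClass. The LDIF sample inside is constructed after the entries quoted above; the required-attribute table, the list of attribute-types-that-are-not-classes, and the behaviour on a member DN that does not contain "accounts" are this example's own assumptions, not documented plugin behaviour.

```python
"""Audit FreeIPA compat-tree LDIF for the problems discussed in the thread.

Added example; not from the mailing-list thread or the FreeIPA project.
The sample LDIF at the bottom is constructed after the quoted entries.
"""
import re
from collections import defaultdict

# Attributes an entry is expected to carry for each objectClass discussed
# in the thread (cn/sn for inetOrgPerson come from its person superclass).
# Assumption of this example, following RFC 2256 / RFC 2798.
REQUIRED_ATTRIBUTES = {
    "groupofuniquenames": {"cn", "uniquemember"},
    "inetorgperson": {"cn", "sn"},
    "posixgroup": {"cn", "gidnumber"},
}

# Attribute types sometimes pasted where an objectClass is expected
# (the HOWTO's "objectclass=uniqueMember" is the case from the thread).
NOT_OBJECTCLASSES = {"uniquemember", "memberuid", "member"}

# Emulates the plugin rule from the quoted config:
#   uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
REGSUB_PATTERN = re.compile(r"^(.*)accounts(.*)")


def compat_unique_member(member_dn):
    """Rewrite an accounts-tree member DN into its compat-tree DN.

    Returns None when the DN has no 'accounts' component; what the real
    plugin emits for a non-matching DN is not covered by the thread, so
    that branch is this example's choice.
    """
    m = REGSUB_PATTERN.match(member_dn)
    if not m:
        return None
    return f"{m.group(1)}compat{m.group(2)}"


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr: [values]} dicts.

    Attribute names are lower-cased, '#' comment lines are skipped and
    folded lines (leading space) are joined to the previous line.
    Base64 ('::') values are not handled.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return the list of problems found in one parsed entry."""
    problems = []
    for cls in sorted(c.lower() for c in entry.get("objectclass", [])):
        if cls in NOT_OBJECTCLASSES:
            problems.append(f"'{cls}' is an attribute type, not an objectClass")
            continue
        for attr in sorted(REQUIRED_ATTRIBUTES.get(cls, ())):
            if attr not in entry:
                problems.append(f"objectClass {cls} requires missing attribute {attr}")
    return problems


def audit(text):
    """Map each entry's dn to its list of problems (empty when clean)."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}


# Constructed sample: the admins group as quoted (no uniqueMember), a clean
# group with a folded uniqueMember line, and a user carrying the HOWTO's
# invalid "uniqueMember" objectclass and no sn.
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

dn: cn=editors,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200001
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: editors
uniqueMember: uid=admin,cn=users,cn=compat,
 dc=localdomain,dc=local

dn: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
uid: vadmin
cn: vadmin
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: uniqueMember
objectClass: top
"""

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```

To run it against a live server, pipe the output of the ldapsearch from the thread into `audit()` instead of `SAMPLE_LDIF`; an empty problem list for every group entry is what the vSphere-side filter on objectClass=groupOfUniqueNames needs to find a member list.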