On 03/06/2015 08:35 AM, Alexander Bokovoy wrote:
On Fri, 06 Mar 2015, Martin Kosek wrote:
On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
Just to confirm I should restart the server after I've run the ldapmodify?


Right. It would be the safer thing to do, if you modified the Schema
Compatibility config. At least to make sure it re-creates the entries from
scratch.

Also I've used ldapmodify to remove the 'uniqueMember' object class from
the compat schema and added the 'sn=%{sn}' attribute and I still am having
no luck. I get the same 'identity source may be malfunctioning' error from
vSphere.

The key here is to see the Directory Server access log, to see what kind of
LDAP searches vSphere is doing and then seeing the actual entries in FreeIPA
with ldapsearch (or any GUI, I use Apache Directory Studio). With this
knowledge, you should just need to update either the Schema Compatibility
plugin configuration or vSphere configuration.
Note also that in 4.1 we have ACIs that only give access to certain
attributes within the compat tree and not all of them. Adding a new
attribute requires adding an ACI to allow serving it.

If this is an issue, you'd see the difference when accessing as
cn=Directory Manager or as any other authenticated bind.

Very good point Alexander! I unfortunately did my tests either as admin or DM. I updated the HOWTO with the new step that fixed it for me.

http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update

So reesb, after the update above, you should get it working.

Martin
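As an added example (not code from the thread or from the FreeIPA project), a small shell helper for the check Alexander describes: compare what the compat tree returns to cn=Directory Manager with what it returns to an ordinary authenticated bind, so any attribute missing from the second view is one the compat-tree ACIs are not serving. The host, DNs and the two LDIF samples are constructed placeholders.

```shell
#!/bin/sh
# Compat-tree ACI check (added example, constructed data).
# Live use (needs an IPA server): capture both views, then diff them.
#   ldapsearch -LLL -x -D 'cn=Directory Manager' -W \
#       -b 'cn=users,cn=compat,dc=example,dc=com' '(uid=jdoe)' > dm.ldif
#   ldapsearch -LLL -x -D 'uid=svc,cn=users,cn=accounts,dc=example,dc=com' -W \
#       -b 'cn=users,cn=compat,dc=example,dc=com' '(uid=jdoe)' > bind.ldif
#   hidden_attrs "$(cat dm.ldif)" "$(cat bind.ldif)"

# Constructed sample: the compat entry as seen by cn=Directory Manager ...
DM_LDIF='dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe'

# ... and as seen by an ordinary authenticated bind (sn not served).
BIND_LDIF='dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
cn: John Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe'

# attr_names LDIF -> sorted, unique attribute names present (dn excluded)
attr_names() {
    printf '%s\n' "$1" | awk -F': ' '/^[^ ]+: / && $1 != "dn" {print $1}' | sort -u
}

# hidden_attrs DM_LDIF BIND_LDIF -> attributes only the DM view contains,
# i.e. the ones an ACI would have to expose for the bind account
hidden_attrs() {
    dm_attrs=$(attr_names "$1")
    bind_attrs=$(attr_names "$2")
    printf '%s\n' "$dm_attrs" | while read -r name; do
        printf '%s\n' "$bind_attrs" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

hidden_attrs "$DM_LDIF" "$BIND_LDIF"   # prints: sn
```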

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
