Afternoon,

I'm currently attempting to set up an existing vSphere environment to use 
FreeIPA 4.1.0 for authentication, following this guide:

http://www.freeipa.org/page/HowTo/vsphere5_integration

I've followed it all through, and for the purposes of testing, I've created a 
user called sam that's a member of a group called samtest:

[root@ldap1 ~]# ldapsearch -x -D 
"uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w 
passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" 
cn=samtest
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope 
subtree
# filter: cn=samtest
# requesting: ALL
#

# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=sam,cn=users,cn=compat,dc=example,dc=hostname,dc=co,dc=
 uk
cn: samtest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


With only sam in the samtest group, the uniqueMember attribute that vSphere 
seems to depend on displays fine, and you can log into vSphere as the sam user 
if samtest has been given the correct permissions.

The issue arises when a second user (chris) is added to the samtest group.

[root@ldap1 ~]# ldapsearch -x -D 
"uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w 
passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" 
cn=samtest
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope 
subtree
# filter: cn=samtest
# requesting: ALL
#

# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
cn: samtest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This causes the uniqueMember attribute to not display for either sam or chris, 
and neither user can access vSphere. However, if sam is removed from samtest, 
then uniqueMember is once again shown:

[root@ldap1 ~]# ldapsearch -x -D 
"uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w 
passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" 
cn=samtest
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope 
subtree
# filter: cn=samtest
# requesting: ALL
#

# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=chris,cn=users,cn=compat,dc=example,dc=hostname,dc=co,d
 c=uk
cn: samtest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


If anyone could shed any light on this behaviour, or point out any flaws in my 
logic/understanding, it would be greatly appreciated. 

Kind regards,

Sam

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
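The check below is an added example, not code from the post above or from the FreeIPA project. It parses the LDIF that `ldapsearch -x` prints for the compat groups subtree (unfolding the wrapped attribute lines, as seen in the quoted output where a long uniqueMember DN continues on a second line starting with a space) and compares each group's uniqueMember DNs against the members you expect, so a group that has silently lost its uniqueMember values shows up as a list of missing uids instead of a failed vSphere login. The expected membership is assumed to be supplied by hand (for instance from `ipa group-show samtest`); the two LDIF samples are constructed from the outputs quoted in the post, and the group and user names are the post's own.

```python
"""Report FreeIPA compat-tree groups whose uniqueMember values are missing.

Example code, not part of the FreeIPA project. Feed it the LDIF printed by
`ldapsearch -x ... -b cn=groups,cn=compat,<base>` on stdin ("-"), or run it
without arguments to use the constructed samples below.
"""
import base64
import re
import sys

# Constructed from the post: one member present, uniqueMember shown (folded DN).
SAMPLE_ONE_MEMBER = """\
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope subtree
# filter: cn=samtest
# requesting: ALL
#

# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=sam,cn=users,cn=compat,dc=example,dc=hostname,dc=co,dc=
 uk
cn: samtest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed from the post: two members in the group, no uniqueMember at all.
SAMPLE_NO_MEMBERS = """\
# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
cn: samtest

# search result
search: 2
result: 0 Success
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a line beginning with one space continues
    the previous line) and drop ldapsearch '#' comments. Blank lines are kept
    because they separate entries."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.startswith("#"):
            continue
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return a list of entries, each a dict attribute -> list of values
    (the 'dn' attribute included). Handles 'attr:: base64' values."""
    entries, entry = [], {}
    for line in unfold_ldif(text):
        if not line.strip():
            if entry.get("dn"):
                entries.append(entry)
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    if entry.get("dn"):  # trailing entry without a closing blank line
        entries.append(entry)
    return entries


def uid_from_dn(dn):
    """Pull the uid RDN value out of a member DN such as uid=sam,cn=users,..."""
    match = re.match(r"\s*uid=([^,]+)", dn, re.IGNORECASE)
    return match.group(1) if match else dn


def compat_group_members(ldif_text):
    """Map group cn -> set of member uids exposed via uniqueMember."""
    groups = {}
    for entry in parse_entries(ldif_text):
        if "groupOfUniqueNames" not in entry.get("objectClass", []):
            continue
        groups[entry["cn"][0]] = {uid_from_dn(d) for d in entry.get("uniqueMember", [])}
    return groups


def missing_members(ldif_text, expected):
    """expected: {group cn: set of uids that should be members}.
    Returns {cn: sorted uids absent from the compat view}; empty dict if all present."""
    seen = compat_group_members(ldif_text)
    missing = {}
    for cn, uids in expected.items():
        gap = uids - seen.get(cn, set())
        if gap:
            missing[cn] = sorted(gap)
    return missing


if __name__ == "__main__":
    expected = {"samtest": {"sam", "chris"}}  # what `ipa group-show samtest` lists
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        print(missing_members(sys.stdin.read(), expected))
    else:
        for label, ldif in (("one member", SAMPLE_ONE_MEMBER), ("two members", SAMPLE_NO_MEMBERS)):
            print(label, "->", compat_group_members(ldif), "missing:", missing_members(ldif, expected))
```

Run it as `ldapsearch -x -D "<bind dn>" -w "<password>" -b "cn=groups,cn=compat,<base>" cn=samtest | python3 check_compat.py -` against the live server; on the quoted samples it reports `{'samtest': {'sam'}}` for the first case and `{'samtest': ['chris', 'sam']}` missing for the second.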