Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source
I've updated the ACIs but am still getting the same error as before. I am guessing this is probably related to the same issue in the other concurrent vSphere 5.5 email thread that is going. I'll just keep my eye on that to see the resolution.

On 3/6/2015 at 3:45 PM, Martin Kosek mko...@redhat.com wrote:
> On 03/06/2015 08:35 AM, Alexander Bokovoy wrote:
>> On Fri, 06 Mar 2015, Martin Kosek wrote:
>>> On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
>>>> Just to confirm, I should restart the server after I've run the ldapmodify?
>>>
>>> Right. It would be the safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the entries from scratch.
>>>
>>>> Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.
>>
>> The key here is to see the Directory Server access log, to see what kind of LDAP searches vSphere is doing, and then seeing the actual entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory Studio). With this knowledge, you should just need to update either the Schema Compatibility plugin configuration or the vSphere configuration.
>>
>> Note also that in 4.1 we have ACIs that only give access to certain attributes within the compat tree and not all of them. Adding a new attribute requires adding an ACI to allow serving it. If this is an issue, you'd see the difference when accessing as cn=Directory Manager or as any other authenticated bind.
>
> Very good point Alexander! I unfortunately did my tests either as admin or DM. I updated the HOWTO with the new step that fixed it for me.
>
> http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
>
> So reesb, after the update above, you should get it working.
>
> Martin

-- 
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
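Alexander's first suggestion in the message above is to read the Directory Server access log and see which searches vSphere actually issues before touching the Schema Compatibility plugin again. The script below is an added example for this thread, not code from the list or from FreeIPA: it parses 389-ds style access-log lines, ties every SRCH to the DN that was bound on that connection, pulls the result count from the matching RESULT line, and flags searches that came back empty. The log lines, the vSphere bind DN uid=vsphere,cn=sysaccounts,cn=etc,dc=localdomain,dc=local and the filters are constructed for the example.

```python
"""Extract the LDAP searches a given bind DN issues from a 389 Directory Server
access log (FreeIPA's backend), so the Schema Compatibility configuration can be
matched against what vSphere really asks for.

Added example for this thread, not code from the list or from FreeIPA.  The log
lines are constructed to look like 389-ds access-log entries; the vSphere bind
DN and the filters are assumptions."""
import re
import sys
from collections import defaultdict

# Constructed sample (assumption): one vSphere connection binds as its service
# account, searches users, then searches groups with the groupOfUniqueNames
# filter and gets nothing back; a second connection is Directory Manager.
SAMPLE_LOG = """\
[06/Mar/2015:10:01:02 +0000] conn=1234 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.10
[06/Mar/2015:10:01:02 +0000] conn=1234 op=0 BIND dn="uid=vsphere,cn=sysaccounts,cn=etc,dc=localdomain,dc=local" method=128 version=3
[06/Mar/2015:10:01:02 +0000] conn=1234 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=vsphere,cn=sysaccounts,cn=etc,dc=localdomain,dc=local"
[06/Mar/2015:10:01:03 +0000] conn=1234 op=1 SRCH base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2 filter="(&(objectClass=inetOrgPerson)(uid=vadmin))" attrs="uid cn sn mail"
[06/Mar/2015:10:01:03 +0000] conn=1234 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[06/Mar/2015:10:01:03 +0000] conn=1234 op=2 SRCH base="cn=groups,cn=compat,dc=localdomain,dc=local" scope=2 filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local))" attrs="cn uniqueMember"
[06/Mar/2015:10:01:03 +0000] conn=1234 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[06/Mar/2015:10:02:00 +0000] conn=1235 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[06/Mar/2015:10:02:00 +0000] conn=1235 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[06/Mar/2015:10:02:01 +0000] conn=1235 op=1 SRCH base="cn=groups,cn=compat,dc=localdomain,dc=local" scope=2 filter="(objectClass=groupOfUniqueNames)" attrs=ALL
[06/Mar/2015:10:02:01 +0000] conn=1235 op=1 RESULT err=0 tag=101 nentries=7 etime=0
"""

# "[timestamp] conn=N op=M <rest>"; connection-open lines carry no op= and are skipped
LINE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
# key=value pairs; quoted values may contain spaces and '=' (filters, DNs)
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def kv(rest):
    return {k: v.strip('"') for k, v in KV.findall(rest)}


def searches_by_bind(log_text):
    """Return {bind_dn: [search, ...]}; each search carries base, scope, filter,
    attrs, and err/nentries taken from the RESULT line of the same conn/op."""
    bind_of_conn = {}           # conn id -> DN bound on that connection
    pending = {}                # (conn, op) -> SRCH waiting for its RESULT
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, op, rest = m.group('conn', 'op', 'rest')
        if rest.startswith('BIND '):
            bind_of_conn[conn] = kv(rest).get('dn') or '<anonymous>'
        elif rest.startswith('SRCH '):
            d = kv(rest)
            pending[(conn, op)] = {k: d.get(k) for k in ('base', 'scope', 'filter', 'attrs')}
        elif rest.startswith('RESULT ') and (conn, op) in pending:
            d = kv(rest)
            search = pending.pop((conn, op))
            search['err'] = int(d.get('err', -1))
            search['nentries'] = int(d.get('nentries', -1))
            out[bind_of_conn.get(conn, '<anonymous>')].append(search)
    return dict(out)


def zero_result_searches(log_text, bind_dn):
    """(base, filter) of every search by bind_dn that returned no entries: the
    first place to look when a client reports a malfunctioning identity source."""
    return [(s['base'], s['filter'])
            for s in searches_by_bind(log_text).get(bind_dn, []) if s['nentries'] == 0]


if __name__ == '__main__':
    # Real use: python3 this.py < /var/log/dirsrv/slapd-<INSTANCE>/access
    # (the default 389-ds log location is an assumption); otherwise the sample runs.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for dn, searches in searches_by_bind(text).items():
        print(f'bind {dn}')
        for s in searches:
            flag = '  <-- no entries' if s['nentries'] == 0 else ''
            print(f"  base={s['base']} filter={s['filter']} attrs={s['attrs']} nentries={s['nentries']}{flag}")
```

On the sample, the vSphere bind's group search with filter (&(objectClass=groupOfUniqueNames)(uniqueMember=...)) is reported with nentries=0 while Directory Manager's plain groupOfUniqueNames search returns entries, which is exactly the symptom of an attribute the compat plugin generates but an ACI does not serve to the service account.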
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source
Ok here is the search result;

# ldapsearch -x -D "cn=Directory Manager" -W -b cn=config cn=groups
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: cn=groups
# requesting: ALL
#

# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
schema-compat-entry-attribute: %ifeq(ipaanchoruuid,%{ipaanchoruuid},objectclass=ipaOverrideTarget,)
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r(member,uid)
schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid},)
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},objectclass=ipaOverrideTarget,)
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: dc=localdomain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On 3/5/2015 at 3:54 PM, Martin Kosek mko...@redhat.com wrote:
> On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
>> [...]
>
> I am also CCing Gialunca who contributed the HOWTO.
>
> I checked it again and tried to apply it on my FreeIPA 4.1.3, my compat group now contains the proper uniqueMember attribute and groupOfUniqueNames objectclass.
>
> I am not sure though why users are also updated (mostly a question to Gialunca):
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
> For instance, uniqueMember is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes also generated - otherwise consuming programs may break if they depend on such attributes to exist. I see that sn is missing in my compat user entries.
>
> Can you show the cn=groups,cn=Schema Compatibility,cn=plugins,cn=config entry so that we can see if the uniqueMember attribute is really configured correctly?
>
> Thanks,
> Martin
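Two checks fall out of Martin's remarks in this message (an objectClass such as inetOrgPerson promises MUST attributes that the compat plugin has to generate, and groupOfUniqueNames is only useful if uniqueMember really appears) and of Alexander's later point at the top of the page that FreeIPA 4.1 ACIs expose only certain compat-tree attributes, so the Directory Manager view and the vSphere bind's view can differ. The script below is an added example, not code from the thread or from FreeIPA: it reads two LDIF dumps of the compat tree, reports entries missing the MUST attributes their objectClasses imply, and lists attributes visible to the privileged bind but not to the limited one. The two dumps are constructed to mimic the two ldapsearch runs; the vadmin user entry and its attribute values are invented for the example, and the folded uniqueMember line shows the LDIF continuation that garbled the output earlier in this thread.

```python
"""Lint FreeIPA compat-tree entries for what a consumer like vSphere expects, and
diff the attributes a privileged bind sees against the attributes a limited bind
(the vSphere service account) sees.

Added example for this thread, not code from the list or from FreeIPA.  Both LDIF
dumps below are constructed; entry values are assumptions."""
import sys

# MUST attributes per objectClass as far as this check cares (lower-cased):
# groupOfUniqueNames requires uniqueMember; inetOrgPerson inherits sn and cn from person.
MUST = {
    'groupofuniquenames': {'uniquemember'},
    'inetorgperson': {'sn', 'cn'},
    'posixgroup': {'gidnumber'},
}

# Constructed: what `ldapsearch -x -LLL -D "cn=Directory Manager" -W -b cn=compat,...`
# might return.  The second uniqueMember value is folded over two lines as LDIF does.
DM_VIEW = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
cn: admins
gidNumber: 75620
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
uniqueMember: uid=vadmin,cn=users,cn=compat,dc=localdo
 main,dc=local

dn: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
uid: vadmin
cn: vSphere Admin
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
"""

# Constructed: the same search bound as the vSphere account before the ACI update;
# the ACI does not serve uniqueMember, so the group arrives without it.
VSPHERE_VIEW = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
cn: admins
gidNumber: 75620
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top

dn: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
uid: vadmin
cn: vSphere Admin
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading single space),
    skips comments, returns {dn: {attr_lowercase: [values]}}.  Base64 ('::')
    values are not handled; the compat tree does not need them here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]          # fold onto the previous line
        else:
            lines.append(raw)
    entries, cur = {}, None
    for line in lines + ['']:             # trailing '' flushes the last entry
        if not line.strip():
            if cur is not None:
                entries[cur['dn']] = cur['attrs']
                cur = None
            continue
        if line.startswith('#'):
            continue
        key, _, val = line.partition(':')
        key, val = key.strip().lower(), val.strip()
        if key == 'dn':
            cur = {'dn': val, 'attrs': {}}
        elif cur is not None:
            cur['attrs'].setdefault(key, []).append(val)
    return entries


def missing_must(entries):
    """{dn: {attr}} for entries whose objectClasses promise attributes they lack;
    this is the consumer-breaking case Martin describes (inetOrgPerson without sn)."""
    problems = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get('objectclass', [])}
        need = set().union(*(MUST.get(c, set()) for c in classes))
        missing = {a for a in need if a not in attrs}
        if missing:
            problems[dn] = missing
    return problems


def hidden_attributes(privileged, limited):
    """Attributes in the privileged view that the limited bind does not receive:
    with 4.1-style compat-tree ACIs, these are the ones an ACI must still allow."""
    diff = {}
    for dn, attrs in privileged.items():
        if dn not in limited:
            diff[dn] = {'<entry not visible>'}
            continue
        hidden = {a for a in attrs if a not in limited[dn]}
        if hidden:
            diff[dn] = hidden
    return diff


if __name__ == '__main__':
    # Real use: python3 this.py dm.ldif vsphere.ldif (two saved ldapsearch -LLL outputs)
    if len(sys.argv) == 3:
        dm, vs = (parse_ldif(open(p).read()) for p in sys.argv[1:3])
    else:
        dm, vs = parse_ldif(DM_VIEW), parse_ldif(VSPHERE_VIEW)
    for dn, miss in missing_must(dm).items():
        print('MUST attribute missing even for Directory Manager:', dn, sorted(miss))
    for dn, hid in hidden_attributes(dm, vs).items():
        print('served to Directory Manager but hidden from limited bind:', dn, sorted(hid))
```

Run against real output, a group that shows uniqueMember only in the Directory Manager dump points at the ACI, not at the Schema Compatibility configuration; a user entry flagged for sn means the inetOrgPerson objectClass was added without generating its MUST attributes.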
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source
Just to confirm, I should restart the server after I've run the ldapmodify?

Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.

On 3/5/2015 at 5:44 PM, Martin Kosek mko...@redhat.com wrote:
> Thanks. The configuration looks OK, I wonder why the uniqueMember is not generated for your compat groups - it works on my FreeIPA 4.1.3 server. Did you restart the Directory Server after you changed the Schema Compatibility plugin?
>
> On 03/05/2015 09:16 AM, re...@hushmail.com wrote:
>> Ok here is the search result;
>> [...]
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source
Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute.

Here is an example returned from ldapsearch;

# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 75620
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:
> [...]
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source
Hi Martin,

Using my vadmin account, uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local, the search completes successfully and I get a list of my users and groups; however, when I've watched the LDAP queries between vCenter and FreeIPA I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames' which my groups don't seem to contain. I'm very much an LDAP newbie but I thought at step two in the vSphere integration HOWTO I modified the groups schema to include that object class?

On 3/4/2015 at 8:32 PM, Martin Kosek wrote:
> Given that this HOWTO does not use the vanilla Schema Compatibility settings (the FreeIPA Compat Tree by default uses the posixGroup objectclass and memberUid attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:
>
> # ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b cn=groups,cn=compat,dc=localdomain,dc=local
>
> I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.
>
> Martin