Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-10-06 Thread Ryan Belgrave
Herwono W Wijaya writes:

> Tomorrow I will try to capture Univention LDAP traffic with
> wireshark, and if possible I will try also this FreeIPA with vCenter
> 6. Since I became one of the private beta testers so I had vCenter


Any updates on this? I am getting the same issue in vCenter 6 with IPA 4.1.0
on CentOS 7. The realm access logs seem fine, no errors showing, and doing the
search vCenter is doing manually works perfectly. However vCenter is still
logging errors with control not found.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya

FreeIPA logs:
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base=cn=users,cn=compat,dc=server,dc=local scope=2 filter=(objectClass=inetOrgPerson) attrs=uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P

[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

vCenter SSO error:
Error: Idm client exception: Control not found

On 3/6/15 8:45 PM, Herwono W Wijaya wrote:
sorry my mistake, okay I'll check slapd log files and try to figure 
out what happened


On 3/6/15 8:43 PM, Martin Kosek wrote:
This is the directory on the FreeIPA server that vCenter is
authenticating users against.


On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:

there is no directory /var/log/dirsrv/ in 5.5u2b version

On 3/6/15 8:34 PM, Gianluca Cecchi wrote:

On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:

Ah, I am not sure what control do they mean.

But in general, it is always interesting to check the LDAP access
logs to see the last failed request and then try the same search with
ldapsearch and fix things.

Martin


see my previous e-mail:

/var/log/dirsrv/slapd-REALM-NAME/

contains the logs and you will see which kind of queries vSphere is doing.

Gianluca


--
Regards, Herwono W Wijaya https://linuxcoding.org | VMware vExpert 2014, 2015
https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769username=herwonowr


Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Martin Kosek

Ah, I am not sure what control they mean.

But in general, it is always interesting to check the LDAP access logs to
see the last failed request and then try the same search with ldapsearch and
fix things.


Martin

On 03/06/2015 02:09 PM, Herwono W Wijaya wrote:

Gianluca's method is not working for me, I always get this error

Error: Idm client exception: control not found

and also try using this:
http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update

On 3/6/15 7:49 PM, Martin Kosek wrote:

I am glad you have it working. However, I would like to discourage this
other method, as this way you would need to maintain the uniqueMember attribute
yourself. FreeIPA only maintains the member attribute.

I would recommend using Gianluca's method in
http://www.freeipa.org/page/HowTo/vsphere5_integration

taking users and groups from the compat tree. This way, you will have
uniqueMember populated when you make changes to the group using the FreeIPA CLI or UI.

If it was not working for you in the past, note that we identified a change
today that needs to be done with FreeIPA 4.0+:

http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update

Martin


On 03/06/2015 12:11 PM, Herwono W Wijaya wrote:

Now all works well; I use another method:

FreeIPA:
Users:
- admin
- herwono (member of ssogroups group)
- vcadmin (member of ssogroups group)

Groups:
Only one group for vCenter SSO.
- ssogroups

Modify ssogroups using an LDIF file:
dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
changetype: modify
add: objectClass
objectClass: groupOfUniqueNames
-
add: uniqueMember
uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
uniqueMember: uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local
-

vCenter Identity Source Config:
Name: IPA
Base DN for users: cn=users,cn=accounts,dc=server,dc=local
Domain name: server.local
Base DN for groups: cn=groups,cn=accounts,dc=server,dc=local
Primary server url: ldap://identity.server.local:389
Username: uid=admin,cn=users,cn=accounts,dc=server,dc=local
Password: **

FreeIPA users and groups for vCenter with Administrator permission:
User: herwono (SERVER.LOCAL\herwono)
Group: ssogroups (SERVER.LOCAL\ssogroups)


On 3/6/15 3:37 PM, Gianluca Cecchi wrote:

On Fri, Mar 6, 2015 at 8:34 AM, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:

On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:

Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO: only the admin user can be
used and I always get an error for other users.


You mean admin user from vCenter, not admin user from FreeIPA, right?

Did you follow this HOWTO:
http://www.freeipa.org/page/HowTo/vsphere5_integration

Note that the vSphere integration topic is being discussed this week;
CCing also Gianluca (author of the HOWTO), he may have some ideas where
the problem is too.

Martin



The logs that let us know the kind of queries generated by vSphere are in
/var/log/dirsrv/slapd-REALM-NAME/
(at least for 3.3.3)

Also, searching through my e-mails I found one direct contact using vSphere
5.5 and that was doing some tests with VMware support connected to his
systems.
It seems they found out that almost all of it worked correctly when using
accounts instead of compat, BUT you can't log in.

An action was then to add objectclass=groupOfUniqueNames to a single test
group and they were able to log in.

I asked for more information about his setup, if still in place, to eventually
share with others.

Stay tuned...

Gianluca


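Martin's caveat above (a hand-added uniqueMember is not kept in sync with the member attribute FreeIPA maintains) is an authorization-drift risk: a user removed from the group in FreeIPA keeps vCenter access until someone also edits uniqueMember. The check below is an added example, not code from the thread or from FreeIPA; it reads a constructed LDIF export in which the hypothetical uid=vcadmin has left member but not uniqueMember and uid=operator has joined member only, and emits the same style of modify LDIF Herwono used to re-sync them.

```python
"""Added example: detect drift between the member attribute FreeIPA maintains
and a hand-added uniqueMember attribute on groupOfUniqueNames groups, working
from an LDIF export, and emit the modify LDIF that re-syncs them."""
import base64

# Constructed LDIF export.  uid=vcadmin was removed from ssogroups through
# FreeIPA (so it left member) but nobody updated uniqueMember; uid=operator was
# added through FreeIPA and never copied into uniqueMember.  Both are hypothetical.
SAMPLE_LDIF = """\
dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
objectClass: ipausergroup
objectClass: groupOfNames
objectClass: groupOfUniqueNames
cn: ssogroups
member: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
member: uid=operator,cn=users,cn=accounts,dc=server,dc=local
uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
uniqueMember: uid=vcadmin,cn=users,cn=accounts,
 dc=server,dc=local

dn: cn=ipausers,cn=groups,cn=accounts,dc=server,dc=local
objectClass: ipausergroup
cn: ipausers
member: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
"""

def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attribute names
    lower-cased, '::' values base64-decoded.  Returns a list of dicts."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def normalize_dn(dn):
    """DN comparison key: LDAP DNs are case-insensitive and ignore spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def group_drift(entries):
    """For each groupOfUniqueNames entry, report uniqueMember values with no matching
    member ("stale": still grant access in vCenter) and member values missing from
    uniqueMember ("missing": the user cannot log in via vCenter)."""
    findings = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "groupofuniquenames" not in classes:
            continue
        members = {normalize_dn(d): d for d in entry.get("member", [])}
        unique = {normalize_dn(d): d for d in entry.get("uniquemember", [])}
        findings[entry["dn"][0]] = {
            "stale": sorted(unique[k] for k in unique.keys() - members.keys()),
            "missing": sorted(members[k] for k in members.keys() - unique.keys()),
        }
    return findings

def repair_ldif(findings):
    """Emit 'changetype: modify' LDIF (same shape as the thread's) that makes
    uniqueMember equal to member for every drifted group."""
    chunks = []
    for dn, f in findings.items():
        if not (f["stale"] or f["missing"]):
            continue
        lines = ["dn: " + dn, "changetype: modify"]
        if f["stale"]:
            lines += ["delete: uniqueMember"] + ["uniqueMember: " + d for d in f["stale"]] + ["-"]
        if f["missing"]:
            lines += ["add: uniqueMember"] + ["uniqueMember: " + d for d in f["missing"]] + ["-"]
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + ("\n" if chunks else "")

if __name__ == "__main__":
    drift = group_drift(parse_ldif(SAMPLE_LDIF))
    for dn, f in drift.items():
        print(dn, "stale:", f["stale"], "missing:", f["missing"])
    print(repair_ldif(drift))
```

Run it against a real export (ldapsearch -LLL -b cn=groups,cn=accounts,... > groups.ldif) and apply the emitted LDIF with ldapmodify only after reviewing the stale list, since each stale DN is an account that still has vCenter access.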


Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek mko...@redhat.com wrote:

Ah, I am not sure what control they mean.

But in general, it is always interesting to check the LDAP access
logs to see the last failed request and then try the same search with
ldapsearch and fix things.

 Martin


see my previous e-mail:

/var/log/dirsrv/slapd-REALM-NAME/

contains the logs and you will see which kind of queries vSphere is doing.

Gianluca

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Martin Kosek
This is the directory on the FreeIPA server that vCenter is authenticating
users against.


On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:

there is no directory /var/log/dirsrv/ in 5.5u2b version

On 3/6/15 8:34 PM, Gianluca Cecchi wrote:

On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:

Ah, I am not sure what control they mean.

But in general, it is always interesting to check the LDAP access
logs to see the last failed request and then try the same search with
ldapsearch and fix things.

Martin


see my previous e-mail:

/var/log/dirsrv/slapd-REALM-NAME/

contains the logs and you will see which kind of queries vSphere is doing.

Gianluca




Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya

there is no directory /var/log/dirsrv/ in 5.5u2b version

On 3/6/15 8:34 PM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek mko...@redhat.com 
mailto:mko...@redhat.com wrote:


Ah, I am not sure what control they mean.

But in general, it is always interesting to check the LDAP
access logs to see the last failed request and then try the same
search with ldapsearch and fix things.

Martin


see my previous e-mail:

/var/log/dirsrv/slapd-REALM-NAME/

contains the logs and you will see which kind of queries vSphere is doing.

Gianluca



Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya
sorry my mistake, okay I'll check slapd log files and try to figure out 
what happened


On 3/6/15 8:43 PM, Martin Kosek wrote:
This is the directory on the FreeIPA server that vCenter is
authenticating users against.


On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:

there is no directory /var/log/dirsrv/ in 5.5u2b version

On 3/6/15 8:34 PM, Gianluca Cecchi wrote:

On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:

Ah, I am not sure what control they mean.

But in general, it is always interesting to check the LDAP access
logs to see the last failed request and then try the same search with
ldapsearch and fix things.

Martin


see my previous e-mail:

/var/log/dirsrv/slapd-REALM-NAME/

contains the logs and you will see which kind of queries vSphere is doing.

Gianluca



Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson

On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:

FreeIPA logs:
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base=cn=users,cn=compat,dc=server,dc=local scope=2 filter=(objectClass=inetOrgPerson) attrs=uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P

[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

vCenter SSO error:
Error: Idm client exception: Control not found


There's no error log debug level which will give us all of the controls 
received by the server or all of the controls sent back by the server.  
The TRACE level will give us some information.


But the problem appears to be that vCenter is expecting some control.  
There is no way we can tell what control that might be by analyzing the 
LDAP protocol, even with wireshark.  If the vCenter documentation does 
not suffice, and VMWare support is not forthcoming, then we might be 
able to reverse engineer the code. For example, search the code, if 
scripts, or use something like the strings command on binaries, to 
look for well known OID prefixes.


For example, from dirsrv:
# strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep 1.3.6.1.4
1.3.6.1.4.1.1466.115.121.1.34
1.3.6.1.4.1.1466.115.121.1.12
1.3.6.1.4.1.1466.115.121.1.15
1.3.6.1.4.1.42.2.27.8.5.1
1.3.6.1.4.1.42.2.27.9.5.2
...

If we can narrow down the list of possible control OIDs that vCenter 
knows about, we can perhaps figure out if 389 supports them.





Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya

This is the result from
#strings /usr/lib/openldap/slapd | grep 1.3.6.1.4

On 3/6/15 10:40 PM, Rich Megginson wrote:

On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:

FreeIPA logs:
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base=cn=users,cn=compat,dc=server,dc=local scope=2 filter=(objectClass=inetOrgPerson) attrs=uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P

[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

vCenter SSO error:
Error: Idm client exception: Control not found


There's no error log debug level which will give us all of the 
controls received by the server or all of the controls sent back by 
the server.  The TRACE level will give us some information.


But the problem appears to be that vCenter is expecting some control.  
There is no way we can tell what control that might be by analyzing 
the LDAP protocol, even with wireshark.  If the vCenter documentation 
does not suffice, and VMWare support is not forthcoming, then we might 
be able to reverse engineer the code. For example, search the code, if 
scripts, or use something like the strings command on binaries, to 
look for well known OID prefixes.


For example, from dirsrv:
# strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep 1.3.6.1.4
1.3.6.1.4.1.1466.115.121.1.34
1.3.6.1.4.1.1466.115.121.1.12
1.3.6.1.4.1.1466.115.121.1.15
1.3.6.1.4.1.42.2.27.8.5.1
1.3.6.1.4.1.42.2.27.9.5.2
...

If we can narrow down the list of possible control OIDs that vCenter 
knows about, we can perhaps figure out if 389 supports them.





Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya

vCenter SSO works well with Univention LDAP.

Here I want to make sure if FreeIPA can work with vCenter SSO, because I 
read it on this page: http://www.freeipa.org/page/HowTo/vsphere5_integration


And thanks for the help and for answering my questions.
Have a nice day.

On 3/6/15 11:23 PM, Rich Megginson wrote:

On 03/06/2015 09:13 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:





[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101
nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

vCenter SSO error:
Error: Idm client exception: Control not found


There's no error log debug level which will give us all of the
controls received by the server or all of the controls sent back
by the server.  The TRACE level will give us some information.



Could it be that the "Control not found" is somehow related to the paged
results control as described in

https://bugzilla.redhat.com/show_bug.cgi?id=558099


Could be.


Is the notes=P in ipa logs a setting managed by the server or by 
the type of the query done by the client?


Yes.  It means the client is requesting a Simple Paged Search by using 
that control.


In my past IPA 3.3.3 logs I didn't find it at the end of the log line 
with nentries...


It has everything to do with the client.  The server has supported 
Simple Paged Search for a long time.  Perhaps some newer version of 
the client is requesting paged results?




Just an attempt...



One more thing - does vCenter work with another LDAP server, like 
openldap or active directory?  If so, try capturing a wireshark trace 
of a successful search operation, then capture a wireshark trace of a 
session using ipa, and we can compare them to see which controls the 
working server is sending back that ipa is not.





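Rich's reading of notes=P in the exchange quoted above (the client asked for the Simple Paged Results control) can be checked mechanically across a whole access log, and the flagged search replayed with ldapsearch as Martin suggested earlier in the thread. This is an added example, not code from the thread or from 389-ds/FreeIPA; the log lines are constructed after the conn=30 session quoted above (with the double quotes 389-ds actually writes around dn/base/filter/attrs), and the server URL is the one from Herwono's identity-source config.

```python
"""Added example: pair 389-ds / FreeIPA access-log requests with their RESULT
lines, flag operations where the client asked for the Simple Paged Results
control (notes=P) and build the ldapsearch replay Martin suggested."""
import re
import shlex

# Constructed sample, modelled on the conn=30 session quoted in the thread.
# 389-ds writes dn/base/filter/attrs in double quotes; the mail copy lost them.
SAMPLE_LOG = """\
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base="cn=users,cn=compat,dc=server,dc=local" scope=2 filter="(objectClass=inetOrgPerson)" attrs="uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>\S+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=token
REQUEST_KINDS = {"BIND", "SRCH", "UNBIND", "MOD", "ADD", "DEL", "MODRDN", "CMP", "EXT", "ABANDON"}
SCOPES = {"0": "base", "1": "one", "2": "sub"}
# what 389-ds means by the notes= codes it appends to RESULT lines
NOTES = {"P": "client sent the Simple Paged Results control (1.2.840.113556.1.4.319)",
         "U": "unindexed search"}

def parse_line(line):
    """Return a dict for one access-log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]), "kind": m["kind"]}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        rec[key] = quoted or bare
    return rec

def pair_operations(lines):
    """Join each request with its RESULT, keyed by (conn, op), in log order."""
    ops = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        slot = ops.setdefault((rec["conn"], rec["op"]), {"request": None, "result": None})
        if rec["kind"] == "RESULT":
            slot["result"] = rec
        elif rec["kind"] in REQUEST_KINDS:
            slot["request"] = rec
    return ops

def paged_searches(lines):
    """Operations whose RESULT carries notes=P, i.e. the client sent the paging control."""
    found = []
    for (conn, op), slot in pair_operations(lines).items():
        res = slot["result"]
        if res and "P" in res.get("notes", ""):
            found.append({"conn": conn, "op": op, "request": slot["request"], "result": res})
    return found

def ldapsearch_command(srch, url, bind_dn=None, page_size=0):
    """Build an ldapsearch invocation replaying a SRCH record.  page_size > 0 adds
    -E pr=N/noprompt so the replay also requests the paged results control."""
    if srch is None or srch["kind"] != "SRCH":
        raise ValueError("not a SRCH record")
    cmd = ["ldapsearch", "-x", "-LLL", "-H", url]
    if bind_dn:
        cmd += ["-D", bind_dn, "-W"]
    cmd += ["-b", srch["base"], "-s", SCOPES.get(srch.get("scope", "2"), "sub")]
    if page_size > 0:
        cmd += ["-E", "pr=%d/noprompt" % page_size]
    cmd.append(srch.get("filter", "(objectClass=*)"))
    attrs = srch.get("attrs", "ALL")
    if attrs != "ALL":          # 389-ds logs attrs=ALL when no attribute list was sent
        cmd += attrs.split()
    return " ".join(shlex.quote(part) for part in cmd)

def report(lines, url):
    """Human-readable findings for every paged search in the log, with a replay
    command bound as the connection's own BIND DN (op=0 is normally the BIND)."""
    ops = pair_operations(lines)
    out = []
    for hit in paged_searches(lines):
        req, res = hit["request"], hit["result"]
        out.append("conn=%d op=%d: %s (err=%s nentries=%s)" % (
            hit["conn"], hit["op"], NOTES["P"], res.get("err"), res.get("nentries")))
        bind = ops.get((hit["conn"], 0), {}).get("request")
        bind_dn = bind.get("dn") if bind and bind["kind"] == "BIND" else None
        if req and req["kind"] == "SRCH":
            out.append("  replay: " + ldapsearch_command(req, url, bind_dn, page_size=100))
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines(), "ldap://identity.server.local:389")))
```

Feed it the real file from /var/log/dirsrv/slapd-REALM-NAME/access; a replay that returns entries with -E pr=100/noprompt while vCenter still fails points at the client side, as Rich suspects, rather than at the search itself.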

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson rmegg...@redhat.com wrote:



 [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2
 etime=0 notes=P
 [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
 [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

 vCenter SSO error:
 Error: Idm client exception: Control not found


 There's no error log debug level which will give us all of the controls
 received by the server or all of the controls sent back by the server.  The
 TRACE level will give us some information.



Could it be that the "Control not found" is somehow related to the paged results
control as described in
https://bugzilla.redhat.com/show_bug.cgi?id=558099

Is the notes=P in IPA logs a setting managed by the server or by the type
of the query done by the client?
In my past IPA 3.3.3 logs I didn't find it at the end of the log line with
nentries...
Just an attempt...

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson

On 03/06/2015 09:01 AM, Herwono W Wijaya wrote:

this result from
#strings /usr/lib/openldap/slapd | grep 1.3.6.1.4


Sorry, I should have been much more explicit about what you need to do:

1) Are you a VMWare customer with a paid support contract?  If so, then 
contact VMWare support - ask them which LDAP controls vCenter knows 
about and which ones it can expect in an LDAP response.


2) Look for LDAP Control OIDs in the _vCenter_ code, not the openldap 
code.  I can't help you here - I don't have vCenter, and I have no idea 
what the code/binary layout looks like on disk.  For example, here is a 
list of well known LDAP Control OIDs: 
https://www.ldap.com/ldap-oid-reference - scroll down to OIDs for Controls





Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote:

  On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:

 vCenter SSO works well with Univention LDAP.


 Then set up a wireshark session to capture traffic between vCenter SSO and
 Univention LDAP, then do the same with vCenter SSO and IPA.  Then we can
 compare the TCP traffic dumps.


And so we can then change the preface that at this moment explicitly
contains:

Preface
The environment used to write this document is based on pure vSphere 5.1,
used in trial mode with vCenter server configured as a virtual appliance.

and update it covering 5.5 and hopefully 6.0 too... ;-)

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Herwono W Wijaya
Tomorrow I will try to capture Univention LDAP traffic with wireshark,
and if possible I will also try this FreeIPA with vCenter 6. Since I
became one of the private beta testers, I have vCenter 6.


On 3/7/15 1:34 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:




And so we can then change the preface that at this moment
explicitly contains:

Preface
The environment used to write this document is based on pure
vSphere 5.1, used in trial mode with vCenter server configured as
a virtual appliance.

and update it covering 5.5 and hopefully 6.0 too... ;-)



I'm sorry - which preface?  Link?


The message was for Herwono... not for you ...
He/she referred

Here I want to make sure if FreeIPA can work with vCenter SSO, because 
I read it on this page: 
http://www.freeipa.org/page/HowTo/vsphere5_integration



And at the top of the doc in the link there is the note about only 5.1 
tested, while the version here is 5.5u2b.

Have a nice weekend, to all the list ;-)
Gianluca




Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson

On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:

vCenter SSO works well with Univention LDAP.


Then set up a wireshark session to capture traffic between vCenter SSO 
and Univention LDAP, then do the same with vCenter SSO and IPA. Then we 
can compare the TCP traffic dumps.




Here I want to make sure if FreeIPA can work with vCenter SSO, because 
I read it on this page: 
http://www.freeipa.org/page/HowTo/vsphere5_integration


And thanks for the help and answer any questions from me.
Have a nice day.

On 3/6/15 11:23 PM, Rich Megginson wrote:

On 03/06/2015 09:13 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:





[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101
nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

vCenter SSO error:
Error: Idm client exception: Control not found


There's no error log debug level which will give us all of the
controls received by the server or all of the controls sent back
by the server.  The TRACE level will give us some information.



Could it be that the Control not found is somehow related to the paged 
results control as described in

https://bugzilla.redhat.com/show_bug.cgi?id=558099


Could be.


Is the notes=P in ipa logs a setting managed by the server or by 
the type of the query done by the client?


Yes.  It means the client is requesting a Simple Paged Search by 
using that control.


In my past IPA 3.3.3 logs I didn't find it at the end of the log 
line with nentries...


It has everything to do with the client.  The server has supported 
Simple Paged Search for a long time.  Perhaps some newer version of 
the client is requesting paged results?




Just an attempt...



One more thing - does vCenter work with another LDAP server, like 
openldap or active directory?  If so, try capturing a wireshark trace 
of a successful search operation, then capture a wireshark trace of a 
session using ipa, and we can compare them to see which controls the 
working server is sending back that ipa is not.





--
Regards,
Herwono W Wijaya
https://linuxcoding.org | VMware vExpert 2014, 2015
https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769username=herwonowr




Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Natxo Asenjo
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote:

  On 03/06/2015 11:02 AM, Gianluca Cecchi wrote:

  On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com
 wrote:

  On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:

 vCenter SSO works well with Univention LDAP.


  Then set up a wireshark session to capture traffic between vCenter SSO
 and Univention LDAP, then do the same with vCenter SSO and IPA.  Then we
 can compare the TCP traffic dumps.


  And so we can then change the preface that at this moment explicitly
 contains:
 
  Preface
 The environment used to write this document is based on pure vSphere 5.1,
 used in trial mode with vCenter server configured as a virtual appliance.
 
 and update it covering 5.5 and hopefully 6.0 too... ;-)


 I'm sorry - which preface?  Link?

 http://www.freeipa.org/page/HowTo/vsphere5_integration , I think

--
Groeten,
natxo

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote:


  And so we can then change the preface that at this moment explicitly
 contains:
 
  Preface
 The environment used to write this document is based on pure vSphere 5.1,
 used in trial mode with vCenter server configured as a virtual appliance.
 
 and update it covering 5.5 and hopefully 6.0 too... ;-)


 I'm sorry - which preface?  Link?


The message was for Herwono... not for you ...
He/she referred

Here I want to make sure whether FreeIPA can work with vCenter SSO, because I
read it on this page: http://www.freeipa.org/page/HowTo/vsphere5_integration


And at the top of the doc in the link there is the note about only 5.1
tested, while the version here is 5.5u2b.
Have a nice weekend, to all the list ;-)
Gianluca

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson

On 03/06/2015 11:02 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:


On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:

vCenter SSO works well with Univention LDAP.


Then set up a wireshark session to capture traffic between vCenter
SSO and Univention LDAP, then do the same with vCenter SSO and
IPA.  Then we can compare the TCP traffic dumps.


And so we can then change the preface that at this moment explicitly 
contains:


Preface
The environment used to write this document is based on pure vSphere 
5.1, used in trial mode with vCenter server configured as a virtual 
appliance.


and update it covering 5.5 and hopefully 6.0 too... ;-)



I'm sorry - which preface?  Link?


Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Rich Megginson

On 03/06/2015 09:13 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:





[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101
nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

vCenter SSO error:
Error: Idm client exception: Control not found


There's no error log debug level which will give us all of the
controls received by the server or all of the controls sent back
by the server.  The TRACE level will give us some information.



Could it be that the Control not found is somehow related to the paged 
results control as described in

https://bugzilla.redhat.com/show_bug.cgi?id=558099


Could be.


Is the notes=P in ipa logs a setting managed by the server or by the 
type of the query done by the client?


Yes.  It means the client is requesting a Simple Paged Search by using 
that control.


In my past IPA 3.3.3 logs I didn't find it at the end of the log line 
with nentries...


It has everything to do with the client.  The server has supported 
Simple Paged Search for a long time.  Perhaps some newer version of the 
client is requesting paged results?




Just an attempt...



One more thing - does vCenter work with another LDAP server, like 
openldap or active directory?  If so, try capturing a wireshark trace of 
a successful search operation, then capture a wireshark trace of a 
session using ipa, and we can compare them to see which controls the 
working server is sending back that ipa is not.
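
The notes=P exchange above concerns the Simple Paged Results control (RFC 2696, OID 1.2.840.113556.1.4.319) that the client sends and expects to see echoed in the SearchResultDone. As an added example that is not part of the original thread, the helper below flags notes=P operations in 389-DS access-log lines (a constructed sample modelled on the quoted log) and BER-encodes/decodes the control value, so the bytes can be compared with what a working server returns in a capture.

```python
"""Added diagnostic helper (not code from the thread): flag 389-DS access-log
RESULT lines that carried the Simple Paged Results control (notes=P) and
encode/decode the RFC 2696 control value to match against a wireshark capture."""
import re

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # RFC 2696 Simple Paged Results
SAMPLE_LOG = [  # constructed sample, modelled on the lines quoted in the thread
    "[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0",
    "[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P",
]

def paged_ops(log_lines):
    """Return (conn, op, nentries) for every RESULT line carrying notes=P."""
    hits = []
    for line in log_lines:
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        if " RESULT " in line and kv.get("notes") == "P":
            hits.append((int(kv["conn"]), int(kv["op"]), int(kv["nentries"])))
    return hits

def _tlv(tag, body):
    """BER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def encode_paged_value(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    size_b = size.to_bytes((size.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(0x30, _tlv(0x02, size_b) + _tlv(0x04, cookie))

def _read_tlv(buf, pos, tag):
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x}, got {buf[pos]:#x}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: next (n & 0x7F) bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def decode_paged_value(data):
    """Inverse of encode_paged_value; an empty cookie means the last page."""
    seq, end = _read_tlv(data, 0, 0x30)
    size_b, p = _read_tlv(seq, 0, 0x02)
    cookie, p = _read_tlv(seq, p, 0x04)
    if end != len(data) or p != len(seq):
        raise ValueError("trailing bytes in control value")
    return int.from_bytes(size_b, "big", signed=True), cookie
```

A response whose SearchResultDone carries no control with this OID, or whose control value fails to decode, is the server-side condition a client would report as a missing control.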

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Gianluca Cecchi
On Fri, Mar 6, 2015 at 8:34 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:

 Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user
 can be
 used and always get an error for other users.


 You mean admin user from vCenter, not admin user from FreeIPA, right?

 Did you follow this HOWTO:
 http://www.freeipa.org/page/HowTo/vsphere5_integration

 Note that the vSphere integration topic is being discussed this week,
 CCing also Gianluca (author of the HOWTO), he may have some ideas where the
 problem is too.

 Martin



The logs that let us know the kind of queries generated by vSphere are in
/var/log/dirsrv/slapd-REALM-NAME/
(at least for 3.3.3)

Also, searching through my e-mails I found one direct contact using vSphere
5.5 and that was doing some tests with VMware support connected to his
systems.
It seems they found out that it almost all worked correctly when using
accounts instead of compat BUT
you can't log in.

An action was then to add objectclass=groupOfUniqueNames to a single test
group, and they were able to log in.

I asked more information about his setup if still in place and to
eventually share with others.

Stay tuned...

Gianluca

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-05 Thread Martin Kosek

On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:

Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user can be
used and always get an error for other users.


You mean admin user from vCenter, not admin user from FreeIPA, right?

Did you follow this HOWTO:
http://www.freeipa.org/page/HowTo/vsphere5_integration

Note that the vSphere integration topic is being discussed this week, CCing 
also Gianluca (author of the HOWTO), he may have some ideas where the problem 
is too.


Martin



Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-05 Thread Dmitri Pal

On 03/05/2015 10:38 PM, Herwono W Wijaya wrote:
Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin 
user can be used and always get an error for other users.




Can you check without full name? It seems like the name is expanded twice.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
