Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
Herwono W Wijaya writes:

> Tomorrow I will try to capture Univention LDAP traffic with wireshark, and if possible I will try also this FreeIPA with vCenter 6. Since I became one of the private beta testers so I had vCenter

Any updates on this? I am getting the same issue in vCenter 6 with IPA 4.1.0 on CentOS 7. The realm access logs seem fine, no errors showing, and doing the search vCenter is doing manually works perfectly. However vCenter is still logging errors with "control not found".

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
FreeIPA logs:

[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base=cn=users,cn=compat,dc=server,dc=local scope=2 filter=(objectClass=inetOrgPerson) attrs=uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

vCenter SSO error:

Error: Idm client exception: Control not found

On 3/6/15 8:45 PM, Herwono W Wijaya wrote:
> sorry my mistake, okay I'll check slapd log files and try to figure out what happened
>
> On 3/6/15 8:43 PM, Martin Kosek wrote:
>> This is the directory on FreeIPA server that the vCenter is authenticating users against.
>>
>> On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:
>>> there is no directory /var/log/dirsrv/ in 5.5u2b version

-- 
Regards,
Herwono W Wijaya
https://linuxcoding.org | VMware vExpert 2014, 2015
https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769username=herwonowr
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
Ah, I am not sure what control do they mean. But in general, it is always interesting to check the LDAP access logs to see the last failed request and then try the same search with ldapsearch and fix things.

Martin

On 03/06/2015 02:09 PM, Herwono W Wijaya wrote:
> Gianluca's method is not working for me, I always get this error:
>
> Error: Idm client exception: control not found
>
> and also tried using this:
> http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
>
> On 3/6/15 7:49 PM, Martin Kosek wrote:
>> I am glad you have it working. However, I would like to discourage from this another method as this way, you would need to maintain uniqueMember attribute yourself. FreeIPA only maintains the member attribute.
>>
>> I would recommend using the Gianluca's method in
>> http://www.freeipa.org/page/HowTo/vsphere5_integration
>> with taking users and groups from compat tree. This way, you will have uniqueMember populated when you do changes to the group using FreeIPA CLI or UI.
>>
>> If it was not working for you in the past, note that we identified a change today that needs to be done with FreeIPA 4.0+:
>> http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
>>
>> Martin
>>
>> On 03/06/2015 12:11 PM, Herwono W Wijaya wrote:
>>> Now all works well, I use another method.
>>>
>>> FreeIPA:
>>>
>>> Users:
>>> - admin
>>> - herwono (member of ssogroups group)
>>> - vcadmin (member of ssogroups group)
>>>
>>> Groups (only one group for vCenter SSO):
>>> - ssogroups
>>>
>>> Modify ssogroups using an LDIF file:
>>>
>>> dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
>>> changetype: modify
>>> add: objectClass
>>> objectClass: groupOfUniqueNames
>>> -
>>> add: uniqueMember
>>> uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
>>> uniqueMember: uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local
>>> -
>>>
>>> vCenter Identity Source Config:
>>> Name: IPA
>>> Base DN for users: cn=users,cn=accounts,dc=server,dc=local
>>> Domain name: server.local
>>> Base DN for groups: cn=groups,cn=accounts,dc=server,dc=local
>>> Primary server url: ldap://identity.server.local:389
>>> Username: uid=admin,cn=users,cn=accounts,dc=server,dc=local
>>> Password: **
>>>
>>> FreeIPA users and groups for vCenter with Administrator permission:
>>> User: herwono (SERVER.LOCAL\herwono)
>>> Group: ssogroups (SERVER.LOCAL\ssogroups)
>>>
>>> On 3/6/15 3:37 PM, Gianluca Cecchi wrote:
>>>> On Fri, Mar 6, 2015 at 8:34 AM, Martin Kosek <mko...@redhat.com> wrote:
>>>>> On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:
>>>>>> Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO: only the admin user can be used, and I always get an error for other users.
>>>>>
>>>>> You mean admin user from vCenter, not admin user from FreeIPA, right?
>>>>>
>>>>> Did you follow this HOWTO?
>>>>> http://www.freeipa.org/page/HowTo/vsphere5_integration
>>>>>
>>>>> Note that the vSphere integration topic is being discussed this week, CCing also Gianluca (author of the HOWTO), he may have some ideas where the problem is too.
>>>>>
>>>>> Martin
>>>>
>>>> The logs that let us know the kind of queries generated by vSphere are in /var/log/dirsrv/slapd-REALM-NAME/ (at least for 3.3.3).
>>>>
>>>> Also, searching through my e-mails I found one direct contact using vSphere 5.5 that was doing some tests with VMware support connected to his systems.
>>>> It seems they found out that almost all worked correctly when using accounts instead of compat BUT you can't log in.
>>>> An action was then to add objectclass=groupOfUniqueNames to a single test group and they were able to log in.
>>>> I asked more information about his setup, if still in place, and to eventually share with others.
>>>> Stay tuned...
>>>>
>>>> Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek <mko...@redhat.com> wrote:
> Ah, I am not sure what control do they mean. But in general, it is always interesting to check the LDAP access logs to see the last failed request and then try the same search with ldapsearch and fix things.
>
> Martin

see my previous e-mail:
/var/log/dirsrv/slapd-REALM-NAME/ contains the log and you will see which kind of queries vSphere is doing.

Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
This is the directory on FreeIPA server that the vCenter is authenticating users against.

On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:
> there is no directory /var/log/dirsrv/ in 5.5u2b version
>
> On 3/6/15 8:34 PM, Gianluca Cecchi wrote:
>> On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek <mko...@redhat.com> wrote:
>>> Ah, I am not sure what control do they mean. But in general, it is always interesting to check the LDAP access logs to see the last failed request and then try the same search with ldapsearch and fix things.
>>>
>>> Martin
>>
>> see my previous e-mail:
>> /var/log/dirsrv/slapd-REALM-NAME/ contains the log and you will see which kind of queries vSphere is doing.
>>
>> Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
there is no directory /var/log/dirsrv/ in 5.5u2b version

On 3/6/15 8:34 PM, Gianluca Cecchi wrote:
> On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek <mko...@redhat.com> wrote:
>> Ah, I am not sure what control do they mean. But in general, it is always interesting to check the LDAP access logs to see the last failed request and then try the same search with ldapsearch and fix things.
>>
>> Martin
>
> see my previous e-mail:
> /var/log/dirsrv/slapd-REALM-NAME/ contains the log and you will see which kind of queries vSphere is doing.
>
> Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
sorry my mistake, okay I'll check slapd log files and try to figure out what happened

On 3/6/15 8:43 PM, Martin Kosek wrote:
> This is the directory on FreeIPA server that the vCenter is authenticating users against.
>
> On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:
>> there is no directory /var/log/dirsrv/ in 5.5u2b version
>>
>> On 3/6/15 8:34 PM, Gianluca Cecchi wrote:
>>> see my previous e-mail:
>>> /var/log/dirsrv/slapd-REALM-NAME/ contains the log and you will see which kind of queries vSphere is doing.
>>>
>>> Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:
> FreeIPA logs:
>
> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3
> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local
> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base=cn=users,cn=compat,dc=server,dc=local scope=2 filter=(objectClass=inetOrgPerson) attrs=uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid
> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>
> vCenter SSO error:
>
> Error: Idm client exception: Control not found

There's no error log debug level which will give us all of the controls received by the server or all of the controls sent back by the server. The TRACE level will give us some information.

But the problem appears to be that vCenter is expecting some control. There is no way we can tell what control that might be by analyzing the LDAP protocol, even with wireshark.

If the vCenter documentation does not suffice, and VMware support is not forthcoming, then we might be able to reverse engineer the code. For example, search the code, if scripts, or use something like the strings command on binaries, to look for well known OID prefixes. For example, from dirsrv:

# strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep 1.3.6.1.4
1.3.6.1.4.1.1466.115.121.1.34
1.3.6.1.4.1.1466.115.121.1.12
1.3.6.1.4.1.1466.115.121.1.15
1.3.6.1.4.1.42.2.27.8.5.1
1.3.6.1.4.1.42.2.27.9.5.2
...

If we can narrow down the list of possible control OIDs that vCenter knows about, we can perhaps figure out if 389 supports them.

> On 3/6/15 8:45 PM, Herwono W Wijaya wrote:
>> sorry my mistake, okay I'll check slapd log files and try to figure out what happened
>>
>> On 3/6/15 8:43 PM, Martin Kosek wrote:
>>> This is the directory on FreeIPA server that the vCenter is authenticating users against.
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
this is the result from:

# strings /usr/lib/openldap/slapd | grep 1.3.6.1.4
1.3.6.1.4.1.4203.1.12.2
1.3.6.1.4.1.1466.115.121.1
extended=1.3.6.1.4.1.1466.20037
extended=1.3.6.1.4.1.4203.1.11.1
extended=1.3.6.1.4.1.4203.1.11.3
1.3.6.1.4.1.1466.20036
1.3.6.1.4.1.1466.115.121.1.27
1.3.6.1.4.1.1466.115.121.1.34
1.3.6.1.4.1.1466.115.121.1.12
group %s attr %s: inappropriate syntax: %s; must be 1.3.6.1.4.1.1466.115.121.1.12 (DN), 1.3.6.1.4.1.1466.115.121.1.34 (NameUID) or a subtype of labeledURI.
1.3.6.1.4.1.4203.666.5.15
1.3.6.1.4.1.4203.1.10.1
1.3.6.1.4.1.4203.666.5.2
1.3.6.1.4.1.4203.666.5.12
1.3.6.1.4.1.1466.101.119.1
1.3.6.1.4.1.4203.1.11.1
1.3.6.1.4.1.4203.1.11.3
1.3.6.1.4.1.4203.666.11.2.1
1.3.6.1.4.1.1466.115.121.1.8
1.3.6.1.4.1.1466.115.121.1.9
1.3.6.1.4.1.1466.115.121.1.44
1.3.6.1.4.1.1466.115.121.1.17
1.3.6.1.4.1.1466.115.121.1.38
1.3.6.1.4.1.1466.115.121.1.3
1.3.6.1.4.1.1466.115.121.1.16
1.3.6.1.4.1.1466.115.121.1.54
1.3.6.1.4.1.1466.115.121.1.30
1.3.6.1.4.1.1466.115.121.1.31
1.3.6.1.4.1.1466.115.121.1.35
1.3.6.1.4.1.1466.115.121.1.37
1.3.6.1.4.1.4203.666.4.4
1.3.6.1.4.1.4203.666.4.5
1.3.6.1.4.1.1466.115.121.1.15
1.3.6.1.4.1.1466.115.121.1.26
1.3.6.1.4.1.4203.666.11.10.2.1
( 1.3.6.1.4.1.1466.115.121.1.1 DESC 'ACI Item' X-BINARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
( 1.3.6.1.4.1.1466.115.121.1.2 DESC 'Access Point' X-NOT-HUMAN-READABLE 'TRUE' )
( 1.3.6.1.4.1.1466.115.121.1.3 DESC 'Attribute Type Description' )
( 1.3.6.1.4.1.1466.115.121.1.4 DESC 'Audio'

On 3/6/15 10:40 PM, Rich Megginson wrote:
> On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:
>> FreeIPA logs:
>>
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base=cn=users,cn=compat,dc=server,dc=local scope=2 filter=(objectClass=inetOrgPerson) attrs=uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>>
>> vCenter SSO error:
>>
>> Error: Idm client exception: Control not found
>
> There's no error log debug level which will give us all of the controls received by the server or all of the controls sent back by the server. The TRACE level will give us some information.
>
> But the problem appears to be that vCenter is expecting some control. There is no way we can tell what control that might be by analyzing the LDAP protocol, even with wireshark.
>
> If the vCenter documentation does not suffice, and VMware support is not forthcoming, then we might be able to reverse engineer the code. For example, search the code, if scripts, or use something like the strings command on binaries, to look for well known OID prefixes. For example, from dirsrv:
>
> # strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep 1.3.6.1.4
> 1.3.6.1.4.1.1466.115.121.1.34
> 1.3.6.1.4.1.1466.115.121.1.12
> 1.3.6.1.4.1.1466.115.121.1.15
> 1.3.6.1.4.1.42.2.27.8.5.1
> 1.3.6.1.4.1.42.2.27.9.5.2
> ...
>
> If we can narrow down the list of possible control OIDs that vCenter knows about, we can perhaps figure out if 389 supports them.
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
vCenter SSO works well with Univention LDAP.

Here I want to make sure if FreeIPA can work with vCenter SSO, because I read it on this page:
http://www.freeipa.org/page/HowTo/vsphere5_integration

And thanks for the help and for answering any questions from me. Have a nice day.

On 3/6/15 11:23 PM, Rich Megginson wrote:
> On 03/06/2015 09:13 AM, Gianluca Cecchi wrote:
>> On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>>>
>>> vCenter SSO error:
>>> Error: Idm client exception: Control not found
>>>
>>> There's no error log debug level which will give us all of the controls received by the server or all of the controls sent back by the server. The TRACE level will give us some information.
>>
>> Could it be that the "Control not found" is somehow related with the paged results control as described in
>> https://bugzilla.redhat.com/show_bug.cgi?id=558099
>
> Could be.
>
>> Is the notes=P in ipa logs a setting managed by the server or by the type of the query done by the client?
>
> Yes. It means the client is requesting a Simple Paged Search by using that control.
>
>> In my past IPA 3.3.3 logs I didn't find it at the end of the log line with nentries...
>
> It has everything to do with the client. The server has supported Simple Paged Search for a long time. Perhaps some newer version of the client is requesting paged results?
>
>> Just an attempt...
>
> One more thing - does vCenter work with another LDAP server, like openldap or active directory? If so, try capturing a wireshark trace of a successful search operation, then capture a wireshark trace of a session using ipa, and we can compare them to see which controls the working server is sending back that ipa is not.
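Editor's added example, not code from the thread, from FreeIPA or from VMware: a small script that does what Martin and Rich describe above with the access-log lines Herwono posted. It groups the lines per connection, pairs each BIND and SRCH with its RESULT, explains the notes= flag (notes=P is the 389-ds marker for a search that carried the Simple Paged Results control, OID 1.2.840.113556.1.4.319), points out that the bind DN is in the compat tree while the resolved entry is in the accounts tree, and prints an ldapsearch command that replays the logged search with the same control. Assumptions, labelled in the code as well: the server URL ldap://identity.server.local is taken from the identity-source configuration posted earlier in the thread, and the page size 100 is a guess, because the access log does not record the page size the client asked for. One caveat the script encodes: err=0 on the RESULT line only proves that no critical control was rejected (RFC 4511 lets a server ignore an unrecognised control whose criticality is FALSE), so an err=0 search is compatible with a client not getting back a response control it expected.

```python
"""Parse 389-ds (FreeIPA) access-log lines per connection, explain the notes=
flags on RESULT lines, and emit an ldapsearch command that replays the logged
search. Added example for this thread, not code from FreeIPA."""
import re
import shlex
from collections import defaultdict

# The conn=30 lines posted in the thread. Real 389-ds logs double-quote the
# base, filter, attrs and dn values; the parser accepts both forms.
ACCESS_LOG = """\
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base=cn=users,cn=compat,dc=server,dc=local scope=2 filter=(objectClass=inetOrgPerson) attrs=uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
"""
NOTES = {  # notes= flags 389-ds appends to RESULT lines (only the two relevant here)
    "P": "Simple Paged Results control (1.2.840.113556.1.4.319) requested by the client",
    "U": "unindexed search",
}
SCOPES = {"0": "base", "1": "one", "2": "sub"}
HEADER_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="?(?P<dn>[^"\s]*)"?')
SRCH_RE = re.compile(r'^SRCH base="?(?P<base>[^"]*?)"? scope=(?P<scope>\d) '
                     r'filter="?(?P<filter>.*?)"? attrs=(?P<attrs>.*)$')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)")


def parse_access_log(text):
    """Group lines per connection and pair each BIND/SRCH with its RESULT line."""
    conns = defaultdict(lambda: {"bind_dn": None, "auth_dn": None, "searches": []})
    pending = {}  # (conn, op) -> request still waiting for its RESULT
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        c = conns[conn]
        if rest.startswith("BIND"):
            b = BIND_RE.match(rest)
            c["bind_dn"] = b["dn"] if b else ""
            pending[(conn, op)] = {"kind": "BIND"}
        elif rest.startswith("SRCH"):
            s = SRCH_RE.match(rest)
            if not s:
                continue
            attrs = s["attrs"].strip('"').split()
            req = {"kind": "SRCH", "op": int(op), "base": s["base"], "scope": s["scope"],
                   "filter": s["filter"], "attrs": [] if attrs == ["ALL"] else attrs,
                   "err": None, "nentries": None, "notes": ""}
            c["searches"].append(req)
            pending[(conn, op)] = req
        elif rest.startswith("RESULT"):
            r = RESULT_RE.match(rest)
            req = pending.pop((conn, op), None)
            if not r or req is None:
                continue
            if req["kind"] == "BIND":  # 389-ds logs the DN the bind actually resolved to
                dn = re.search(r'\bdn="?([^"\s]*)"?', rest)
                c["auth_dn"] = dn.group(1) if dn else c["bind_dn"]
            else:
                notes = re.search(r"\bnotes=(\w+)", rest)
                req["err"], req["nentries"] = int(r["err"]), int(r["nentries"])
                req["notes"] = notes.group(1) if notes else ""
    return dict(conns)


def analyse(conn):
    """Human-readable findings for one parsed connection."""
    findings = []
    if conn["bind_dn"] and conn["auth_dn"] and conn["bind_dn"] != conn["auth_dn"]:
        findings.append(f"bound as {conn['bind_dn']} but the server resolved the identity to "
                        f"{conn['auth_dn']} (compat tree entry mapped to its accounts tree entry)")
    for s in conn["searches"]:
        for flag in s["notes"]:
            findings.append(f"op={s['op']}: " + NOTES.get(flag, f"notes={flag} (not in this table)"))
        if s["err"]:
            findings.append(f"op={s['op']}: search failed with err={s['err']}")
        elif s["err"] == 0:
            # RFC 4511 4.1.11: an unrecognised control with criticality FALSE is ignored,
            # so err=0 only proves that no *critical* control was rejected.
            findings.append(f"op={s['op']}: err=0, {s['nentries']} entries; no critical control rejected")
    return findings


def ldapsearch_reproducer(search, bind_dn, host="ldap://identity.server.local", page_size=100):
    """ldapsearch command replaying one logged SRCH. host is the identity-source URL from
    the thread; page_size is an assumption, the access log does not record it."""
    cmd = ["ldapsearch", "-x", "-H", host, "-D", bind_dn, "-W",
           "-b", search["base"], "-s", SCOPES.get(search["scope"], "sub")]
    if "P" in search["notes"]:
        cmd += ["-E", f"pr={page_size}/noprompt"]  # send the same paged-results control
    cmd.append(search["filter"])
    cmd += search["attrs"]
    return " ".join(shlex.quote(part) for part in cmd)


if __name__ == "__main__":
    for cid, conn in parse_access_log(ACCESS_LOG).items():
        print(f"conn={cid}")
        for finding in analyse(conn):
            print("  -", finding)
        for s in conn["searches"]:
            print("  replay:", ldapsearch_reproducer(s, conn["bind_dn"]))
```

Run it against a real access log with the contents of /var/log/dirsrv/slapd-REALM-NAME/access in place of ACCESS_LOG; -W makes ldapsearch prompt for the bind password, and the -E pr= option is what makes the replay send the same paged-results control the client did, which plain ldapsearch would otherwise not do.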
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>>
>> vCenter SSO error:
>> Error: Idm client exception: Control not found
>
> There's no error log debug level which will give us all of the controls received by the server or all of the controls sent back by the server. The TRACE level will give us some information.

Could it be that the "Control not found" is somehow related with the paged results control as described in
https://bugzilla.redhat.com/show_bug.cgi?id=558099

Is the notes=P in ipa logs a setting managed by the server or by the type of the query done by the client?
In my past IPA 3.3.3 logs I didn't find it at the end of the log line with nentries...

Just an attempt...
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On 03/06/2015 09:01 AM, Herwono W Wijaya wrote:
> this is the result from:
> # strings /usr/lib/openldap/slapd | grep 1.3.6.1.4

Sorry, I should have been much more explicit about what you need to do:

1) Are you a VMware customer with a paid support contract? If so, then contact VMware support - ask them which LDAP controls vCenter knows about and which ones it can expect in an LDAP response.

2) Look for LDAP Control OIDs in the _vCenter_ code, not the openldap code. I can't help you here - I don't have vCenter, and I have no idea what the code/binary layout looks like on disk.

For example, here is a list of well known LDAP Control OIDs: https://www.ldap.com/ldap-oid-reference - scroll down to "OIDs for Controls".

> On 3/6/15 10:40 PM, Rich Megginson wrote:
>> On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:
>>> FreeIPA logs:
>>>
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn=uid=admin,cn=users,cn=compat,dc=server,dc=local method=128 version=3
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=server,dc=local
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base=cn=users,cn=compat,dc=server,dc=local scope=2 filter=(objectClass=inetOrgPerson) attrs=uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>>>
>>> vCenter SSO error:
>>>
>>> Error: Idm client exception: Control not found
>>
>> There's no error log debug level which will give us all of the controls received by the server or all of the controls sent back by the server. The TRACE level will give us some information.
>>
>> But the problem appears to be that vCenter is expecting some control. There is no way we can tell what control that might be by analyzing the LDAP protocol, even with wireshark.
>>
>> If the vCenter documentation does not suffice, and VMware support is not forthcoming, then we might be able to reverse engineer the code. For example, search the code, if scripts, or use something like the strings command on binaries, to look for well known OID prefixes. For example, from dirsrv:
>>
>> # strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep 1.3.6.1.4
>> 1.3.6.1.4.1.1466.115.121.1.34
>> 1.3.6.1.4.1.1466.115.121.1.12
>> 1.3.6.1.4.1.1466.115.121.1.15
>> 1.3.6.1.4.1.42.2.27.8.5.1
>> 1.3.6.1.4.1.42.2.27.9.5.2
>> ...
>>
>> If we can narrow down the list of possible control OIDs that vCenter knows about, we can perhaps figure out if 389 supports them.
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson <rmegg...@redhat.com> wrote:
> On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:
>> vCenter SSO works well with Univention LDAP.
>
> Then set up a wireshark session to capture traffic between vCenter SSO and Univention LDAP, then do the same with vCenter SSO and IPA. Then we can compare the TCP traffic dumps.

And so we can then change the preface that at this moment explicitly contains:

Preface
The environment used to write this document is based on pure vSphere 5.1, used in trial mode with vCenter server configured as a virtual appliance.

and update it covering 5.5 and hopefully 6.0 too... ;-)
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
Tomorrow I will try to capture Univention LDAP traffic with wireshark, and if possible I will try also this FreeIPA with vCenter 6. Since I became one of the private beta testers, I have vCenter 6.

On 3/7/15 1:34 AM, Gianluca Cecchi wrote:
> On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>> And so we can then change the preface that at this moment explicitly contains:
>>>
>>> Preface
>>> The environment used to write this document is based on pure vSphere 5.1, used in trial mode with vCenter server configured as a virtual appliance.
>>>
>>> and update it covering 5.5 and hopefully 6.0 too... ;-)
>>
>> I'm sorry - which preface? Link?
>
> The message was for Herwono... not for you ... He/she referred to:
>> Here I want to make sure if FreeIPA can work with vCenter SSO, because I read it on this page:
>> http://www.freeipa.org/page/HowTo/vsphere5_integration
> And at the top of the doc in the link there is the note about only 5.1 tested, while the version here is 5.5u2b.
>
> Have a nice weekend, to all the list ;-)
> Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:
> vCenter SSO works well with Univention LDAP.

Then set up a wireshark session to capture traffic between vCenter SSO and Univention LDAP, then do the same with vCenter SSO and IPA. Then we can compare the TCP traffic dumps.

> Here I want to make sure if FreeIPA can work with vCenter SSO, because I read it on this page:
> http://www.freeipa.org/page/HowTo/vsphere5_integration
>
> And thanks for the help and for answering any questions from me. Have a nice day.
>
> On 3/6/15 11:23 PM, Rich Megginson wrote:
>> On 03/06/2015 09:13 AM, Gianluca Cecchi wrote:
>>> On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
>>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
>>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>>>>
>>>> vCenter SSO error:
>>>> Error: Idm client exception: Control not found
>>>>
>>>> There's no error log debug level which will give us all of the controls received by the server or all of the controls sent back by the server. The TRACE level will give us some information.
>>>
>>> Could it be that the "Control not found" is somehow related with the paged results control as described in
>>> https://bugzilla.redhat.com/show_bug.cgi?id=558099
>>
>> Could be.
>>
>>> Is the notes=P in ipa logs a setting managed by the server or by the type of the query done by the client?
>>
>> Yes. It means the client is requesting a Simple Paged Search by using that control.
>>
>>> In my past IPA 3.3.3 logs I didn't find it at the end of the log line with nentries...
>>
>> It has everything to do with the client. The server has supported Simple Paged Search for a long time. Perhaps some newer version of the client is requesting paged results?
>>
>>> Just an attempt...
>>
>> One more thing - does vCenter work with another LDAP server, like openldap or active directory? If so, try capturing a wireshark trace of a successful search operation, then capture a wireshark trace of a session using ipa, and we can compare them to see which controls the working server is sending back that ipa is not.
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote:
On 03/06/2015 11:02 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote:
On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:
vCenter SSO works well with Univention LDAP.

Then set up a wireshark session to capture traffic between vCenter SSO and Univention LDAP, then do the same with vCenter SSO and IPA. Then we can compare the TCP traffic dumps.

And so we can then change the preface that at this moment explicitly contains:

Preface
The environment used to write this document is based on pure vSphere 5.1, used in trial mode with vCenter server configured as a virtual appliance.

and update it covering 5.5 and hopefully 6.0 too... ;-)

I'm sorry - which preface? Link?

http://www.freeipa.org/page/HowTo/vsphere5_integration , I think

--
Groeten,
natxo
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote:
And so we can then change the preface that at this moment explicitly contains:

Preface
The environment used to write this document is based on pure vSphere 5.1, used in trial mode with vCenter server configured as a virtual appliance.

and update it covering 5.5 and hopefully 6.0 too... ;-)

I'm sorry - which preface? Link?

The message was for Herwono... not for you ...
He/she referred to:

Here I want to make sure if FreeIPA can work with vCenter SSO, because I read it on this page: http://www.freeipa.org/page/HowTo/vsphere5_integration

And at the top of the doc in the link there is the note about only 5.1 tested, while the version here is 5.5u2b.

Have a nice weekend, to all the list ;-)

Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On 03/06/2015 11:02 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote:
On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:
vCenter SSO works well with Univention LDAP.

Then set up a wireshark session to capture traffic between vCenter SSO and Univention LDAP, then do the same with vCenter SSO and IPA. Then we can compare the TCP traffic dumps.

And so we can then change the preface that at this moment explicitly contains:

Preface
The environment used to write this document is based on pure vSphere 5.1, used in trial mode with vCenter server configured as a virtual appliance.

and update it covering 5.5 and hopefully 6.0 too... ;-)

I'm sorry - which preface? Link?
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On 03/06/2015 09:13 AM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson rmegg...@redhat.com wrote:

[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

vCenter SSO error: Error: Idm client exception: Control not found

There's no error log debug level which will give us all of the controls received by the server or all of the controls sent back by the server. The TRACE level will give us some information.

Could it be that the Control not found is somehow related with the page results control as described in https://bugzilla.redhat.com/show_bug.cgi?id=558099

Could be.

Is the notes=P in ipa logs a setting managed by the server or by the type of the query done by the client?

Yes. It means the client is requesting a Simple Paged Search by using that control.

In my past IPA 3.3.3 logs I didn't find it at the end of the log line with nentries...

It has everything to do with the client. The server has supported Simple Paged Search for a long time.

Perhaps some newer version of the client is requesting paged results? Just an attempt...

One more thing - does vCenter work with another LDAP server, like openldap or active directory? If so, try capturing a wireshark trace of a successful search operation, then capture a wireshark trace of a session using ipa, and we can compare them to see which controls the working server is sending back that ipa is not.
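As an added illustration of Rich's point about notes=P (editor-supplied example code, not from this thread, 389-ds or FreeIPA): a small Python parser for 389-ds access-log lines of the kind quoted above. It pairs each operation's request line with its RESULT line and lists the searches whose RESULT carries notes=P, i.e. those where the client sent the simple paged results control. The sample log is constructed from the thread's lines (with the quotes 389-ds normally writes restored) plus one extra non-paged search for contrast; the U and A notes are standard 389-ds flags included for completeness.

```python
import re
# Constructed sample: the lines quoted in this thread (values quoted as 389-ds
# writes them) plus one extra search that did not use the paged-results control.
SAMPLE_LOG = """\
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base="cn=users,cn=compat,dc=server,dc=local" scope=2 filter="(objectClass=inetOrgPerson)" attrs="uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
[06/Mar/2015:21:52:01 +0700] conn=31 op=1 SRCH base="cn=users,cn=compat,dc=server,dc=local" scope=2 filter="(uid=jdoe)" attrs="uid"
[06/Mar/2015:21:52:01 +0700] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Meaning of the notes= flags 389-ds appends to RESULT lines.
NOTES = {"P": "client sent the simple paged results control (RFC 2696)",
         "U": "unindexed search", "A": "ALLIDS threshold reached (partially unindexed)"}
LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")

def field_value(rest, key):
    # key="..." as 389-ds writes it, or bare key=... as it usually survives mail quoting
    m = re.search(rf'\b{key}="([^"]*)"|\b{key}=(\S+)', rest)
    return None if m is None else (m.group(2) if m.group(1) is None else m.group(1))

def parse_access_log(text):
    """Pair each operation's request line with its RESULT line, keyed by (conn, op)."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        conn, op, rest = int(m["conn"]), int(m["op"]), m["rest"]
        rec = ops.setdefault((conn, op), {"conn": conn, "op": op, "notes": []})
        if rest.startswith("SRCH "):
            rec.update(type="SRCH", base=field_value(rest, "base"), filter=field_value(rest, "filter"))
        elif rest.startswith("BIND "):
            rec.update(type="BIND", dn=field_value(rest, "dn"))
        elif rest.startswith("RESULT "):
            notes = field_value(rest, "notes") or ""
            rec.update(err=int(field_value(rest, "err")), nentries=int(field_value(rest, "nentries")),
                       notes=[n for n in notes.split(",") if n])
    return ops

def paged_searches(ops):
    """Searches whose RESULT carries notes=P, i.e. the client used the paged-results control."""
    return [r for _, r in sorted(ops.items()) if r.get("type") == "SRCH" and "P" in r["notes"]]

if __name__ == "__main__":
    for r in paged_searches(parse_access_log(SAMPLE_LOG)):
        print(r["conn"], r["op"], r["filter"], r["nentries"], [NOTES.get(n, n) for n in r["notes"]])
```

Run it against /var/log/dirsrv/slapd-REALM-NAME/access to see which of vCenter's searches carried the control, and whether any of them returned a non-zero err before the client's "Control not found".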
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 8:34 AM, Martin Kosek mko...@redhat.com wrote:
On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:
Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user can be used and always get an error for other users.

You mean admin user from vCenter, not admin user from FreeIPA, right?

Did you follow this HOWTO: http://www.freeipa.org/page/HowTo/vsphere5_integration

Note that the vSphere integration topic is being discussed this week, CCing also Gianluca (author of the HOWTO), he may have some ideas where the problem is too.

Martin

The logs that let us know the kind of queries generated by vSphere are in /var/log/dirsrv/slapd-REALM-NAME/ (at least for 3.3.3)

Also, searching through my e-mails I found one direct contact using vSphere 5.5 who was doing some tests with VMware support connected to his systems.
It seems they found out that almost all of it worked correctly when using accounts instead of compat BUT you can't log in.
An action was then to add objectclass=groupOfUniqueNames to a single test group and they were able to login.
I asked for more information about his setup, if still in place, and to eventually share with others.
Stay tuned...

Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:
Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user can be used and always get an error for other users.

You mean admin user from vCenter, not admin user from FreeIPA, right?

Did you follow this HOWTO: http://www.freeipa.org/page/HowTo/vsphere5_integration

Note that the vSphere integration topic is being discussed this week, CCing also Gianluca (author of the HOWTO), he may have some ideas where the problem is too.

Martin
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On 03/05/2015 10:38 PM, Herwono W Wijaya wrote:
Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user can be used and always get an error for other users.

Can you check without full name? It seems like the name is expanded twice.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.