Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

I've updated the ACIs but am still getting the same error as before. I am guessing this is probably related to the same issue in the other concurrent vSphere 5.5 email thread that is going. I'll just keep my eye on that to see the resolution.

On 3/6/2015 at 3:45 PM, Martin Kosek mko...@redhat.com wrote:
> On 03/06/2015 08:35 AM, Alexander Bokovoy wrote:
>> On Fri, 06 Mar 2015, Martin Kosek wrote:
>>> On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
>>>> Just to confirm, I should restart the server after I've run the ldapmodify?
>>>
>>> Right. It would be the safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the entries from scratch.
>>>
>>>> Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.
>>>
>>> The key here is to see the Directory Server access log, to see what kind of LDAP searches vSphere is doing and then seeing the actual entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory Studio). With this knowledge, you should just need to update either the Schema Compatibility plugin configuration or vSphere configuration.
>>
>> Note also that in 4.1 we have ACIs that only give access to certain attributes within the compat tree and not all of them. Adding a new attribute requires adding an ACI to allow serving it. If this is an issue, you'd see the difference when accessing as cn=Directory Manager or as any other authenticated bind.
>
> Very good point Alexander! I unfortunately did my tests either as admin or DM. I updated the HOWTO with the new step that fixed it for me.
>
> http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
>
> So reesb, after the update above, you should get it working.
>
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

Ok here is the search result:

# ldapsearch -x -D "cn=Directory Manager" -W -b cn=config cn=groups
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base cn=config with scope subtree
# filter: cn=groups
# requesting: ALL
#

# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
schema-compat-entry-attribute: %ifeq(ipaanchoruuid,%{ipaanchoruuid},objectclass=ipaOverrideTarget,)
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r(member,uid)
schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid},)
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},objectclass=ipaOverrideTarget,)
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: dc=localdomain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On 3/5/2015 at 3:54 PM, Martin Kosek mko...@redhat.com wrote:
> I am also CCing Gialunca who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3, my compat group now contains the proper uniqueMember attribute and groupOfUniqueNames objectclass.
>
> I am not sure though why users are also updated (mostly a question to Gialunca):
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
> For instance, uniqueMember is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes also generated - otherwise consuming programs may break if they depend on such attributes existing. I see that sn is missing in my compat user entries.
>
> Can you show the cn=groups,cn=Schema Compatibility,cn=plugins,cn=config entry so that we can see if the uniqueMember attribute is really configured correctly?
>
> Thanks,
> Martin
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek mko...@redhat.com wrote:
> I am not sure though why users are also updated (mostly a question to Gialunca):
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
> For instance, uniqueMember is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes also generated - otherwise consuming programs may break if they depend on such attributes existing. I see that sn is missing in my compat user entries.

Users' updates were forced by vSphere-originated queries. For example, without adding the inetOrgPerson objectclass, when I wanted to bind a permission to a user and searched for users in vSphere, I got this error:

[05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH base=cn=users,cn=compat,dc=localdomain,dc=local scope=2 filter=((objectClass=inetOrgPerson)(objectClass=inetOrgPerson)) attrs=description entryuuid givenName initials mail pwdaccountlockedtime shadowExpire sn title uid userPassword

So I verified that after adding inetOrgPerson I was then able to add users to permissions.

Probably I have to check which are the MUST attributes for it so that we add them too.

As far as I understood, the use of compat was indeed to add uniqueMember, which is expected to be there by vSphere, at least in 5.1.

Gianluca
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
> Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch:
>
> # admins, groups, compat, localdomain.local
> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
> gidNumber: 75620
> memberUid: admin
> memberUid: vadmin
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> cn: admins

I am also CCing Gialunca who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3, my compat group now contains the proper uniqueMember attribute and groupOfUniqueNames objectclass.

I am not sure though why users are also updated (mostly a question to Gialunca):

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

For instance, uniqueMember is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes also generated - otherwise consuming programs may break if they depend on such attributes existing. I see that sn is missing in my compat user entries.

Can you show the cn=groups,cn=Schema Compatibility,cn=plugins,cn=config entry so that we can see if the uniqueMember attribute is really configured correctly?

Thanks,
Martin
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

Just to confirm, I should restart the server after I've run the ldapmodify?

Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.

On 3/5/2015 at 5:44 PM, Martin Kosek mko...@redhat.com wrote:
> Thanks. The configuration looks OK, I wonder why the uniqueMember is not generated for your compat groups - it works on my FreeIPA 4.1.3 server. Did you restart the Directory Server after you changed the Schema Compatibility plugin?
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

On 03/06/2015 08:35 AM, Alexander Bokovoy wrote:
> Note also that in 4.1 we have ACIs that only give access to certain attributes within the compat tree and not all of them. Adding a new attribute requires adding an ACI to allow serving it. If this is an issue, you'd see the difference when accessing as cn=Directory Manager or as any other authenticated bind.

Very good point Alexander! I unfortunately did my tests either as admin or DM. I updated the HOWTO with the new step that fixed it for me.

http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update

So reesb, after the update above, you should get it working.

Martin
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
> Just to confirm, I should restart the server after I've run the ldapmodify?

Right. It would be the safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the entries from scratch.

> Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.

The key here is to see the Directory Server access log, to see what kind of LDAP searches vSphere is doing and then seeing the actual entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory Studio). With this knowledge, you should just need to update either the Schema Compatibility plugin configuration or vSphere configuration.

Martin

> On 3/5/2015 at 5:44 PM, Martin Kosek mko...@redhat.com wrote:
>> Thanks. The configuration looks OK, I wonder why the uniqueMember is not generated for your compat groups - it works on my FreeIPA 4.1.3 server. Did you restart the Directory Server after you changed the Schema Compatibility plugin?
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

On Fri, 06 Mar 2015, Martin Kosek wrote:
> On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
>> Just to confirm, I should restart the server after I've run the ldapmodify?
>
> Right. It would be the safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the entries from scratch.
>
>> Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.
>
> The key here is to see the Directory Server access log, to see what kind of LDAP searches vSphere is doing and then seeing the actual entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory Studio). With this knowledge, you should just need to update either the Schema Compatibility plugin configuration or vSphere configuration.

Note also that in 4.1 we have ACIs that only give access to certain attributes within the compat tree and not all of them. Adding a new attribute requires adding an ACI to allow serving it. If this is an issue, you'd see the difference when accessing as cn=Directory Manager or as any other authenticated bind.

--
/ Alexander Bokovoy
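The diagnostic Martin and Alexander describe above (read the access log for the searches vSphere issues, compare against the entries the compat tree actually serves, then compare the Directory Manager view with an ordinary bind's view to spot an ACI problem), as an added offline example that is not from the thread, FreeIPA or vSphere. It assumes 389-ds access-log SRCH lines with quoted base/filter/attrs, subtree-scope searches, and constructed sample log lines and LDIF entries modelled on the ones posted in the thread; all function names are the example's own.

```python
import re

# Constructed 389-ds access-log SRCH lines: vSphere's user search (op=34 in the thread) and
# the group search carrying the uniqueMember filter from the original question.
ACCESS_LOG = """\
[05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2 filter="(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson))" attrs="description entryuuid givenName initials mail pwdaccountlockedtime shadowExpire sn title uid userPassword"
[05/Dec/2014:22:59:22 +0100] conn=1831 op=35 SRCH base="cn=groups,cn=compat,dc=localdomain,dc=local" scope=2 filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local))" attrs="cn uniqueMember"
"""
# Constructed compat-tree entries as the vSphere bind account sees them: the group carries
# the groupOfUniqueNames objectclass but no uniqueMember value; the user entry has no sn.
BIND_VIEW = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
memberUid: admin
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins

dn: uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local
uid: adminuser
givenName: Admin
objectClass: posixAccount
objectClass: inetOrgPerson
"""
# Constructed cn=Directory Manager view of the same entries: sn is generated after all, so
# a compat-tree ACI (Alexander's point), not the plugin config, withholds it from the bind.
DM_VIEW = BIND_VIEW + "sn: User\n"
SRCH_RE = re.compile(r'op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)" attrs="([^"]*)"')

def parse_searches(log):
    """One dict per SRCH line: op, base, scope, raw filter and the requested attributes."""
    return [{"op": m[1], "base": m[2], "scope": int(m[3]), "filter": m[4],
             "attrs": m[5].split()} for m in SRCH_RE.finditer(log)]

def parse_ldif(text):
    """Parse unfolded LDIF into dicts of lower-cased attribute name -> list of values."""
    entries = []
    for block in text.split("\n\n"):
        cur = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            if attr.strip() and not attr.startswith("#"):
                cur.setdefault(attr.strip().lower(), []).append(val.strip())
        if cur:
            entries.append(cur)
    return entries

def parse_filter(s, i=0):
    """Recursive-descent parser for the (&...), (|...) and (attr=value) forms in the thread."""
    i += 1                                    # skip "("
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1              # skip ")"
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively as 389-ds does."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    vals = entry.get(node[1], [])
    return bool(vals) if node[2] == "*" else node[2].lower() in (v.lower() for v in vals)

def diagnose(log, ldif):
    """Per search (subtree scope assumed): matching entries and the requested attrs each lacks."""
    entries, report = parse_ldif(ldif), []
    for s in parse_searches(log):
        node, _ = parse_filter(s["filter"])
        hits = [e for e in entries if e["dn"][0].lower().endswith("," + s["base"].lower())
                and matches(node, e)]
        report.append({"op": s["op"], "matched": [e["dn"][0] for e in hits],
                       "missing": {e["dn"][0]: [a for a in s["attrs"] if a.lower() not in e]
                                   for e in hits}})
    return report

def attrs_hidden_from_bind(dm_ldif, bind_ldif):
    """Attributes served to cn=Directory Manager but absent from the bind's view: ACI suspects."""
    bind = {e["dn"][0].lower(): e for e in parse_ldif(bind_ldif)}
    hidden = {}
    for e in parse_ldif(dm_ldif):
        diff = sorted(set(e) - set(bind.get(e["dn"][0].lower(), {})))
        if diff:
            hidden[e["dn"][0]] = diff
    return hidden
```

On the samples, `diagnose` shows the user search matching but lacking sn and the other inetOrgPerson attributes vSphere asks for, and the group search matching nothing because no uniqueMember value is served, while `attrs_hidden_from_bind` singles out sn as withheld by an ACI rather than by the plugin configuration.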
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch:

# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 75620
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

Hi Martin,

Using my vadmin account, uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local, the search completes successfully and I get a list of my users and groups; however, when I've watched the LDAP queries between vCenter and FreeIPA I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames' which my groups don't seem to contain. I'm very much an LDAP newbie but I thought at step two in the vSphere integration howto I modified the groups schema to include that object class?

On 3/4/2015 at 8:32 PM, Martin Kosek wrote:
> Given that this HOWTO does not use the vanilla Schema Compatibility settings (the FreeIPA Compat Tree by default uses the posixGroup objectclass and memberUid attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:
>
> # ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b cn=groups,cn=compat,dc=localdomain,dc=local
>
> I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.
>
> Martin
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

On 03/04/2015 09:43 AM, re...@hushmail.com wrote:
> Hi,
>
> I've read the thread from Nov and checked out http://www.freeipa.org/page/HowTo/vsphere5_integration however I'm still having trouble getting vSphere to use FreeIPA as an identity source. I've set the base DN for users and groups, the connection URL and username and password, and my vadmin account connects correctly; however, when I try to log in as a user (whom I've assigned permissions to) I get an authentication error that states it may be caused by a malfunctioning identity source.
>
> Also I have modified my LDAP schema as directed in the howto; however (and I'm pretty sure this is the root of my problem) I notice that when I do an ldapsearch for a group which I've assigned administrator permissions it does not have the 'uniqueMember' attribute. The ldapmodify command seemed to run correctly without any complaints. Also I'm running FreeIPA 4.1.
>
> Watching the LDAP traffic between the two boxes shows that vCenter is binding successfully; however, when it does a search request with the following filter:
>
> Filter: ((objectClass=groupOfUniqueNames)(uniqueMember=uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local))
>
> it returns no results.
>
> Does anyone have any suggestions?
>
> Cheers,
> Rees

Given that this HOWTO does not use the vanilla Schema Compatibility settings (the FreeIPA Compat Tree by default uses the posixGroup objectclass and memberUid attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:

# ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b cn=groups,cn=compat,dc=localdomain,dc=local

I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.

Martin