Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-09 Thread reesb
I've updated the ACIs but am still getting the same error as before. I am 
guessing this is probably related to the same issue in the other concurrent 
vSphere 5.5 email thread that is going. I'll just keep my eye on that to see 
the resolution.

On 3/6/2015 at 3:45 PM, Martin Kosek mko...@redhat.com wrote:

On 03/06/2015 08:35 AM, Alexander Bokovoy wrote:
 On Fri, 06 Mar 2015, Martin Kosek wrote:
 On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
 Just to confirm, I should restart the server after I've run the ldapmodify?

 Right. It would be the safer thing to do, if you modified the Schema
 Compatibility config. At least to make sure it re-creates the entries from
 scratch.

 Also I've used ldapmodify to remove the 'uniqueMember' object class from
 the compat schema and added the 'sn=%{sn}' attribute and I still am having
 no luck. I get the same 'identity source may be malfunctioning' error from
 vSphere.

 The key here is to see the Directory Server access log, to see what kind of
 LDAP searches vSphere is doing, and then to see the actual entries in FreeIPA
 with ldapsearch (or any GUI; I use Apache Directory Studio). With this
 knowledge, you should just need to update either the Schema Compatibility
 plugin configuration or the vSphere configuration.
 Note also that in 4.1 we have ACIs that only give access to certain
 attributes within the compat tree and not all of them. Adding a new
 attribute requires adding an ACI to allow serving it.

 If this is an issue, you'd see the difference when accessing as
 cn=Directory Manager or as any other authenticated bind.

Very good point, Alexander! I unfortunately did my tests either as
admin or DM.
I updated the HOWTO with the new step that fixed it for me.

http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update

So reesb, after the update above, you should get it working.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread reesb
OK, here is the search result:
# ldapsearch -x -D "cn=Directory Manager" -W -b cn=config cn=groups
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base cn=config with scope subtree
# filter: cn=groups
# requesting: ALL
#

# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
schema-compat-entry-attribute: %ifeq(ipaanchoruuid,%{ipaanchoruuid},objec
 tclass=ipaOverrideTarget,)
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r(member,uid)
schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},ipaanchor
 uuid=:IPA:cloud.local:%{ipauniqueid},)
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},objectcla
 ss=ipaOverrideTarget,)
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts
 (.*),%1compat%2)
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: dc=localdomain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On 3/5/2015 at 3:54 PM, Martin Kosek mko...@redhat.com wrote:

On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
 Oops, I got that wrong, my groups don't show the 'uniqueMember' 
 attribute. Here is an example returned from ldapsearch:
 
 # admins, groups, compat, localdomain.local
 dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
 gidNumber: 75620
 memberUid: admin
 memberUid: vadmin
 objectClass: posixGroup
 objectClass: groupOfUniqueNames
 objectClass: top
 cn: admins
 
 
 On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:
 
 Hi Martin,
 
 Using my vadmin account, 
 uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local, the 
 search completes successfully and I get a list of my users and 
 groups; however, when I've watched the LDAP queries between vCenter 
 and FreeIPA I can see it's applying a filter to the user search 
 looking for 'objectClass=groupOfUniqueNames', which my groups don't 
 seem to contain.
 
 
 I'm very much an LDAP newbie, but I thought at step two in the 
 vSphere integration HOWTO I modified the groups schema to include 
 that object class?
 
 On 3/4/2015 at 8:32 PM, Martin Kosek mko...@redhat.com wrote:
 
 Given that this HOWTO does not use the vanilla Schema 
Compatibility settings
 (FreeIPA Compat Tree by default uses posixGroup objectclass and 
memberUid
 attribute for user membership), I would check if the groups 
really have the
 right objectclass and uniqueMember generated:
 
 # ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b
 cn=groups,cn=compat,dc=localdomain,dc=local
 
 I expect there will be some problem preventing the LDAP search
 from succeeding. Then we would know where to look next.
 
 Martin
 

I am also CCing Gianluca who contributed the HOWTO. I checked it again and
tried to apply it on my FreeIPA 4.1.3; my compat groups now contain the proper
uniqueMember attribute and groupOfUniqueNames objectclass.

I am not sure though why users are also updated (mostly a question
for Gianluca):
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

For instance, uniqueMember is not a valid objectclass. Also, if you are adding
the inetOrgPerson objectclass, you should have all its MUST attributes also
generated - otherwise consuming programs may break if they depend on such
attributes existing. I see that sn is missing in my compat user entries.

Can you show the cn=groups,cn=Schema 
Compatibility,cn=plugins,cn=config entry
so that we can see if the uniqueMember attribute is really 
configured correctly?

Thanks,
Martin



Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Gianluca Cecchi
On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek mko...@redhat.com wrote:


 I am also CCing Gianluca who contributed the HOWTO. I checked it again and
 tried to apply it on my FreeIPA 4.1.3; my compat groups now contain the
 proper uniqueMember attribute and groupOfUniqueNames objectclass.

 I am not sure though why users are also updated (mostly a question for
 Gianluca):
 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
 changetype: modify
 add: schema-compat-entry-attribute
 schema-compat-entry-attribute: objectclass=uniqueMember
 -
 add: schema-compat-entry-attribute
 schema-compat-entry-attribute: objectclass=inetOrgPerson
 -

 For instance, uniqueMember is not a valid objectclass. Also, if you are
 adding the inetOrgPerson objectclass, you should have all its MUST attributes
 also generated - otherwise consuming programs may break if they depend on such
 attributes existing. I see that sn is missing in my compat user entries.

 Can you show the cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
 entry
 so that we can see if the uniqueMember attribute is really configured
 correctly?

 Thanks,
 Martin



The users' updates were forced by vSphere-originated queries.
For example, without adding the inetOrgPerson objectclass, when I wanted to bind
a permission to a user and searched for users in vSphere, I got this error:

[05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH
base=cn=users,cn=compat,dc=localdomain,dc=local scope=2
filter=(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson))
attrs=description entryuuid givenName initials mail pwdaccountlockedtime
shadowExpire sn title uid userPassword

So I verified that after adding inetOrgPerson I was then able to add users to
permissions.
Probably I have to check which are the MUST attributes for it so that we
add them too.

As far as I understood, the use of compat was indeed to add uniqueMember
that is expected to be there by vSphere, at least in 5.1


Gianluca

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Martin Kosek
On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
 Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. 
 Here is an example returned from ldapsearch:
 
 # admins, groups, compat, localdomain.local
 dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
 gidNumber: 75620
 memberUid: admin
 memberUid: vadmin
 objectClass: posixGroup
 objectClass: groupOfUniqueNames
 objectClass: top
 cn: admins
 
 
 On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:
 
 Hi Martin,
 
 Using my vadmin account, 
 uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local, the search completes 
 successfully and I get a list of my users and groups; however, when I've 
 watched the LDAP queries between vCenter and FreeIPA I can see it's applying 
 a filter to the user search looking for 'objectClass=groupOfUniqueNames', 
 which my groups don't seem to contain.
 
 
 I'm very much an LDAP newbie, but I thought at step two in the vSphere 
 integration HOWTO I modified the groups schema to include that object class?
 
 On 3/4/2015 at 8:32 PM, Martin Kosek mko...@redhat.com wrote:
 
 Given that this HOWTO does not use the vanilla Schema Compatibility settings
 (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
 attribute for user membership), I would check if the groups really have the
 right objectclass and uniqueMember generated:
 
 # ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b
 cn=groups,cn=compat,dc=localdomain,dc=local
 
 I expect there will be some problem preventing the LDAP search from
 succeeding. Then we would know where to look next.
 
 Martin
 

I am also CCing Gianluca who contributed the HOWTO. I checked it again and
tried to apply it on my FreeIPA 4.1.3; my compat groups now contain the proper
uniqueMember attribute and groupOfUniqueNames objectclass.

I am not sure though why users are also updated (mostly a question for Gianluca):
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

For instance, uniqueMember is not a valid objectclass. Also, if you are adding
the inetOrgPerson objectclass, you should have all its MUST attributes also
generated - otherwise consuming programs may break if they depend on such
attributes existing. I see that sn is missing in my compat user entries.

Can you show the cn=groups,cn=Schema Compatibility,cn=plugins,cn=config entry
so that we can see if the uniqueMember attribute is really configured correctly?

Thanks,
Martin



Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread reesb
Just to confirm, I should restart the server after I've run the ldapmodify?

Also I've used ldapmodify to remove the 'uniqueMember' object class from the 
compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. 
I get the same 'identity source may be malfunctioning' error from vSphere.

On 3/5/2015 at 5:44 PM, Martin Kosek mko...@redhat.com wrote:

Thanks. The configuration looks OK, I wonder why the uniqueMember is not
generated for your compat groups - it works on my FreeIPA 4.1.3 server.

Did you restart the Directory Server after you changed the Schema
Compatibility plugin?

On 03/05/2015 09:16 AM, re...@hushmail.com wrote:
 OK, here is the search result:
 # ldapsearch -x -D "cn=Directory Manager" -W -b cn=config cn=groups
 Enter LDAP Password: 
 # extended LDIF
 #
 # LDAPv3
 # base cn=config with scope subtree
 # filter: cn=groups
 # requesting: ALL
 #
 
 # groups, Schema Compatibility, plugins, config
 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
 cn: groups
 objectClass: top
 objectClass: extensibleObject
 schema-compat-container-group: cn=compat, dc=localdomain,dc=local
 schema-compat-search-filter: objectclass=posixGroup
 schema-compat-container-rdn: cn=groups
 schema-compat-entry-rdn: cn=%{cn}
 schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
 schema-compat-entry-attribute: %ifeq(ipaanchoruuid,%{ipaanchoruuid},objectclass=ipaOverrideTarget,)
 schema-compat-entry-attribute: gidNumber=%{gidNumber}
 schema-compat-entry-attribute: memberUid=%deref_r(member,uid)
 schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid},)
 schema-compat-entry-attribute: memberUid=%{memberUid}
 schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},objectclass=ipaOverrideTarget,)
 schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
 schema-compat-entry-attribute: objectclass=posixGroup
 schema-compat-entry-attribute: objectclass=groupOfUniqueNames
 schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)
 schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
 schema-compat-restrict-subtree: dc=localdomain,dc=local
 
 # search result
 search: 2
 result: 0 Success
 
 # numResponses: 2
 # numEntries: 1
 
 On 3/5/2015 at 3:54 PM, Martin Kosek mko...@redhat.com wrote:

 On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
 Oops, I got that wrong, my groups don't show the 'uniqueMember'
 attribute. Here is an example returned from ldapsearch:

 # admins, groups, compat, localdomain.local
 dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
 gidNumber: 75620
 memberUid: admin
 memberUid: vadmin
 objectClass: posixGroup
 objectClass: groupOfUniqueNames
 objectClass: top
 cn: admins


 On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:

 Hi Martin,

 Using my vadmin account, 
 uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local, the 
 search completes successfully and I get a list of my users and 
 groups; however, when I've watched the LDAP queries between vCenter 
 and FreeIPA I can see it's applying a filter to the user search 
 looking for 'objectClass=groupOfUniqueNames', which my groups don't 
 seem to contain.


 I'm very much an LDAP newbie, but I thought at step two in the 
 vSphere integration HOWTO I modified the groups schema to 
 include that object class?

 On 3/4/2015 at 8:32 PM, Martin Kosek mko...@redhat.com 
wrote:

 Given that this HOWTO does not use the vanilla Schema Compatibility settings
 (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
 attribute for user membership), I would check if the groups really have the
 right objectclass and uniqueMember generated:

 # ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b
 cn=groups,cn=compat,dc=localdomain,dc=local

 I expect there will be some problem preventing the LDAP search
 from succeeding. Then we would know where to look next.

 Martin


 I am also CCing Gianluca who contributed the HOWTO. I checked it
 again and tried to apply it on my FreeIPA 4.1.3; my compat groups now
 contain the proper uniqueMember attribute and groupOfUniqueNames objectclass.

 I am not sure though why users are also updated (mostly a question
 for Gianluca):
 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
 changetype: modify
 add: schema-compat-entry-attribute
 schema-compat-entry-attribute: objectclass=uniqueMember
 -
 add: schema-compat-entry-attribute
 schema-compat-entry-attribute: objectclass=inetOrgPerson
 -

 For instance, uniqueMember is not a valid objectclass. Also, if
 you are adding the inetOrgPerson objectclass, you should have all its MUST
 attributes also generated - otherwise consuming programs may break if they
 depend on such attributes existing. I see that sn is missing in my compat
 user entries.

 Can you show the cn=groups,cn=Schema 
 Compatibility,cn=plugins,cn=config entry
 so that we can 

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Martin Kosek

On 03/06/2015 08:35 AM, Alexander Bokovoy wrote:

On Fri, 06 Mar 2015, Martin Kosek wrote:

On 03/06/2015 02:24 AM, re...@hushmail.com wrote:

Just to confirm, I should restart the server after I've run the ldapmodify?


Right. It would be the safer thing to do, if you modified the Schema
Compatibility config. At least to make sure it re-creates the entries from
scratch.


Also I've used ldapmodify to remove the 'uniqueMember' object class from
the compat schema and added the 'sn=%{sn}' attribute and I still am having
no luck. I get the same 'identity source may be malfunctioning' error from
vSphere.


The key here is to see the Directory Server access log, to see what kind of
LDAP searches vSphere is doing, and then to see the actual entries in FreeIPA
with ldapsearch (or any GUI; I use Apache Directory Studio). With this
knowledge, you should just need to update either the Schema Compatibility
plugin configuration or the vSphere configuration.

Note also that in 4.1 we have ACIs that only give access to certain
attributes within the compat tree and not all of them. Adding a new
attribute requires adding an ACI to allow serving it.

If this is an issue, you'd see the difference when accessing as
cn=Directory Manager or as any other authenticated bind.


Very good point, Alexander! I unfortunately did my tests either as admin or DM.
I updated the HOWTO with the new step that fixed it for me.


http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update

So reesb, after the update above, you should get it working.

Martin

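Put together, the fix discussed in this thread has two halves: the Schema Compatibility plugin must generate the attribute vSphere asks for (reesb's sn=%{sn} line, which also covers the inetOrgPerson MUST attribute Gianluca raises), and, as Alexander notes, an ACI must let an ordinary bind read it. The LDIF below is an added example of both halves in one file; it is not the HOWTO's Permission Update step. The suffix, the attribute covered and the ACI name are assumptions to adjust to your deployment.

```ldif
# 1. Generate sn (a MUST attribute of inetOrgPerson) in the compat user entries.
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sn=%{sn}

# 2. Let authenticated binds read it. The stock 4.1 compat-tree ACIs cover only
#    the attributes FreeIPA generates itself, not one you add (assumed suffix).
dn: dc=localdomain,dc=local
changetype: modify
add: aci
aci: (targetattr = "sn")
 (target = "ldap:///cn=users,cn=compat,dc=localdomain,dc=local")
 (version 3.0; acl "Read sn in User Compat Tree";
  allow (read, search, compare) userdn = "ldap:///all";)
```

Apply it with ldapmodify -x -D "cn=Directory Manager" -W -f compat-sn.ldif, restart the directory server (ipactl restart) as Martin advises so the compat entries are rebuilt, then run the same ldapsearch against cn=users,cn=compat twice, once bound as cn=Directory Manager and once as the vSphere service DN. If sn shows up only in the first result, the ACI is still missing or its target is wrong. ldap:///all limits the grant to authenticated binds, which is enough because vSphere binds with a service account; ldap:///anyone would also expose sn to anonymous searches.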


Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Martin Kosek

On 03/06/2015 02:24 AM, re...@hushmail.com wrote:

Just to confirm, I should restart the server after I've run the ldapmodify?


Right. It would be the safer thing to do, if you modified the Schema Compatibility 
config. At least to make sure it re-creates the entries from scratch.



Also I've used ldapmodify to remove the 'uniqueMember' object class from the 
compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. 
I get the same 'identity source may be malfunctioning' error from vSphere.


The key here is to see the Directory Server access log, to see what kind of 
LDAP searches vSphere is doing, and then to see the actual entries in FreeIPA 
with ldapsearch (or any GUI; I use Apache Directory Studio). With this 
knowledge, you should just need to update either the Schema Compatibility 
plugin configuration or the vSphere configuration.


Martin



On 3/5/2015 at 5:44 PM, Martin Kosek mko...@redhat.com wrote:


Thanks. The configuration looks OK, I wonder why the uniqueMember is not
generated for your compat groups - it works on my FreeIPA 4.1.3 server.

Did you restart the Directory Server after you changed the Schema
Compatibility plugin?

On 03/05/2015 09:16 AM, re...@hushmail.com wrote:

OK, here is the search result:
# ldapsearch -x -D "cn=Directory Manager" -W -b cn=config cn=groups

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base cn=config with scope subtree
# filter: cn=groups
# requesting: ALL
#

# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
schema-compat-entry-attribute: %ifeq(ipaanchoruuid,%{ipaanchoruuid},objectclass=ipaOverrideTarget,)
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r(member,uid)
schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid},)
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: %ifeq(ipauniqueid,%{ipauniqueid},objectclass=ipaOverrideTarget,)
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: dc=localdomain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On 3/5/2015 at 3:54 PM, Martin Kosek mko...@redhat.com wrote:


On 03/05/2015 02:37 AM, re...@hushmail.com wrote:

Oops, I got that wrong, my groups don't show the 'uniqueMember'
attribute. Here is an example returned from ldapsearch:


# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 75620
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins


On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:

Hi Martin,

Using my vadmin account,
uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local, the
search completes successfully and I get a list of my users and
groups; however, when I've watched the LDAP queries between vCenter
and FreeIPA I can see it's applying a filter to the user search
looking for 'objectClass=groupOfUniqueNames', which my groups don't
seem to contain.



I'm very much an LDAP newbie, but I thought at step two in the
vSphere integration HOWTO I modified the groups schema to
include that object class?


On 3/4/2015 at 8:32 PM, Martin Kosek mko...@redhat.com

wrote:


Given that this HOWTO does not use the vanilla Schema Compatibility settings
(FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
attribute for user membership), I would check if the groups really have the
right objectclass and uniqueMember generated:

# ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b
cn=groups,cn=compat,dc=localdomain,dc=local

I expect there will be some problem preventing the LDAP search
from succeeding. Then we would know where to look next.

Martin



I am also CCing Gianluca who contributed the HOWTO. I checked it
again and tried to apply it on my FreeIPA 4.1.3; my compat groups now
contain the proper uniqueMember attribute and groupOfUniqueNames objectclass.

I am not sure though why users are also updated (mostly a question
for Gianluca):
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: 

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Alexander Bokovoy

On Fri, 06 Mar 2015, Martin Kosek wrote:

On 03/06/2015 02:24 AM, re...@hushmail.com wrote:

Just to confirm, I should restart the server after I've run the ldapmodify?


Right. It would be the safer thing to do, if you modified the Schema 
Compatibility config. At least to make sure it re-creates the entries 
from scratch.



Also I've used ldapmodify to remove the 'uniqueMember' object class from the 
compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. 
I get the same 'identity source may be malfunctioning' error from vSphere.


The key here is to see the Directory Server access log, to see what 
kind of LDAP searches vSphere is doing, and then to see the actual 
entries in FreeIPA with ldapsearch (or any GUI; I use Apache Directory 
Studio). With this knowledge, you should just need to update either 
the Schema Compatibility plugin configuration or the vSphere 
configuration.

Note also that in 4.1 we have ACIs that only give access to certain
attributes within the compat tree and not all of them. Adding a new
attribute requires adding an ACI to allow serving it.

If this is an issue, you'd see the difference when accessing as
cn=Directory Manager or as any other authenticated bind.
--
/ Alexander Bokovoy

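Martin's advice (read the Directory Server access log to see what vSphere asks for, then look at the entries FreeIPA actually returns) and Alexander's point (an attribute the plugin generates stays invisible to ordinary binds until an ACI covers it) both come down to comparing a search against an entry. The script below is an added example, not code from the thread, from FreeIPA or from vSphere. It parses one 389 Directory Server SRCH access-log line and one LDIF entry as printed by ldapsearch, then reports the object classes the filter requires but the entry lacks, the attributes the filter matches on that the entry does not carry (the uniqueMember case in Rees's first post), the requested attributes that are not served, and the RFC MUST attributes missing for the object classes the entry claims (the inetOrgPerson question Gianluca raises). The user search line is the one Gianluca pasted and the admins group is the one Rees pasted; the group search line, the user entries and the adminuser uid are constructed for the example.

```python
# Added example (not FreeIPA, vSphere or thread code): compare a 389-ds SRCH log line
# with the LDIF entry ldapsearch returns from the compat tree.
import re

# MUST attributes, lower-cased: inetOrgPerson gets cn and sn from person (RFC 2798 /
# RFC 4519); posixGroup is from RFC 2307.
MUST_ATTRS = {"inetorgperson": {"cn", "sn"}, "posixgroup": {"cn", "gidnumber"}}

# 389-ds quotes base and filter; mail clients often strip the quotes, so both match.
SRCH_RE = re.compile(
    r'SRCH base="?(?P<base>.*?)"? scope=\d filter="?(?P<filter>\(.*\))"?'
    r'(?: attrs="?(?P<attrs>.*?)"?)?\s*$'
)

def parse_search(line):
    """Return what one SRCH access-log line needs from an entry to match it."""
    m = SRCH_RE.search(line)
    if not m:
        raise ValueError("not a 389-ds SRCH access-log line: %r" % line)
    filt = m["filter"]
    return {
        # object classes the filter insists on
        "classes": {c.lower() for c in re.findall(r"\(objectClass=([^)]+)\)", filt, re.I)},
        # other attributes the filter matches on, e.g. uniqueMember
        "filter_attrs": {a.lower() for a in re.findall(r"\((\w+)=", filt)} - {"objectclass"},
        # attributes the client asked for; ALL means every user attribute
        "attrs": {a.lower() for a in (m["attrs"] or "").split()} - {"all", "1.1"},
    }

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}, unfolding wrapped lines."""
    lines = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:  # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:  # base64 ("attr::") values do not occur in compat entries
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def audit(search_line, entry_ldif):
    """List what the entry lacks for the search to match it and for its classes."""
    srch = parse_search(search_line)
    entry = parse_ldif_entry(entry_ldif)
    have = set(entry) - {"dn"}
    classes = {c.lower() for c in entry.get("objectclass", [])}
    missing_must = set()
    for cls in classes:
        missing_must |= MUST_ATTRS.get(cls, set()) - have
    return {
        "missing_classes": sorted(srch["classes"] - classes),
        "missing_filter_attrs": sorted(srch["filter_attrs"] - have),
        "unserved_attrs": sorted(srch["attrs"] - have),
        "missing_must": sorted(missing_must),
    }

def aci_gap(dm_ldif, service_ldif):
    """Attributes served to cn=Directory Manager but not to an ordinary bind."""
    return sorted(set(parse_ldif_entry(dm_ldif)) - set(parse_ldif_entry(service_ldif)))

# Samples: the user search is the line Gianluca pasted (ampersand restored) and the
# group entry is the one Rees pasted; the rest is constructed for this example.
USER_SEARCH = (
    "[05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH "
    "base=cn=users,cn=compat,dc=localdomain,dc=local scope=2 "
    "filter=(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson)) "
    "attrs=description entryuuid givenName initials mail pwdaccountlockedtime "
    "shadowExpire sn title uid userPassword"
)
GROUP_SEARCH = (
    '[04/Mar/2015:09:31:02 +0000] conn=2210 op=7 SRCH '
    'base="cn=groups,cn=compat,dc=localdomain,dc=local" scope=2 filter="(&'
    '(objectClass=groupOfUniqueNames)(uniqueMember=uid=adminuser,cn=users,'
    'cn=compat,dc=localdomain,dc=local))" attrs=ALL'
)
USER_ENTRY = """\
dn: uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
cn: Admin User
uid: adminuser
"""
USER_ENTRY_AS_DM = USER_ENTRY + "sn: User\n"  # generated, but hidden by the ACIs
GROUP_ENTRY = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 75620
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins
"""
```

Run audit() on the entry as the vSphere service account sees it, and aci_gap() on the same entry read as cn=Directory Manager and as the service DN: anything aci_gap() lists is generated by the plugin but withheld by the compat-tree ACIs, which is the case Alexander describes and the permission step in the HOWTO addresses. Requested attributes the plugin does not generate at all (userPassword is the obvious one) will always appear under unserved_attrs; that matters only if vSphere refuses to work without them.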


Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-04 Thread reesb
Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here 
is an example returned from ldapsearch:

# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 75620
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins


On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:

Hi Martin,

Using my vadmin account, 
uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local, the search completes 
successfully and I get a list of my users and groups; however, when I've watched 
the LDAP queries between vCenter and FreeIPA I can see it's applying a filter 
to the user search looking for 'objectClass=groupOfUniqueNames', which my groups 
don't seem to contain.


I'm very much an LDAP newbie, but I thought at step two in the vSphere 
integration HOWTO I modified the groups schema to include that object class?

On 3/4/2015 at 8:32 PM, Martin Kosek mko...@redhat.com wrote:

Given that this HOWTO does not use the vanilla Schema Compatibility settings
(FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
attribute for user membership), I would check if the groups really have the
right objectclass and uniqueMember generated:

# ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b
cn=groups,cn=compat,dc=localdomain,dc=local

I expect there will be some problem preventing the LDAP search from succeeding.
Then we would know where to look next.

Martin



Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-04 Thread reesb
Hi Martin,
Using my vadmin account,
uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local, the search
completes successfully and I get a list of my users and groups; however,
when I've watched the LDAP queries between vCenter and FreeIPA I can
see it's applying a filter to the user search looking for
'objectClass=groupOfUniqueNames', which my groups don't seem to
contain.
I'm very much an LDAP newbie, but I thought at step two in the vSphere
integration HOWTO I modified the groups schema to include that object
class?

On 3/4/2015 at 8:32 PM, Martin Kosek  wrote:

Given that this HOWTO does not use the vanilla Schema Compatibility settings
(FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
attribute for user membership), I would check if the groups really have the
right objectclass and uniqueMember generated:

# ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b
cn=groups,cn=compat,dc=localdomain,dc=local

I expect there will be some problem preventing the LDAP search from
succeeding. Then we would know where to look next.

Martin

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-04 Thread Martin Kosek
On 03/04/2015 09:43 AM, re...@hushmail.com wrote:
 Hi, I've read the thread from Nov and checked out
 http://www.freeipa.org/page/HowTo/vsphere5_integration; however, I'm
 still having trouble getting vSphere to use FreeIPA as an identity
 source.
 I've set the base DN for users and groups, the connection URL and
 username and password, and my vadmin account connects correctly; however,
 when I try to log in as a user (whom I've assigned permissions to) I
 get an authentication error that states it may be caused by a
 malfunctioning identity source.
 Also I have modified my LDAP schema as directed in the HOWTO; however
 (and I'm pretty sure this is the root of my problem), I notice that
 when I do an ldapsearch for a group which I've assigned administrator
 permissions it does not have the 'uniqueMember' attribute. The
 ldapmodify command seemed to run correctly without any complaints.
 Also I'm running FreeIPA 4.1.
 Watching the LDAP traffic between the two boxes shows that vCenter is
 binding successfully; however, when it does a search request with the
 following filter:
 Filter: (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local))
 it returns no results.
 
 Does anyone have any suggestions?
 Cheers,
 Rees

Given that this HOWTO does not use the vanilla Schema Compatibility settings
(FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
attribute for user membership), I would check if the groups really have the
right objectclass and uniqueMember generated:

# ldapsearch -D VSPHERE_DN -x -w $VSPHERE_DN_PASSWORD -b
cn=groups,cn=compat,dc=localdomain,dc=local

I expect there will be some problem preventing the LDAP search from succeeding.
Then we would know where to look next.

Martin
