Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-11 Thread Martin Kosek
On 12/10/2014 08:20 PM, Dmitri Pal wrote:
> On 12/10/2014 06:55 AM, Gianluca Cecchi wrote:
>> On Tue, Dec 9, 2014 at 10:50 AM, Martin Kosek wrote:
>>
>> On 12/09/2014 12:50 AM, Gianluca Cecchi wrote:
>> > On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
>> >
>> >> OK. I will check requirements to write into The wiki
>> >>
>>
>>
>> Hello,
>> now I was able to login and I created this draft page, you can check and feel
>> free to review...
>> http://www.freeipa.org/page/HowTo/vsphere5_integration
> I scanned the page.
> Looks good. Thanks a lot!
> 
> I hope someone with the similar use case can verify the steps.
> 

+1, thanks! I see the page is already linked from

http://www.freeipa.org/page/HowTos#Virtualization

so we are covered on that front.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-11 Thread Gianluca Cecchi
On Thu, Dec 11, 2014 at 10:19 AM, Petr Spacek  wrote:

>
> Link to the how-to was added to:
> http://www.freeipa.org/page/HowTos#Virtualization
>
> --
> Petr^2 Spacek
>
>
>
thanks!
Gianluca

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-11 Thread Petr Spacek
On 10.12.2014 20:20, Dmitri Pal wrote:
> On 12/10/2014 06:55 AM, Gianluca Cecchi wrote:
>> On Tue, Dec 9, 2014 at 10:50 AM, Martin Kosek wrote:
>>
>> On 12/09/2014 12:50 AM, Gianluca Cecchi wrote:
>> > On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
>> >
>> >> OK. I will check requirements to write into The wiki
>> >>
>>
>>
>> Hello,
>> now I was able to login and I created this draft page, you can check and
>> feel free to review...
>> http://www.freeipa.org/page/HowTo/vsphere5_integration
> I scanned the page.
> Looks good. Thanks a lot!
> 
> I hope someone with the similar use case can verify the steps.

Link to the how-to was added to:
http://www.freeipa.org/page/HowTos#Virtualization

-- 
Petr^2 Spacek



Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-10 Thread Dmitri Pal

On 12/10/2014 06:55 AM, Gianluca Cecchi wrote:
On Tue, Dec 9, 2014 at 10:50 AM, Martin Kosek wrote:


On 12/09/2014 12:50 AM, Gianluca Cecchi wrote:
> On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
>
>> OK. I will check requirements to write into The wiki
>>


Hello,
now I was able to login and I created this draft page, you can check 
and feel free to review...

http://www.freeipa.org/page/HowTo/vsphere5_integration

I scanned the page.
Looks good. Thanks a lot!

I hope someone with the similar use case can verify the steps.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-10 Thread Gianluca Cecchi
On Tue, Dec 9, 2014 at 10:50 AM, Martin Kosek  wrote:

> On 12/09/2014 12:50 AM, Gianluca Cecchi wrote:
> > On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
> >
> >> OK. I will check requirements to write into The wiki
> >>
>

Hello,
now I was able to login and I created this draft page, you can check and
feel free to review...
http://www.freeipa.org/page/HowTo/vsphere5_integration

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-09 Thread Martin Kosek
On 12/09/2014 12:50 AM, Gianluca Cecchi wrote:
> On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi wrote:
> 
>> OK. I will check requirements to write into The wiki
>>
> 
> 
> When I try to log in with my Fedora OpenID account, choose my real name as
> nickname and press "login", it indefinitely remains on the blank page
> http://www.freeipa.org/page/Special:OpenIDLogin/ChooseName
> 
> without enabling me to log in and begin to write anything.
> Tried from both Chrome and Fedora (on my Fedora 20 system).
> Similar problems when I used to use zanata to write the oVirt Italian
> translation, but in that case, with some difficulty, I was finally able to
> log in and begin to work... no way here

I updated the OpenID plugin on the FreeIPA.org wiki to the latest version. Can
you please try the login now? I wonder if it is related to the latest upgrade I
performed [1]...

> This OpenID thing doesn't seem very usable in my opinion...

So far, the OpenID login & account creation was the only convenient method
we came up with to avoid manual account creation by the wiki administrators.
The simple wiki registration method did not work, as we then got attacked by spam
bots.

[1] https://www.redhat.com/archives/freeipa-devel/2014-November/msg00531.html



Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-09 Thread Petr Spacek
On 9.12.2014 02:43, Dmitri Pal wrote:
> On 12/08/2014 06:50 PM, Gianluca Cecchi wrote:
>> On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi wrote:
>>
>> OK. I will check requirements to write into The wiki
>>
>>
>>
>> When I try to log in with my Fedora OpenID account, choose my real name as
>> nickname and press "login", it indefinitely remains on the blank page
>> http://www.freeipa.org/page/Special:OpenIDLogin/ChooseName
>>
>> without enabling me to log in and begin to write anything.
>> Tried from both Chrome and Fedora (on my Fedora 20 system).
>> Similar problems when I used to use zanata to write the oVirt Italian
>> translation, but in that case, with some difficulty, I was finally able to
>> log in and begin to work... no way here
>>
>> This OpenID thing doesn't seem very usable in my opinion...
>>
>> Gianluca
>>
> 
> Do you manage to pass the Fedora OpenID prompt?
> Are you authenticating with  "giallu" login?
> Is it on the redirect from fedora to wiki when you are stuck or it is some
> other point of the sequence?

You can try to log-in into Fedora Notifications for example, just to make sure
that your account works:
https://apps.fedoraproject.org/notifications/

-- 
Petr^2 Spacek



Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Dmitri Pal

On 12/08/2014 06:50 PM, Gianluca Cecchi wrote:
On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:


OK. I will check requirements to write into The wiki



When I try to log in with my Fedora OpenID account, choose my real name as 
nickname and press "login", it indefinitely remains on the blank page

http://www.freeipa.org/page/Special:OpenIDLogin/ChooseName

without enabling me to log in and begin to write anything.
Tried from both Chrome and Fedora (on my Fedora 20 system).
Similar problems when I used to use zanata to write the oVirt Italian 
translation, but in that case, with some difficulty, I was finally able 
to log in and begin to work... no way here


This OpenID thing doesn't seem very usable in my opinion...

Gianluca



Do you manage to pass the Fedora OpenID prompt?
Are you authenticating with  "giallu" 
login?
Is it on the redirect from fedora to wiki when you are stuck or it is 
some other point of the sequence?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Gianluca Cecchi
On Tue, Dec 9, 2014 at 12:50 AM, Gianluca Cecchi wrote:

>
> Tried from both Chrome and Fedora (on my Fedora 20 system)
>
>
Correct:
Tried from both Chrome and Firefox (on my Fedora 20 system)

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Gianluca Cecchi
On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi wrote:

> OK. I will check requirements to write into The wiki
>


When I try to log in with my Fedora OpenID account, choose my real name as
nickname and press "login", it indefinitely remains on the blank page
http://www.freeipa.org/page/Special:OpenIDLogin/ChooseName

without enabling me to log in and begin to write anything.
Tried from both Chrome and Fedora (on my Fedora 20 system).
Similar problems when I used to use zanata to write the oVirt Italian
translation, but in that case, with some difficulty, I was finally able to
log in and begin to work... no way here

This OpenID thing doesn't seem very usable in my opinion...

Gianluca

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Gianluca Cecchi
OK. I will check requirements to write into The wiki
On 08/Dec/2014 18:36 "Dmitri Pal" wrote:

>  On 12/08/2014 11:44 AM, Gianluca Cecchi wrote:
>
> Hello,
> I finally was able to configure the integration between what is in the subject.
> I have made basic tests and all seems ok.
>
> If anyone wants to test further integration scenarios and also test with
> vSphere 5.5, he/she can then report here and I will crosscheck eventually.
>
> My environment is based on pure vSphere 5.1 that I'm right now using in
> trial mode with vcenter server defined as a virtual appliance.
>
> NOTE that there is a bug in this version of vSphere regarding OpenLDAP
> integration in vSphere WebClient, so that you are unable to change Base DN
> for groups after its initial configuration. In case you need to modify that
> field, you have to delete and recreate the whole LDAP definition.
> The bug is solved in vSphere 5.1 update 1a.
>
> As suggested in other threads on this and other lists, I used the slapi-nis
> (schema compat) plugin.
> Initially I tested it on CentOS 6.6 with IPA 3.0.0-42
> and slapi-nis-0.40-4.
> I was able to get both users and groups enumeration in vSphere client
> (using cn=accounts for bind definition), but then no authentication of
> defined users due to inability of IPA 3.0 to do bind on compat tree.
>
> I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5,
> as is indeed provided now in CentOS 7 with:
>
> ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
> slapi-nis-0.52-4.el7.x86_64
>
> So I migrated my IPA test server from CentOS 6.6 to another server in
> CentOS 7.0, following chapter 6 of the detailed guide here (only some
> typos and use of "systemctl" commands for version 6 that should be read as
> "service" commands instead):
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
> After the update, these were my two ldif files to adapt schema compat entries
> for vSphere
>
>  1) vsphere_usermod.ldif
>
>  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
>  2) vsphere_groupmod.ldif
>
>  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> -
>
> Applied with the command:
> ldapmodify -x -D "cn=Directory Manager" -f /root/vsphere_usermod.ldif -W
>
> and
> ldapmodify -x -D "cn=Directory Manager" -f /root/vsphere_groupmod.ldif -W
>
>
>  Configuration in vSphere Web Client under Identity Sources of
> Administration --> Sign-On and Discovery --> Configuration
> was this one
>
>  Primary server URL: ldaps://c7server.localdomain.local:636
> Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
>  Domain name: localdomain.local
>  Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
>  Authentication type: Password
>  Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
>
>  NOTE: vadmin is a normal IPA user I created only for bind with no ESX
> permissions (it is only part of the default ipausers IPA group)
>
> NOTE: I used ldaps and as certificate I had to use the file
> /etc/ipa/ca.crt on the IPA server, after copying it to the client where the
> browser runs and renaming it to ca.cer without any modification at all. vSphere
> accepted it without any problem.
>
>  My tests at the moment have been ok both in vSphere fat client (5.1
> 1471691) and vSphere Web Client (Version 5.1.0 Build 869765). I tried this:
>
>  - add gcecchi IPA user at top vcenter server permissions level as a
> virtual machine user (sample) default role
> - verify gcecchi is able to connect both in fat and web clients
> - edit settings of the vm VC1 and verify that the "add..." button in
> hardware tab is greyed out
> - add the defined esxpower IPA group at VC1 permissions level granting it
> the virtual machine power user (sample) role
> - logout/login gcecchi and verify nothing changed in his permissions
> - add gcecchi to the IPA group esxpower
> - logout/login gcecchi and verify the user now can select the "add..."
> button in hardware tab of VC1
> - logout gcecchi and remove gcecchi from IPA group esxpower
> - login as gcecchi in vSphere and verify that now the "add..." button is
> disabled again
> - create an IPA group named esxnestedpower and insert it in esxpower group
> - login as gcecchi in vSphere and verify he is still unable to add devices
> - modify IPA user gcecchi adding him to esxnestedpower group
> - logout/login gcecchi from vSphere and verif

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Dmitri Pal

On 12/08/2014 11:44 AM, Gianluca Cecchi wrote:

Hello,
I finally was able to configure the integration between what is in the subject.
I have made basic tests and all seems ok.

If anyone wants to test further integration scenarios and also test 
with vSphere 5.5, he/she can then report here and I will crosscheck 
eventually.


My environment is based on pure vSphere 5.1 that I'm right now using 
in trial mode with vcenter server defined as a virtual appliance.


NOTE that there is a bug in this version of vSphere regarding OpenLDAP 
integration in vSphere WebClient, so that you are unable to change Base 
DN for groups after its initial configuration. In case you need to 
modify that field, you have to delete and recreate the whole LDAP 
definition.

The bug is solved in vSphere 5.1 update 1a.

As suggested in other threads on this and other lists, I 
used the slapi-nis (schema compat) plugin.
Initially I tested it on CentOS 6.6 with IPA 3.0.0-42 
and slapi-nis-0.40-4.
I was able to get both users and groups enumeration in vSphere client 
(using cn=accounts for bind definition), but then no authentication of 
defined users due to inability of IPA 3.0 to do bind on compat tree.


I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5, 
as is indeed provided now in CentOS 7 with:


ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
slapi-nis-0.52-4.el7.x86_64

So I migrated my IPA test server from CentOS 6.6 to another server in 
CentOS 7.0, following chapter 6 of the detailed guide here (only 
some typos and use of "systemctl" commands for version 6 that should 
be read as "service" commands instead):

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

After the update, these were my two ldif files to adapt schema compat 
entries for vSphere


1) vsphere_usermod.ldif

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

2) vsphere_groupmod.ldif

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
-

Applied with the command:
ldapmodify -x -D "cn=Directory Manager" -f /root/vsphere_usermod.ldif -W


and
ldapmodify -x -D "cn=Directory Manager" -f /root/vsphere_groupmod.ldif -W



Configuration in vSphere Web Client under Identity Sources of
Administration --> Sign-On and Discovery --> Configuration
was this one

Primary server URL: ldaps://c7server.localdomain.local:636
Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
Domain name: localdomain.local
Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
Authentication type: Password
Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local

NOTE: vadmin is a normal IPA user I created only for bind with no ESX 
permissions (it is only part of the default ipausers IPA group)


NOTE: I used ldaps and as certificate I had to use the file 
/etc/ipa/ca.crt on the IPA server, after copying it to the client where 
the browser runs and renaming it to ca.cer without any modification at all. 
vSphere accepted it without any problem.


My tests at the moment have been ok both in vSphere fat client (5.1 
1471691) and vSphere Web Client (Version 5.1.0 Build 869765). I tried 
this:


- add gcecchi IPA user at top vcenter server permissions level as a 
virtual machine user (sample) default role

- verify gcecchi is able to connect both in fat and web clients
- edit settings of the vm VC1 and verify that the "add..." button in 
hardware tab is greyed out
- add the defined esxpower IPA group at VC1 permissions level granting 
it the virtual machine power user (sample) role

- logout/login gcecchi and verify nothing changed in his permissions
- add gcecchi to the IPA group esxpower
- logout/login gcecchi and verify the user now can select the "add..." 
button in hardware tab of VC1

- logout gcecchi and remove gcecchi from IPA group esxpower
- login as gcecchi in vSphere and verify that now the "add..." button 
is disabled again

- create an IPA group named esxnestedpower and insert it in esxpower group
- login as gcecchi in vSphere and verify he is still unable to add devices
- modify IPA user gcecchi adding him to esxnestedpower group
- logout/login gcecchi from vSphere and verify that now gcecchi is 
able to add device to VC1


NOTE: as my tests began in CentOS 6.6, I noticed that the IPA groups 
created in IPA 3.0 and CentOS 6.6 didn't get the uniqueMember property 
for their group members... I didn't investigate more, but I noticed 
that for the system gr
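The group rule `uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")` in the ldif files above rewrites each IPA member DN from the cn=accounts tree into cn=compat by plain substring match, which is what lets vSphere resolve group membership against the compat base DNs. The Python below is an added illustration (not slapi-nis code nor the author's): it models that rewrite, builds the compat group entry vSphere reads, flags uniqueMember values that fall outside the configured base DNs, and shows a DN-component-aware rewrite for the edge case where the suffix itself contains "accounts". The objectClass list and the assumption that slapi-nis's regex engine assigns the capture groups like Python's greedy `re` are assumptions, and all sample DNs are constructed.

```python
import re
from typing import Any, Dict, List

# The page's slapi-nis group rule, as a Python regex (a model, not slapi-nis code):
#   uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
REGSUB = re.compile(r"^(.*)accounts(.*)")

def regsub_member(member_dn: str) -> str:
    """Rewrite one IPA 'member' DN the way the page's regsub rule does.
    Greedy (.*) binds to the LAST 'accounts' substring; that slapi-nis's
    POSIX engine assigns the groups the same way is an assumption here."""
    return REGSUB.sub(r"\1compat\2", member_dn)

def rewrite_dn_component(member_dn: str) -> str:
    """Component-aware alternative (added here, not from the page): replace only
    the RDN that is exactly 'cn=accounts', leaving other 'accounts' text alone."""
    rdns = [r.strip() for r in member_dn.split(",")]
    return ",".join("cn=compat" if r.lower() == "cn=accounts" else r for r in rdns)

def compat_group_entry(cn: str, members: List[str], suffix: str,
                       rewrite=regsub_member) -> Dict[str, Any]:
    """Model the compat-tree group entry vSphere reads: a groupOfUniqueNames whose
    uniqueMember values point into cn=compat instead of cn=accounts.
    (objectClass list assumed: default compat posixGroup plus the page's addition.)"""
    return {
        "dn": f"cn={cn},cn=groups,cn=compat,{suffix}",
        "objectClass": ["posixGroup", "groupOfUniqueNames"],
        "cn": cn,
        "uniqueMember": [rewrite(m) for m in members],
    }

def members_outside_bases(entry: Dict[str, Any], bases: List[str]) -> List[str]:
    """uniqueMember values under none of the vSphere base DNs (users or groups):
    vSphere cannot match such values to the users and groups it enumerates."""
    bases_lc = [b.lower() for b in bases]
    return [m for m in entry["uniqueMember"]
            if not any(m.lower().endswith("," + b) for b in bases_lc)]

# Constructed sample data using the page's suffix and group names.
SUFFIX = "dc=localdomain,dc=local"
USERS_BASE = f"cn=users,cn=compat,{SUFFIX}"
GROUPS_BASE = f"cn=groups,cn=compat,{SUFFIX}"
ESXPOWER_MEMBERS = [
    f"uid=gcecchi,cn=users,cn=accounts,{SUFFIX}",
    f"cn=esxnestedpower,cn=groups,cn=accounts,{SUFFIX}",  # nested group member
]

if __name__ == "__main__":
    entry = compat_group_entry("esxpower", ESXPOWER_MEMBERS, SUFFIX)
    print(entry["uniqueMember"])
    print("unresolvable:", members_outside_bases(entry, [USERS_BASE, GROUPS_BASE]))
    # Caveat: a suffix that itself contains 'accounts' misleads the substring rule.
    odd = "uid=bob,cn=users,cn=accounts,dc=accounts,dc=example"
    print(regsub_member(odd))          # rewrites dc=accounts, not cn=accounts
    print(rewrite_dn_component(odd))   # rewrites cn=accounts only
```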