<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Now all works well; I use another method.<br>
    <br>
    <b>FreeIPA:</b><br>
    <b>Users:</b><br>
    - admin<br>
    - herwono (member of "ssogroups" group)<br>
    - vcadmin (member of "ssogroups" group)<br>
    <br>
    <b>Groups:</b><br>
    <b>Only one group for vCenter SSO.</b><br>
    - ssogroups<br>
    <br>
    <b>Modify "ssogroups" using an LDIF file</b><br>
    <pre>
dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
changetype: modify
add: objectClass
objectClass: groupOfUniqueNames
-
add: uniqueMember
uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
uniqueMember: uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local
-
</pre><br>
    <br>
    <b>vCenter Identity Source Config:</b><br>
    Name: IPA<br>
    Base DN for users: cn=users,cn=accounts,dc=server,dc=local<br>
    Domain name: server.local<br>
    Base DN for groups: cn=groups,cn=accounts,dc=server,dc=local<br>
    Primary server URL: <a class="moz-txt-link-freetext" href="ldap://identity.server.local:389">ldap://identity.server.local:389</a><br>
    Username: uid=admin,cn=users,cn=accounts,dc=server,dc=local<br>
    Password: ******<br>
    <br>
    <b>FreeIPA users and groups for vCenter with Administrator
      permission:</b><br>
    User: herwono (SERVER.LOCAL\herwono)<br>
    Group: ssogroups (SERVER.LOCAL\ssogroups)<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 3/6/15 3:37 PM, Gianluca Cecchi
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAG2kNCxEcdAC4Om5SVw4z_Y5OHu2AV30AdvHaBO=xY_==b21cw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">On Fri, Mar 6, 2015 at 8:34 AM,
            Martin Kosek <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span
                class="">On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:<br>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Problems
                  with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the
                  admin user can be<br>
                  used and always get an error for other users.<br>
                </blockquote>
                <br>
              </span>
              You mean admin user from vCenter, not admin user from
              FreeIPA, right?<br>
              <br>
              Did you follow this HOWTO:<br>
              <a moz-do-not-send="true"
                href="http://www.freeipa.org/page/HowTo/vsphere5_integration"
                target="_blank">http://www.freeipa.org/page/HowTo/vsphere5_integration</a><br>
              <br>
              Note that the vSphere integration topic is being discussed
              this week, CCing also Gianluca (author of the HOWTO), he
              may have some ideas where the problem is too.<span
                class=""><font color="#888888"><br>
                  <br>
                  Martin<br>
                </font></span></blockquote>
          </div>
          <br>
        </div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">
          <div class="gmail_extra">The logs that let us know the kind of
            queries generated by vSphere are in</div>
          <div class="gmail_extra">/var/log/dirsrv/slapd-REALM-NAME/</div>
          <div class="gmail_extra">(at least for 3.3.3)</div>
          <div class="gmail_extra"><br>
          </div>
          <div class="gmail_extra">Also, searching through my e-mails I
            found one direct contact using vSphere 5.5 and that was
            doing some tests with VMware support connected to his
            systems.</div>
          <div class="gmail_extra">It seems they found out that it
            almost all worked correctly when using accounts instead of
            compat BUT</div>
          <div class="gmail_extra">you can't log in.</div>
          <div class="gmail_extra"><br>
          </div>
          <div class="gmail_extra">An action was then to add
            objectclass=groupOfUniqueNames to a single test group and
            they were able to login</div>
          <div class="gmail_extra"><br>
          </div>
          <div class="gmail_extra">I asked more information about his
            setup if still in place and to eventually share with others.</div>
          <div class="gmail_extra"><br>
          </div>
          <div class="gmail_extra">Stay tuned...</div>
          <div class="gmail_extra"><br>
          </div>
          <div class="gmail_extra">Gianluca</div>
        </div>
      </div>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      Regards,<br>
      Herwono W Wijaya<br>
      <a class="moz-txt-link-freetext" href="https://linuxcoding.org">https://linuxcoding.org</a> | <b><a
href="https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr">VMware
          vExpert 2014, 2015</a></b>
    </div>
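The hand-written LDIF above works for one group, but FreeIPA does not maintain uniqueMember, so the membership vCenter sees can drift from the real IPA group membership. The script below is an added example, not code from this thread or from FreeIPA: it takes a group entry (constructed inline in the shape of the thread's ssogroups entry; in practice you would read it over LDAP) and emits an idempotent modify record that adds groupOfUniqueNames only when missing, mirrors member into uniqueMember, and deletes uniqueMember values whose user is no longer an IPA member. DN comparison is plain case-insensitive string matching, which is an assumption/simplification.

```python
"""Added example, not code from the thread: build the LDIF that makes a FreeIPA
group usable by vCenter SSO (groupOfUniqueNames + uniqueMember mirrored from
member) and drop uniqueMember values whose user left the IPA group."""
import base64

LDIF_WIDTH = 76  # RFC 2849: fold lines longer than 76 characters


def ldif_line(attr, value):
    """One attribute/value line; base64-encode non-LDIF-safe values, fold long ones."""
    unsafe = (not value.isascii() or any(c in value for c in "\0\r\n")
              or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if unsafe:
        line = f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    else:
        line = f"{attr}: {value}"
    parts, rest = [line[:LDIF_WIDTH]], line[LDIF_WIDTH:]
    while rest:  # continuation lines start with a single space
        parts.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return "\n".join(parts)


def sso_group_ldif(group):
    """Return a 'changetype: modify' LDIF record for a group entry given as a dict
    attribute -> list of values, or '' if nothing needs to change.
    DN equality is case-insensitive string comparison (a simplification)."""
    members, unique = group.get("member", []), group.get("uniqueMember", [])
    member_keys = {m.lower() for m in members}
    unique_keys = {u.lower() for u in unique}
    changes = []
    if "groupofuniquenames" not in {c.lower() for c in group.get("objectClass", [])}:
        changes.append(["add: objectClass", ldif_line("objectClass", "groupOfUniqueNames")])
    missing = [m for m in members if m.lower() not in unique_keys]
    if missing:
        changes.append(["add: uniqueMember"] + [ldif_line("uniqueMember", m) for m in missing])
    stale = [u for u in unique if u.lower() not in member_keys]
    if stale:  # a user removed from the IPA group must also lose vCenter access
        changes.append(["delete: uniqueMember"] + [ldif_line("uniqueMember", u) for u in stale])
    if not changes:
        return ""
    body = "\n-\n".join("\n".join(c) for c in changes)
    return f"{ldif_line('dn', group['dn'])}\nchangetype: modify\n{body}\n-\n"


SSOGROUPS = {  # constructed sample mirroring the ssogroups entry from this thread
    "dn": "cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local",
    "objectClass": ["top", "groupofnames", "nestedgroup", "ipausergroup", "ipaobject"],
    "member": ["uid=herwono,cn=users,cn=accounts,dc=server,dc=local",
               "uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local"],
}
```

Feed the output to ldapmodify as in the thread; running it again against the updated entry produces an empty record, so it is safe to schedule as a periodic sync.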
  </body>
</html>