<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Gianluca's method is not working for me; I always get this error:<br>
<br>
Error: Idm client exception: control not found<br>
<br>
and I also tried using this:<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update">http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update</a>
<br>
<br>
<div class="moz-cite-prefix">On 3/6/15 7:49 PM, Martin Kosek wrote:<br>
</div>
<blockquote cite="mid:54F9A253.2090403@redhat.com" type="cite">I am
glad you have it working. However, I would like to discourage this
other method, as this way you would need to maintain the
uniqueMember attribute yourself. FreeIPA only maintains the
"member" attribute.
<br>
<br>
I would recommend using Gianluca's method in
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/HowTo/vsphere5_integration">http://www.freeipa.org/page/HowTo/vsphere5_integration</a>
<br>
<br>
taking users and groups from the compat tree. This way, you will
have uniqueMember populated when you make changes to the group using
the FreeIPA CLI or UI.
<br>
<br>
If it was not working for you in the past, note that we identified
a change today that needs to be done with FreeIPA 4.0+:
<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update">http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update</a>
<br>
<br>
Martin
<br>
<br>
<br>
On 03/06/2015 12:11 PM, Herwono W Wijaya wrote:
<br>
<blockquote type="cite">Now all works well; I use another method.
<br>
<br>
<b>FreeIPA:</b>
<br>
<b>Users:</b>
<br>
- admin
<br>
- herwono (member of "ssogroups" group)
<br>
- vcadmin (member of "ssogroups" group)
<br>
<br>
<b>Groups:</b>
<br>
<b>Only one group for vCenter SSO.</b>
<br>
- ssogroups
<br>
<br>
<b>Modify "ssogroups" using an LDIF file</b>
<br>
<pre>
dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
changetype: modify
add: objectClass
objectClass: groupOfUniqueNames
-
add: uniqueMember
uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
uniqueMember: uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local
-
</pre>
<br>
<br>
<b>vCenter Identity Source Config:</b>
<br>
Name: IPA
<br>
Base DN for users: cn=users,cn=accounts,dc=server,dc=local
<br>
Domain name: server.local
<br>
Base DN for groups: cn=groups,cn=accounts,dc=server,dc=local
<br>
Primary server url: <a class="moz-txt-link-freetext" href="ldap://identity.server.local:389">ldap://identity.server.local:389</a>
<br>
Username: uid=admin,cn=users,cn=accounts,dc=server,dc=local
<br>
Password: ******
<br>
<br>
<b>FreeIPA users and groups for vCenter with Administrator
permission:</b>
<br>
User: herwono (SERVER.LOCAL\herwono)
<br>
Group: ssogroups (SERVER.LOCAL\ssogroups)
<br>
<br>
<br>
On 3/6/15 3:37 PM, Gianluca Cecchi wrote:
<br>
<blockquote type="cite">On Fri, Mar 6, 2015 at 8:34 AM, Martin
Kosek &lt;<a class="moz-txt-link-abbreviated" href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>&gt; wrote:
<br>
<br>
<br>
On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:
<br>
<br>
Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO: only the admin
user can be used, and I always get an error for other users.
<br>
<br>
<br>
You mean admin user from vCenter, not admin user from
FreeIPA, right?
<br>
<br>
Did you follow this HOWTO:
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/HowTo/vsphere5_integration">http://www.freeipa.org/page/HowTo/vsphere5_integration</a>
<br>
<br>
Note that the vSphere integration topic is being discussed
this week. CCing also Gianluca (author of the HOWTO); he may have
some ideas where the problem is too.
<br>
<br>
<br>
Martin
<br>
<br>
<br>
<br>
The logs that let us know the kind of queries generated by
vSphere are in
<br>
/var/log/dirsrv/slapd-REALM-NAME/
<br>
(at least for 3.3.3)
<br>
<br>
Also, searching through my e-mails I found one direct contact
using vSphere 5.5 who was doing some tests with VMware support
connected to his systems.
<br>
It seems they found out that almost all of it worked correctly
when using accounts instead of compat, BUT you can't log in.
<br>
<br>
<br>
An action was then to add objectclass=groupOfUniqueNames to a
single test group, and they were able to log in.
<br>
<br>
<br>
I asked for more information about his setup, if it is still in
place, to eventually share with others.
<br>
<br>
<br>
Stay tuned...
<br>
<br>
Gianluca
<br>
</blockquote>
<br>
--
<br>
Regards, Herwono W Wijaya <a class="moz-txt-link-freetext" href="https://linuxcoding.org">https://linuxcoding.org</a> | <b><a href="https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr">VMware vExpert 2014, 2015</a></b>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Regards,
Herwono W Wijaya
<a class="moz-txt-link-freetext" href="https://linuxcoding.org">https://linuxcoding.org</a> | <b><a
href="https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr">VMware
vExpert 2014, 2015</a></b>
</div>
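<p>As an added example (not code from this thread or from the FreeIPA project), the script below illustrates the maintenance problem Martin describes above: it parses an ldapsearch-style LDIF export of a group, reports where a hand-added uniqueMember attribute has drifted from the member attribute that FreeIPA maintains, and emits the LDIF modify that would resync it. The group DN, user DNs and the export itself are constructed sample values.</p>

```python
# Constructed sample in ldapsearch -LLL style: uniqueMember was set by hand, then
# one member was added and one removed with the FreeIPA CLI, which only maintains
# "member". One value is folded over two lines as RFC 2849 allows.
SAMPLE_LDIF = """\
dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
objectClass: groupOfUniqueNames
member: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
member: uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local
member: uid=newhire,cn=users,cn=accounts,dc=server,dc=local
uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
uniqueMember: uid=vcadmin,cn=users,
 cn=accounts,dc=server,dc=local
uniqueMember: uid=leaver,cn=users,cn=accounts,dc=server,dc=local
"""


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lowercase: [values]})]; base64 '::' values are not handled."""
    entries, dn, attrs = [], None, {}
    # A folded value continues on a line starting with one space: unfold, then "" flushes the last record.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
    return entries


def uniquemember_drift(entry):
    """Return (missing, stale): member DNs lacking a uniqueMember copy, and uniqueMember DNs no longer in member."""
    members = {v.lower(): v for v in entry[1].get("member", [])}      # LDAP DNs compare case-insensitively
    unique = {v.lower(): v for v in entry[1].get("uniquemember", [])}
    missing = sorted(members[k] for k in members.keys() - unique.keys())
    stale = sorted(unique[k] for k in unique.keys() - members.keys())
    return missing, stale


def resync_ldif(entry):
    """Build the 'changetype: modify' LDIF that makes uniqueMember equal member. Caveat: groupOfUniqueNames
    requires at least one uniqueMember, so an emptied group needs the objectClass removed instead (not generated here)."""
    missing, stale = uniquemember_drift(entry)
    if not missing and not stale:
        return ""                                   # already in sync: nothing to apply
    out = [f"dn: {entry[0]}", "changetype: modify"]
    for op, dns in (("add", missing), ("delete", stale)):
        if dns:
            out += [f"{op}: uniqueMember"] + [f"uniqueMember: {d}" for d in dns] + ["-"]
    return "\n".join(out) + "\n"
```

Running it against a real export (ldapsearch -LLL on the group subtree, with both member and uniqueMember requested) shows which groups a compat-tree-free setup has silently desynchronised, which is exactly why the compat tree is the recommended source.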
</body>
</html>