[Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

Gianluca Cecchi gianluca.cecchi at gmail.com
Mon Dec 8 16:44:28 UTC 2014


Hello,
I finally was able to configure the integration between what is in the subject.
I have made basic tests and all seems ok.

If anyone wants to test further integration scenarios and also test with
vSphere 5.5, he/she can then report here and I will crosscheck eventually.

My environment is based on pure vSphere 5.1 that I'm right now using in
trial mode with vcenter server defined as a virtual appliance.

NOTE that there is a bug in this version of vSphere regarding OpenLDAP
integration in the vSphere Web Client, so that you are unable to change the Base DN
for groups after its initial configuration. In case you need to modify that
field, you have to delete and recreate the whole LDAP definition.
The bug is solved in vSphere 5.1 Update 1a.

As suggested in other threads on this and other lists, I used the slapi-nis
(schema compat) plugin.
Initially I tested it on CentOS 6.6 with IPA 3.0.0-42 and slapi-nis-0.40-4.
I was able to get both users and groups enumeration in the vSphere client
(using cn=accounts for the bind definition), but then no authentication of the
defined users, due to the inability of IPA 3.0 to bind on the compat tree.

I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5, which
is indeed provided now in CentOS 7 with:

ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
slapi-nis-0.52-4.el7.x86_64

So I migrated my IPA test server from CentOS 6.6 to another server on
CentOS 7.0, following chapter 6 of the detailed guide here (apart from some
typos, and the use of "systemctl" commands for version 6 that should be read as
"service" commands instead):
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

After the update, these were my two LDIF files to adapt the schema compat entries
for vSphere:

1) vsphere_usermod.ldif

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

2) vsphere_groupmod.ldif

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
-

Applied with the commands:
ldapmodify -x -D "cn=Directory Manager" -f /root/vsphere_usermod.ldif -W

and
ldapmodify -x -D "cn=Directory Manager" -f /root/vsphere_groupmod.ldif -W


The configuration in the vSphere Web Client under Identity Sources of
Administration --> Sign-On and Discovery --> Configuration
was this one:

Primary server URL: ldaps://c7server.localdomain.local:636
Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
Domain name: localdomain.local
Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
Authentication type: Password
Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local

NOTE: vadmin is a normal IPA user I created only for binding, with no ESX
permissions (it is only part of the default ipausers IPA group).

NOTE: I used LDAPS, and as the certificate I had to use the file /etc/ipa/ca.crt
from the IPA server, after copying it to the client where the browser runs and
renaming it to ca.cer without any modification at all. vSphere accepted it
without any problem.

My tests at the moment have been ok both in the vSphere fat client (5.1
1471691) and the vSphere Web Client (Version 5.1.0 Build 869765). I tried this:

- add the gcecchi IPA user at the top vCenter server permissions level with the
virtual machine user (sample) default role
- verify gcecchi is able to connect in both the fat and web clients
- edit the settings of the VM VC1 and verify that the "add..." button in the
hardware tab is greyed out
- add the defined esxpower IPA group at the VC1 permissions level, granting it
the virtual machine power user (sample) role
- logout/login gcecchi and verify nothing changed in his permissions
- add gcecchi to the IPA group esxpower
- logout/login gcecchi and verify the user can now select the "add..."
button in the hardware tab of VC1
- logout gcecchi and remove gcecchi from the IPA group esxpower
- login as gcecchi in vSphere and verify that the "add..." button is now
disabled again
- create an IPA group named esxnestedpower and insert it in the esxpower group
- login as gcecchi in vSphere and verify he is still unable to add devices
- modify IPA user gcecchi, adding him to the esxnestedpower group
- logout/login gcecchi from vSphere and verify that gcecchi is now able to
add a device to VC1

NOTE: as my tests began on CentOS 6.6, I noticed that the IPA groups
created in IPA 3.0 on CentOS 6.6 didn't get the uniqueMember property for
their group members... I didn't investigate further, but I noticed that for
the system group "admins" and for newly created groups it was instead ok...
NOTE: after my migration from IPA 3.0 to 3.3 it seems I lost the DNA settings,
so that group addition failed without explicitly specifying its GID. I
solved it as described here, adding the missing dnaNextRange
1639600001-1639799999:
https://www.redhat.com/archives/freeipa-users/2014-December/msg00090.html

Screenshot with permissions of VC1
https://drive.google.com/file/d/0BwoPbcrMv8mvdUgwanQzNWpBbkE/view?usp=sharing

Some outputs of ldapsearch queries:
[root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxpower
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree
# filter: cn=esxpower
# requesting: ALL
#

# esxpower, groups, compat, localdomain.local
dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600010
memberUid: gcecchi
uniqueMember: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
cn: esxpower

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxnestedpower
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree
# filter: cn=esxnestedpower
# requesting: ALL
#

# esxnestedpower, groups, compat, localdomain.local
dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600012
memberUid: gcecchi
uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
cn: esxnestedpower

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=users,cn=compat,dc=localdomain,dc=local" uid=gcecchi
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=compat,dc=localdomain,dc=local> with scope subtree
# filter: uid=gcecchi
# requesting: ALL
#

# gcecchi, users, compat, localdomain.local
dn: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: posixAccount
objectClass: uniqueMember
objectClass: inetOrgPerson
objectClass: extensibleObject
objectClass: top
objectClass: organizationalPerson
objectClass: person
gecos: Gianluca Cecchi
cn: Gianluca Cecchi
uidNumber: 1639600001
gidNumber: 1639600001
loginShell: /bin/sh
homeDirectory: /home/gcecchi
uid: gcecchi

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Hope that this can help others trying to accomplish vSphere/IPA integration,
and feel free to comment, as I'm far from an IPA expert and my main approach
is RTFM and asking for help... ;-)

Gianluca Cecchi
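As an added example (not from the post above): a small Python check to run over the LDIF that ldapsearch returns for the compat groups tree. It flattens nested uniqueMember links the way vSphere resolves nested groups and flags groups whose uniqueMember view differs from memberUid (the symptom of the pre-migration groups noted above) or whose uniqueMember DNs were not rewritten into the compat tree by the %regsub. The sample LDIF is constructed and the "legacy" group is hypothetical.

```python
# Constructed sample in the shape of the post's ldapsearch over cn=groups,cn=compat (not real
# output); "legacy" mimics an old group carrying memberUid but no uniqueMember values.
SAMPLE_LDIF = """\
dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
memberUid: gcecchi
uniqueMember: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local

dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
memberUid: gcecchi
uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local

dn: cn=legacy,cn=groups,cn=compat,dc=localdomain,dc=local
memberUid: gcecchi
"""

def parse_ldif(text):
    # Minimal LDIF reader: {dn: {attr: [values]}}; '#' lines skipped, blank line ends an entry.
    entries, cur = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "dn" in cur:
                entries[cur["dn"][0]] = cur
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(": ")
            cur.setdefault(attr, []).append(value)
    return entries

def effective_uids(entries, group_dn, seen=None):
    # Flatten nested uniqueMember links to user uids (what vSphere resolves); 'seen' breaks cycles.
    seen, uids = (set() if seen is None else seen), set()
    for member in entries.get(group_dn, {}).get("uniqueMember", []):
        if member.startswith("uid="):
            uids.add(member.split(",", 1)[0][len("uid="):])
        elif member not in seen:
            seen.add(member)
            uids |= effective_uids(entries, member, seen)
    return uids

def audit_groups(entries):
    # Nested uniqueMember view must equal memberUid, and no uniqueMember may still point into cn=accounts.
    problems = {}
    for dn, attrs in entries.items():
        issues = []
        if effective_uids(entries, dn) != set(attrs.get("memberUid", [])):
            issues.append("uniqueMember view differs from memberUid")
        issues += ["not rewritten: " + m for m in attrs.get("uniqueMember", []) if "cn=accounts" in m]
        if issues:
            problems[dn] = issues
    return problems
```

Feed it the output of the ldapsearch over cn=groups,cn=compat shown above; an empty result means every group looks the same to vSphere (via uniqueMember) and to POSIX clients (via memberUid).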