[Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

Dmitri Pal dpal at redhat.com
Mon Dec 8 17:34:17 UTC 2014


On 12/08/2014 11:44 AM, Gianluca Cecchi wrote:
> Hello,
> I was finally able to configure the integration between the components in the subject.
> I have made basic tests and all seems ok.
>
> If anyone wants to test further integration scenarios and also test 
> with vSphere 5.5, he/she can then report here and I will crosscheck 
> eventually.
>
> My environment is based on pure vSphere 5.1 that I'm right now using 
> in trial mode with vcenter server defined as a virtual appliance.
>
> NOTE that there is a bug in this version of vSphere regarding OpenLDAP 
> integration in the vSphere Web Client, so that you are unable to change the Base 
> DN for groups after its initial configuration. In case you need to 
> modify that field, you have to delete and recreate the whole LDAP 
> definition.
> The bug is solved in vSphere 5.1 Update 1a.
>
> As suggested in other threads on this and other lists, I 
> used slapi-nis (schema compat) plugin.
> Initially I tested it on CentOS 6.6 with IPA 3.0.0-42 
> and slapi-nis-0.40-4.
> I was able to get both users and groups enumeration in the vSphere client 
> (using cn=accounts for the bind definition), but then no authentication of 
> the defined users was possible, due to the inability of IPA 3.0 to bind on the compat tree.
>
> I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5, 
> as is indeed provided now in CentOS 7 with:
>
> ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
> slapi-nis-0.52-4.el7.x86_64
>
> So I migrated my IPA test server from CentOS 6.6 to another server in 
> CentOS 7.0, following chapter 6 of the detailed guide here (only 
> some typos, and "systemctl" commands for version 6 that should 
> be read as "service" commands instead):
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
> After the update, these were my two ldif files to adapt the schema compat 
> entries for vSphere:
>
> 1) vsphere_usermod.ldif
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
> 2) vsphere_groupmod.ldif
>
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> -
>
> Applied with the command (each ldif is passed once, via -f; -W prompts for the Directory Manager password):
> ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_usermod.ldif
>
> and
> ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_groupmod.ldif
>
>
> The configuration in the vSphere Web Client under Identity Sources of
> Administration --> Sign-On and Discovery --> Configuration
> was this one:
>
> Primary server URL: ldaps://c7server.localdomain.local:636
> Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
> Domain name: localdomain.local
> Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
> Authentication type: Password
> Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
>
> NOTE: vadmin is a normal IPA user I created only for bind with no ESX 
> permissions (it is only part of the default ipausers IPA group)
>
> NOTE: I used ldaps, and as certificate I had to use the file 
> /etc/ipa/ca.crt from the IPA server, after copying it to the client where 
> the browser runs and renaming it to ca.cer without any modification at all. 
> vSphere accepted it without any problem.
>
> My tests at the moment have been ok both in vSphere fat client (5.1 
> 1471691) and vSphere Web Client (Version 5.1.0 Build 869765). I tried 
> this:
>
> - add gcecchi IPA user at top vcenter server permissions level as a 
> virtual machine user (sample) default role
> - verify gcecchi is able to connect both in fat and web clients
> - edit settings of the vm VC1 and verify that the "add..." button in 
> hardware tab is greyed out
> - add the defined esxpower IPA group at VC1 permissions level granting 
> it the virtual machine power user (sample) role
> - logout/login gcecchi and verify nothing changed in his permissions
> - add gcecchi to the IPA group esxpower
> - logout/login gcecchi and verify the user now can select the "add..." 
> button in hardware tab of VC1
> - logout gcecchi and remove gcecchi from IPA group esxpower
> - login as gcecchi in vSphere and verify that now the "add..." button 
> is disabled again
> - create an IPA group named esxnestedpower and insert it into the esxpower group
> - login as gcecchi in vSphere and verify he is still unable to add devices
> - modify IPA user gcecchi adding him to esxnestedpower group
> - logout/login gcecchi from vSphere and verify that now gcecchi is 
> able to add a device to VC1
>
> NOTE: as my tests began in CentOS 6.6, I noticed that the IPA groups 
> created in IPA 3.0 and CentOS 6.6 didn't get the uniqueMember property 
> for their group members... I didn't investigate more, but I noticed 
> that for the system group "admins" and for newly created groups, 
> instead it was ok...
> NOTE: after my migration from IPA 3.0 to 3.3 it seems I lost the dna 
> settings, so that group addition failed without explicitly specifying 
> its GID. I solved it as described here, adding the missing dnaNextRange: 
> 1639600001-1639799999:
> https://www.redhat.com/archives/freeipa-users/2014-December/msg00090.html
>
> Screenshot with permissions of VC1
> https://drive.google.com/file/d/0BwoPbcrMv8mvdUgwanQzNWpBbkE/view?usp=sharing
>
> Some outputs of ldapsearch queries:
> [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxpower
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree
> # filter: cn=esxpower
> # requesting: ALL
> #
>
> # esxpower, groups, compat, localdomain.local
> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> gidNumber: 1639600010
> memberUid: gcecchi
> uniqueMember: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
> cn: esxpower
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxnestedpower
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree
> # filter: cn=esxnestedpower
> # requesting: ALL
> #
>
> # esxnestedpower, groups, compat, localdomain.local
> dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> gidNumber: 1639600012
> memberUid: gcecchi
> uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
> cn: esxnestedpower
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=users,cn=compat,dc=localdomain,dc=local" uid=gcecchi
> # extended LDIF
> #
> # LDAPv3
> # base <cn=users,cn=compat,dc=localdomain,dc=local> with scope subtree
> # filter: uid=gcecchi
> # requesting: ALL
> #
>
> # gcecchi, users, compat, localdomain.local
> dn: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
> objectClass: posixAccount
> objectClass: uniqueMember
> objectClass: inetOrgPerson
> objectClass: extensibleObject
> objectClass: top
> objectClass: organizationalPerson
> objectClass: person
> gecos: Gianluca Cecchi
> cn: Gianluca Cecchi
> uidNumber: 1639600001
> gidNumber: 1639600001
> loginShell: /bin/sh
> homeDirectory: /home/gcecchi
> uid: gcecchi
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Hope that this can help others trying to accomplish vSphere/IPA 
> integration, and feel free to comment, as I'm far from an IPA expert and 
> my main approach is RTFM and asking for help... ;-)
>
> Gianluca Cecchi
>
>
>
Thank you for a detailed summary!
Would you mind turning it into a wiki page?
http://www.freeipa.org/page/HowTos


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
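
Added here as a verification aid, not part of the original thread or of FreeIPA/slapi-nis: the %regsub rewrite from vsphere_groupmod.ldif expressed as a Python re.sub, plus a small reader for ldapsearch output that flattens nested uniqueMember links (esxpower -> esxnestedpower -> gcecchi) and refuses any member DN that still points outside the compat tree, i.e. outside the base DNs given to vSphere. Function names and the sample LDIF are constructed; the compat suffix assumes the post's dc=localdomain,dc=local.

```python
import re

def rewrite_member_dn(member_dn):
    # The %regsub rule from vsphere_groupmod.ldif, expressed as a Python re.sub
    return re.sub(r"^(.*)accounts(.*)$", r"\1compat\2", member_dn)

def parse_ldif(text):
    # Minimal reader for ldapsearch LDIF output: {dn: {attr: [values]}}.
    # A line beginning with one space continues the previous line (LDIF folding).
    entries, cur = {}, None
    for line in text.replace("\n ", "").splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(value, {})
        elif not line or line.startswith("#"):    # blank line or comment ends the entry
            cur = None
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def effective_members(entries, group_dn, compat_base="cn=compat,dc=localdomain,dc=local"):
    # Flatten nested uniqueMember links to user DNs; fail on links vSphere would not resolve.
    users, seen, todo = set(), set(), [group_dn]
    while todo:
        dn = todo.pop()
        seen.add(dn)                              # also guards against membership cycles
        attrs = entries.get(dn)
        if attrs is None or "groupOfUniqueNames" not in attrs.get("objectClass", []):
            raise ValueError(f"{dn}: missing or not a groupOfUniqueNames")
        for member in attrs.get("uniqueMember", []):
            if not member.endswith("," + compat_base):
                raise ValueError(f"{member}: points outside {compat_base}")
            if member.startswith("uid="):
                users.add(member)
            elif member not in seen:
                todo.append(member)
    return users

# Constructed sample shaped like the post's ldapsearch output; the first uniqueMember
# value is folded across two lines the way ldapsearch prints long values.
SAMPLE_LDIF = """\
dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
uniqueMember: cn=esxnestedpower,cn=groups,
 cn=compat,dc=localdomain,dc=local

dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
"""
```

Running `effective_members(parse_ldif(SAMPLE_LDIF), "cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local")` against real ldapsearch output of the compat groups subtree shows which users a vSphere role granted to a group will actually reach.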
