[Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

Gianluca Cecchi gianluca.cecchi at gmail.com
Mon Dec 8 18:17:53 UTC 2014


OK. I will check the requirements for writing it into the wiki.
On 08/Dec/2014 18:36 "Dmitri Pal" <dpal at redhat.com> wrote:

>  On 12/08/2014 11:44 AM, Gianluca Cecchi wrote:
>
> Hello,
> I was finally able to configure the integration between what is in the subject.
> I have made basic tests and all seems ok.
>
>  If anyone wants to test further integration scenarios and also test with
> vSphere 5.5, he/she can then report here and I will cross-check eventually.
>
>  My environment is based on pure vSphere 5.1 that I'm right now using in
> trial mode with vcenter server defined as a virtual appliance.
>
>  NOTE that there is a bug in this version of vSphere regarding OpenLDAP
> integration in the vSphere Web Client, so that you are unable to change the Base DN
> for groups after its initial configuration. In case you need to modify that
> field, you have to delete and recreate the whole LDAP definition.
> The bug is solved in vSphere 5.1 Update 1a.
>
>  As suggested in other threads on this and other lists, I used slapi-nis
> (schema compat) plugin.
> Initially I tested it on CentOS 6.6 with IPA 3.0.0-42
> and slapi-nis-0.40-4.
> I was able to get both users and groups enumeration in vSphere client
> (using cn=accounts for bind definition), but then no authentication of
> defined users due to inability of IPA 3.0 to do bind on compat tree.
>
>  I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5,
> as is indeed provided now in CentOS 7 with:
>
>  ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
> slapi-nis-0.52-4.el7.x86_64
>
>  So I migrated my IPA test server from CentOS 6.6 to another server in
> CentOS 7.0, following chapter 6 of the detailed guide here (apart from some
> typos and the use of "systemctl" commands for version 6, which should be read as
> "service" commands instead):
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
>  After the update, these were my two LDIF files to adapt the schema compat entries
> for vSphere
>
>  1) vsphere_usermod.ldif
>
>  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
>  2) vsphere_groupmod.ldif
>
>  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> -
>
>  Applied with the command:
> ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_usermod.ldif
>
>  and
> ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_groupmod.ldif
>
>
>  Configuration in vSphere Web Client under Identity Sources of
> Administration --> Sign-On and Discovery --> Configuration
> was this one
>
>  Primary server URL: ldaps://c7server.localdomain.local:636
> Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
>  Domain name: localdomain.local
>  Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
>  Authentication type: Password
>  Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
>
>  NOTE: vadmin is a normal IPA user I created only for bind with no ESX
> permissions (it is only part of the default ipausers IPA group)
>
>  NOTE: I used ldaps and as certificate I had to use the file
> /etc/ipa/ca.crt on IPA server, after copying to client where running the
> browser and renaming it to ca.cer without any modification at all. vSphere
> accepted it without any problem.
>
>  My tests at the moment have been ok both in vSphere fat client (5.1
> 1471691) and vSphere Web Client (Version 5.1.0 Build 869765). I tried this:
>
>  - add gcecchi IPA user at top vcenter server permissions level as a
> virtual machine user (sample) default role
> - verify gcecchi is able to connect both in fat and web clients
> - edit settings of the vm VC1 and verify that the "add..." button in
> hardware tab is greyed out
> - add the defined esxpower IPA group at VC1 permissions level granting it
> the virtual machine power user (sample) role
> - logout/login gcecchi and verify nothing changed in his permissions
> - add gcecchi to the IPA group esxpower
> - logout/login gcecchi and verify the user now can select the "add..."
> button in hardware tab of VC1
> - logout gcecchi and remove gcecchi from IPA group esxpower
> - login as gcecchi in vSphere and verify that now the "add..." button is
> disabled again
> - create an IPA group named esxnestedpower and insert it in esxpower group
> - login as gcecchi in vSphere and verify he is still unable to add devices
> - modify IPA user gcecchi adding him to esxnestedpower group
> - logout/login gcecchi from vSphere and verify that now gcecchi is able to
> add device to VC1
>
>  NOTE: as my tests began in CentOS 6.6, I noticed that the IPA groups
> created in IPA 3.0 and CentOS 6.6 didn't get the uniqueMember property for
> their group members... I didn't investigate more, but I noticed that for
> the system group "admins" and for newly created groups, instead it was ok...
> NOTE: after my migration from IPA 3.0 to 3.3 it seems I lost the DNA settings,
> so that group addition failed without explicitly specifying its GID. I
> solved it as described here, adding the missing dnaNextRange
> 1639600001-1639799999:
> https://www.redhat.com/archives/freeipa-users/2014-December/msg00090.html
>
>  Screenshot with permissions of VC1
>
> https://drive.google.com/file/d/0BwoPbcrMv8mvdUgwanQzNWpBbkE/view?usp=sharing
>
>  Some outputs of ldapsearch queries:
> [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxpower
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree
> # filter: cn=esxpower
> # requesting: ALL
> #
>
>  # esxpower, groups, compat, localdomain.local
> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> gidNumber: 1639600010
> memberUid: gcecchi
> uniqueMember: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
> cn: esxpower
>
>  # search result
> search: 2
> result: 0 Success
>
>  # numResponses: 2
> # numEntries: 1
>
>
>  [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxnestedpower
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=compat,dc=localdomain,dc=local> with scope subtree
> # filter: cn=esxnestedpower
> # requesting: ALL
> #
>
>  # esxnestedpower, groups, compat, localdomain.local
> dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> gidNumber: 1639600012
> memberUid: gcecchi
> uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
> cn: esxnestedpower
>
>  # search result
> search: 2
> result: 0 Success
>
>  # numResponses: 2
> # numEntries: 1
>
>  [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b "cn=users,cn=compat,dc=localdomain,dc=local" uid=gcecchi
> # extended LDIF
> #
> # LDAPv3
> # base <cn=users,cn=compat,dc=localdomain,dc=local> with scope subtree
> # filter: uid=gcecchi
> # requesting: ALL
> #
>
>  # gcecchi, users, compat, localdomain.local
> dn: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
> objectClass: posixAccount
> objectClass: uniqueMember
> objectClass: inetOrgPerson
> objectClass: extensibleObject
> objectClass: top
> objectClass: organizationalPerson
> objectClass: person
> gecos: Gianluca Cecchi
> cn: Gianluca Cecchi
> uidNumber: 1639600001
> gidNumber: 1639600001
> loginShell: /bin/sh
> homeDirectory: /home/gcecchi
> uid: gcecchi
>
>  # search result
> search: 2
> result: 0 Success
>
>  # numResponses: 2
> # numEntries: 1
>
>
>  Hope that this can help others trying to accomplish vSphere/IPA
> integration and feel free to comment as I'm far from an IPA expert and my
> main approach is RTFM and ask help... ;-)
>
>  Gianluca Cecchi
>
>
>
>
>  Thank you for a detailed summary!
> Would you mind turning it into a wiki page?
> http://www.freeipa.org/page/HowTos
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
>
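As an added example (not code from the original post, nor from FreeIPA or vSphere), the Python below reproduces the %regsub rewrite from vsphere_groupmod.ldif, parses a compat-tree ldapsearch dump of the kind shown in the post, resolves nested group membership the way the esxpower/esxnestedpower test exercises it, and flags what would break the vSphere identity source (a user without inetOrgPerson, a group without groupOfUniqueNames, a uniqueMember left in cn=accounts or pointing at no compat entry). The sample LDIF is constructed from the entries in the post; the parser, the audit rules and the caveat about a DN suffix containing "accounts" are my own assumptions about what a practitioner would want to check, not claims made in the post.

```python
"""Added example, not from the original post: reproduce the schema-compat
member rewrite and check a compat-tree dump the way the post's vSphere tests do."""
import base64
import re
from collections import defaultdict

# The regsub from vsphere_groupmod.ldif, %regsub("%{member}","^(.*)accounts(.*)","%1compat%2"),
# as a Python regex. Greedy (.*) means the LAST "accounts" in the DN is replaced.
MEMBER_REGSUB = re.compile(r"^(.*)accounts(.*)")

def compat_member_dn(member_dn):
    """Rewrite a cn=accounts member DN into the cn=compat tree."""
    return MEMBER_REGSUB.sub(r"\1compat\2", member_dn)

def parse_ldif(text):
    """ldapsearch output -> {dn.lower(): {attr.lower(): [values]}}; handles
    '#' comments, folded continuation lines and base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[current[0]] = current[1]
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = (value.lower(), defaultdict(list))
        elif current is not None:            # search:/result: trailers have no dn
            current[1][attr.lower()].append(value)
    return entries

def effective_groups(entries, user_dn):
    """cn of every group the user is in, directly or through nested groups,
    following uniqueMember the way vSphere does (cycle-safe)."""
    containing = defaultdict(set)            # member DN -> groups listing it
    for dn, attrs in entries.items():
        for member in attrs["uniquemember"]:
            containing[member.lower()].add(dn)
    seen, todo = set(), [user_dn.lower()]
    while todo:
        for group in containing.get(todo.pop(), ()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return {entries[g]["cn"][0] for g in seen}

def audit_compat_tree(entries):
    """Flag what breaks the vSphere identity source: users without inetOrgPerson,
    groups without groupOfUniqueNames, members left in cn=accounts or dangling."""
    problems = []
    for dn, attrs in entries.items():
        ocs = {oc.lower() for oc in attrs["objectclass"]}
        if ",cn=users," in dn and "inetorgperson" not in ocs:
            problems.append(f"{dn}: missing inetOrgPerson")
        if ",cn=groups," in dn and "groupofuniquenames" not in ocs:
            problems.append(f"{dn}: missing groupOfUniqueNames")
        for member in attrs["uniquemember"]:
            if ",cn=compat," not in member.lower():
                problems.append(f"{dn}: uniqueMember {member} not rewritten into cn=compat")
            elif member.lower() not in entries:
                problems.append(f"{dn}: uniqueMember {member} has no compat entry")
    return problems

# Constructed sample: the post's esxpower -> esxnestedpower -> gcecchi chain,
# with one folded line and one base64 value to exercise the parser.
SAMPLE_LDIF = """\
dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
uniqueMember: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=loc
 al
cn: esxpower

dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
cn: esxnestedpower

dn: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: inetOrgPerson
cn:: R2lhbmx1Y2EgQ2VjY2hp
uid: gcecchi

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    user = "uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local"
    print("effective groups:", sorted(effective_groups(tree, user)))
    print("problems:", audit_compat_tree(tree) or "none")
```

Run it against a real dump with `ldapsearch -x -b "cn=compat,dc=localdomain,dc=local" -LLL | python3 -c 'import sys, check; print(check.audit_compat_tree(check.parse_ldif(sys.stdin.read())))'` (module name assumed). Note the regsub caveat: because the first `(.*)` is greedy, a suffix such as `dc=accounts` would be rewritten instead of the `cn=accounts` container, so the pattern is safe only when "accounts" does not occur in the base DN.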