[Freeipa-users] one step away from having freeipa work with vsphere ldap

Martin Kosek mkosek at redhat.com
Tue Dec 9 09:22:12 UTC 2014


On 12/09/2014 10:05 AM, Martin Kosek wrote:
> On 12/07/2014 07:29 PM, Gianluca Cecchi wrote:
>> On Sun, Dec 7, 2014 at 3:44 PM, Gianluca Cecchi <gianluca.cecchi at gmail.com>
>> wrote:
>>
>>> Hello,
>>> I'm quite near to having users and groups working using ipa 3.3 as in CentOS
>>> 7 as this gives ability to do binds against compat tree.
>>> This is with the use of schema compatibility
>>>
>>> The last step I need is getting components of groups so that vSphere can
>>> enforce group membership permission over user set.
>>>
>>> The query from vsphere after my modifications when it searches for users
>>> belonging to groups is sort of
>>>
>>> ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local))"
>>>
>>> so I provided ldif modification for cn=groups, cn=compat this way
>>>
>>> schema-compat-entry-attribute: uniqueMember=%{member}
>>>
>>> but this produces something like this when I query for example a created
>>> group named esxpower to be used for power users
>>>
>>> # esxpower, groups, compat, localdomain.local
>>> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
>>> objectClass: posixGroup
>>> objectClass: groupOfUniqueNames
>>> objectClass: top
>>> gidNumber: 1639600006
>>> memberUid: gcecchi
>>> memberUid: vadmin
>>> uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>>> uniqueMember: uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
>>> cn: esxpower
>>>
>>> so the problem is I have to change the entry
>>> schema-compat-entry-attribute: uniqueMember=%{member}
>>>
>>> with a sort of function that gives cn=compat instead of cn=accounts in the
>>> line
>>> uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>>>
>>> I read also /usr/share/doc/slapi-nis-0.52/format-specifiers.txt
>>> but I didn't come to a sort of "substitute" function so that I can change
>>> %{member} with the same but with "compat" word instead of "accounts"
>>>
>>> I plan to detail all my steps once I can accomplish this.
>>>
>>> Thanks in advance,
>>>
>>> Gianluca
>>>
>>>
>>
>> Tried with
>> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
>>
>> but it seems it works with some groups (the system groups) but not with the
>> other ones I have created...
>>
>> ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local"
>>
>> gives
>>
>> # admins, groups, compat, localdomain.local
>> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
>> objectClass: posixGroup
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> gidNumber: 1639600000
>> memberUid: admin
>> uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
>> cn: admins
>>
>>
>> but in esxpower group I see only the memberUid entry and not the
>> uniqueMember entry
>>
>> # esxpower, groups, compat, localdomain.local
>> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
>> objectClass: posixGroup
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> gidNumber: 1639600006
>> memberUid: gcecchi
>> memberUid: vadmin
>> cn: esxpower
>>
>> Gianluca
> 
> CCing Ludwig and Thierry, in case they have some idea.
> 
> BTW, if we manage to resolve the issue, it would be nice if you could
> contribute a howto with the configuration changes to
> 
> http://www.freeipa.org/page/HowTos
> 
> :-)
> 
> Martin
> 

Please ignore my mail above, I see Gianluca informed about resolving the issue
in another thread, "[Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7
finally works! [How I did it...]".

Martin
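As an added consistency check (not part of the thread, and not part of slapi-nis or FreeIPA), the script below parses ldapsearch LDIF output from the compat tree and reports groupOfUniqueNames entries whose uniqueMember values differ from the DNs implied by memberUid under cn=users,<compat base>; it flags both symptoms Gianluca described (uniqueMember pointing at cn=accounts, and uniqueMember missing altogether). The sample LDIF is constructed from the entries quoted above, trimmed to the attributes the check needs.

```python
def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of (dn, {attr: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # unfold a continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
        elif not line.startswith("#"):  # skip ldapsearch comment lines
            key, _, value = line.partition(":")
            if key == "dn":
                cur = (value.strip(), {})
            elif cur is not None:
                cur[1].setdefault(key, []).append(value.strip())
    return entries

def check_compat_groups(ldif_text, compat_base):
    """Return {cn: [problems]} where uniqueMember != DNs implied by memberUid."""
    problems = {}
    for _dn, attrs in parse_ldif(ldif_text):
        if "groupOfUniqueNames" not in attrs.get("objectClass", []):
            continue
        expected = {f"uid={u},cn=users,{compat_base}" for u in attrs.get("memberUid", [])}
        actual = set(attrs.get("uniqueMember", []))
        issues = [f"missing uniqueMember {d}" for d in sorted(expected - actual)]
        issues += [f"unexpected uniqueMember {d}" for d in sorted(actual - expected)]
        if issues:
            problems[attrs["cn"][0]] = issues
    return problems

# Constructed sample mirroring the thread: admins is consistent, esxpower has no uniqueMember.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
memberUid: admin
uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
cn: admins

dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
memberUid: gcecchi
memberUid: vadmin
cn: esxpower
"""
```

Feed it the output of the ldapsearch from the thread (for example `check_compat_groups(open("groups.ldif").read(), "cn=compat,dc=localdomain,dc=local")`) and an empty result means every compat group exposes exactly the uniqueMember DNs vSphere's filter will look for.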
