[Freeipa-users] vSphere and freeIPA

Martin Kosek mkosek at redhat.com
Tue Jun 2 07:36:56 UTC 2015


On 05/29/2015 01:59 PM, sam at zy.io wrote:
> Afternoon,
>
> I'm currently attempting to set up an existing vsphere environment to use freeipa 4.1.0 for authentication, following this guide:
>
> http://www.freeipa.org/page/HowTo/vsphere5_integration
>
> I've followed it all through, and for the purposes for testing, I've created a user called sam that's a member of a group called samtest:
>
> [root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope subtree
> # filter: cn=samtest
> # requesting: ALL
> #
>
> # samtest, groups, compat, example.hostname.co.uk
> dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: uid=sam,cn=users,cn=compat,dc=example,dc=hostname,dc=co,dc=
>   uk
> cn: samtest
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> With only sam in the samtest group, the uniqueMember attribute that vsphere seems to depend on displays fine, and you can log into vsphere as the sam user if samtest has been given the correct permissions.
>
> The issue arises when a second user (chris) is added to the samtest group.
>
> [root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope subtree
> # filter: cn=samtest
> # requesting: ALL
> #
>
> # samtest, groups, compat, example.hostname.co.uk
> dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
> objectClass: groupOfUniqueNames
> objectClass: top
> cn: samtest
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> This causes the uniqueMember attribute to not display for either sam or chris, and neither user can access vsphere. However if sam is removed from samtest, then uniqueMember is once again shown:
>
> [root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope subtree
> # filter: cn=samtest
> # requesting: ALL
> #
>
> # samtest, groups, compat, example.hostname.co.uk
> dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: uid=chris,cn=users,cn=compat,dc=example,dc=hostname,dc=co,d
>   c=uk
> cn: samtest
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> If anyone could shed any light on this behaviour, or point out any flaws in my logic/understanding, it would be greatly appreciated.
>
> Kind regards,
>
> Sam
>

CCing Nalin and Alexander. This sounds like the slapi-nis configuration for 
generating uniqueMember attribute does not work with multi-valued "member" 
attribute:

schema-compat-entry-attribute: 
uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")

Martin
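The %mregsub rewrite Martin quotes, replayed over a constructed LDIF pair so an administrator can check a compat-tree group against the accounts-tree group it mirrors. This is added example code, not part of the thread or of slapi-nis; the LDIF snippets are constructed from the DNs in the question and the regex is the one from the configuration line above.

```python
import re

# Constructed sample: the accounts-tree group with two member values (one folded
# across lines, as LDIF does) and the compat-tree entry as seen in the question,
# where uniqueMember has disappeared for both users.
ACCOUNTS_LDIF = """\
dn: cn=samtest,cn=groups,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk
cn: samtest
member: uid=sam,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk
member: uid=chris,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,d
 c=uk
"""

COMPAT_LDIF = """\
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
cn: samtest
"""

# The regex from schema-compat-entry-attribute: rewrite the accounts DN into the compat DN.
MREGSUB = re.compile(r"^(.*)accounts(.*)")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Unfolds continuation lines (a leading single space joins the previous line)
    and ignores '#' comment lines. Base64 ('::') values are not handled here.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def expected_unique_members(accounts_entry):
    """Apply the rewrite to every member value: what the compat entry should carry."""
    return {MREGSUB.sub(r"\1compat\2", m) for m in accounts_entry.get("member", [])}


def missing_unique_members(accounts_ldif, compat_ldif):
    """Return the rewritten member DNs absent from the compat entry's uniqueMember."""
    expected = expected_unique_members(parse_ldif_entry(accounts_ldif))
    actual = set(parse_ldif_entry(compat_ldif).get("uniquemember", []))
    return sorted(expected - actual)
```

Run against real output of two ldapsearch queries (accounts tree and compat tree) instead of the constructed strings, a non-empty result is the symptom described in the thread.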
