[Freeipa-users] Adding FreeIPA as a vsphere identity source

Martin Kosek mkosek at redhat.com
Wed Mar 4 12:32:29 UTC 2015


On 03/04/2015 09:43 AM, reesb at hushmail.com wrote:
> Hi, I've read the thread from Nov and checked out
> http://www.freeipa.org/page/HowTo/vsphere5_integration however I'm
> still having trouble getting vsphere to use freeipa as an identity
> source.
> I've set the base DN for users and groups, the connection URL and
> username and password, and my vadmin account connects correctly; however,
> when I try to log in as a user (whom I've assigned permissions to) I
> get an authentication error that states it may be caused by a
> malfunctioning identity source.
> Also I have modified my LDAP schema as directed in the howto; however
> (and I'm pretty sure this is the root of my problem) I notice that
> when I do an ldapsearch for a group which I've assigned administrator
> permissions it does not have the 'uniqueMember' attribute. The
> ldapmodify command seemed to run correctly without any complaints.
> Also I'm running freeipa 4.1.
> Watching the LDAP traffic between the two boxes shows that vcenter is
> binding successfully; however, when it does a search request with the
> following filter:
> "Filter: (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local))"
> it returns no results.
> 
> Does anyone have any suggestions?
> Cheers,
> Rees

Given that this HOWTO does not use the vanilla Schema Compatibility settings
(FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
attribute for user membership), I would check if the groups really have the
right objectclass and uniqueMember generated:

# ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b "cn=groups,cn=compat,dc=localdomain,dc=local"

I expect there will be some problem preventing the LDAP search from succeeding.
Then we would know where to look next.

Martin
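The following is an added example, not code from Martin, Rees, or the FreeIPA project. It applies the exact filter vCenter sent in Rees's capture, (&(objectClass=groupOfUniqueNames)(uniqueMember=<user DN>)), locally to LDIF output from the compat tree, so you can see which groups would match and why the rest do not. The LDIF below is constructed for illustration: two groups in the form the vanilla Schema Compatibility plugin emits (posixGroup with memberUid), and one group already rewritten per the vSphere HOWTO. The user DN is the one from the thread; the script name is hypothetical.

```python
"""Offline check: which compat-tree groups would vSphere's lookup filter match?

Feed it the LDIF from Martin's ldapsearch (add -LLL for plain LDIF) on stdin,
or run it with no input to use the constructed sample below.
"""
import re
import sys

# Constructed sample input (not captured from a real server).
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: top
cn: admins
gidNumber: 1000
memberUid: adminuser

dn: cn=vsphere-admins,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
objectClass: top
cn: vsphere-admins
uniqueMember: uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local

dn: cn=editors,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: top
cn: editors
gidNumber: 1001
memberUid: otheruser
"""

VSPHERE_GROUP_CLASS = "groupofuniquenames"   # objectClass vCenter filters on


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lowercase: [values]}}.
    Unfolds continuation lines and skips comments; base64 ('::') values
    are not decoded, which is fine for the DN/objectClass/member data here."""
    entries, dn, attrs = {}, None, None
    text = re.sub(r"\r?\n ", "", text)          # join folded lines
    for line in text.splitlines():
        if not line.strip():                     # blank line ends an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries[dn] = attrs
    return entries


def norm_dn(dn):
    """Normalise a DN for comparison: case-insensitive, no space after commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def vsphere_group_match(entries, user_dn):
    """Evaluate (&(objectClass=groupOfUniqueNames)(uniqueMember=user_dn)).
    Returns (matching group DNs, {group DN: reason it does not match})."""
    wanted = norm_dn(user_dn)
    matches, misses = [], {}
    for dn, attrs in entries.items():
        classes = attrs.get("objectclass", [])
        if VSPHERE_GROUP_CLASS not in {c.lower() for c in classes}:
            reason = "no groupOfUniqueNames objectClass (has: %s)" % ", ".join(classes)
            if "memberuid" in attrs:
                reason += "; membership is only in memberUid, which this filter never looks at"
            misses[dn] = reason
            continue
        members = {norm_dn(m) for m in attrs.get("uniquemember", [])}
        if wanted not in members:
            misses[dn] = "groupOfUniqueNames, but uniqueMember does not list %s" % user_dn
            continue
        matches.append(dn)
    return matches, misses


if __name__ == "__main__":
    # Usage: ldapsearch -LLL -x -D "$DN" -w "$PW" -b cn=groups,cn=compat,... | python check_compat_groups.py USER_DN
    user = sys.argv[1] if len(sys.argv) > 1 else \
        "uid=adminuser,cn=users,cn=compat,dc=localdomain,dc=local"
    ldif = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    ok, bad = vsphere_group_match(parse_ldif(ldif), user)
    for g in ok:
        print("MATCH  ", g)
    for g, why in bad.items():
        print("NO MATCH", g, "->", why)
```

With the sample, only cn=vsphere-admins matches; cn=admins is reported as posixGroup/memberUid only, which is the symptom Rees describes: the HOWTO's schema change was not applied to that group, so the filter vCenter sends can never return it, whatever permissions were assigned in vSphere.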