[Freeipa-users] Adding FreeIPA as a vsphere identity source

Martin Kosek mkosek at redhat.com
Thu Mar 5 07:54:30 UTC 2015


On 03/05/2015 02:37 AM, reesb at hushmail.com wrote:
> Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch:
> 
> # admins, groups, compat, localdomain.local
> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
> gidNumber: 756200000
> memberUid: admin
> memberUid: vadmin
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> cn: admins
> 
> 
> On 3/5/2015 at 9:15 AM, reesb at hushmail.com wrote:
> 
> Hi Martin,
> 
> Using my vadmin account, "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the search completes successfully and I get a list of my users and groups. However, when I've watched the LDAP queries between vCenter and FreeIPA I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames', which my groups don't seem to contain.
> 
> 
> I'm very much an LDAP newbie, but I thought at step two in the vSphere integration HOWTO I modified the groups schema to include that object class?
> 
> On 3/4/2015 at 8:32 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
> 
> Given that this HOWTO does not use the vanilla Schema Compatibility settings
> (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
> attribute for user membership), I would check if the groups really have the
> right objectclass and uniqueMember generated:
> 
> # ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b
> "cn=groups,cn=compat,dc=localdomain,dc=local"
> 
> I expect there will be some problem preventing the LDAP search to succeed. Then
> we would know where to look next.
> 
> Martin
> 

I am also CCing Gialunca who contributed the HOWTO. I checked it again and
tried to apply it on my FreeIPA 4.1.3; my compat group now contains the proper
uniqueMember attribute and groupOfUniqueNames objectclass.

I am not sure though why users are also updated (mostly a question for Gialunca):
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding
the inetOrgPerson objectclass, you should have all its MUST attributes also
generated - otherwise consuming programs may break if they depend on such
attributes to exist. I see that "sn" is missing in my compat user entries.

Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry
so that we can see if the uniqueMember attribute is really configured correctly?

Thanks,
Martin
