[Freeipa-users] Adding FreeIPA as a vsphere identity source

reesb at hushmail.com reesb at hushmail.com
Thu Mar 5 08:16:03 UTC 2015


OK, here is the search result:
# ldapsearch -x  -D "cn=Directory Manager" -W -b "cn=config" cn=groups
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: cn=groups
# requesting: ALL
#

# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objec
 tclass=ipaOverrideTarget","")
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchor
 uuid=:IPA:cloud.local:%{ipauniqueid}","")
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectcla
 ss=ipaOverrideTarget","")
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts
 (.*)","%1compat%2")
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: dc=localdomain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On 3/5/2015 at 3:54 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>
>On 03/05/2015 02:37 AM, reesb at hushmail.com wrote:
>> Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch:
>> 
>> # admins, groups, compat, localdomain.local
>> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
>> gidNumber: 756200000
>> memberUid: admin
>> memberUid: vadmin
>> objectClass: posixGroup
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> cn: admins
>> 
>> 
>> On 3/5/2015 at 9:15 AM, reesb at hushmail.com wrote:
>> 
>> Hi Martin,
>> 
>> Using my vadmin account, "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the search completes successfully and I get a list of my users and groups; however, when I've watched the LDAP queries between vCenter and FreeIPA I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames', which my groups don't seem to contain.
>> 
>> 
>> I'm very much an LDAP newbie, but I thought at step two in the vSphere integration howto I modified the groups schema to include that object class?
>> 
>> On 3/4/2015 at 8:32 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>> 
>> Given that this HOWTO does not use the vanilla Schema Compatibility settings (FreeIPA Compat Tree by default uses the posixGroup objectclass and the memberUid attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:
>> 
>> # ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b
>> "cn=groups,cn=compat,dc=localdomain,dc=local"
>> 
>> I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.
>> 
>> Martin
>> 
>
>I am also CCing Gialunca who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3; my compat group now contains the proper uniqueMember attribute and groupOfUniqueNames objectclass.
>
>I am not sure though why users are also updated (mostly a question to Gialunca):
>dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>changetype: modify
>add: schema-compat-entry-attribute
>schema-compat-entry-attribute: objectclass=uniqueMember
>-
>add: schema-compat-entry-attribute
>schema-compat-entry-attribute: objectclass=inetOrgPerson
>-
>
>For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding the iNetOrgPerson objectclass, you should have all its MUST attributes also generated - otherwise consuming programs may break if they depend on such attributes to exist. I see that "sn" is missing in my compat user entries.
>
>Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry so that we can see if the uniqueMember attribute is really configured correctly?
>
>Thanks,
>Martin
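Martin's suggested check above (search the compat groups tree and verify that groupOfUniqueNames and uniqueMember are actually generated) can be scripted. This is an added example, not code from the thread or from FreeIPA: it parses ldapsearch LDIF output, unfolding continuation lines, and reports compat groups that a groupOfUniqueNames/uniqueMember lookup like vCenter's would miss. The sample LDIF is constructed from the admins entry posted in the thread plus a made-up "editors" group.

```python
from collections import defaultdict
# Constructed sample (added example, not from the thread): the admins entry as
# posted, which lacks uniqueMember, plus a made-up "editors" group carrying a
# correctly generated uniqueMember value folded across two LDIF lines.
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
memberUid: vadmin
objectClass: groupOfUniqueNames
cn: admins

dn: cn=editors,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
uniqueMember: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=loca
 l
cn: editors
"""

def parse_ldif(text):
    """Return one {attr_lowercase: [values]} dict per LDIF entry."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]  # LDIF folds long values onto ' '-prefixed lines
        else:
            logical.append(line)
    entries, current = [], None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
        elif not line.startswith("#"):  # skip ldapsearch comment lines
            attr, _, value = line.partition(":")
            current = current if current is not None else defaultdict(list)
            current[attr.strip().lower()].append(value.strip())
    return entries

def check_groups(entries):
    """Map each group DN to why a groupOfUniqueNames/uniqueMember lookup would miss it."""
    problems = {}
    for entry in entries:
        issues = []
        if "groupofuniquenames" not in {v.lower() for v in entry.get("objectclass", [])}:
            issues.append("missing objectClass groupOfUniqueNames")
        if not entry.get("uniquemember"):
            issues.append("no uniqueMember values generated")
        if issues:
            problems[entry["dn"][0]] = issues
    return problems
```

Feed it the output of Martin's ldapsearch command instead of SAMPLE_LDIF to check a live compat tree; an empty result means every group carries both the objectclass and at least one uniqueMember.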