[Freeipa-users] Adding FreeIPA as a vsphere identity source

Gianluca Cecchi gianluca.cecchi at gmail.com
Thu Mar 5 08:29:58 UTC 2015


On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek <mkosek at redhat.com> wrote:

>
> I am also CCing Gianluca who contributed the HOWTO. I checked it again and
> tried to apply it on my FreeIPA 4.1.3, my compat group now contains the
> proper uniqueMember attribute and groupOfUniqueNames objectclass.
>
> I am not sure though why users are also updated (mostly a question to
> Gianluca):
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
> For instance, "uniqueMember" is not a valid objectclass. Also, if you are
> adding iNetOrgPerson objectclass, you should have all its MUST attributes also
> generated - otherwise consuming programs may break if they depend on such
> attributes to exist. I see that "sn" is missing in my compat user entries.
>
> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"
> entry so that we can see if the uniqueMember attribute is really configured
> correctly?
>
> Thanks,
> Martin
>


Users' updates were forced by vSphere-originated queries.
For example, without adding the iNetOrgPerson objectclass, when I wanted to bind
a permission to a user and searched for users in vSphere, I got this error:

05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH
base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2
filter="(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson))"
attrs="description entryuuid givenName initials mail pwdaccountlockedtime
shadowExpire sn title uid userPassword"

So I verified that by adding inetOrgPerson I was then able to add users to
permissions.
Probably I have to check which are the MUST attributes for it so that we
add them too.

As far as I understood, the use of compat was indeed to add uniqueMember,
which is expected to be there by vSphere, at least in 5.1.


Gianluca
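
Added example, not part of the original message or of the FreeIPA HOWTO: a check for the point raised in this thread, that a compat entry advertising inetOrgPerson should also carry the MUST attributes it inherits. The schema table, the helper names and the sample entries are constructed for illustration; the parser assumes plain LDIF as printed by ldapsearch without folded lines or base64 values.

```python
# Constructed table: name -> (superior, own MUST); per RFC 4519, RFC 2798, RFC 2307.
SCHEMA = {
    "top": (None, {"objectclass"}),
    "person": ("top", {"sn", "cn"}),
    "organizationalperson": ("person", set()),
    "inetorgperson": ("organizationalperson", set()),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}),
}

# Constructed sample entries under the compat base DN seen in the access log.
SAMPLE = """\
dn: uid=alice,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: posixAccount
objectClass: inetOrgPerson
cn: Alice Example
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: inetOrgPerson
cn: Bob Example
sn: Example
"""

def parse_ldif(text):  # simple LDIF only: no folded lines, no base64 values
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def missing_must(entry):  # walk each objectClass up its superior chain
    required = set()
    for oc in entry.get("objectclass", []):
        name = oc.lower()
        while name is not None:
            name, must = SCHEMA.get(name, (None, set()))
            required |= must
    return sorted(required - set(entry))

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE):
        print(e["dn"][0], "missing MUST:", missing_must(e) or "none")
```

Object classes that are not in the table are ignored, so extend it before running the check against entries that use other classes.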