[Freeipa-users] Adding FreeIPA as a vsphere identity source

Martin Kosek mkosek at redhat.com
Thu Mar 5 09:43:58 UTC 2015


Thanks. The configuration looks OK, I wonder why the uniqueMember is not
generated for your compat groups - it works on my FreeIPA 4.1.3 server.

Did you restart the Directory Server after you changed the Schema Compatibility
plugin?

On 03/05/2015 09:16 AM, reesb at hushmail.com wrote:
> Ok here is the search result;
> # ldapsearch -x  -D "cn=Directory Manager" -W -b "cn=config" cn=groups
> Enter LDAP Password: 
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: cn=groups
> # requesting: ALL
> #
> 
> # groups, Schema Compatibility, plugins, config
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> cn: groups
> objectClass: top
> objectClass: extensibleObject
> schema-compat-container-group: cn=compat, dc=localdomain,dc=local
> schema-compat-search-filter: objectclass=posixGroup
> schema-compat-container-rdn: cn=groups
> schema-compat-entry-rdn: cn=%{cn}
> schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
> schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objec
>  tclass=ipaOverrideTarget","")
> schema-compat-entry-attribute: gidNumber=%{gidNumber}
> schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
> schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchor
>  uuid=:IPA:cloud.local:%{ipauniqueid}","")
> schema-compat-entry-attribute: memberUid=%{memberUid}
> schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectcla
>  ss=ipaOverrideTarget","")
> schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
> schema-compat-entry-attribute: objectclass=posixGroup
> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts
>  (.*)","%1compat%2")
> schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
> schema-compat-restrict-subtree: dc=localdomain,dc=local
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> On 3/5/2015 at 3:54 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>>
>> On 03/05/2015 02:37 AM, reesb at hushmail.com wrote:
>>> Oops, I got that wrong, my groups don't show the 'uniqueMember'
>>> attribute. Here is an example returned from ldapsearch;
>>>
>>> # admins, groups, compat, localdomain.local
>>> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
>>> gidNumber: 756200000
>>> memberUid: admin
>>> memberUid: vadmin
>>> objectClass: posixGroup
>>> objectClass: groupOfUniqueNames
>>> objectClass: top
>>> cn: admins
>>>
>>>
>>> On 3/5/2015 at 9:15 AM, reesb at hushmail.com wrote:
>>>
>>> Hi Martin,
>>>
>>> Using my vadmin account,
>>> "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the
>>> search completes successfully and I get a list of my users and
>>> groups. However, when I've watched the LDAP queries between vCenter
>>> and FreeIPA I can see it's applying a filter to the user search
>>> looking for 'objectClass=groupOfUniqueNames' which my groups don't
>>> seem to contain.
>>>
>>>
>>> I'm very much an LDAP newbie but I thought at step two in the
>>> vSphere integration HOWTO I modified the groups schema to include
>>> that object class?
>>>
>>> On 3/4/2015 at 8:32 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>>>
>>> Given that this HOWTO does not use the vanilla Schema Compatibility settings
>>> (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
>>> attribute for user membership), I would check if the groups really have the
>>> right objectclass and uniqueMember generated:
>>>
>>> # ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b
>>> "cn=groups,cn=compat,dc=localdomain,dc=local"
>>>
>>> I expect there will be some problem preventing the LDAP search to succeed. Then
>>> we would know where to look next.
>>>
>>> Martin
>>>
>>
>> I am also CCing Gialunca who contributed the HOWTO. I checked it again and
>> tried to apply it on my FreeIPA 4.1.3, my compat group now contains the proper
>> uniqueMember attribute and groupOfUniqueNames objectclass.
>>
>> I am not sure though why users are also updated (mostly a question
>> to Gialunca):
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: objectclass=uniqueMember
>> -
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: objectclass=inetOrgPerson
>> -
>>
>> For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding
>> the inetOrgPerson objectclass, you should have all its MUST attributes also
>> generated - otherwise consuming programs may break if they depend on such
>> attributes to exist. I see that "sn" is missing in my compat user entries.
>>
>> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry
>> so that we can see if the uniqueMember attribute is really configured correctly?
>>
>> Thanks,
>> Martin
> 
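The check Martin asks for, written up as an added example that is not part of the thread or of FreeIPA itself: a small Python script that emulates the HOWTO's %regsub rewrite of member DNs from cn=accounts to cn=compat and flags a compat group entry that lacks the resulting uniqueMember values. The sample LDIF entry and member DNs are constructed from the output reported above; the function names are my own.

```python
import re

# Constructed sample, modelled on the compat group entry reported in the thread:
# it carries groupOfUniqueNames but no uniqueMember values.
SAMPLE_COMPAT_GROUP = """\
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins
"""
# Constructed sample: member DNs of the real IPA group under cn=accounts.
SAMPLE_MEMBERS = [
    "uid=admin,cn=users,cn=accounts,dc=localdomain,dc=local",
    "uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local",
]

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}, unfolding wrapped lines."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # LDIF folding: a leading space continues the previous line
        elif line and not line.startswith("#"):
            lines.append(line)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def compat_unique_member(member_dn):
    """Emulate %regsub("%{member}","^(.*)accounts(.*)","%1compat%2") for one member DN."""
    return re.sub(r"^(.*)accounts(.*)", r"\1compat\2", member_dn)

def check_compat_group(ldif_text, member_dns):
    """List what a groupOfUniqueNames consumer such as vCenter would find missing."""
    entry = parse_ldif_entry(ldif_text)
    problems = []
    if "groupofuniquenames" not in {v.lower() for v in entry.get("objectclass", [])}:
        problems.append("missing objectClass groupOfUniqueNames")
    expected = {compat_unique_member(dn) for dn in member_dns}
    for dn in sorted(expected - set(entry.get("uniquemember", []))):
        problems.append("missing uniqueMember: " + dn)
    return problems
```

Run against the entry from the thread it reports the two missing uniqueMember values; against an entry where the plugin has generated them it reports nothing.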