[Freeipa-users] Adding FreeIPA as a vsphere identity source

reesb at hushmail.com
Fri Mar 6 01:24:38 UTC 2015


Just to confirm, I should restart the server after I've run the ldapmodify?

Also, I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute, and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.

On 3/5/2015 at 5:44 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>
>Thanks. The configuration looks OK, I wonder why the uniqueMember is not
>generated for your compat groups - it works on my FreeIPA 4.1.3 server.
>
>Did you restart the Directory Server after you changed the Schema Compatibility
>plugin?
>
>On 03/05/2015 09:16 AM, reesb at hushmail.com wrote:
>> Ok here is the search result;
>> # ldapsearch -x -D "cn=Directory Manager" -W -b "cn=config" cn=groups
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: cn=groups
>> # requesting: ALL
>> #
>>
>> # groups, Schema Compatibility, plugins, config
>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>> cn: groups
>> objectClass: top
>> objectClass: extensibleObject
>> schema-compat-container-group: cn=compat, dc=localdomain,dc=local
>> schema-compat-search-filter: objectclass=posixGroup
>> schema-compat-container-rdn: cn=groups
>> schema-compat-entry-rdn: cn=%{cn}
>> schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
>> schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
>> schema-compat-entry-attribute: gidNumber=%{gidNumber}
>> schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
>> schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid}","")
>> schema-compat-entry-attribute: memberUid=%{memberUid}
>> schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
>> schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
>> schema-compat-entry-attribute: objectclass=posixGroup
>> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
>> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
>> schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
>> schema-compat-restrict-subtree: dc=localdomain,dc=local
>> 
>> # search result
>> search: 2
>> result: 0 Success
>> 
>> # numResponses: 2
>> # numEntries: 1
>> 
>> On 3/5/2015 at 3:54 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>>>
>>> On 03/05/2015 02:37 AM, reesb at hushmail.com wrote:
>>>> Oops, I got that wrong, my groups don't show the 'uniqueMember'
>>>> attribute. Here is an example returned from ldapsearch;
>>>>
>>>> # admins, groups, compat, localdomain.local
>>>> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
>>>> gidNumber: 756200000
>>>> memberUid: admin
>>>> memberUid: vadmin
>>>> objectClass: posixGroup
>>>> objectClass: groupOfUniqueNames
>>>> objectClass: top
>>>> cn: admins
>>>>
>>>>
>>>> On 3/5/2015 at 9:15 AM, reesb at hushmail.com wrote:
>>>>
>>>> Hi Martin,
>>>>
>>>> Using my vadmin account,
>>>> "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the
>>>> search completes successfully and I get a list of my users and
>>>> groups, however when I've watched the ldap queries between vcenter
>>>> and freeipa I can see it's applying a filter to the user search
>>>> looking for 'objectClass=groupOfUniqueNames' which my groups don't
>>>> seem to contain.
>>>>
>>>>
>>>> I'm very much an ldap newbie but I thought at step two in the
>>>> vsphere integration howto I modified the groups schema to include
>>>> that object class?
>>>>
>>>> On 3/4/2015 at 8:32 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>>>>
>>>> Given that this HOWTO does not use the vanilla Schema Compatibility settings
>>>> (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
>>>> attribute for user membership), I would check if the groups really have the
>>>> right objectclass and uniqueMember generated:
>>>>
>>>> # ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b
>>>> "cn=groups,cn=compat,dc=localdomain,dc=local"
>>>>
>>>> I expect there will be some problem preventing the LDAP search from
>>>> succeeding. Then we would know where to look next.
>>>>
>>>> Martin
>>>>
>>>
>>> I am also CCing Gialunca who contributed the HOWTO. I checked it again and
>>> tried to apply it on my FreeIPA 4.1.3, my compat groups now contain the proper
>>> uniqueMember attribute and groupOfUniqueNames objectclass.
>>>
>>> I am not sure though why users are also updated (mostly a question
>>> to Gialunca):
>>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>> changetype: modify
>>> add: schema-compat-entry-attribute
>>> schema-compat-entry-attribute: objectclass=uniqueMember
>>> -
>>> add: schema-compat-entry-attribute
>>> schema-compat-entry-attribute: objectclass=inetOrgPerson
>>> -
>>>
>>> For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding
>>> the inetOrgPerson objectclass, you should have all its MUST attributes also
>>> generated - otherwise consuming programs may break if they depend on such
>>> attributes to exist. I see that "sn" is missing in my compat user entries.
>>>
>>> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry
>>> so that we can see if the uniqueMember attribute is really configured correctly?
>>>
>>> Thanks,
>>> Martin
>>
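The two checks Martin asks for in this thread (does a compat group really carry the groupOfUniqueNames objectclass plus generated uniqueMember values, and does a compat user given inetOrgPerson carry its MUST attributes cn and sn) can be scripted against an ldapsearch dump instead of being eyeballed. The Python below is an added example, not code from the thread, from FreeIPA or from the slapi-nis plugin. It parses constructed sample LDIF modelled on the posted admins entry, flags what the vCenter filter described above would reject, and mirrors the page's `%regsub` rule to show the uniqueMember value the plugin is expected to derive from a cn=accounts member DN. The names `SAMPLE_LDIF`, `parse_ldif`, `compat_unique_member` and `check_entries`, the editors group and the vadmin user entry with its attributes are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample ldapsearch output (not from the thread): the admins group
# as posted (groupOfUniqueNames present, no uniqueMember), a hypothetical group
# where the uniqueMember rule did fire (with an RFC 2849 folded line), and a
# hypothetical compat user carrying inetOrgPerson without its MUST attribute sn.
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

dn: cn=editors,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200002
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: editors
uniqueMember: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=loca
 l

dn: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
uid: vadmin
cn: vadmin

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of (dn, {attr: [values]}).

    Comment lines are skipped; folded continuation lines (starting with one
    space) are joined to the line before them. Attribute names are lower-cased
    because LDAP attribute names are case-insensitive.
    """
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def compat_unique_member(member_dn):
    """Python rendering of the thread's rule
    uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2"),
    assuming %regsub substitutes %1/%2 with the captured groups: a
    cn=accounts member DN becomes its cn=compat counterpart.
    """
    return re.sub(r"^(.*)accounts(.*)$", r"\1compat\2", member_dn)


def check_entries(entries):
    """Return {dn: [problems]} for compat entries that would not match the
    objectClass=groupOfUniqueNames filter vCenter applies, lack uniqueMember,
    or carry inetOrgPerson without its MUST attributes cn and sn."""
    problems = {}
    for dn, attrs in entries:
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        issues = []
        if ",cn=groups,cn=compat," in dn:
            if "groupofuniquenames" not in classes:
                issues.append("missing objectClass groupOfUniqueNames")
            if not attrs.get("uniquemember"):
                issues.append("no uniqueMember values generated")
        elif ",cn=users,cn=compat," in dn and "inetorgperson" in classes:
            for must in ("cn", "sn"):
                if not attrs.get(must):
                    issues.append(f"inetOrgPerson MUST attribute {must} missing")
        if issues:
            problems[dn] = issues
    return problems


if __name__ == "__main__":
    for dn, issues in check_entries(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", "; ".join(issues))
```

To use it on a live server, replace `SAMPLE_LDIF` with the output of an `ldapsearch` bound as the vSphere service account against `cn=compat,dc=localdomain,dc=local`, the same search Martin suggests above, since that shows exactly what vCenter sees rather than what the plugin configuration promises. A group flagged with "no uniqueMember values generated" while the `cn=groups,cn=Schema Compatibility` entry already lists the `uniqueMember=%regsub(...)` rule is the situation in this thread, where the next question is whether the Directory Server was restarted after the ldapmodify.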



