[Freeipa-users] Adding FreeIPA as a vsphere identity source

Martin Kosek mkosek at redhat.com
Fri Mar 6 07:20:30 UTC 2015


On 03/06/2015 02:24 AM, reesb at hushmail.com wrote:
> Just to confirm I should restart the server after i've run the ldapmodify?

Right. It would be the safer thing to do, if you modified the Schema Compatibility 
config. At least to make sure it re-creates the entries from scratch.

> Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error from vSphere.

The key here is to see the Directory Server access log, to see what kind of 
LDAP searches vSphere is doing, and then to see the actual entries in FreeIPA 
with ldapsearch (or any GUI, I use Apache Directory Studio). With this 
knowledge, you should just need to update either the Schema Compatibility 
plugin configuration or the vSphere configuration.

Martin

>
> On 3/5/2015 at 5:44 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>>
>> Thanks. The configuration looks OK, I wonder why the uniqueMember is not
>> generated for your compat groups - it works on my FreeIPA 4.1.3 server.
>>
>> Did you restart the Directory Server after you changed the Schema
>> Compatibility plugin?
>>
>> On 03/05/2015 09:16 AM, reesb at hushmail.com wrote:
>>> Ok here is the search result;
>>> # ldapsearch -x -D "cn=Directory Manager" -W -b "cn=config" cn=groups
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: cn=groups
>>> # requesting: ALL
>>> #
>>>
>>> # groups, Schema Compatibility, plugins, config
>>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>> cn: groups
>>> objectClass: top
>>> objectClass: extensibleObject
>>> schema-compat-container-group: cn=compat, dc=localdomain,dc=local
>>> schema-compat-search-filter: objectclass=posixGroup
>>> schema-compat-container-rdn: cn=groups
>>> schema-compat-entry-rdn: cn=%{cn}
>>> schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
>>> schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
>>> schema-compat-entry-attribute: gidNumber=%{gidNumber}
>>> schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
>>> schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid}","")
>>> schema-compat-entry-attribute: memberUid=%{memberUid}
>>> schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
>>> schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
>>> schema-compat-entry-attribute: objectclass=posixGroup
>>> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
>>> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
>>> schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
>>> schema-compat-restrict-subtree: dc=localdomain,dc=local
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> On 3/5/2015 at 3:54 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>>>>
>>>> On 03/05/2015 02:37 AM, reesb at hushmail.com wrote:
>>>>> Oops, I got that wrong, my groups don't show the 'uniqueMember'
>>>>> attribute. Here is an example returned from ldapsearch;
>>>>>
>>>>> # admins, groups, compat, localdomain.local
>>>>> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
>>>>> gidNumber: 756200000
>>>>> memberUid: admin
>>>>> memberUid: vadmin
>>>>> objectClass: posixGroup
>>>>> objectClass: groupOfUniqueNames
>>>>> objectClass: top
>>>>> cn: admins
>>>>>
>>>>>
>>>>> On 3/5/2015 at 9:15 AM, reesb at hushmail.com wrote:
>>>>>
>>>>> Hi Martin,
>>>>>
>>>>> Using my vadmin account,
>>>>> "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the
>>>>> search completes successfully and I get a list of my users and
>>>>> groups. However, when I've watched the ldap queries between vcenter
>>>>> and freeipa I can see it's applying a filter to the user search
>>>>> looking for 'objectClass=groupOfUniqueNames' which my groups don't
>>>>> seem to contain.
>>>>>
>>>>>
>>>>> I'm very much an ldap newbie but I thought at step two in the
>>>>> vsphere integration howto I modified the groups schema to include
>>>>> that object class?
>>>>>
>>>>> On 3/4/2015 at 8:32 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>>>>>
>>>>> Given that this HOWTO does not use the vanilla Schema Compatibility settings
>>>>> (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
>>>>> attribute for user membership), I would check if the groups really have the
>>>>> right objectclass and uniqueMember generated:
>>>>>
>>>>> # ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b
>>>>> "cn=groups,cn=compat,dc=localdomain,dc=local"
>>>>>
>>>>> I expect there will be some problem preventing the LDAP search from
>>>>> succeeding. Then we would know where to look next.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> I am also CCing Gialunca who contributed the HOWTO. I checked it
>>>> again and tried to apply it on my FreeIPA 4.1.3, my compat group now
>>>> contains the proper uniqueMember attribute and groupOfUniqueNames objectclass.
>>>>
>>>> I am not sure though why users are also updated (mostly a question
>>>> to Gialunca):
>>>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>>> changetype: modify
>>>> add: schema-compat-entry-attribute
>>>> schema-compat-entry-attribute: objectclass=uniqueMember
>>>> -
>>>> add: schema-compat-entry-attribute
>>>> schema-compat-entry-attribute: objectclass=inetOrgPerson
>>>> -
>>>>
>>>> For instance, "uniqueMember" is not a valid objectclass. Also, if
>>>> you are adding the inetOrgPerson objectclass, you should have all its MUST
>>>> attributes also generated - otherwise consuming programs may break if they
>>>> depend on such attributes to exist. I see that "sn" is missing in my compat
>>>> user entries.
>>>>
>>>> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry
>>>> so that we can see if the uniqueMember attribute is really
>>>> configured correctly?
>>>>
>>>> Thanks,
>>>> Martin
>>>
>
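As an added example (not from the thread, and not FreeIPA, 389-ds or vSphere code), the two diagnostic steps Martin describes, scripted so they can be run offline against saved output. The first function pairs 389 Directory Server access-log SRCH lines with their RESULT lines by conn/op and lists the searches that returned no entries or an error, which is what exposes the exact base and filter vSphere is sending. The second parses ldapsearch output (LDIF) and reports, per declared objectClass, the MUST attributes an entry lacks, the check behind the "sn is missing" and "uniqueMember not generated" observations above. The log lines and LDIF are constructed samples modelled on the thread's entries; the MUST table is an assumption taken from RFC 4519 (groupOfUniqueNames), RFC 2798 (inetOrgPerson, via person) and RFC 2307 (posixGroup) for those classes only, and the LDIF reader does not decode base64 (`::`) values.

```python
"""Offline checker for the two diagnostic steps discussed in the thread.
Added example, not code from FreeIPA, 389-ds or vSphere; the log lines
and LDIF below are constructed samples modelled on the thread."""
import re
from collections import defaultdict

# 389-ds access log: each operation has a request line (SRCH, BIND, ...)
# and a RESULT line that share the same conn= and op= values.
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)')


def empty_searches(lines):
    """Return (base, filter, err) for every SRCH whose RESULT matched
    nothing or failed; this is where a 'malfunctioning' client shows up."""
    pending, findings = {}, []
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            pending[(m['conn'], m['op'])] = (m['base'], m['filter'])
            continue
        m = RESULT_RE.match(line)
        if m and (m['conn'], m['op']) in pending:
            base, flt = pending.pop((m['conn'], m['op']))
            if int(m['nentries']) == 0 or int(m['err']) != 0:
                findings.append((base, flt, int(m['err'])))
    return findings


# Assumption: MUST attributes per RFC 4519 / RFC 2798 / RFC 2307 for the
# classes relevant here; the consuming application, not 389-ds, is what
# breaks when a compat entry claims a class without its MUST attributes.
MUST = {
    'groupofuniquenames': {'cn', 'uniquemember'},
    'posixgroup': {'cn', 'gidnumber'},
    'inetorgperson': {'cn', 'sn'},
}


def parse_ldif(text):
    """Minimal reader for ldapsearch LDIF: unfold leading-space continuation
    lines, skip '#' comments, split entries on blank lines. No base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], None
    for line in unfolded:
        if not line.strip() or line.startswith('#'):
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        attr, _, val = line.partition(':')
        if cur is None:
            cur = defaultdict(list)
        cur[attr.strip().lower()].append(val.strip())
    if cur is not None:
        entries.append(cur)
    return entries


def missing_must(entry):
    """Map each declared objectClass to the MUST attributes the entry lacks."""
    present, missing = set(entry), {}
    for oc in entry.get('objectclass', []):
        need = MUST.get(oc.lower(), set()) - present
        if need:
            missing[oc] = sorted(need)
    return missing


def check_entries(text):
    return {e.get('dn', ['?'])[0]: missing_must(e) for e in parse_ldif(text)}


# Constructed sample log: the user lookup succeeds, the group lookup that
# filters on groupOfUniqueNames/uniqueMember comes back empty.
SAMPLE_LOG = """\
[06/Mar/2015:08:12:34 +0000] conn=12 op=1 SRCH base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2 filter="(&(objectClass=inetOrgPerson)(uid=vadmin))" attrs="cn sn uid"
[06/Mar/2015:08:12:34 +0000] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001
[06/Mar/2015:08:12:35 +0000] conn=12 op=2 SRCH base="cn=groups,cn=compat,dc=localdomain,dc=local" scope=2 filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local))" attrs="cn"
[06/Mar/2015:08:12:35 +0000] conn=12 op=2 RESULT err=0 tag=101 nentries=0 etime=0.001
"""

# Constructed sample LDIF modelled on the compat entries in the thread.
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

# vadmin, users, compat, localdomain.local
dn: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: inetOrgPerson
objectClass: top
uid: vadmin
cn: vadmin
"""

if __name__ == '__main__':
    for base, flt, err in empty_searches(SAMPLE_LOG.splitlines()):
        print(f'empty search: base={base} filter={flt} err={err}')
    for dn, gaps in check_entries(SAMPLE_LDIF).items():
        print(f'{dn}: missing {gaps or "nothing"}')
```

Run it against a copy of /var/log/dirsrv/slapd-INSTANCE/access and the LDIF from the ldapsearch Martin suggests; an empty search on the compat groups container paired with a group entry that declares groupOfUniqueNames but lacks uniqueMember points at the Schema Compatibility plugin configuration, whereas a filter that matches no attribute the compat tree generates at all points at the vSphere side.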
