[Freeipa-users] Adding FreeIPA as a vsphere identity source

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 6 07:35:57 UTC 2015


On Fri, 06 Mar 2015, Martin Kosek wrote:
>On 03/06/2015 02:24 AM, reesb at hushmail.com wrote:
>>Just to confirm I should restart the server after I've run the ldapmodify?
>
>Right. It would be the safer thing to do, if you modified the Schema 
>Compatibility config. At least to make sure it re-creates the entries 
>from scratch.
>
>>Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning error' from vSphere.
>
>The key here is to see the Directory Server access log, to see what 
>kind of LDAP searches vSphere is doing and then seeing the actual 
>entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory 
>Studio). With this knowledge, you should just need to update either 
>the Schema Compatibility plugin configuration or vSphere 
>configuration.
Note also that in 4.1 we have ACIs that only give access to certain
attributes within the compat tree and not all of them. Adding a new
attribute requires adding an ACI to allow serving it.

If this is an issue, you'd see the difference when accessing as
cn=Directory Manager or as any other authenticated bind.
-- 
/ Alexander Bokovoy
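
The comparison described above, the same compat entry read once as cn=Directory Manager and once as another authenticated bind, as an added example that is not part of the original message. The function names, the dc=example,dc=com suffix and the jdoe entry are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are LDIF dumps of the same compat entry, captured with
# ldapsearch -x -LLL -o ldif-wrap=no ... once as cn=Directory Manager (not
# subject to ACIs) and once as another authenticated bind.

# Attributes Directory Manager receives that the other bind does not:
# the compat plugin generates them, but no ACI allows serving them.
acl_hidden_attrs() {  # usage: acl_hidden_attrs dm.ldif bind.ldif
    awk -F: '
        /^[A-Za-z]/ && tolower($1) != "dn" {
            a = tolower($1)
            if (FILENAME == ARGV[1]) dm[a] = 1; else bind[a] = 1
        }
        END { for (a in dm) if (!(a in bind)) print a }
    ' "$1" "$2" | sort
}

# True if the LDIF file carries at least one value of the attribute.
has_attr() {  # usage: has_attr ATTR file.ldif
    awk -F: -v want="$1" '
        /^[A-Za-z]/ && tolower($1) == tolower(want) { found = 1 }
        END { exit !found }
    ' "$2"
}

# Decide where to fix an attribute the client (here vSphere) searches for.
classify_attr() {  # usage: classify_attr ATTR dm.ldif bind.ldif
    if has_attr "$1" "$3"; then echo served
    elif has_attr "$1" "$2"; then echo blocked-by-aci      # add an ACI
    else echo not-generated    # fix the Schema Compatibility config
    fi
}

# Constructed sample data: sn was added to the compat config, no ACI yet.
write_samples() {  # usage: write_samples DIR
    cat > "$1/dm.ldif" <<'EOF'
dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
cn: John Doe
uid: jdoe
sn: Doe
EOF
    grep -v '^sn:' "$1/dm.ldif" > "$1/bind.ldif"
}

d=$(mktemp -d) && write_samples "$d"
for a in uid sn mail; do
    printf '%s: %s\n' "$a" "$(classify_attr "$a" "$d/dm.ldif" "$d/bind.ldif")"
done
rm -rf "$d"
```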



