[Freeipa-users] Adding FreeIPA as a vsphere identity source

Martin Kosek mkosek at redhat.com
Fri Mar 6 07:44:54 UTC 2015


On 03/06/2015 08:35 AM, Alexander Bokovoy wrote:
> On Fri, 06 Mar 2015, Martin Kosek wrote:
>> On 03/06/2015 02:24 AM, reesb at hushmail.com wrote:
>>> Just to confirm, I should restart the server after I've run the ldapmodify?
>>
>> Right. It would be the safer thing to do, if you modified the Schema
>> Compatibility config. At least to make sure it re-creates the entries from
>> scratch.
>>
>>> Also I've used ldapmodify to remove the 'uniqueMember' object class from
>>> the compat schema and added the 'sn=%{sn}' attribute, and I still am having
>>> no luck. I get the same 'identity source may be malfunctioning' error from
>>> vSphere.
>>
>> The key here is to see the Directory Server access log, to see what kind of
>> LDAP searches vSphere is doing and then seeing the actual entries in FreeIPA
>> with ldapsearch (or any GUI, I use Apache Directory Studio). With this
>> knowledge, you should just need to update either the Schema Compatibility
>> plugin configuration or vSphere configuration.
> Note also that in 4.1 we have ACIs that only give access to certain
> attributes within the compat tree and not all of them. Adding a new
> attribute requires adding an ACI to allow serving it.
>
> If this is an issue, you'd see the difference when accessing as
> cn=Directory Manager or as any other authenticated bind.

Very good point, Alexander! I unfortunately did my tests either as admin or DM.
I updated the HOWTO with the new step that fixed it for me.

http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update

So reesb, after the update above, you should get it working.

Martin
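The diagnostic Alexander and Martin describe above is to run the same search against the compat tree twice, once as cn=Directory Manager and once as the ordinary bind the application uses, and look for attributes that only the privileged bind gets back: those are the ones no ACI allows serving. The script below is an added example, not code from the thread or from the FreeIPA project. It parses two LDIF results and reports the attributes (or whole entries) the restricted bind cannot see. The two LDIF blobs are constructed sample output standing in for real `ldapsearch -LLL` results, and the DNs, the `uid=alice` user and the `svc-vsphere` bind account are hypothetical.

```python
"""Spot compat-tree attributes hidden from an ordinary bind by an ACI.

Added example (not from the mailing-list thread or FreeIPA itself).
The two LDIF strings are constructed samples of what these hypothetical
searches would return on a server with a cn=compat tree:

  ldapsearch -LLL -x -W -D 'cn=Directory Manager' \
      -b 'cn=users,cn=compat,dc=example,dc=com' '(uid=alice)'
  ldapsearch -LLL -x -W \
      -D 'uid=svc-vsphere,cn=users,cn=accounts,dc=example,dc=com' \
      -b 'cn=users,cn=compat,dc=example,dc=com' '(uid=alice)'
"""
import base64

# Constructed: what the privileged bind sees (sn is served to it).
DM_VIEW = """\
dn: uid=alice,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
"""

# Constructed: the same entry as seen by the service account. The newly
# mapped sn attribute is missing because no ACI grants read access to it.
SVC_VIEW = """\
dn: uid=alice,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attribute_lowercase: [values]}}.

    Handles comments, folded lines and base64 values ('attr:: ...').
    Good enough for ldapsearch -LLL output; not a full RFC 2849 parser.
    """
    entries, current_dn, attrs = {}, None, {}
    for line in _unfold(text) + [""]:          # sentinel flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current_dn is not None:
                entries[current_dn] = attrs
            current_dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current_dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def hidden_attributes(privileged_ldif, restricted_ldif):
    """Return {dn: [attributes]} present for the privileged bind but absent
    for the restricted bind. A DN missing entirely from the restricted
    result reports all of its attributes, i.e. the whole entry is hidden."""
    privileged = parse_ldif(privileged_ldif)
    restricted = parse_ldif(restricted_ldif)
    gaps = {}
    for dn, attrs in privileged.items():
        visible = restricted.get(dn, {})
        missing = sorted(a for a in attrs if a not in visible)
        if missing:
            gaps[dn] = missing
    return gaps


if __name__ == "__main__":
    for dn, missing in hidden_attributes(DM_VIEW, SVC_VIEW).items():
        print(f"{dn}: not served to the restricted bind -> {', '.join(missing)}")
```

Each attribute the report lists needs an ACI on the compat tree before an application binding as that account can read it; if the report is empty but the application still fails, the difference lies in the searches themselves, which is where the Directory Server access log comes in.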
