[Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
Herwono W Wijaya
root at linuxcoding.org
Fri Mar 6 13:09:05 UTC 2015
Gianluca's method is not working for me; I always get this error:
Error: Idm client exception: control not found
I also tried using this:
http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
On 3/6/15 7:49 PM, Martin Kosek wrote:
> I am glad you have it working. However, I would like to discourage
> this other method, as this way you would need to maintain the
> uniqueMember attribute yourself. FreeIPA only maintains the "member"
> attribute.
>
> I would recommend using Gianluca's method in
> http://www.freeipa.org/page/HowTo/vsphere5_integration
>
> with users and groups taken from the compat tree. This way, you will have
> uniqueMember populated when you do changes to the group using FreeIPA
> CLI or UI.
>
> If it was not working for you in the past, note that we identified a
> change today that needs to be done with FreeIPA 4.0+:
>
> http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
>
> Martin
>
>
> On 03/06/2015 12:11 PM, Herwono W Wijaya wrote:
>> Now all works well, I use another method
>>
>> *FreeIPA:*
>> *Users:*
>> - admin
>> - herwono (member of "ssogroups" group)
>> - vcadmin (member of "ssogroups" group)
>>
>> *Groups:*
>> *Only one group for vCenter SSO.*
>> - ssogroups
>>
>> *Modify "ssogroups" using ldif file*
>> <pre>
>> dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
>> changetype: modify
>> add: objectClass
>> objectClass: groupOfUniqueNames
>> -
>> add: uniqueMember
>> uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
>> uniqueMember: uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local
>> -
>> </pre>
>>
>> *vCenter Identity Source Config:*
>> Name: IPA
>> Base DN for users: cn=users,cn=accounts,dc=server,dc=local
>> Domain name: server.local
>> Base DN for groups: cn=groups,cn=accounts,dc=server,dc=local
>> Primary server url: ldap://identity.server.local:389
>> Username: uid=admin,cn=users,cn=accounts,dc=server,dc=local
>> Password: ******
>>
>> *FreeIPA users and groups for vCenter with Administrator permission:*
>> User: herwono (SERVER.LOCAL\herwono)
>> Group: ssogroups (SERVER.LOCAL\ssogroups)
>>
>>
>> On 3/6/15 3:37 PM, Gianluca Cecchi wrote:
>>> On Fri, Mar 6, 2015 at 8:34 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>> On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:
>>>
>>> Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user
>>> can be used and always get an error for other users.
>>>
>>>
>>> You mean admin user from vCenter, not admin user from FreeIPA, right?
>>>
>>> Did you follow this HOWTO:
>>> http://www.freeipa.org/page/HowTo/vsphere5_integration
>>>
>>> Note that the vSphere integration topic is being discussed this week,
>>> CCing also Gianluca (author of the HOWTO), he may have some ideas where
>>> the problem is too.
>>>
>>> Martin
>>>
>>>
>>>
>>> The logs that let us know the kind of queries generated by vSphere are in
>>> /var/log/dirsrv/slapd-REALM-NAME/
>>> (at least for 3.3.3)
>>>
>>> Also, searching through my e-mails I found one direct contact using
>>> vSphere 5.5 and that was doing some tests with VMware support connected
>>> to his systems.
>>> It seems they found out that it almost all worked correctly when using
>>> accounts instead of compat BUT you can't log in.
>>>
>>> An action was then to add objectclass=groupOfUniqueNames to a single
>>> test group and they were able to login
>>>
>>> I asked for more information about his setup, if still in place, and to
>>> eventually share with others.
>>>
>>> Stay tuned...
>>>
>>> Gianluca
>>
>> --
>> Regards, Herwono W Wijaya https://linuxcoding.org | *VMware vExpert
>> 2014, 2015
>> <https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>*
>>
>>
>
--
Regards, Herwono W Wijaya https://linuxcoding.org | *VMware vExpert
2014, 2015
<https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>*
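
Added example (not part of the original thread or of FreeIPA's own code): Martin's point above is that FreeIPA maintains only `member`, so a hand-edited `uniqueMember` list can drift from it and leave removed users visible to vCenter. This Python check compares the two attributes in `ldapsearch` LDIF output for the group; the sample entry, its objectClass list and the `newadmin` user are constructed for illustration.

```python
import base64

# Constructed sample: LDIF for the thread's group after "herwono" was removed
# through the IPA CLI and a hypothetical "newadmin" was added the same way.
SAMPLE_LDIF = """\
dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
objectClass: groupOfNames
objectClass: groupOfUniqueNames
member: uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local
member: uid=newadmin,cn=users,cn=accounts,
 dc=server,dc=local
uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
uniqueMember: UID=vcadmin, cn=users, cn=accounts, dc=server, dc=local
"""

def norm_dn(dn):
    """Case- and whitespace-insensitive DN form for comparison (simplified:
    does not handle escaped commas inside RDN values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_entry(ldif):
    """Parse one LDIF entry into {attr_lowercase: [values]}, unfolding
    continuation lines and decoding base64 ('attr:: ') values."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def membership_drift(ldif):
    """Return (stale, missing): DNs only in uniqueMember / only in member."""
    entry = parse_entry(ldif)
    managed = {norm_dn(v) for v in entry.get("member", [])}
    manual = {norm_dn(v) for v in entry.get("uniquemember", [])}
    return sorted(manual - managed), sorted(managed - manual)

if __name__ == "__main__":
    stale, missing = membership_drift(SAMPLE_LDIF)
    print("still in uniqueMember, no longer in member:", stale)
    print("in member, not yet in uniqueMember:", missing)
```

A non-empty first list means vCenter still sees a user that FreeIPA no longer considers a group member; a non-empty second list means a FreeIPA member that vCenter will not see in the group.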