[Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

Martin Kosek mkosek at redhat.com
Fri Mar 6 13:12:49 UTC 2015


Ah, I am not sure what control do they mean.

But in general, it is always interesting to check the LDAP access logs to 
see the last failed request, then try the same search with ldapsearch and 
fix things.

Martin

On 03/06/2015 02:09 PM, Herwono W Wijaya wrote:
> Gianluca's method is not working for me; I always get this error:
>
> Error: Idm client exception: control not found
>
> and also try using this:
> http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
>
> On 3/6/15 7:49 PM, Martin Kosek wrote:
>> I am glad you have it working. However, I would like to discourage this
>> other method, as this way you would need to maintain the uniqueMember attribute
>> yourself. FreeIPA only maintains the "member" attribute.
>>
>> I would recommend using Gianluca's method in
>> http://www.freeipa.org/page/HowTo/vsphere5_integration
>>
>> taking users and groups from the compat tree. This way, you will have
>> uniqueMember populated when you make changes to the group using the FreeIPA CLI or UI.
>>
>> If it was not working for you in the past, note that we identified a change
>> today that needs to be done with FreeIPA 4.0+:
>>
>> http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
>>
>> Martin
>>
>>
>> On 03/06/2015 12:11 PM, Herwono W Wijaya wrote:
>>> Now all works well, I use another method
>>>
>>> *FreeIPA:*
>>> *Users:*
>>> - admin
>>> - herwono (member of "ssogroups" group)
>>> - vcadmin (member of "ssogroups" group)
>>>
>>> *Groups:*
>>> *Only one group for vCenter SSO.*
>>> - ssogroups
>>>
>>> *Modify "ssogroups" using an ldif file*
>>> dn: cn=ssogroups,cn=groups,cn=accounts,dc=server,dc=local
>>> changetype: modify
>>> add: objectClass
>>> objectClass: groupOfUniqueNames
>>> -
>>> add: uniqueMember
>>> uniqueMember: uid=herwono,cn=users,cn=accounts,dc=server,dc=local
>>> uniqueMember: uid=vcadmin,cn=users,cn=accounts,dc=server,dc=local
>>> -
>>>
>>> *vCenter Identity Source Config:*
>>> Name: IPA
>>> Base DN for users: cn=users,cn=accounts,dc=server,dc=local
>>> Domain name: server.local
>>> Base DN for groups: cn=groups,cn=accounts,dc=server,dc=local
>>> Primary server url: ldap://identity.server.local:389
>>> Username: uid=admin,cn=users,cn=accounts,dc=server,dc=local
>>> Password: ******
>>>
>>> *FreeIPA users and groups for vCenter with Administrator permission:*
>>> User: herwono (SERVER.LOCAL\herwono)
>>> Group: ssogroups (SERVER.LOCAL\ssogroups)
>>>
>>>
>>> On 3/6/15 3:37 PM, Gianluca Cecchi wrote:
>>>> On Fri, Mar 6, 2015 at 8:34 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>
>>>>     On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:
>>>>
>>>>         Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin
>>>>         user can be used and I always get an error for other users.
>>>>
>>>>
>>>>     You mean admin user from vCenter, not admin user from FreeIPA, right?
>>>>
>>>>     Did you follow this HOWTO:
>>>> http://www.freeipa.org/page/HowTo/vsphere5_integration
>>>>
>>>>     Note that the vSphere integration topic is being discussed this week,
>>>>     CCing also Gianluca (author of the HOWTO), he may have some ideas where
>>>>     the problem is too.
>>>>
>>>>     Martin
>>>>
>>>>
>>>>
>>>> The logs that let us know the kind of queries generated by vSphere are in
>>>> /var/log/dirsrv/slapd-REALM-NAME/
>>>> (at least for 3.3.3)
>>>>
>>>> Also, searching through my e-mails I found one direct contact using vSphere
>>>> 5.5 and that was doing some tests with VMware support connected to his
>>>> systems.
>>>> It seems they found out that almost all of it worked correctly when using
>>>> accounts instead of compat, BUT you can't log in.
>>>>
>>>> An action was then to add objectclass=groupOfUniqueNames to a single test
>>>> group, and they were able to log in.
>>>>
>>>> I asked for more information about his setup, if it is still in place, to
>>>> eventually share with others.
>>>>
>>>> Stay tuned...
>>>>
>>>> Gianluca
>>>
>>> --
>>> Regards, Herwono W Wijaya https://linuxcoding.org | *VMware vExpert 2014, 2015
>>> <https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>*
>>>
>>>
>>
>
> --
> Regards, Herwono W Wijaya https://linuxcoding.org | *VMware vExpert 2014, 2015
> <https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>*
>
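Martin's advice above (look in the dirsrv access log for the last failed request, then replay it with ldapsearch) as a small added Python helper. This is not code from the thread, from FreeIPA or from 389-ds; the log lines are constructed in the 389-ds access-log style as I understand it, the host name identity.server.local is taken from Herwono's identity source config, and pairing SRCH with RESULT lines by conn and op is this parser's own assumption about the format. The helper flags searches that errored, never got a RESULT, or returned zero entries (the typical symptom when a group lacks groupOfUniqueNames / uniqueMember), and prints an equivalent ldapsearch command to run by hand.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the style of a 389-ds access log (not from the thread).
# err=12 is LDAP unavailableCriticalExtension: the server refused a critical control.
SAMPLE_LOG = """\
[06/Mar/2015:13:01:02 +0000] conn=42 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local" method=128 version=3
[06/Mar/2015:13:01:02 +0000] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
[06/Mar/2015:13:01:03 +0000] conn=42 op=1 SRCH base="cn=users,cn=accounts,dc=server,dc=local" scope=2 filter="(&(objectClass=person)(uid=herwono))" attrs="uid cn memberOf"
[06/Mar/2015:13:01:03 +0000] conn=42 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[06/Mar/2015:13:01:04 +0000] conn=42 op=2 SRCH base="cn=groups,cn=accounts,dc=server,dc=local" scope=2 filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=herwono,cn=users,cn=accounts,dc=server,dc=local))" attrs="cn"
[06/Mar/2015:13:01:04 +0000] conn=42 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[06/Mar/2015:13:01:05 +0000] conn=42 op=3 SRCH base="cn=compat,dc=server,dc=local" scope=2 filter="(cn=ssogroups)" attrs="ALL"
[06/Mar/2015:13:01:05 +0000] conn=42 op=3 RESULT err=12 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)" attrs="(?P<attrs>[^"]*)"'
)
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)'
)
SCOPE_NAMES = {0: "base", 1: "one", 2: "sub"}  # numeric scope as logged -> ldapsearch -s value


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    ldap_filter: str
    attrs: str
    err: Optional[int] = None       # stays None if no RESULT line was seen for this op
    nentries: Optional[int] = None


def parse_access_log(text: str) -> list:
    """Pair every SRCH line with the RESULT line carrying the same conn/op."""
    searches = {}
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            searches[key] = Search(key[0], key[1], m["base"], int(m["scope"]),
                                   m["filter"], m["attrs"])
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            if key in searches:  # BIND and other ops log RESULT too; only attach to searches
                searches[key].err = int(m["err"])
                searches[key].nentries = int(m["nentries"])
    return list(searches.values())


def suspect_searches(searches) -> list:
    """Searches that errored, never completed, or silently matched nothing."""
    return [s for s in searches if s.err is None or s.err != 0 or s.nentries == 0]


def ldapsearch_command(s: Search, host: str = "identity.server.local") -> str:
    """Build an equivalent ldapsearch invocation so the query can be replayed by hand."""
    cmd = ["ldapsearch", "-x", "-H", f"ldap://{host}",
           "-b", s.base, "-s", SCOPE_NAMES[s.scope], s.ldap_filter]
    if s.attrs != "ALL":  # 389-ds logs attrs="ALL" when the client asked for every attribute
        cmd.extend(s.attrs.split())
    return " ".join(shlex.quote(part) for part in cmd)


if __name__ == "__main__":
    for s in suspect_searches(parse_access_log(SAMPLE_LOG)):
        print(f"conn={s.conn} op={s.op} err={s.err} nentries={s.nentries}")
        print("  " + ldapsearch_command(s))
```

Run it against a real `/var/log/dirsrv/slapd-REALM-NAME/access` by reading the file into `parse_access_log`; add `-D`/`-W` to the printed command to bind as the same service account vCenter uses, so that the replay sees the same ACIs the identity source does.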
