[Freeipa-users] Adding FreeIPA as a vsphere identity source

reesb at hushmail.com reesb at hushmail.com
Tue Mar 10 00:22:21 UTC 2015


I've updated the ACIs but am still getting the same error as before. I am guessing this is probably related to the same issue in the other concurrent vSphere 5.5 email thread that is going. I'll just keep my eye on that to see the resolution.

On 3/6/2015 at 3:45 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>
>On 03/06/2015 08:35 AM, Alexander Bokovoy wrote:
>> On Fri, 06 Mar 2015, Martin Kosek wrote:
>>> On 03/06/2015 02:24 AM, reesb at hushmail.com wrote:
>>>> Just to confirm I should restart the server after I've run the
>>>> ldapmodify?
>>>
>>> Right. It would be the safer thing to do, if you modified the Schema
>>> Compatibility config. At least to make sure it re-creates the entries
>>> from scratch.
>>>
>>>> Also I've used ldapmodify to remove the 'uniqueMember' object class
>>>> from the compat schema and added the 'sn=%{sn}' attribute and I still
>>>> am having no luck. I get the same 'identity source may be
>>>> malfunctioning error' from vSphere.
>>>
>>> The key here is to see the Directory Server access log, to see what
>>> kind of LDAP searches vSphere is doing and then seeing the actual
>>> entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory
>>> Studio). With this knowledge, you should just need to update either the
>>> Schema Compatibility plugin configuration or vSphere configuration.
>> Note also that in 4.1 we have ACIs that only give access to certain
>> attributes within the compat tree and not all of them. Adding a new
>> attribute requires adding an ACI to allow serving it.
>>
>> If this is an issue, you'd see the difference when accessing as
>> cn=Directory Manager or as any other authenticated bind.
>
>Very good point Alexander! I unfortunately did my tests either as admin
>or DM. I updated the HOWTO with the new step that fixed it for me.
>
>http://www.freeipa.org/page/HowTo/vsphere5_integration#Permission_Update
>
>So reesb, after the update above, you should get it working.
>
>Martin
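
The check Alexander describes above (compare what cn=Directory Manager sees in the compat tree with what any other authenticated bind sees) can be done mechanically by saving the ldapsearch output of each bind and diffing the attribute names per entry. This is an added example, not part of the original thread or the FreeIPA HOWTO; the function names and the sample LDIF (the example.test suffix and user jdoe) are constructed for illustration.

```python
# Added example; the LDIF samples are constructed, not taken from the thread.
import base64
from collections import defaultdict

def attrs_by_dn(ldif_text):
    """Map each entry DN (lowercased) to the set of attribute names returned."""
    # LDIF folds long lines; a continuation line starts with one space.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    entries, dn = defaultdict(set), None
    for line in unfolded.split("\n"):
        if not line.strip():
            dn = None                      # a blank line ends the entry
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if name.lower() == "dn":
            # "dn:: ..." means the DN is base64-encoded
            raw = rest[1:].strip() if rest.startswith(":") else None
            dn = (base64.b64decode(raw).decode() if raw else rest.strip()).lower()
            entries[dn]                    # record entries with no visible attributes
        elif dn is not None:
            entries[dn].add(name.split(";", 1)[0].lower())  # drop ";binary" etc.
    return dict(entries)

def hidden_attributes(dm_ldif, user_ldif):
    """Attributes Directory Manager sees that the other bind does not.
    A value of None means the whole entry is invisible to that bind."""
    dm, user = attrs_by_dn(dm_ldif), attrs_by_dn(user_ldif)
    report = {}
    for dn, attrs in dm.items():
        if dn not in user:
            report[dn] = None
        elif attrs - user[dn]:
            report[dn] = sorted(attrs - user[dn])
    return report

ENTRY = """dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
uid: jdoe
cn: John Doe
"""
DM_VIEW = "# as cn=Directory Manager\n" + ENTRY + "sn: Doe\n\nsearch: 2\nresult: 0 Success\n"
USER_VIEW = "# as a regular user\n" + ENTRY + "\nsearch: 2\nresult: 0 Success\n"

if __name__ == "__main__":
    for dn, missing in hidden_attributes(DM_VIEW, USER_VIEW).items():
        print(dn, "->", "entry not visible" if missing is None else missing)
```

An attribute that shows up in the result exists in the compat tree but is not released to that bind, which is the situation the added ACI is meant to fix.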



