[Freeipa-users] vSphere and freeIPA

sam at zy.io
Fri May 29 11:59:10 UTC 2015


Afternoon,

I'm currently attempting to set up an existing vSphere environment to use FreeIPA 4.1.0 for authentication, following this guide:

http://www.freeipa.org/page/HowTo/vsphere5_integration

I've followed it all through, and for the purposes of testing, I've created a user called sam that's a member of a group called samtest:

[root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope subtree
# filter: cn=samtest
# requesting: ALL
#

# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=sam,cn=users,cn=compat,dc=example,dc=hostname,dc=co,dc=
 uk
cn: samtest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


With only sam in the samtest group, the uniqueMember attribute that vsphere seems to depend on displays fine, and you can log into vsphere as the sam user if samtest has been given the correct permissions.

The issue arises when a second user (chris) is added to the samtest group.

[root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope subtree
# filter: cn=samtest
# requesting: ALL
#

# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
cn: samtest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This causes the uniqueMember attribute to not display for either sam or chris, and neither user can access vSphere. However, if sam is removed from samtest, then uniqueMember is once again shown:

[root at ldap1 ~]# ldapsearch -x -D "uid=ldapauth,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk" -w passwordgoeshere -b "cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk" cn=samtest
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk> with scope subtree
# filter: cn=samtest
# requesting: ALL
#

# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=chris,cn=users,cn=compat,dc=example,dc=hostname,dc=co,d
 c=uk
cn: samtest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


If anyone could shed any light on this behaviour, or point out any flaws in my logic/understanding, it would be greatly appreciated.

Kind regards,

Sam
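As an added diagnostic, not part of Sam's message or the FreeIPA how-to, the Python script below parses ldapsearch LDIF output like the captures above, unfolds LDIF continuation lines (the `dc=` / ` uk` split seen in the first capture), and reports members that the group entry in cn=accounts lists but the compat tree's uniqueMember rendering omits. The cn=accounts sample entry and its `member` attribute layout are constructed from FreeIPA's usual tree, not taken from the post; the small `ldapsearch` wrapper is likewise an assumption about how a practitioner would gather both captures, and uses `-LLL` and `-y` so the bind password comes from a file instead of the command line.

```python
"""Compare a FreeIPA group's stored membership (cn=groups,cn=accounts, attribute
'member') with what the compat tree renders for it (cn=groups,cn=compat,
objectClass groupOfUniqueNames, attribute 'uniqueMember')."""
import base64
import re
import subprocess

UID_RE = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attr: [values]} dicts, one per entry.
    '#' comments are dropped, attribute names are lower-cased, 'attr:: ...' values are
    base64-decoded, and the trailing 'search:/result:' block (no dn) is discarded."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def uids_by_group(entries, member_attr):
    """Map each group cn to the set of uids named in member_attr (empty set if the attribute is absent)."""
    out = {}
    for e in entries:
        cn = e.get("cn", [None])[0]
        if cn is None:
            continue
        uids = set()
        for dn in e.get(member_attr, []):
            m = UID_RE.match(dn)
            if m:
                uids.add(m.group(1).lower())
        out[cn.lower()] = uids
    return out


def compat_discrepancies(accounts_ldif, compat_ldif):
    """Return {cn: sorted uids stored on the accounts-tree group but missing from the compat rendering}."""
    expected = uids_by_group(parse_ldif(accounts_ldif), "member")
    rendered = uids_by_group(parse_ldif(compat_ldif), "uniquemember")
    result = {}
    for cn, uids in expected.items():
        missing = uids - rendered.get(cn, set())
        if missing:
            result[cn] = sorted(missing)
    return result


def ldapsearch(binddn, pwfile, base, filt, *attrs):
    """Assumed helper: run ldapsearch emitting plain LDIF (-LLL), bind password read from a file (-y)."""
    cmd = ["ldapsearch", "-x", "-LLL", "-D", binddn, "-y", pwfile, "-b", base, filt, *attrs]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample: the accounts-tree group as FreeIPA normally stores it (assumed layout)...
ACCOUNTS_SAMPLE = """\
dn: cn=samtest,cn=groups,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk
cn: samtest
member: uid=sam,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,dc=uk
member: uid=chris,cn=users,cn=accounts,dc=example,dc=hostname,dc=co,d
 c=uk
"""
# ...and the compat-tree capture from the post with two members and no uniqueMember.
COMPAT_SAMPLE = """\
# samtest, groups, compat, example.hostname.co.uk
dn: cn=samtest,cn=groups,cn=compat,dc=example,dc=hostname,dc=co,dc=uk
objectClass: groupOfUniqueNames
objectClass: top
cn: samtest

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for cn, missing in compat_discrepancies(ACCOUNTS_SAMPLE, COMPAT_SAMPLE).items():
        print(f"{cn}: compat tree renders no uniqueMember for {', '.join(missing)}")
```

Run against live output, the two captures would come from `ldapsearch(binddn, pwfile, "cn=groups,cn=accounts,...", "cn=samtest", "member")` and the same query against `cn=groups,cn=compat,...` asking for `uniqueMember`; an empty result means the compat tree renders every stored member, which separates a compat plugin rendering problem from a vSphere-side permissions problem.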



