<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/08/2014 11:44 AM, Gianluca Cecchi
wrote:<br>
</div>
<blockquote
cite="mid:CAG2kNCyXWXxMx0V96bYgMq--9zaBwhWMBENrOgSXnMMr9=F85Q@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div>I finally was able to configure the integration between
what in subject.</div>
<div>I have made basic tests and all seems ok.</div>
<div><br>
</div>
<div>If anyone wants to test further integration scenarios and
also test with vSPhere 5.5, he/she then can report here and I
will crosscheck eventually.</div>
<div><br>
</div>
<div>My environment is based on pure vSphere 5.1 that I'm right
now using in trial mode with vcenter server defined as a
virtual appliance.</div>
<div><br>
</div>
<div>NOTE that there is a bug in this version of vSphere
regarding OpenLDAP integration in vShere WebClient, so that
you are unable to change Base DN for groups after its initial
configuration. In case you need to modify that field, you have
to delete and recreate the whole LDAP definition.</div>
<div>The bug is solved in vsphere 5.1 update 1a.</div>
<div><br>
</div>
<div>As suggested in other threads on this and other lists, I
used slapi-nis (schema compat) plugin.</div>
<div>Initially I tested it on CentOS 6.6 with IPA 3.0.0-42
and slapi-nis-0.40-4.</div>
<div>I was able to get both users and groups enumeration in
vSphere client (using cn=accounts for bind definition), but
then no authentication of defined users due to inability of
IPA 3.0 to do bind on compat tree.</div>
<div><br>
</div>
<div>I read on this list that I had to use IPA 3.3 and slapi-nis
>= 0.47.5, how is indeed provided now in CentOS 7 with:</div>
<div><br>
</div>
<div>
<div>ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64</div>
<div>slapi-nis-0.52-4.el7.x86_64</div>
</div>
<div><br>
</div>
<div>So I migrated my IPA test server from CentOS 6.6 to another
server in CentOS 7.0, following the chapter 6 of the detailed
guide here (only some typos and use of "systemctl" commands
for version 6 that should be read as "service" commands
instead):<br>
</div>
<div><a moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html</a><br>
</div>
<div><br>
</div>
<div>After update these were my two ldif files to adapt schema
compat entries for vSphere</div>
<div><br>
</div>
<div>
<div>1) vsphere_usermod.ldif</div>
<div><br>
</div>
<div>dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config</div>
<div>changetype: modify</div>
<div>add: schema-compat-entry-attribute</div>
<div>schema-compat-entry-attribute: objectclass=uniqueMember</div>
<div>-</div>
<div>add: schema-compat-entry-attribute</div>
<div>schema-compat-entry-attribute: objectclass=inetOrgPerson</div>
<div>-</div>
<div><br>
</div>
<div>2) vsphere_groupmod.ldif</div>
<div><br>
</div>
<div>dn: cn=groups,cn=Schema
Compatibility,cn=plugins,cn=config</div>
<div>changetype: modify</div>
<div>add: schema-compat-entry-attribute</div>
<div>schema-compat-entry-attribute:
objectclass=groupOfUniqueNames</div>
<div>-</div>
<div>add: schema-compat-entry-attribute</div>
<div>schema-compat-entry-attribute:
uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")</div>
<div>-</div>
</div>
<div><br>
</div>
<div>Applied with the command:</div>
<div>ldapmodify -x -D "cn=Directory Manager" -f
/root/vsphere_usermod.ldif -W vsphere_usermod.ldif<br>
</div>
<div><br>
</div>
<div>and</div>
<div>ldapmodify -x -D "cn=Directory Manager" -f
/root/vsphere_usermod.ldif -W vsphere_groupmod.ldif<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Configuration in vSphere Web Client under Identity Sources
of</div>
<div>Administration --> Sign-On and Discovery -->
Configuration</div>
<div>was this one</div>
<div><br>
</div>
<div>
<div>Primary server URL:
<a class="moz-txt-link-freetext" href="ldaps://c7server.localdomain.local:636">ldaps://c7server.localdomain.local:636</a></div>
<div>Base DN for users:
cn=users,cn=compat,dc=localdomain,dc=local<br>
</div>
<div>Domain name: localdomain.local<br>
</div>
<div>Base DN for groups:
cn=groups,cn=compat,dc=localdomain,dc=local<br>
</div>
<div>Authentication type: Password<br>
</div>
<div>Username:
uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local<br>
</div>
</div>
<div><br>
</div>
<div>NOTE: vadmin is a normal IPA user I created only for bind
with no ESX permissions (it is only part of the default
ipausers IPA group)</div>
<div><br>
</div>
<div>NOTE: I used ldaps and as certificate I had to use the file
/etc/ipa/ca.crt on IPA server, after copying to client where
running the browser and renaming it to ca.cer without any
modification at all. vSphere accepted it without any problem.</div>
<div><br>
</div>
<div>My tests at the moment have been ok both in vSphere fat
client (5.1 1471691) and vSphere Web Client (Version 5.1.0
Build 869765). I tried this:</div>
<div><br>
</div>
<div>- add gcecchi IPA user at top vcenter server permissions
level as a virtual machine user (sample) default role</div>
<div>- verify gcecchi is able to connect both in fat and web
clients</div>
<div>- edit settings of the vm VC1 and verify that the "add..."
button in hardware tab is greyed out</div>
<div>- add the defined esxpower IPA group at VC1 permissions
level granting it the virtual machine power user (sample) role</div>
<div>- logout/login gcecchi and verify nothing changed in his
permissions</div>
<div>- add gcecchi to the IPA group esxpower</div>
<div>- logout/login gcecchi and verify the user now can select
the "add..." button in hardware tab of VC1</div>
<div>- logout gcecchi and remove gcecchi from IPA group esxpower</div>
<div>- login as gcecchi in vSphere and verify that now the
"add..." button is disabled again</div>
<div>- create an IPA group named esxnestedpower and insert it in
esxpower group</div>
<div>- login as gcecchi in vSphere and verify he is still unable
to add devices</div>
<div>- modify IPA user gcecchi adding him to esxnestedpower
group</div>
<div>- logout/login gcecchi from vSphere and verify that now
gcecchi is able to add device to VC1</div>
<div><br>
</div>
<div>NOTE: as my tests began in CentOS 6.6, I noticed that the
IPA groups created in IPA 3.0 and CentOS 6.6 didn't get the
uniqueMember property for their group members... I didn't
investigate more, but I noticed that for the system group
"admins" and for newly created groups, instead it was ok...</div>
<div>NOTE: after my migration from IPA 3.0 to 3.3 it seems I
lost dna settings, so that group addition failed without
explicitly specifying its GID. I solved as described here
adding the missing<font face="arial, helvetica, sans-serif"> </font><span
style="color:rgb(0,0,0)"><font face="arial, helvetica,
sans-serif">dnaNextRange: 1639600001-1639799999:</font></span></div>
<div><a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2014-December/msg00090.html">https://www.redhat.com/archives/freeipa-users/2014-December/msg00090.html</a><br>
</div>
<div><br>
</div>
<div>Screenshot with permissions of VC1</div>
<div><a moz-do-not-send="true"
href="https://drive.google.com/file/d/0BwoPbcrMv8mvdUgwanQzNWpBbkE/view?usp=sharing">https://drive.google.com/file/d/0BwoPbcrMv8mvdUgwanQzNWpBbkE/view?usp=sharing</a><br>
</div>
<div><br>
</div>
<div>Some outputs of ldapsearch queries:</div>
<div>[root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b
"cn=groups,cn=compat,dc=localdomain,dc=local" cn=esxpower</div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base <cn=groups,cn=compat,dc=localdomain,dc=local>
with scope subtree</div>
<div># filter: cn=esxpower</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># esxpower, groups, compat, localdomain.local</div>
<div>dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local</div>
<div>objectClass: posixGroup</div>
<div>objectClass: groupOfUniqueNames</div>
<div>objectClass: top</div>
<div>gidNumber: 1639600010</div>
<div>memberUid: gcecchi</div>
<div>uniqueMember:
cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local</div>
<div>cn: esxpower</div>
<div><br>
</div>
<div># search result</div>
<div>search: 2</div>
<div>result: 0 Success</div>
<div><br>
</div>
<div># numResponses: 2</div>
<div># numEntries: 1</div>
<div><br>
</div>
<div><br>
</div>
<div>[root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b
"cn=groups,cn=compat,dc=localdomain,dc=local"
cn=esxnestedpower</div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base <cn=groups,cn=compat,dc=localdomain,dc=local>
with scope subtree</div>
<div># filter: cn=esxnestedpower</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># esxnestedpower, groups, compat, localdomain.local</div>
<div>dn:
cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local</div>
<div>objectClass: posixGroup</div>
<div>objectClass: groupOfUniqueNames</div>
<div>objectClass: top</div>
<div>gidNumber: 1639600012</div>
<div>memberUid: gcecchi</div>
<div>uniqueMember:
uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local</div>
<div>cn: esxnestedpower</div>
<div><br>
</div>
<div># search result</div>
<div>search: 2</div>
<div>result: 0 Success</div>
<div><br>
</div>
<div># numResponses: 2</div>
<div># numEntries: 1</div>
<div> </div>
<div>
<div>[root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b
"cn=users,cn=compat,dc=localdomain,dc=local" uid=gcecchi</div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base <cn=users,cn=compat,dc=localdomain,dc=local>
with scope subtree</div>
<div># filter: uid=gcecchi</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># gcecchi, users, compat, localdomain.local</div>
<div>dn:
uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local</div>
<div>objectClass: posixAccount</div>
<div>objectClass: uniqueMember</div>
<div>objectClass: inetOrgPerson</div>
<div>objectClass: extensibleObject</div>
<div>objectClass: top</div>
<div>objectClass: organizationalPerson</div>
<div>objectClass: person</div>
<div>gecos: Gianluca Cecchi</div>
<div>cn: Gianluca Cecchi</div>
<div>uidNumber: 1639600001</div>
<div>gidNumber: 1639600001</div>
<div>loginShell: /bin/sh</div>
<div>homeDirectory: /home/gcecchi</div>
<div>uid: gcecchi</div>
<div><br>
</div>
<div># search result</div>
<div>search: 2</div>
<div>result: 0 Success</div>
<div><br>
</div>
<div># numResponses: 2</div>
<div># numEntries: 1</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Hope that this can help others trying to accomplish
vSphere/IPA integration and feel free to comment as I'm far
from an IPA expert and my main approach is RTFM and ask
help... ;-)</div>
<div><br>
</div>
<div>Gianluca Cecchi</div>
<div> </div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
Thank you for a detailed summary!<br>
Would you mind turning it into a wiki page?<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/HowTos">http://www.freeipa.org/page/HowTos</a><br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>