Reference Links:
12/19/2006 https://bugzilla.redhat.com/show_bug.cgi?id=220222 Bug 220222 - [RFE] support for RFC 4530 entryUUID attribute [NEEDINFO]
Product: Red Hat Enterprise Linux 8
Reported: 2006-12-19 19:40 UTC by Victoriano Giralt
Modified: 2020-01-17 05:47 UTC (History)
01/04/2012 https://pagure.io/389-ds-base/issue/137 #137 No support for RFC 4530 entryUUID attribute
Last Modified 10/18/2017
04/04/2019 https://christopherdamerau.com/freeipa-as-vcsa-identity-source/
01/30/2019 https://www.reddit.com/r/redhat/comments/al3no8/does_identity_management_fre...
04/04/2016 https://www.howtovmlinux.com/articles/vmware/vcenter/integrate-freeipa-idm-w...
06/20/2017 https://kb.vmware.com/s/article/2064977 VMware Knowledge Base: OpenLDAP schemas supported in VMware vCenter Single Sign-On (2064977)
11/22/2018 https://www.freeipa.org/page/V4/Data_transformation
I have spent the last two days trying to get vSphere 6.7 SSO to talk to Red Hat Identity Manager (FreeIPA v4.6.5).
Group permissions from LDAP do not work in vSphere. Period. It tells me, "Unable to login because you do not have permission on any vCenter server systems connected to this client"
I can associate an LDAP user to a vSphere role at the global level, but that won’t scale very far.
QUESTION: Does anyone know of an OpenLDAP setup that satisfies the VMware KB description? I do not believe that such a critter exists unless it is a home-grown, custom cobbled together monstrosity that would be a nightmare to maintain. This was my point to VMware support. They support Active Directory. They should support FreeIPA because their "OpenLDAP" setup probably does not exist.
I am looking for any recent information anyone may have about getting this to work. I am also looking for more detail to support my claim to VMware that they need to support FreeIPA.
Daniel E. White daniel.e.white@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290
I gotta say, the unwillingness of large organizations like RedHat to even consider this functionality is pretty amazing to see since there was a bug filed 12 years ago to add proper support for RFC 4530 entryUUID. At some point, it should be a matter of pride for the directory services to add functionality that clearly there is a demand for. I understand a lack of resources, but this looks more like a lack of overall desire when you look at the complete lack of attention this type of stuff gets in Bugzilla.
Having said that, it is pretty strange for vCenter to have LDAP requirements and lack of instructions/testing with hardly any third-party LDAP solutions. That kinda defeats the purpose of supporting an open standard.
In any case, at least there is a solid answer. This would be one worth just putting in the FAQ or on pages referencing vCenter that is basically unsupported and will not be worked.
-- Chris
On Tue, Feb 4, 2020 at 3:49 PM White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I am working on the issue from the VMware end. Let's see if I can get them to understand that their current OpenLDAP solution is unusable and needs to be updated.
Daniel E. White, NICS Linux Engineer, NASA Goddard Space Flight Center
From: Christopher Young mexigabacho@gmail.com Date: Tuesday, February 4, 2020 at 21:12 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Daniel White daniel.e.white@nasa.gov Subject: [EXTERNAL] Re: [Freeipa-users] VMware vCenter Single Sign-On
On Tue, 04 Feb 2020, Christopher Young via FreeIPA-users wrote:
I gotta say, the unwillingness of large organizations like RedHat to even consider this functionality is pretty amazing to see since there was a bug filed 12 years ago to add proper support for RFC 4530 entryUUID. At some point, it should be a matter of pride for the directory services to add functionality that clearly there is a demand for. I understand a lack of resources, but this looks more like a lack of overall desire when you look at the complete lack of attention this type of stuff gets in Bugzilla.
I don't think you can claim vCenter interoperability failure on entryUUID support. That one is simply a non-issue. The real issue is the inability to reconfigure the set of attribute names vCenter uses to query.
FreeIPA has the ipaUniqueID attribute, which is pretty much an equivalent to entryUUID. However, FreeIPA doesn't support the uniqueMember schema because it ensures all IPA groups have unique membership already, and the memberOf/member schema has much wider use and acceptance.
We looked at the possibility of emulating uniqueMember-based LDAP requests with a number of different approaches and decided not to go this way. You can see all the approaches and their performance characteristics in the FreeIPA wiki page referenced by Daniel below. A general performance degradation just to be able to present the same information in a view required by vCenter while conforming with LDAP protocol client expectations is not worth adding it.
The ability to remap names of attributes requested by vCenter would have helped to solve this difference. Pretty much all LDAP-integrated applications have the ability to specify attribute names and objectclass names in their configuration to be able to adapt to various LDAP schemas.
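As an added illustration of the mismatch Alexander describes (this is example code written for this page, not code from FreeIPA, VMware or anyone in the thread): a tiny RFC 4515 filter evaluator run over two constructed FreeIPA-style entries. The thread names entryUUID, ipaUniqueID, uniqueMember and member/memberOf; the group objectClass names (groupOfUniqueNames on the vCenter side, groupOfNames on the FreeIPA side), the DNs, the UUID values and the exact filter vCenter would send are assumptions for the demo. The point it shows is that the same group lookup returns nothing against FreeIPA's schema until the client's attribute and objectClass names are remapped, which is the configuration knob vCenter does not expose.

```python
"""Toy model of the vCenter-vs-FreeIPA LDAP schema mismatch.

Constructed sample entries (not real data) plus a minimal RFC 4515
filter evaluator with an optional attribute/objectClass remap table.
"""
import re

# Constructed FreeIPA-style entries. ipaUniqueID and member/memberOf are
# the names FreeIPA uses (from the thread); DNs and UUIDs are made up.
USER_DN = "uid=dwhite,cn=users,cn=accounts,dc=example,dc=test"
GROUP_DN = "cn=vsphere-admins,cn=groups,cn=accounts,dc=example,dc=test"
FREEIPA_ENTRIES = {
    USER_DN: {
        "objectClass": ["inetOrgPerson", "posixAccount", "ipaObject"],
        "uid": ["dwhite"],
        "ipaUniqueID": ["9c1d4e0a-1111-2222-3333-444455556666"],
        "memberOf": [GROUP_DN],
    },
    GROUP_DN: {
        # groupOfNames/ipaUserGroup as the group classes is an assumption.
        "objectClass": ["groupOfNames", "ipaUserGroup", "posixGroup", "ipaObject"],
        "cn": ["vsphere-admins"],
        "ipaUniqueID": ["0a0b0c0d-aaaa-bbbb-cccc-ddddeeeeffff"],
        "member": [USER_DN],
    },
}

# Client-side names (vCenter's OpenLDAP profile, assumed) -> FreeIPA names.
ATTR_MAP = {"uniqueMember": "member", "entryUUID": "ipaUniqueID"}
CLASS_MAP = {"groupOfUniqueNames": "groupOfNames"}

_SIMPLE = re.compile(r"([A-Za-z][A-Za-z0-9;-]*)=([^)]*)\)")


def _parse(filt, pos=0):
    """Parse a subset of RFC 4515: &, |, !, equality and presence (attr=*)."""
    if pos >= len(filt) or filt[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = filt[pos]
    if op in ("&", "|"):
        pos += 1
        subs = []
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            subs.append(node)
        if filt[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, subs), pos + 1
    if op == "!":
        node, pos = _parse(filt, pos + 1)
        if filt[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return ("!", node), pos + 1
    m = _SIMPLE.match(filt, pos)
    if not m:
        raise ValueError(f"bad simple filter at offset {pos}")
    return ("=", m.group(1), m.group(2)), m.end()


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _matches(node, entry, amap, cmap):
    kind = node[0]
    if kind in ("&", "|"):
        hits = [_matches(n, entry, amap, cmap) for n in node[1]]
        return all(hits) if kind == "&" else any(hits)
    if kind == "!":
        return not _matches(node[1], entry, amap, cmap)
    _, attr, value = node
    attr = amap.get(attr, attr)            # client attribute name -> server name
    values = _values(entry, attr)
    if value == "*":                       # presence filter
        return bool(values)
    if attr.lower() == "objectclass":
        value = cmap.get(value, value)     # client objectClass -> server class
    return any(v.lower() == value.lower() for v in values)


def search(filt, entries=FREEIPA_ENTRIES, remap=False):
    """Return the sorted DNs matching filt; remap=True applies the name tables."""
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    amap, cmap = (ATTR_MAP, CLASS_MAP) if remap else ({}, {})
    return sorted(dn for dn, e in entries.items() if _matches(node, e, amap, cmap))


# The group lookup a uniqueMember-based client would issue (assumed form):
VCENTER_GROUP_FILTER = f"(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))"
# The same question in FreeIPA's own schema:
FREEIPA_GROUP_FILTER = f"(&(objectClass=groupOfNames)(member={USER_DN}))"


def demo():
    """Run the lookups with and without remapping."""
    return {
        "vcenter_unmapped": search(VCENTER_GROUP_FILTER),             # empty: no groups found
        "vcenter_remapped": search(VCENTER_GROUP_FILTER, remap=True),
        "native": search(FREEIPA_GROUP_FILTER),
        "uuid_unmapped": search("(entryUUID=*)"),
        "uuid_remapped": search("(entryUUID=*)", remap=True),
    }


if __name__ == "__main__":
    for name, dns in demo().items():
        print(f"{name}: {dns}")
```

The empty "vcenter_unmapped" result is the directory-side view of the "you do not have permission on any vCenter server systems" login failure: the user binds fine, but no group ever matches, so no role is granted. Nothing on the FreeIPA side changed between the two runs; only the names the client asked for did.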
I believe you have stated the issue very precisely, Alexander.
Pretty much all LDAP-integrated applications have the ability to specify attribute names and objectclass names in their configuration to be able to adapt to various LDAP schemas.
I am pushing this idea at VMware Support. The ability to remap names of attributes requested by vCenter would have helped to solve this difference.
Many thanks.
Daniel E. White, NICS Linux Engineer, NASA Goddard Space Flight Center
From: Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org Reply-To: FreeIPA users list freeipa-users@lists.fedorahosted.org Date: Wednesday, February 5, 2020 at 14:45 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Alexander Bokovoy abokovoy@redhat.com Subject: [EXTERNAL] [Freeipa-users] Re: VMware vCenter Single Sign-On