On Tue, Aug 31, 2021, 14:11 Rob Crittenden <rcritten(a)redhat.com> wrote:
> Ciro Iriarte via FreeIPA-users wrote:
> > Good afternoon,
>
> > I'm looking into integrating VMware Identity Manager with FreeIPA and it
> > looks better than vCenter so far because there are options to customize
> > filters and map attributes.
>
> > The only missing bit seems to be the "domain" attribute that vIDM
> > expects to be present in users & groups. Would that be something that
> > can be accommodated with the stock schemas? I cannot find any
> > reference to it.
>
> The VMware docs that I found are very opaque about what this attribute
> is or should contain. We generally don't recommend re-purposing
> attributes to mean something in a different context because there is no
> guarantee that IPA won't use it for its own purposes in the future.
>
> If you can obtain more information on what the domain attribute is for
> and what it might contain that would be very helpful.
>
> Or hopefully someone else on the list has already done this integration
> and can help out.
>
> rob
Hello,
The document mentioning the integration is
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/19.03/vidm_dir_int...
It seems it can be an arbitrary string but many examples show it as the
Kerberos REALM and/or the DNS domain attached to the directory.
Regards,
CI.-
To elaborate a little more, it seems to be used as a filter for user &
groups sync/replication.
Feels like a funky implementation, I would just use different Base DNs or
REALM (I recall it being possible with OpenLDAP, which is used for their
generic LDAP integration tests. Not sure about FreeIPA though) or group
membership.
Tested the integration setting up all the filters & mappings I could;
leaving the domain mapping blank led to 0 users & groups imported.
Regards,
CI.-