
VMware vCenter with FreeIPA - permissions for group


I have a problem with permissions for groups in VMware. My configuration in VMware:

Identity source type: OpenLDAP
Name: FreeIpa
Base distinguished name for users: cn=users,cn=accounts,dc=freeipa,dc=eu1,dc=d
Base distinguished name for group: cn=groups,cn=accounts,dc=freeipa,dc=eu1,dc=d
Domain name: freeipa.example.com
domain alias: freeipa.eu1.d
Username: uid=system-vmware-vcenter,cn=sysaccounts,cn=etc,dc=freeipa,dc=eu1,dc=d
password: XXXX
Primary Server URL: ldap://X.X.X.X

These settings correctly display users and groups in "Global permissions"

The problem arises when permissions are granted to a group: even though the user is in the group, he does not get the permissions.

When I add permissions for a specific user - it works.

Is it possible for the permissions to work for group members?

I tried to change from cn=accounts to cn=compat:

Base distinguished name for users: cn=group,cn=compat,dc=freeipa,dc=eu1,dc=d
Base distinguished name for group: cn=users,cn=compat,dc=freeipa,dc=eu1,dc=d

But then it finds neither groups nor users.

Example group from cn=compat:

ldapsearch -x -b "cn=groups,cn=compat,dc=freeipa,dc=eu1,dc=d" cn=testvc
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=freeipa,dc=eu1,dc=d> with scope subtree
# filter: cn=testvc
# requesting: ALL
#

# testvc, groups, compat, freeipa.eu1.d
dn: cn=testvc,cn=groups,cn=compat,dc=freeipa,dc=eu1,dc=d
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1059900518
memberUid: testvc1
ipaAnchorUUID:: OklQQTpmcmVlaXBhLmV1MS5kOmQwYTYwYWQ2LTE0OTEtMTFlYy05NDAzLTAwNT
 A1NmFkZjA3Nw==
uniqueMember: uid=testvc1,cn=users,cn=compat,dc=freeipa,dc=eu1,dc=d
cn: testvc

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Example from cn=accounts:

ldapsearch -x -b "cn=groups,cn=accounts,dc=freeipa,dc=eu1,dc=d" cn=access.vmware.all-admin

# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=freeipa,dc=eu1,dc=d> with scope subtree
# filter: cn=access.vmware.all-admin
# requesting: ALL
#

# access.vmware.all-admin, groups, accounts, freeipa.eu1.d
dn: cn=access.vmware.all-admin,cn=groups,cn=accounts,dc=freeipa,dc=eu1,dc=d
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: groupOfUniqueNames
cn: access.vmware.all-admin
ipaUniqueID: 1bcbf37a-1467-11ec-a8b3-005056adf077

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I saw these:

https://www.freeipa.org/page/HowTo/vsphere5_integration#vSphere_Configuration

https://cloudalbania.com/2021/05/28/creating-new-openldap-server-with/

https://howtovmlinux.com/articles/vmware/vcenter/integrate-freeipa-idm-with-vcsa-vcenter-server-for-user-authentications.html
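An added check, not from the question and not VMware's or FreeIPA's own code: it parses ldapsearch-style LDIF like the two entries quoted above and reports, for each group, whether its member DNs fall under the user base DN configured in the identity source. It assumes the identity source resolves membership by matching member/uniqueMember DNs against that user base DN (so a posixGroup carrying only memberUid, or DNs from the other tree, cannot resolve); the sample LDIF and the dc=example,dc=test suffix are constructed.

```python
"""Check which LDAP group member DNs fall under a configured user base DN (added example)."""
import base64

def parse_ldif(text):
    """Return entries as {attr_lowercase: [values]}; handles folded lines, '::' base64 and '#' comments."""
    lines = []
    for raw in text.splitlines():               # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            if val.startswith(":"):             # base64-encoded value
                val = base64.b64decode(val[1:].strip()).decode()
            cur.setdefault(attr.strip().lower(), []).append(val.strip())
    return entries

def under_base(dn, base):
    """Case-fold and strip spaces around RDN parts, then test that dn ends with base."""
    norm = lambda d: ",".join("=".join(p.strip().lower() for p in r.split("=", 1)) for r in d.split(","))
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def check_group(group, user_base):
    """Return (member DNs under user_base, problems) for one parsed group entry."""
    dns = group.get("member", []) + group.get("uniquemember", [])
    problems = [f"{d} is outside {user_base}" for d in dns if not under_base(d, user_base)]
    if not dns:  # a posixGroup memberUid carries no DN for a DN-based source to match
        problems.append("memberUid only" if "memberuid" in group else "no members")
    return [d for d in dns if under_base(d, user_base)], problems

# Constructed sample modelled on the question's two entries (all values made up).
SAMPLE_LDIF = """dn: cn=testvc,cn=groups,cn=compat,dc=example,dc=test
memberUid: testvc1
uniqueMember: uid=testvc1,cn=users,cn=compat,dc=example,dc=test
cn: testvc

dn: cn=access.vmware.all-admin,cn=groups,cn=accounts,dc=example,dc=test
member: uid=testvc1,CN=Users,cn=accounts, dc=example,dc=test
cn: access.vmware.all-admin
"""

def report(user_base, ldif=SAMPLE_LDIF):
    return {g["cn"][0]: check_group(g, user_base) for g in parse_ldif(ldif)}
```

Running report() once with the cn=accounts user base and once with the cn=compat one shows that each group only resolves when the user and group base DNs come from the same tree, which is what the swapped cn=compat entries in the question would break.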
