On Tue, 04 Feb 2020, Christopher Young via FreeIPA-users wrote:
I gotta say, the unwillingness of large organizations like RedHat to
even consider this functionality is pretty amazing to see since there
was a bug filed 12 years ago to add proper support for RFC 4530
entryUUID.  At some point, it should be a matter of pride for the
directory services to add functionality that clearly there is a demand
for.  I understand a lack of resources, but this looks more like a
lack of overall desire when you look at the complete lack of
attention this type of stuff gets in Bugzilla.

I don't think you can claim vCenter interoperability failure on
entryUUID support. That one is simply a non-issue. The real issue is
the inability to reconfigure the set of attribute names vCenter uses to query.

FreeIPA has the ipaUniqueID attribute, which is pretty much equivalent to
entryUUID. However, FreeIPA doesn't support the uniqueMember schema because
it ensures all IPA groups have unique membership already, and the
memberOf/member schema has much wider use and acceptance.

We looked at the possibility of emulating uniqueMember-based LDAP requests
with a number of different approaches and decided not to go this way.
You can see all the approaches and their performance characteristics in the
FreeIPA wiki page referenced by Daniel below. A general performance
degradation just to be able to present the same information in a view
required by vCenter while conforming with LDAP protocol client
expectations is not worth it.

The ability to remap names of attributes requested by vCenter would have
helped to solve this difference. Pretty much all LDAP-integrated
applications have the ability to specify attribute names and objectclass
names in their configuration to be able to adapt to various LDAP
schemas.


Having said that, it is pretty strange for vCenter to have LDAP
requirements and lack of instructions/testing with hardly any
third-party LDAP solutions.  That kinda defeats the purpose of
supporting an open standard.

In any case, at least there is a solid answer.  This would be one
worth just putting in the FAQ or on pages referencing vCenter: that it is
basically unsupported and will not be worked on.

-- Chris

On Tue, Feb 4, 2020 at 3:49 PM White, Daniel E. (GSFC-770.0)[NICS] via
FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Reference Links:

12/19/2006 https://bugzilla.redhat.com/show_bug.cgi?id=220222 Bug 220222 - [RFE] support for RFC 4530 entryUUID attribute [NEEDINFO]

Product:     Red Hat Enterprise Linux 8

Reported:    2006-12-19 19:40 UTC by Victoriano Giralt

Modified:    2020-01-17 05:47 UTC (History)

01/04/2012 https://pagure.io/389-ds-base/issue/137  #137 No support for RFC 4530 entryUUID attribute

Last Modified 10/18/2017

04/04/2019 https://christopherdamerau.com/freeipa-as-vcsa-identity-source/

01/30/2019 https://www.reddit.com/r/redhat/comments/al3no8/does_identity_management_freeipa_and_vsphere/

04/04/2016 https://www.howtovmlinux.com/articles/vmware/vcenter/integrate-freeipa-idm-with-vcsa-vcenter-server-for-user-authentications.html

06/20/2017 https://kb.vmware.com/s/article/2064977  VMware Knowledge Base: OpenLDAP schemas supported in VMware vCenter Single Sign-On (2064977)

11/22/2018 https://www.freeipa.org/page/V4/Data_transformation



I have spent the last two days trying to get vSphere 6.7 SSO to talk to Red Hat
Identity Manager (FreeIPA v4.6.5).

Group permissions from LDAP do not work in vSphere.  Period.  It tells me, "Unable
to login because you do not have permission on any vCenter server systems connected to this
client"



I can associate an LDAP user to a vSphere role at the global level, but that 
won’t scale very far.



QUESTION: Does anyone know of an OpenLDAP setup that satisfies the VMware KB
description?

I do not believe that such a critter exists unless it is a home-grown, custom 
cobbled together monstrosity that would be a nightmare to maintain.

This was my point to VMware support.

They support Active Directory.

They should support FreeIPA because their "OpenLDAP" setup probably does not 
exist.



I am looking for any recent information anyone may have about getting this to 
work.

I am also looking for more detail to support my claim to VMware that they need 
to support FreeIPA.

______________________________________________________________________________________________



Daniel E. White
daniel.e.wh...@nasa.gov

NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771

Office: (301) 286-6919

Mobile: (240) 513-5290

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
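The attribute remapping Alexander describes, as an added illustration that is not part of this thread or of FreeIPA itself: a small translator between the OpenLDAP-style names vCenter SSO queries for (entryUUID, uniqueMember, groupOfUniqueNames) and the FreeIPA names (ipaUniqueID, member, groupOfNames). The mapping table, the filter-grammar subset handled and the sample group entry are my assumptions; as the thread says, FreeIPA's servers do not perform this rewrite, so this is what a client-side or proxy-side remap would have to do.

```python
import re
# Assumed mapping for illustration (not FreeIPA configuration): left side is the
# OpenLDAP-style schema vCenter SSO queries for, right side the FreeIPA names
# from the thread (ipaUniqueID stands in for RFC 4530 entryUUID).
PAIRS = [("entryUUID", "ipaUniqueID"),
         ("uniqueMember", "member"),
         ("groupOfUniqueNames", "groupOfNames")]
VCENTER_TO_IPA = {v.lower(): i for v, i in PAIRS}
IPA_TO_VCENTER = {i.lower(): v for v, i in PAIRS}

# One leaf assertion of an RFC 4515 filter, e.g. "(uniqueMember=uid=bob,...)".
# Compound nodes "(&", "(|", "(!" start with a non-letter, so only leaves match
# and nested filters are handled without a full parser.
_LEAF = re.compile(r"\(([A-Za-z][\w.;-]*)(~=|>=|<=|=)([^()]*)\)")

def _rename(name, table):
    # LDAP attribute and objectClass names are case-insensitive.
    return table.get(name.lower(), name)

def remap_filter(flt, table=VCENTER_TO_IPA):
    """Rewrite attribute names, and objectClass values, inside a search filter."""
    def fix(m):
        attr, op, val = _rename(m.group(1), table), m.group(2), m.group(3)
        if attr.lower() == "objectclass":
            val = _rename(val, table)
        return f"({attr}{op}{val})"
    return _LEAF.sub(fix, flt)

def remap_attrlist(attrs, table=VCENTER_TO_IPA):
    """Translate the list of attributes a client asks to have returned."""
    return [_rename(a, table) for a in attrs]

def present_entry(entry, table=IPA_TO_VCENTER):
    """Rename a FreeIPA entry's attributes and objectClasses into the vCenter view."""
    out = {}
    for attr, values in entry.items():
        new_attr = _rename(attr, table)
        if new_attr.lower() == "objectclass":
            values = [_rename(v, table) for v in values]
        out[new_attr] = list(values)
    return out

# Constructed sample FreeIPA group entry (fake DN and UUID), not real data.
IPA_GROUP = {
    "objectClass": ["top", "groupOfNames", "posixGroup", "ipaUserGroup"],
    "cn": ["vsphere-admins"],
    "ipaUniqueID": ["11111111-2222-3333-4444-555555555555"],
    "member": ["uid=bob,cn=users,cn=accounts,dc=example,dc=test"],
}
```

The filter direction covers what vCenter sends; present_entry covers the reverse view of a FreeIPA group, which is the "emulation" the wiki page measured and rejected on performance grounds.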