
I have a vCenter appliance and FreeIPA running in my environment. There are no Windows machines at all, nor will there be. I have set up the VCA to authenticate via LDAP to IPA and this works PER USER. The issue I'm having is that even when defining the groups context, I cannot see any groups, and the FreeIPA users lack SSO capabilities.

At work, we have vCenter 5.5 with a Server 2k12 DC, and the domain users have SSO and groups work.

Can anyone shed any light? There is a previous question at VMware vCenter/ESXi with FreeIPA instead of Active Directory?

where this is discussed, but the "answer" isn't helpful at all. The final comment on that page does describe my particular issue precisely, though.

driz

2 Answers


"There are no windows machines at all, nor will there be..."

That's fine, but don't be surprised when things don't work the way you expect them to. The path of least-resistance for directory integration with VMware is Active Directory. I've never seen references to FreeIPA actually being supported for vSphere SSO. Sorry my answers have not been helpful, but I don't think there's any reasonable expectation that this combination should work.

To my knowledge, VMware SSO only supports Active Directory, OpenLDAP and NIS.

ewwhite
  • If you don't follow the rules, don't be surprised if you get bit. Active Directory is a reasonable system requirement... unless you have a religious and irrational hatred for Windows. – Wesley May 17 '14 at 03:16
  • FreeIPA is integrated into the VCA via OpenLDAP right now; groups/SSO are still lacking. As far as I know, FreeIPA follows the OpenLDAP standard with some extra capability; is this not true? – driz May 17 '14 at 18:06
  • FreeIPA follows the standard, but I would not rely on VMware being consistent in its approach. The VCSA and SSO functionality has changed considerably in the past two revisions. I'm not excusing VMware's offering, but the changes were enough to impact existing environments. That's why I suggested Active Directory, since that's the primary target for the solution and probably receives the most development/feature/testing attention. – ewwhite May 17 '14 at 18:14
  • ewwhite, thanks for your input. I find everything you said to be insightful; I am hoping someone will reply with a workaround/fix or something else that lets the existing setup work properly! – driz May 18 '14 at 01:15

Would attaching your FreeIPA users to vsphere.local groups be an acceptable work around? Use the vsphere.local groups for permissions within vCSA.

At least I think this will work. Our OpenLDAP doesn't match VMware's chosen schema so I wasn't able to test this out fully yet.

  • I attempted this but couldn't add IPA users to local groups. I did not try doing it manually via the command line; is this how I would need to do it? What's weird is that in the LDAP settings you can input a group DN, but groups don't show up. – driz May 25 '14 at 17:23
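The second answer points at the likely cause: the group objects FreeIPA exposes do not necessarily carry the object class and membership attribute that an LDAP consumer such as vCenter's OpenLDAP identity source enumerates. The script below is an added diagnostic, not code from this thread or from VMware or FreeIPA; it parses an LDIF dump of the groups subtree and reports, for each group, whether it carries the expected group objectClass, the expected membership attribute, and member DNs that sit under the configured user base DN. The values EXPECTED_GROUP_CLASS (groupOfUniqueNames) and EXPECTED_MEMBER_ATTR (uniqueMember) are assumptions standing in for whatever your vCenter release documents; the LDIF is constructed sample data, with one FreeIPA-style groupOfNames/member group and one groupOfUniqueNames/uniqueMember group so both outcomes are visible. In a real environment you would feed it the output of `ldapsearch -LLL -b cn=groups,cn=accounts,dc=...` instead.

```python
"""Check which directory groups an LDAP consumer that keys on a specific
group objectClass and membership attribute would actually enumerate.

Added diagnostic example; not from the original thread.  ASSUMPTIONS:
EXPECTED_GROUP_CLASS / EXPECTED_MEMBER_ATTR stand in for whatever your
vCenter release's OpenLDAP identity source looks for; set them from the
VMware docs for your version.  SAMPLE_LDIF is constructed test data.
"""
from collections import defaultdict

# Constructed sample: a FreeIPA-style group (groupOfNames + member), a
# group using groupOfUniqueNames + uniqueMember, and one user entry.
SAMPLE_LDIF = """\
dn: cn=vmware-admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: vmware-admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test

dn: cn=legacy-ops,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: groupOfUniqueNames
cn: legacy-ops
uniqueMember: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: inetOrgPerson
uid: alice
"""

EXPECTED_GROUP_CLASS = "groupOfUniqueNames"   # assumption, see docstring
EXPECTED_MEMBER_ATTR = "uniqueMember"         # assumption, see docstring
USER_BASE_DN = "cn=users,cn=accounts,dc=example,dc=test"

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "posixgroup"}


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line continuations) into a
    list of dicts mapping lowercased attribute name -> list of values.
    Entries are separated by blank lines, as ldapsearch -LLL emits them."""
    entries = []
    current = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def audit_groups(entries, group_class=EXPECTED_GROUP_CLASS,
                 member_attr=EXPECTED_MEMBER_ATTR, user_base=USER_BASE_DN):
    """Return {group DN: [problems]}.  An empty list means the group has the
    expected objectClass and membership attribute and every member DN lies
    under user_base, so the consumer should be able to enumerate it.
    Non-group entries (users etc.) are skipped."""
    report = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes & GROUP_CLASSES:
            continue
        dn = entry["dn"][0]
        problems = []
        if group_class.lower() not in classes:
            problems.append("missing objectClass %s" % group_class)
        members = entry.get(member_attr.lower())
        if not members:
            problems.append("no %s attribute" % member_attr)
        else:
            for member in members:
                if not member.lower().endswith(user_base.lower()):
                    problems.append("member outside user base DN: %s" % member)
        report[dn] = problems
    return report


if __name__ == "__main__":
    for dn, problems in audit_groups(parse_ldif(SAMPLE_LDIF)).items():
        status = "OK" if not problems else "; ".join(problems)
        print("%s: %s" % (dn, status))
```

Run against the sample, the FreeIPA-style group is flagged for both the object class and the membership attribute while the groupOfUniqueNames group passes; rerunning with `group_class="groupOfNames", member_attr="member"` inverts the result, which is the quickest way to see whether a schema mismatch rather than a bind or base-DN problem is why the groups context shows nothing.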