Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch:

# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

On 3/5/2015 at 9:15 AM, [email protected] wrote:

Hi Martin,

Using my vadmin account, "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the search completes successfully and I get a list of my users and groups; however, when I've watched the ldap queries between vcenter and freeipa I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames' which my groups don't seem to contain. I'm very much an ldap newbie but I thought at step two in the vsphere integration howto I modified the groups schema to include that object class?

On 3/4/2015 at 8:32 PM, "Martin Kosek" <[email protected]> wrote:

Given that this HOWTO does not use the vanilla Schema Compatibility settings (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:

# ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b "cn=groups,cn=compat,dc=localdomain,dc=local"

I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
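The check discussed in this thread, run over saved ldapsearch output, as an added example that is not part of the original messages: it parses the LDIF and reports which group entries lack the groupOfUniqueNames objectClass or carry no uniqueMember values. The second sample entry (cn=editors) and the function names are constructed for illustration; base64 (`attr::`) values are not decoded.

```python
# Constructed sample: the entry quoted in the thread plus a hypothetical second group.
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

dn: cn=editors,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
uniqueMember: uid=vadmin,cn=users,cn=compat,dc=localdomain,
 dc=local
"""

def parse_ldif(text):
    """Return LDIF entries as dicts of lowercased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if "dn" in current:  # skips ldapsearch's search/result trailer blocks
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_groups(entries):
    """Map each entry's DN to the list of problems found (empty list means ok)."""
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        checks = [("groupofuniquenames" in classes, "missing objectClass groupOfUniqueNames"),
                  (bool(e.get("uniquemember")), "no uniqueMember values")]
        report[e["dn"][0]] = [msg for ok, msg in checks if not ok]
    return report

if __name__ == "__main__":
    print(audit_groups(parse_ldif(SAMPLE_LDIF)))
```

For the entry quoted above, the report shows the objectClass is present but no uniqueMember values were generated, only memberUid.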
