FreeIPA with vSphere 6

      No Comments on FreeIPA with vSphere 6

In case you happen to use vsphere to manage users and want to use FreeIPA as the source for user and group info below is a synopsis of how to get basic functionality working.

Choose OpenLDAP – Configure as appropriate



Users should work without a hitch.  Groups are a bit more complicated and not easy at this time if you have a large organization.  I have tried to use the cn=compat container but I get SSO errors when doing this.  Users and Groups don’t work when I choose that container.

My solution, not pretty but works, was to edit a few options in FreeIPA.

I use AutoMember to have it populate Group entries with the UniqueMember attribute and values.  This works well but you have to make a rule for each group you want to have populated with this info.  Before we start we need to add the objectClass to the Group default.  You do this by going into the IPA Web Interface -> IPA Server -> Configuration.  Look for Group Options down at the bottom.  Click add and type “groupOfUniqueNames”  – Click update at the top when done.  It should look like the following:

Screenshot 2015-08-25 11.30.22

1.  Open up an LDAP editor and connect to your IPA server.  Go to cn=automember,cn=etc,$SUFFIX.  Look for the cn=Group container.

2.  Click on cn=Group and look for the attribute : autoMemberGroupingAttr and change the value from “member:dn” to “uniqueMember:dn”

Screenshot 2015-08-25 11.09.58


3.  Now in the Web GUI for IPA go to Identity – Automember – User Group Rules and add a new rule.  When adding a rule it will give you a dropdown to select from the list.  Choose the group you wish to use in vSphere.  In my case it was called “vsphere-admins”

4.   Once you have added the rule click on it.  Now under “Inclusive” click add.  We will add a regex rule to look for the following:  memberof and the expression is: ^cn=vsphere-admins  – Where vsphere-admins is then name of the group you wish to search for and add members from.

Screenshot 2015-08-25 11.24.11

This should now allow the creation of uniqueMember’s to that specific group.  You can test this by connecting via SSH to your IPA server and authorizing as an IPA admin.  Typically like this “kinit admin”.  Once you have your ticket without admin rights run the following:

ipa automember-rebuild –type=group

This will force the automember process to search the cn=users,cn=accounts,$SUFFIX for any users that have a memberOf=cn=vsphere-admins and then add a uniqueMember entry to the vsphere-admins group.  Double check it is working by using your ldap editor to look at the cn=vsphere-admins group or whatever group name you chose.  You should now see a uniqueMember entry.

If you have made it this far and you are getting uniqueMember values in your group congrats.  Any time you add users via the Web Interface it will automagically add or remove the uniqueMember entries for you.  One last thing is needed before the groups will be recognized in vSphere.

By default, IPA does not allow a query for uniqueMembers on the container cn=groups.  We will need to add that to the corresponding ACI.  To do this use your trusty LDAP editor, I use Apache Directory Studio, and locate the ACI’s on the container cn=groups,cn=accounts,$SUFFIX.

You should see and aci that looks like the following:

Screenshot 2015-08-25 11.39.43

You can see I already added uniqueMember to the ACI.  Make your entry look the same and vsphere should be able to see that attribute value combo when it does a query.  An ldapsearch should look like this.

# vsphere-admins, groups, compat,$SUFFIX

dn: cn=vsphere-admins,cn=groups,cn=compat,$SUFFIX

gidNumber: 2008

memberUid: csilvertooth

objectClass: posixGroup

objectClass: groupOfUniqueNames

objectClass: top

uniqueMember: uid=csilvertooth,cn=users,cn=compat,$SUFFIX

cn: vsphere-admins


You should now be able to use that group inside of vSphere.  If you need additional groups just add additional AutoMember entries with the correct memberof/expression combo’s.



Leave a Reply

Your email address will not be published. Required fields are marked *