Highlighted
Contributor
Contributor

vCenter Appliance and FreeIPA

We want to have a centralized login system, similar to Active Directory. But we only use Linux, and would prefer not to depend on Windows to provide our user security. The Linux "eqivilent" of Active Directory is FreeIPA (or just IPA).

Most of our enviroment, which is Linux based, can be easily tied to the IPA server. But vCenter is tightly integrated with Active Directory. The appliance, from what I understand, uses "Likewise" to authenticate against Active Directory.

It seem like my options are:

1 - Setup an Active Directory server and syncronize with IPA. (complicated)

2 - Hack the vCenter appliance to use IPA and not Likewise. (difficult, but if possible hard to maintain with updates)

3 - If IPA v3 (currently in beta) supports AD clients, have Likewise authenticate directly to IPA. (best immediate option, if it works)

4 - Stick with local users on vCenter, and hope VMware decides to add support for IPA. (unlikely, but most ideal)

Has anyone here experienced this? What did you end up doing?

In any case, would it be possible to setup certificate based authentication, similar to what you can do with SSH?

0 Kudos
1 Reply
Highlighted
Contributor
Contributor

Hi Luke,

I recently came across this article that brilliantly sheds light on setting up FreeIPA/IDM auth on vCenter. It says tha you need to create a Object in IPA "groupOfUniqueNames" and then you would be able to use groups as well. But before that you need to set the attribute for the users in the SSO group via this command on the IPA/IDM server.

# ipa group-mod ssogroups --addattr="uniqueMember=uid=user1,cn=users,cn=accounts,dc=dev,dc=local"

Got these via this website

http://www.howtovmlinux.com/articles/vmware/vcenter/integrate-freeipa-idm-with-vcsa-vcenter-server-f...

0 Kudos