Hi,
In the lifecycle manager installation document it mentions that the appliance runs OpenLDAP (slapd) version 2.3.35. How can I configure VMO to use this rather than the AD? Is there any document that details this? I can't find any info in the install guide on this. Ideally I do not want to have to rely on the AD.
thanks,
Chi
I know... docs aren't the best in the world. I also know that the LCM Appliance uses OpenLDAP. Maybe you could dissect it?
Dave
To achieve this you will have to set up the slapd.conf file and an ldif file. There are several examples on the web on how to do this. You can also follow the procedure below, which was used for adding users to the appliance:
To add a user to the LDAP database, follow the example below (paths are for OS X and have to be adapted for the OS you want to run LDAP on). You will have to find the existing ldif provided in the appliance and change it with the new users and groups.
Init the database: look for the ldif provided in the appliance and edit accordingly.
Several tags are available (for more detail see the schemas in the schema directory); the most useful are:
dn: distinguished name (composed by cn, ou and dc)
cn: common name
uid: id
name: name (generally, cn,uid and name are the same)
objectClass: determines the class of the entry
member: name of a member of the group if the entry is a group
Example: a) Create a user:
dn: cn=vsoadmin, ou=vso, dc=vsoappliance
cn: vsoadmin
# sn is mandatory for the person object class
sn: vsoadmin
uid: vsoadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
# inetOrgPerson corresponds to "user" in Active Directory
objectClass: inetOrgPerson
# note: the standard schemas do not allow a 'name' attribute on inetOrgPerson, so no 'name:' line here
# value as posted; slappasswd output normally carries a scheme prefix such as {SSHA}
userPassword: 238Def2RyRMitcHImxm5FVS2IGI6lIDg
(to generate a password, open a terminal, type "slappasswd" and enter the password)
b) Create a group:
dn: cn=vsoadmins, ou=vso, dc=vsoappliance
cn: vsoadmins
objectClass: top
# groupOfNames marks the entry as a group; it requires cn and at least one member
# (and does not allow uid or name attributes, so none are given here)
objectClass: groupOfNames
member: cn=vsoadmin, ou=vso, dc=vsoappliance
Start the server with the init-database:
In a terminal (Warning: ADAPT TO YOUR OS PATHS! The commands should be the same. Stop slapd before doing any of this):
cd /etc/openldap
sudo rm -r /var/db/openldap/openldap-data/; sudo mkdir /var/db/openldap/openldap-data/ (clean the database)
sudo slapadd -f slapd.conf -l init-database.ldif (init the server with our init-database)
sudo /usr/libexec/slapd -d 255 (-d 255 is optional, starts the server in debug mode)
You can also use an OpenLDAP web front-end which will do all of this for you.
Christophe.
I'm configuring VMO to use OpenLDAP (running on RedHat Enterprise Linux 3). I was experiencing failures in my attempts to configure the LDAP and Plugins tabs within the VMware Orchestrator Configuration utility. Specifically, the failures were occurring when attempting to use the "Test Login" capability (of the LDAP tab) and when attempting to authenticate to LDAP from the Plugins tab.
I fixed the problem by adding the "uid" line to my ldif file.
I've included my ldap.conf, slapd.conf, and ldif files below to provide another sample OpenLDAP configuration for others in the future.
Also, during my attempts to get VMO and OpenLDAP configured to work together it wasn't clear to me what credentials I needed to supply on the LDAP and Plugins tabs. What ultimately worked was using "vmoAdmin" (the short name for my LDAP user account).
ldap.conf
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 127.0.0.1
BASE dc=example,dc=com
URI ldap://localhost
# TLS_REQCERT needs a value (never|allow|try|demand|hard) and is only consulted for
# ldaps:// or StartTLS connections; the plain ldap://localhost URI above does not use TLS.
#TLS_REQCERT demand
slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
# password-hash needs a scheme; {SSHA} is what slappasswd produces by default
password-hash {SSHA}
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile //var/run/slapd.pid
#argsfile //var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
# (with no ACLs, as in this file, anonymous clients can also read userPassword
# hashes; consider enabling the sample rules above once VMO binds successfully)
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=example,dc=com"
#suffix "o=My Organization Name,c=US"
rootdn "cn=ldapadmin,dc=example,dc=com"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw vmware
# The value below is the SHA-1 digest of 'vmware' (20 bytes, base64), which is
# what "slappasswd -h {SHA}" produces. The {SHA} scheme prefix is required:
# without it slapd compares bind attempts against the literal string as a
# cleartext password.
rootpw {SHA}cXICgynhE87XFanNV9bOA+EYBlY=
# rootpw secret
# rootpw ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
ldif
dn: dc=example,dc=com
dc: example
description: This is an example company.
objectClass: dcObject
objectClass: organization
o: Example
dn: ou=Employees,dc=example,dc=com
ou: Employees
description: All the employees in Example, Inc.
objectClass: organizationalUnit
dn: ou=Groups,dc=example,dc=com
ou: Groups
description: Groups in Example, Inc.
objectClass: organizationalUnit
dn: cn=vmoAdmin,ou=Employees,dc=example,dc=com
objectClass: person
objectClass: OrganizationalPerson
objectClass: inetOrgPerson
cn: vmoAdmin
sn: vmoAdmin
uid: vmoAdmin
userpassword:
dn: cn=vmoAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: vmoAdmins
member: cn=vmoAdmin,ou=Employees,dc=example,dc=com
The formatting of the LDIF file in the example above is incorrect.
You need a blank line before each dn: entry.
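Both Christophe's procedure and the correction just above come down to getting the LDIF right before slapadd runs. The Python below is an added example, not code from the thread or from OpenLDAP: a minimal LDIF reader and a checker for the specific mistakes discussed here (entries not separated by a blank line, an inetOrgPerson without uid, mandatory attributes missing for an object class, a userPassword without a {SCHEME} prefix, and a group member that names an entry the file does not define). The MUST table follows core.schema and inetorgperson.schema for the classes used in the thread; the two sample LDIF strings are constructed for the demo and the function names are mine.

```python
"""LDIF reader plus checks for the mistakes in this thread (added example; not code
from the thread or from OpenLDAP).  MUST lists follow core.schema/inetorgperson.schema;
the sample LDIF strings at the bottom are constructed for the demo."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]
# mandatory attributes per object class (names lowercased)
MUST = {"person": {"cn", "sn"}, "organizationalunit": {"ou"}, "groupofnames": {"cn", "member"}}

def normalize_dn(dn: str) -> str:
    """Case-fold and drop spaces after commas so 'cn=a, ou=b' matches 'cn=A,ou=b'."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text: str) -> List[Entry]:
    """One dict per entry (attribute names lowercased).  Blank lines separate entries,
    '#' starts a comment, a leading space continues the previous line, 'attr:: v' is
    base64.  An LDIF with no blank lines parses as ONE entry carrying several dn lines."""
    lines: List[str] = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):          # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_ldif(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the file looks sane."""
    problems: List[str] = []
    entries = parse_ldif(text)
    known = {normalize_dn(e["dn"][0]) for e in entries if len(e.get("dn", [])) == 1}
    for e in entries:
        dns = e.get("dn", [])
        if len(dns) != 1:
            problems.append("entry carries %d dn lines: put a blank line before each 'dn:'" % len(dns))
            continue
        dn, classes = dns[0], {c.lower() for c in e.get("objectclass", [])}
        for cls in sorted(classes):
            for attr in sorted(MUST.get(cls, set()) - set(e)):
                problems.append("%s: objectClass %s requires '%s'" % (dn, cls, attr))
        if "inetorgperson" in classes and "uid" not in e:
            problems.append("%s: no uid (VMO's Test Login failed until uid was added)" % dn)
        for pw in e.get("userpassword", []):
            if not (pw.startswith("{") and "}" in pw):
                problems.append("%s: userPassword lacks a {SCHEME} prefix; slapd treats it as cleartext" % dn)
        for m in e.get("member", []):
            if normalize_dn(m) not in known:
                problems.append("%s: member %s is not defined in this file" % (dn, m))
    return problems

# Constructed sample shaped like the thread's LDIF, with no blank line between entries.
FLAT_LDIF = """\
dn: cn=vmoAdmin,ou=Employees,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: vmoAdmin
sn: vmoAdmin
uid: vmoAdmin
userPassword: {SSHA}c2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==
dn: cn=vmoAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: vmoAdmins
member: cn=vmoAdmin, ou=Employees, dc=example,dc=com
"""
# Constructed sample: the same two entries separated correctly (placeholder hash value).
GOOD_LDIF = """\
dn: cn=vmoAdmin,ou=Employees,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: vmoAdmin
sn: vmoAdmin
uid: vmoAdmin
userPassword: {SSHA}c2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==

dn: cn=vmoAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: vmoAdmins
member: cn=vmoAdmin, ou=Employees, dc=example,dc=com
"""

if __name__ == "__main__":
    for name, sample in (("flat", FLAT_LDIF), ("good", GOOD_LDIF)):
        print(name, check_ldif(sample) or "OK")
```

Run it before slapadd: the flat file comes back as a single entry with two dn lines (the problem the last reply describes), the separated file passes, and removing the uid line or the {SSHA} prefix from the good sample produces the corresponding complaint.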