OMV / FreeIPA Integration


    • OMV / FreeIPA Integration

      Hi,

      Did anyone ever manage to make OMV3 and FreeIPA work together?

      I installed the FreeIPA client on OMV; it registers OMV on IPA but that's all, I can't use my LDAP users with OMV...

      Is there something else to configure to get users/groups from FreeIPA?

      Thanks!!
    • Hello,

      Using the omv 4 ldap plugin and a small modification (using nss-ldapd and installing nscd) I managed to have the users displayed in the omv interface.

      I created the ssh group on freeipa and added my users into it and I can log in to omv.

      But now I think I will try to remove the ldap plugin and install directly the freeipa-client.
    • Ok, I followed this:
      clusterfrak.com/sysops/app_ins…s/#install-the-ipa-client

      to install the freeipa-client, works perfect. Just replace the sources.list line with this one:
      echo -e 'deb apt.numeezy.fr stretch main' >> /etc/apt/sources.list

      I can log in my omv box using a freeipa user. But the user is not created locally (not appearing in the passwd file), so I don't really know how OMV will react as a whole to this new user.

      The post was edited 1 time, last by etique57 ().

    • etique57 wrote:

      Hello,

      Using the omv 4 ldap plugin and a small modification (using nss-ldapd and installing nscd) I managed to have the users displayed in the omv interface.

      I created the ssh group on freeipa and added my users into it and I can log in to omv.

      But now I think I will try to remove the ldap plugin and install directly the freeipa-client.
      etique57,
      Could you please provide more details on exactly what configuration you made here:

      ...small modification (using nss-ldapd and installing nscd) I managed to have the users displayed in the omv interface...


      I achieved a positive result on this question (OMV & FreeIPA) with a slightly different approach.

      The steps to reproduce this result:

      1) Install a clean Debian 10 Buster:
      Update/upgrade all packages

      Shell-Script

      apt-get update
      apt-get upgrade

      2) On top of that, install the latest version of OMV 5, as described here:
      forum.openmediavault.org/index…OMV5-on-Debian-10-Buster/

      Yes, the OMV 5 version is not stable and not a final release yet, but we need exactly Debian 10 to get freeipa-client installed without any hacks and testing/unstable repos.
      A stable freeipa-client package is now available only in Debian 10 Buster:
      packages.debian.org/search?keywords=freeipa

      I have tried installing freeipa-client from the unstable (sid) repo on OMV 4 (Debian 9 Stretch); the result was very bad, up to the OMV GUI portal failing.

      From my side there is a question: when will OMV 5 be released as a stable version? Please post if you have this information.

      3) Adjust your hostname:
      Below are examples; change the *.local and <*> values according to your environment.

      Shell-Script

      export HNAME="server.ovm5.local"
      hostnamectl set-hostname "$HNAME" --static
      hostname "$HNAME"
      # hostname -I can print several addresses; use only the first one for the hosts entry
      echo "$(hostname -I | awk '{print $1}') $HNAME" | tee -a /etc/hosts
      # Replace <ipa_server_ip> with the address of your FreeIPA server
      echo "<ipa_server_ip> server.ipa.local" | tee -a /etc/hosts


      4) Install freeipa-client:

      Shell-Script

      apt-get install freeipa-client

      5) Initiate and configure ipa-client:

      Shell-Script

      # --mkhomedir creates the home directory on first login; -N skips NTP configuration
      ipa-client-install --hostname=server.ovm5.local \
        --mkhomedir \
        --server=server.ipa.local \
        --domain ipa.local \
        --realm IPA.LOCAL -N

      After the IPA client has been initialized and configured successfully, check whether the OMV server sees IPA users:

      Shell-Script

      ipa user-find <some_user_from_ipa_ldap>

      or another way to check:

      Shell-Script

      id <some_user_from_ipa_ldap>

      If you see correct LDAP user data in the output, then you can continue.

      6) At this step, some small system modifications are needed:

      Modify /etc/login.defs by replacing the lines with the UID_MAX and GID_MAX parameters:

      Shell-Script

      UID_MAX 60000
      ->
      UID_MAX 200000000
      GID_MAX 60000
      ->
      GID_MAX 200000000

      Modify /etc/sssd/sssd.conf by adding this line with the enumerate parameter at the top of the config file:

      Shell-Script

      [domain/ipa.local]
      enumerate = true
      ...

      After the change, clear the sssd cache and restart the service:

      Shell-Script

      systemctl stop sssd && \
      rm -rf /var/lib/sss/db/* && \
      systemctl restart sssd


      7) Log in to the OMV GUI and check Users & Groups; the data from your FreeIPA should appear there.

      If you want to grant these LDAP users SSH access to your OMV, you need to create an ssh group in FreeIPA and assign the necessary users to it.
      For changes in FreeIPA settings to take effect quickly in your OMV, clear the cache and restart sssd, as described in the previous step.

      I have tested NFS share creation and ACLs with LDAP users, and it's working as expected without any issues.

      The post was edited 2 times, last by maximd8 ().
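
The two settings changed in step 6 of the post above can be checked offline before touching a live box. The script below is an added example, not code from the thread; it assumes OMV lists only accounts whose UID is at or below UID_MAX in /etc/login.defs, and every file content and user name in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the step 6 settings.
# Assumption: accounts with a UID above UID_MAX in login.defs are not listed by OMV.

# Print the value of KEY (e.g. UID_MAX) from a login.defs-style file.
login_defs_value() {    # usage: login_defs_value FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Print OPTION from the [domain/NAME] section of an sssd.conf-style file.
sssd_domain_option() {  # usage: sssd_domain_option FILE NAME OPTION
    awk -v sec="[domain/$2]" -v opt="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec && (i = index($0, "=")) {
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == opt) v = val
        }
        END { if (v != "") print v }' "$1"
}

# List accounts in passwd-format input whose UID is above UID_MAX.
users_above_uid_max() { # usage: users_above_uid_max PASSWD_FILE LOGIN_DEFS_FILE
    max=$(login_defs_value "$2" UID_MAX)
    awk -F: -v max="$max" '$3 + 0 > max + 0 { print $1 }' "$1"
}

# Constructed sample data: stock limits, the raised limit from step 6,
# an sssd.conf with the enumerate line, and three passwd entries.
SAMPLE=$(mktemp -d)
printf 'UID_MIN 1000\nUID_MAX 60000\n' > "$SAMPLE/login.defs.stock"
printf 'UID_MIN 1000\nUID_MAX 200000000\n' > "$SAMPLE/login.defs.raised"
printf '[sssd]\nservices = nss, pam\n\n[domain/ipa.local]\nenumerate = true\nid_provider = ipa\n' \
    > "$SAMPLE/sssd.conf"
printf '%s\n' 'localuser:x:1000:1000::/home/localuser:/bin/bash' \
    'ipauser1:*:145600004:145600004::/home/ipauser1:/bin/sh' \
    'ipauser2:*:1234600001:1234600001::/home/ipauser2:/bin/sh' > "$SAMPLE/passwd"

echo "enumerate for ipa.local: $(sssd_domain_option "$SAMPLE/sssd.conf" ipa.local enumerate)"
echo "above stock UID_MAX:  $(users_above_uid_max "$SAMPLE/passwd" "$SAMPLE/login.defs.stock" | tr '\n' ' ')"
echo "above raised UID_MAX: $(users_above_uid_max "$SAMPLE/passwd" "$SAMPLE/login.defs.raised" | tr '\n' ' ')"
```

On a real host, point the functions at /etc/login.defs, /etc/sssd/sssd.conf and the saved output of `getent passwd`, and compare UID_MAX with the ID range that `ipa idrange-find` reports for your domain.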