OMV / FreeIPA Integration

  • Hi,


    Did anyone ever manage to make OMV3 and FreeIPA work together?


    I installed the FreeIPA client on OMV; it's registering OMV on IPA but that's all, I can't use my LDAP users with OMV...


    Is there something else to configure to get users / groups from FreeIPA?


    Thanks!!

  • Hello,


    Using the omv 4 ldap plugin and a small modification (using nss-ldapd and installing nscd) I managed to have the users displayed in the omv interface.


    I created the ssh group on freeipa and added my users into it and I can log in to omv.


    But now I think I will try to remove the ldap plugin and install directly the freeipa-client.

  • Ok, I followed this:
    http://clusterfrak.com/sysops/…s/#install-the-ipa-client


    to install the freeipa-client, works perfectly. Just replace the sources.list line with this one:
    echo -e 'deb http://apt.numeezy.fr stretch main' >> /etc/apt/sources.list


    I can log in to my omv box using a freeipa user. But the user is not created locally (not appearing in the passwd file), so I don't really know how OMV will react as a whole to this new user.

  • etique57,
    Could you please provide more details on exactly what configuration you made here:


    ...small modification (using nss-ldapd and installing nscd) I managed to have the users displayed in the omv interface...

  • I achieved a positive result on this question (OMV & FreeIPA) with a slightly different approach.


    These steps should be reproduced to achieve this result:


    1) Install a clean Debian 10 Buster:
    Update/upgrade all packages

    Bash
    apt-get update
    apt-get upgrade

    2) On top of it, install the latest OMV 5 version, as described here:
    https://forum.openmediavault.o…OMV5-on-Debian-10-Buster/


    Yes, OMV 5 is not stable and not a final release yet, but we need exactly Debian 10 to get freeipa-client installed without any hacks or testing/unstable repos.
    A stable freeipa-client package is currently available only in Debian 10 Buster:
    https://packages.debian.org/search?keywords=freeipa


    I tried installing freeipa-client from the unstable (sid) repo on OMV 4 (Debian 9 Stretch); the result was very bad, up to the OMV GUI portal failing.


    From my side there is a question: when will OMV 5 be released as a stable version? Please post if you have this information.


    3) Adjust your hostname:
    Below are examples; change the *.local and <*> values according to your environment

    Bash
    export HNAME="server.ovm5.local"
    hostnamectl set-hostname "$HNAME" --static
    hostname "$HNAME"
    echo "$(hostname -I) $HNAME" | tee -a /etc/hosts
    echo "<ipa_server_ip> server.ipa.local" | tee -a /etc/hosts


    4) Install freeipa-client:

    Bash
    apt-get install freeipa-client


    5) Initiate and configure ipa-client:

    Bash
    ipa-client-install --hostname=server.ovm5.local \
     --mkhomedir \
     --server=server.ipa.local \
     --domain ipa.local \
     --realm IPA.LOCAL -N


    After successfully initiating/configuring the IPA client, check whether the OMV server sees IPA users:

    Bash
    ipa user-find <some_user_from_ipa_ldap>


    or another way to check:

    Bash
    id <some_user_from_ipa_ldap>


    If you see correct LDAP user data in the output, then you can continue.


    6) At this step, some small system modifications need to be performed:


    Modify /etc/login.defs by replacing the lines with the UID_MAX and GID_MAX parameters:

    Bash
    UID_MAX 60000
    ->
    UID_MAX 200000000
    
    
    GID_MAX 60000
    ->
    GID_MAX 200000000


    Modify /etc/sssd/sssd.conf by adding this line with the enumerate parameter at the top of the config file:

    Bash
    [domain/ipa.local]
    enumerate = true
    ...


    After the change, clear the sssd cache and restart the service:

    Bash
    systemctl stop sssd && \
    rm -rf /var/lib/sss/db/* && \
    systemctl restart sssd


    7) Log in to the OMV GUI and check Users & Groups; the data from your FreeIPA should appear there.


    If you want to grant these LDAP users ssh access to your OMV, you need to create an ssh group in FreeIPA and assign the necessary users to this group.
    For changes in FreeIPA settings to take effect quickly in your OMV, you need to clear the cache and restart sssd, as described in the previous step.


    I have tested NFS share creation and ACLs with LDAP users, and it's working as expected without any issues.
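
Added example, not part of the post above: a read-only POSIX shell check of the step 6 settings (the UID/GID range in /etc/login.defs and `enumerate` in the `[domain/...]` section of sssd.conf) for one directory user. The function names are made up for this example, and `ipa.local` is the post's sample domain.

```shell
#!/bin/sh
# Added example (not from the post): read-only checks for the step 6 settings.
# File paths are arguments so the functions can be run against copies.

# Print the last value set for KEY (e.g. UID_MAX) in a login.defs-style file.
login_defs_value() {    # usage: login_defs_value KEY FILE
    awk -v k="$1" '$1 == k { v = $2 } END { if (v == "") exit 1; print v }' "$2"
}

# Print the value of "enumerate" from the [domain/DOMAIN] section of sssd.conf.
sssd_enumerate() {      # usage: sssd_enumerate DOMAIN FILE
    awk -v want="[domain/$1]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); inside = ($0 == want); next }
        inside && /^[ \t]*enumerate[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = tolower($0)
        }
        END { if (v == "") exit 1; print v }' "$2"
}

# Succeed when ID lies inside [KIND_MIN, KIND_MAX]; KIND is UID or GID.
id_in_range() {         # usage: id_in_range KIND ID FILE
    _min=$(login_defs_value "${1}_MIN" "$3") || return 2
    _max=$(login_defs_value "${1}_MAX" "$3") || return 2
    [ "$2" -ge "$_min" ] && [ "$2" -le "$_max" ]
}

# Report on one directory user; DOMAIN is the sssd.conf domain name.
check_ipa_user() {      # usage: check_ipa_user USER DOMAIN [LOGIN_DEFS] [SSSD_CONF]
    _defs=${3:-/etc/login.defs}; _conf=${4:-/etc/sssd/sssd.conf}; _rc=0
    _uid=$(id -u "$1" 2>/dev/null) || { echo "FAIL: $1 does not resolve"; return 1; }
    _gid=$(id -g "$1")
    id_in_range UID "$_uid" "$_defs" ||
        { echo "FAIL: uid $_uid outside UID_MIN..UID_MAX"; _rc=1; }
    id_in_range GID "$_gid" "$_defs" ||
        { echo "FAIL: gid $_gid outside GID_MIN..GID_MAX"; _rc=1; }
    [ "$(sssd_enumerate "$2" "$_conf" 2>/dev/null)" = "true" ] ||
        { echo "FAIL: enumerate is not true in [domain/$2]"; _rc=1; }
    [ "$_rc" -eq 0 ] && echo "OK: $1 uid=$_uid gid=$_gid"
    return "$_rc"
}
```

Run it as root, since sssd.conf is readable only by root: `check_ipa_user <some_user_from_ipa_ldap> ipa.local`. FreeIPA picks its ID range at install time, so the uid printed here is the number to compare against the UID_MAX you set.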

  • I've got a few nuances on my end and have gotten IPA working on my OS but users are not showing up in the OMV UI.

    I can su to an IPA user, the home directory is created and id shows the correct UID but in the users panel of OMV...no joy.

    I'm running on Raspbian based on Debian Bullseye and OMV Shaitan.


    Any suggestions on how to have my IPA users recognized would be greatly appreciated!

  • I am also interested in integrating OMV with freeipa. I followed maximd8's instructions, although using OMV 6 in a virtual machine.

    Just like donsimpson, joining the domain via ipa-client-install is successful and I get a list of local and ipa users using "getent passwd".

    It is just that in OMV UI, the ipa users (and groups) are not shown in the user management section. Interestingly enough, the ipa users are shown in the ACL dialogue of the shares!

  • As no answers on FreeIPA with OMV have been provided here, maybe a better approach is to follow https://www.freeipa.org/page/Troubleshooting

    omv 6.9.6-2 (Shaitan) on RPi CM4/4GB with 64bit Kernel 6.1.21-v8+

    2x 6TB 3.5'' HDDs (CMR) formatted with ext4 via 2port PCIe SATA card with ASM1061R chipset providing hardware supported RAID1


    omv 6.9.3-1 (Shaitan) on RPi4/4GB with 32bit Kernel 5.10.63 and WittyPi 3 V2 RTC HAT

    2x 3TB 3.5'' HDDs (CMR) formatted with ext4 in Icy Box IB-RD3662-C31 / hardware supported RAID1

    For Read/Write performance of SMB shares hosted on this hardware see forum here
