OMV / FreeIPA Integration

  • Hi,


    Did someone ever managed to make OMV3 and FreeIPA work together ?


    I installed freeipa client on OMV, it's registering OMV on IPA but that's all, i can't use my LDAP users with OMV...


    Is there something else to config to get users / groups from freeipa ?


    Thanx !!

  • Hello,


    Using the omv 4 ldap plugin and a small modification (using nss-ldapd and installing nscd) I managed to have the users displayed in the omv interface.


    I created the ssh group on freeipa and added my users into it and I can log in to omv.


    But now I think I will try to remove the ldap plugin and install directly the freeipa-client.

  • Ok, I followed this:
    http://clusterfrak.com/sysops/…s/#install-the-ipa-client


    to install the freeipa-client, works perfect. Just replace the sources.list line with this one:
    echo -e 'deb http://apt.numeezy.fr stretch main' >> /etc/apt/sources.list


    I can log in my omv box using a freeipa user. But the user is not created locally (not appearing in the passwd file), so I don't really know how OMV will react as a whole to this new user.

  • etique57,
    Could please provide more details what exactly configuration you made here:


    ...small modification (using nss-ldapd and installing nscd) I managed to have the users displayed in the omv interface...


  • I achieved a positive result in this question (OVM & FreeIPA) with a little another approach.


    What steps should be reproduced to achieve this result:


    1) Install clean Debian 10 Buster:
    Update/upgrade all packages

    Bash
    apt-get update
    apt-get upgrade

    2) On the top install OVM 5 latest version, as described here:
    https://forum.openmediavault.o…OMV5-on-Debian-10-Buster/


    Yes, OVM 5 version is not stable and not final release yet, but we need exactly Debian 10 to get installed freeipa-client without any hacks and testing/unstable repos.
    Stable freeipa-client package now is available only in Debian 10 Buster:
    https://packages.debian.org/search?keywords=freeipa


    I have tried install freeipa-client from unstable(sid) repo on OVM 4 (Debian 9 Stretch), the result was very bad, up to OVM GUI portal failing.


    From my side there is question, when OVM 5 will be released as stable version? Please post who have this information.


    3) Adjust your hostname:
    Below are examples, change values *.local and <*> accordingly with your environments

    Bash
    export HNAME="server.ovm5.local"
    hostnamectl set-hostname $HNAME --static
    hostname $HNAME
    echo "$(hostname -I) $HNAME" | tee -a /etc/hosts
    echo "<ipa_server_ip> server.ipa.local" | tee -a /etc/hosts


    4) Install freeipa-client:

    Bash
    apt-get install freeipa-client


    5) Initiate and configure ipa-client:

    Bash
    ipa-client-install --hostname=server.ovm5.local \
    --mkhomedir \
    --server=server.ipa.local \
    --domain ipa.local \
    --realm IPA.LOCAL -N


    After successful ipa client initiating/configuring, check if OVM server see IPA users:

    Bash
    ipa user-find <some_user_from_ipa_ldap>


    or another way how to check:

    Bash
    id <some_user_from_ipa_ldap>


    If you see in outputs correct ldap user data, then you can continue.


    6) At this step need perform some small system modification:


    Modify /etc/login.defs by replacing these lines with parameters UID_MAX and GID_MAX

    Bash
    UID_MAX 60000
    ->
    UID_MAX 200000000
    GID_MAX 60000
    ->
    GID_MAX 200000000


    Modify /etc/sssd/sssd.conf, by adding this line with parameter enumerate on the top on config file:

    Bash
    [domain/ipa.local]
    enumerate = true
    ...


    After changing clear sssd cache and restart service:

    Bash
    systemctl stop sssd && \
    rm -rf /var/lib/sss/db/* &&\
    systemctl restart sssd


    7) Login in OVM GUI and check Users&Groups, there should appear data from your FreeIPA.


    If you want grant to these ldap users ssh access to your OVM, need in FreeIPA create ssh group and assign to this group necessary users.
    To take fast affect in your OVM after some changing in FreeIPA settings, need to clear cache and restart sssd, as described in previous step.


    I have tested NFS share creating and ACL with ldap users, and it's working as expected without any issues.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!