VMware Cloud Community
Chlsmith
Contributor

ESXi 5 not allowing me to bind to LDAP

I have several ESXi hosts and I'm trying to get them to join AD so I can roll out administrative permissions through AD groups. I have joined the servers to the domain and that part worked as expected.

Now, when I go into Permissions to add a group, as soon as I choose my domain in the dropdown, I get the following error:

"A general system error occurred: Error accessing directory: Can't bind to LDAP server for domain <domain name>. Call "UserDirectory.RetrieveUserGroups" for object "ha-user-directory" on ESXi "<hostname>" failed."

This is occurring on 5 of my 7 ESXi hosts, and there's nothing that I'm aware of that's different on the other two.

Could this be a problem with requiring LDAPS on my domain? If so, why would it work on the other two servers? Just weird.

Any tips would be appreciated. Thanks!

7 Replies
bojanpopovic
Contributor

Same thing happened to our servers. Two out of three have the problem mentioned.

There is some workaround though. Domain users can be added manually, without the search through AD, so they are able to log in.

What strikes me as strange is: when the domain user has the role of an Administrator, it can search through the AD with no problem. But even then that user cannot connect through vSphere Client when "Use Windows session credentials" is checked, only when manually providing DOMAIN\username and password; also, logging in in the form of username@domain is not working on the servers affected by this issue.

We haven't tried restarting the hosts yet but we will try that when the workload permits us.

Chlsmith
Contributor

I guess this never was answered. I ended up having to license vCenter for them all to get this to work completely right.

joyb81
Contributor

Hi All,

I am having the same issue in my lab. I am in the evaluation period, the version is ESXi 5.5, but it is not working. What is the workaround as of now?

Regards

Joy Banerjee

http://aikitsupport.com

Chlsmith
Contributor

I never got a resolution to this. I spent several hours on the phone with support and sent logs several times, trying many things. The last copout answer I got was that I was plugged into a 100Mbps switch instead of the suggested GigE. We all know that's just hogwash.

Once I ordered and activated my ROBO licenses, everything worked with them. Until then, I just had to use the root account.

GMCON
Enthusiast

As far as I know this just tended to be a problem with the host needing some time to sync with Active Directory after joining it to the domain. From my experience, if the host is rebooted after joining to the domain then it immediately syncs and you can add permissions.

Mobistek
Contributor

On the Domain Controller just run "gpupdate /force" - this solved my problem in a minute.

DTKirby
Contributor

Try going into the Authentication settings and removing then re-adding to the domain. You will have to wait or do a Gpupdate /Force on your Domain Controller to push replication. I had to do this because the host was not recognizing the domain.

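The leave/rejoin procedure described in the reply above, plus the DC-side gpupdate, scripted with VMware PowerCLI. This is an added example, not code from any poster in the thread or from VMware. It assumes PowerCLI is installed and `Connect-VIServer` has already been run against the hosts (or vCenter); the domain name, domain controller name and the join credential are placeholders. The DNS SRV check runs from the administrator's workstation, so it only tells you the records exist; the hosts' own DNS servers must be able to return the same records for the LDAP bind to succeed.

```powershell
# Added example (not from the thread): report each ESXi host's AD membership
# state, then leave and rejoin the domain for hosts that are joined but unhealthy.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has been run.
# $Domain, $DomainController and the credential prompt are placeholders.

$Domain           = 'corp.example.local'       # placeholder domain name
$DomainController = 'dc01.corp.example.local'  # placeholder DC name
$JoinCred         = Get-Credential -Message "Account permitted to join hosts to $Domain"

# 1. Can the SRV records that locate domain controllers be resolved?
#    A host that cannot find a DC cannot bind to LDAP at all.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV records for $Domain; check DNS before touching the hosts."
}

# 2. Report membership status for every connected host.
$hosts = Get-VMHost
foreach ($h in $hosts) {
    $auth = Get-VMHostAuthentication -VMHost $h
    Write-Host ("{0,-30} Domain={1,-25} Status={2}" -f $h.Name, $auth.Domain, $auth.DomainMembershipStatus)
}

# 3. For hosts that are joined but not reporting Ok, leave and rejoin the domain.
foreach ($h in $hosts) {
    $auth = Get-VMHostAuthentication -VMHost $h
    if ($auth.Domain -and $auth.DomainMembershipStatus -ne 'Ok') {
        Write-Host "Re-joining $($h.Name) to $Domain"
        Set-VMHostAuthentication -VMHostAuthentication $auth -LeaveDomain -Force -Confirm:$false | Out-Null
        # Re-read the object after leaving; the previous one is stale.
        $auth = Get-VMHostAuthentication -VMHost $h
        Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain -Domain $Domain -Credential $JoinCred -Confirm:$false | Out-Null
    }
}

# 4. Refresh policy on the DC (the reply's "gpupdate /force"), wait briefly,
#    then re-read the membership state to confirm the hosts now report Ok.
Invoke-Command -ComputerName $DomainController -ScriptBlock { gpupdate /force } | Out-Null
Start-Sleep -Seconds 30
Get-VMHost | Get-VMHostAuthentication |
    Select-Object @{ Name = 'Host'; Expression = { $_.VMHost.Name } }, Domain, DomainMembershipStatus
```

Run it from a workstation that has both PowerCLI and network access to the domain controller. Hosts whose status stays at anything other than Ok after the rejoin usually have a DNS or time-skew problem between the host and the DC, which is worth checking before assuming licensing is the cause.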