For several version of ESX I've used LDAP authentication to tie in authentication to my directory tree (NOT Active Directory). In version 4.1.0, I'm having a very hard time getting it working. I run the following command:
esxcfg-auth --enableldap --enableldapauth --ldapserver=edirectory1.my.domain --enableldaptls --ldapbasedn=dc=it,dc=my,dc=domain
which configures the ldap.conf files correctly and seems to enable everything. After doing this, I can log in via SSH and can see the users under the Add Permissions section of the VI Client, but I cannot log on using LDAP users in the VI Client. The error is invalid login, and, in /var/log/messages, I see the following:
Jan 27 12:49:20 esx2 /usr/lib/vmware/bin/vmware-hostd: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): Can't contact LDAP server
Jan 27 12:49:20 esx2 /usr/lib/vmware/bin/vmware-hostd: pam_ldap: _set_ssl_default_options failed
Jan 27 12:49:20 esx2 /usr/lib/vmware/bin/vmware-hostd: pam_ldap: ldap_starttls_s: Not Supported
Any ideas what I'm doing wrong?? I've tried changing the config file from TLS (ssl start_tls) to traditional SSL (ssl on), but that just generates different errors. It also seems to only be vmware-hostd that has this issue - sshd works fine with LDAP authentication, and all of the command-line utils recognize the users.
Just bumping this thread - does *anyone* have LDAP SSL working in ESX 4.1.0? I've just updated to update 1, and still no success. Any hints or questions would be greatly appreciated.
Novell eDirectory is my directory tree. It requires TLS or SSL for authentication. I can't remember if I already mentioned, but I have an ESX 4.0.0 machine that authenticates against it without a problem. This appears to be something in 4.1.0 that is broken or changed. I also have a lot of other Linux systems authenticating against the eDirectory tree, so I'm fairly confident it's either something I haven't configured correctly, or a bug in one of the libraries.
Oh, one other interesting note. With LDAP authentication enabled, SSH and anything related to the Linux-based management console (e.g. su) work fine - password is accepted and LDAP authentication occurs. The errors that I'm seeing appear to only happen when the VMware management binaries try to authenticate - primarily vmware-hostd (see messages below). Wonder if something got messed up with the linking of vmware-hostd that has yet to be corrected?
Feb 15 22:08:40 esx2 /usr/lib/vmware/bin/vmware-hostd: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): Can't contact LDAP server
Feb 15 22:08:40 esx2 /usr/lib/vmware/bin/vmware-hostd: pam_ldap: _set_ssl_default_options failed
Feb 15 22:08:40 esx2 /usr/lib/vmware/bin/vmware-hostd: pam_ldap: ldap_starttls_s: Not Supported
I currently do not have an active support contract, but I'm considering opening a one-time case with VMware on the issue to see if they can resolve it.
Basically I supsect could be the way esxi and the 4.1 autheticate, with the adoption of Likewise Enterprise authentication service I suspect they changed the way the vSphere host connect to LDAP directories.
I found this KB that maybe could help you.
playing a bit around I was lookin at the configuration in the esxi box.. could be a tls authetication issue..you should find in /etc/likewise a couple of conf that could help you.
Try to look at lsass.conf one.
Took a look at the likewise config files and didn't see anything useful in there. I'm not using AD or any sort of AD connector, and likewise appears to be something that helps with AD (Samba/winbind-type connector).
Well, following the suggestions in that KB article reduced my errors from 3 to 1, but it's still enough to prevent it from working correctly. I still get the following:
Feb 16 09:29:38 esx2 /usr/lib/vmware/bin/vmware-hostd: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS) Can't contact LDAP server
Again, SSH and everything else works as expected, just vmware-hostd that has an issue.
Yeah...the difference is that I'm much more hesitant to mess around with the service console packages than with the platform packages of my own O/S. Running a hosted product is a little different from the hypervisor-style ones, so I'm a little more careful as to adding/removing packages. And, you're right, that was my previous post/solution :-).
And the answer from the technical support folks is: ESX 4.1.0 does not support anything but ActiveDirectory authentication. I'm getting a technical document that gives a work-around (which I will post here), but the current direction seems set to move away from supporting anything but AD-based authentication.
Caution, big rant here...
Thank you, VMware, for making my decision to migrate away from VMware ESX all that much easier. I've long been amazed at the ridiculous prices for the advanced features, but the real decision was made by your unwillingness to support non-Windows users. I had a feature request in one of the forums that I filled out three or four years ago for a Linux-based VI Client. This has been totally and completely ignored - even the Linux-based console support via the console plugin is tenous, at best. You now continue this behavior and this attitude by making sure that the only way we can use distributed authentication with VMware is to run ActiveDirectory servers. Well, you have now completely lost my business - I will finish my migration to a different virtualization platform - one that supports true LDAP-based authentication *and* management from non-Windows clients, and I will look back with absolutely no regret. Furthermore, I will enjoy the advanced features, like live migration, without paying the ridiculous prices you demand. You have put the last nail in your own coffin.
Okay, I'm done...I'm going to try the steps in this document that they sent, and I'll post it if it works.
I'm really not sure how I can do otherwise at this point. I'm not going to convert my whole environment to M$ just to keep VMware around as my virtualization platform. VMware has always been a pioneer in the virtualization arena, but they are pushing out the community that gave them their biggest start - the Linux/OSS community. If VMware (EMC, perhaps?) would return to reasonable behavior and maintain their ESX platform as supportable by non-Windows users and Windows users alike, then I'd consider it. At this rate, though, they're defining the market that they want, and I don't fit into that market. That's fine, I'll take my toys and go play (and pay) in someone else's arena.
Oh, and the document they sent was totally and completely worthless in getting LDAP authentication running. They have a bug in their software right now, aren't willing to admit it, and have just decided to go the AD-only route, anyway. So long...
The new (relatively) partnership with Novel could change that though. Combined with Zimbra and Springsource there is some hope for a change in direction. Some SLES licenses are included with vSphere. One can hope.