VMware Cloud Community
michelemase
Contributor

VMware Orchestrator configuration

Hi,

I'm trying to evaluate the VMware Lifecycle Manager.

The installation itself is pretty easy, but I'm not able to configure the LDAP part of the orchestrator configuration:

I always receive: Error Bad username or password Cannot login user : my Active Directory user

Supposing my domain is mydomain.it, I've set the parameters this way:

Primary LDAP Host: server.mydomain.it

Root: dc=mydomain,dc=it

Username: my usual Active Directory username (I'm in the Domain Admins group, so I have all the rights to browse the AD LDAP)

But I always get the error Bad username or password Cannot login user :myusername.

Any idea what I'm doing wrong?

Thank you

11 Replies
dmtech_com_au
Contributor

The LDAP part of the orchestrator configuration is not well documented. What you have to do to get LDAP working is to configure the VMO Admin group as per the instructions below:

Click LDAP tab

· Primary LDAP Host: server.mydomain.it

· Root: dc=mydomain,dc=it

· Username: DOMAIN\<Username>

Click LDAP Lookup Paths tab.

· user lookup base is dc=mydomain,dc=it

· The group lookup base is dc=mydomain,dc=it,

· VMO Admin group is cn=Domain users,cn=users,dc=mydomain,dc=it

Click Test Logon tab:

Enter the name and the password for test user and everything should work fine.

Regards,

Dusan Munizaba

dusan@dmtech.com.au

dconvery
Champion

Hey Dusan -

Does the group need to be named "VMO Admin", or can it be anything? I have a client with a group called "vmoper".

My user base and group base are set as "dc=subdomain,dc=subdomain,dc=domain,dc=com"

My VMO Admin group is set as "cn=VMOpers,dc=subdomain,dc=subdomain,dc=domain,dc=com"

Dave

Dave Convery, VCDX-DCV #20 ** http://www.tech-tap.com ** http://twitter.com/dconvery ** "Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"
nair
Contributor

Hi there,

Do I need an LDAP server to be part of my Lifecycle Manager setup?

Please let me know if you have some good documentation with respect to VMware Lifecycle Manager.

Thanks

nair
Contributor

Hi Dusan,

I am trying to finish off the LDAP configuration. I tried what's mentioned in the document and also tried the workaround you mentioned, but every time I get a message: incorrect administrator password.

I have Active Directory configured on a Windows 2003 server. Do I need to make some changes in Active Directory with respect to LDAP?

And do I need to create any groups in my domain, etc.?

Any details on this will be highly appreciated.

Thanks

rscherer
Contributor

You may want a little more secure LDAP configuration,

LDAP HOST: obviously your AD server

Root: This is your AD Domain in LDAP format, for example my domain is AD.SANNET.GOV which would be dc=ad,dc=sannet,dc=gov

On the LDAP lookup paths tab, this is where you specify your USER and GROUP base, along with what your actual VMO Admin group is...for security purposes we created a new Group just for VMO admins.

User Lookup base: OU=USERS,DC=AD,DC=SANNET,DC=GOV

Group Base: OU=GROUPS,DC=AD,DC=SANNET,DC=GOV

VMO Admin Group: CN=VMOADMINS,CN=USERS,DC=AD,DC=SANNET,DC=GOV

Good luck...install/config of VMO is pretty nerve-racking.

dconvery
Champion

rscherer -

I have been told that the best thing to do for the user and group bases is to use the root path. So they should be "DC=AD,DC=SANNET,DC=GOV" in your example. Your method was what I was using and it got me into a little trouble at my last installation.

Dave

rscherer
Contributor

I can see how it would be a benefit to do that, but I would be worried about opening OUs that really shouldn't be open. What type of issue(s) did you run into by doing what I suggested?

Rick

dconvery
Champion

I think my issue was the fact that the AD had about 50K objects. VMO choked with it. Will be fixed with the new version, I hear...

rscherer
Contributor

Ahh, good to know.... My installs were into AD with only around 20k objects and it seems to be working OK.

dconvery
Champion

Yes - the current version's LDAP connection doesn't like large ADs..

mchpis
Contributor

Thanks, your directions got me going in the right direction. For the VMO I had to use dsquery to get the complete path for the group.

Here is what I've got:

On the LDAP Tab

Primary and Secondary LDAP (AD DCs)

Root: dc=mydomain,dc=com

Username: mydomain\username

Password: my domain password

On LDAP Lookup Paths Tab

User lookup Base: dc=mydomain,dc=com

Group lookup Base: dc=mydomain,dc=com

VMO Admin Group: CN=Group,OU=Sub OU,OU=Top OU,DC=mydomain,DC=com (used dsquery group -name "Groupname" to get this path)

Tested logon and all was good.

Thanks again, this was kicking my butt...

Reply
0 Kudos
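
The Root, lookup base and VMO Admin group values posted in this thread can be checked for consistency before they are entered. The Python sketch below is an added example, not part of any post or of VMware's tooling; it assumes the admin group should sit under the group lookup base and treats `Domain Users` and `Users` as catch-all groups, and the names `parse_dn`, `is_under` and `lint` are hypothetical.

```python
import re

# Groups that hold (nearly) every account; an assumption of this example.
BROAD_GROUPS = {"domain users", "users"}

def parse_dn(dn):
    """Split a DN into lowercase (attr, value) pairs; '\\,' stays in a value.
    Simplified: no multi-valued RDNs or hex-escaped characters."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn.strip()):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(dn, base):
    """True when dn equals base or sits anywhere beneath it."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def lint(root, user_base, group_base, admin_group):
    """Return findings for one set of LDAP / Lookup Paths values."""
    findings = []
    try:
        for label, base in (("user base", user_base), ("group base", group_base)):
            if not is_under(base, root):
                findings.append(f"{label} is outside root")
        # Assumption: the admin group is only found if it lies under the group base.
        if not is_under(admin_group, group_base):
            findings.append("admin group is outside group base")
        # A catch-all admin group makes every member an orchestrator admin.
        if parse_dn(admin_group)[0][1] in BROAD_GROUPS:
            findings.append("admin group is a catch-all group")
    except ValueError as exc:
        findings.append(str(exc))
    return findings

# Values taken from three posts in the thread (trailing comma dropped in the first).
POSTED = {
    "dmtech_com_au": ("dc=mydomain,dc=it", "dc=mydomain,dc=it", "dc=mydomain,dc=it",
                      "cn=Domain users,cn=users,dc=mydomain,dc=it"),
    "rscherer": ("dc=ad,dc=sannet,dc=gov", "OU=USERS,DC=AD,DC=SANNET,DC=GOV",
                 "OU=GROUPS,DC=AD,DC=SANNET,DC=GOV",
                 "CN=VMOADMINS,CN=USERS,DC=AD,DC=SANNET,DC=GOV"),
    "mchpis": ("dc=mydomain,dc=com", "dc=mydomain,dc=com", "dc=mydomain,dc=com",
               "CN=Group,OU=Sub OU,OU=Top OU,DC=mydomain,DC=com"),
}

if __name__ == "__main__":
    for poster, values in POSTED.items():
        print(poster, lint(*values) or "ok")
```

A base typed with a trailing comma, such as `dc=mydomain,dc=it,`, is reported as a malformed RDN instead of being compared.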