VMware Cloud Community
mobcdi
Enthusiast

Initial config: vCO admin group membership / LDAP / plugin permissions

I think I'm circling round the solution to my issue but just can't put it all together, so I hope the community can help me once again. I'm configuring LDAP and copied the distinguished name of an existing security group to use for the vCO admin group and pasted it into the LDAP config. I set the user lookup base to an OU further up the AD path.

  • vCO Admin group: CN=ManagevCO,OU=AccessGroup,OU=SecurityGroups,OU=Staff,DC=company,DC=domain
  • Group lookup base: OU=AccessGroup,OU=SecurityGroups,OU=Staff,DC=company,DC=domain
  • User lookup base: OU=Users,OU=Staff,DC=company,DC=domain

When I test login with my domain account I get "User logged successfully, UserAccount User is NOT a member of vCO administration group."

I check the AD properties of my domain account and under "Member of" the vCO Admin group is listed. The group contains 3 users from OU=Users,OU=Staff,DC=company,DC=domain, but they are unavailable to try logging in at this time.

I tried changing the vCO Admin group to a broader group but got the same error, where the user is authenticated but not recognised as a member of the vCO Admin group.

2 Replies
KiwiDave
Enthusiast

Try changing your user lookup base to "dc=company,dc=domain".

I found similar issues when the group lookup and vco admin group are not part of the sub-tree for the user lookup base.

Hope that helps.

mobcdi
Enthusiast

Changed the user base to dc=company,dc=domain, but that didn't resolve it.

I changed the username used to query LDAP and was then able to validate that users were members of the vCO admin group, so it looks like a permissions issue with the service account used to search the LDAP directory, which appears not to be allowed to read membership details.

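The two hypotheses raised in this thread (KiwiDave's point that the group and user DNs must sit inside the configured lookup bases, and mobcdi's final finding that the bind account could not read membership details) can both be checked from the output of a plain LDAP search for the user entry. The script below is an added example, not code from the thread or from VMware: it reuses the DNs from the original question, but the user entry "Jane Doe" and the two LDIF outputs are constructed to show what a search returns when the bind account can and cannot read memberOf (Active Directory silently omits attributes the caller is not allowed to read rather than returning an error). Point it at real `ldapsearch -LLL` output, bound once as the vCO service account and once as a known-good account, to tell the two failure modes apart.

```python
"""Diagnose why an LDAP-authenticated user is not recognised as a vCO admin.

Added example (not from the thread or from VMware). Works on LDIF text such as
`ldapsearch -LLL` prints, so it runs offline on the constructed samples below.
"""
from typing import Dict, List, Tuple

# Configuration values copied from the original question.
VCO_ADMIN_GROUP = "CN=ManagevCO,OU=AccessGroup,OU=SecurityGroups,OU=Staff,DC=company,DC=domain"
GROUP_LOOKUP_BASE = "OU=AccessGroup,OU=SecurityGroups,OU=Staff,DC=company,DC=domain"
USER_LOOKUP_BASE = "OU=Users,OU=Staff,DC=company,DC=domain"

# Constructed sample outputs for the same user entry, as returned when bound
# with two different accounts. The first account cannot read memberOf, so the
# attribute is simply absent; the second account can read it.
LDIF_RESTRICTED_BIND = """\
dn: CN=Jane Doe,OU=Users,OU=Staff,DC=company,DC=domain
sAMAccountName: jdoe
"""

LDIF_PRIVILEGED_BIND = """\
dn: CN=Jane Doe,OU=Users,OU=Staff,DC=company,DC=domain
sAMAccountName: jdoe
memberOf: CN=ManagevCO,OU=AccessGroup,OU=SecurityGroups,OU=Staff,DC=company,DC=domain
memberOf: CN=Helpdesk,OU=OtherGroups,DC=company,DC=domain
"""


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (lower-cased, whitespace trimmed).

    Sufficient for the unescaped DNs in this thread; a full RFC 4514 parser
    would also have to handle escaped commas inside RDN values."""
    return [part.strip().lower() for part in dn.split(",")]


def dn_is_under(dn: str, base: str) -> bool:
    """True when `dn` is `base` itself or lies in the sub-tree below it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[-len(b):] == b


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single-entry LDIF block into attribute name -> list of values."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def diagnose(ldif: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings) for one user entry.

    Findings distinguish a lookup-base mismatch from a bind account that
    cannot read group membership, which produce the same symptom in vCO."""
    entry = parse_ldif(ldif)
    findings: List[str] = []
    user_dn = entry["dn"][0]
    if not dn_is_under(user_dn, USER_LOOKUP_BASE):
        findings.append("user DN is outside the user lookup base")
    if not dn_is_under(VCO_ADMIN_GROUP, GROUP_LOOKUP_BASE):
        findings.append("admin group DN is outside the group lookup base")
    groups = entry.get("memberof")
    if groups is None:
        findings.append("memberOf not returned: bind account cannot read group membership")
        return "NOT_ADMIN", findings
    is_member = any(dn_components(g) == dn_components(VCO_ADMIN_GROUP) for g in groups)
    if not is_member:
        findings.append("user is not listed in the vCO admin group")
        return "NOT_ADMIN", findings
    return ("ADMIN" if not findings else "NOT_ADMIN"), findings


if __name__ == "__main__":
    for label, sample in (("restricted bind", LDIF_RESTRICTED_BIND),
                          ("privileged bind", LDIF_PRIVILEGED_BIND)):
        verdict, notes = diagnose(sample)
        print(f"{label}: {verdict}")
        for note in notes:
            print(f"  - {note}")
```

Run against the constructed samples, the restricted bind reports NOT_ADMIN with the finding that memberOf was not returned, while the privileged bind reports ADMIN with no findings; that is exactly the difference mobcdi saw after swapping the query account, and it is worth recording the service account's read permissions on the group objects so a later audit does not have to rediscover it.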