Jer2224
Contributor

vCD and LDAP Groups in v5.1.1

I have a customer who wants to use AD groups for vCloud Director authentication, as in their private cloud they have specific OUs for Organisational LDAP lookups.

Obviously, users cannot be members of several OUs within the 2008 AD, so they are using global security groups instead of individual users in these OUs, then importing these groups via the LDAP sync into vCloud organisations.

Only problem is that when assigned a role by the Org Admin (i.e. vApp User), they cannot log in to their organisation using AD credentials.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=200931...

I found this KB article which I assume is the issue, but it's not clear on the steps and implications of using its workaround for getting group authentication to work. Any thoughts / suggestions?


Cheers.

Jeremy.

12 Replies
IamTHEvilONE
Immortal

Global Catalog is LDAP port 3268, and doesn't carry all the information required by vCloud Director to successfully create users in an environment.

The two common ports are 389 (LDAP) and 636 (LDAP secured).

In your organization, using the organization-specific LDAP configuration, are you able to import a specific user directly?  This is just to test if vCloud can copy data.

Then ensure that the users know to log in with the username as specified in that web page.  This should correspond to the Username field of the LDAP configuration.

Hopefully that gives you some guidance.

Best Regards,

Jon Hemming

richdenis1
Contributor

For what it is worth, I am having a similar issue since upgrading to 5.1.1.  I could swear this used to work where individuals within an LDAP group could log into vCloud but now they cannot.  The group's Users list is empty in vCloud.  If I add the individual then things work well again.

cmbwml1
Enthusiast

I am having the same issue.  I configured LDAP to use Kerberos and even went through the work of creating an SSPI service principal name and keytab.  I can import users and groups but can't get any LDAP accounts to authenticate at the org level or the global config level.  We have a sub-domain in our forest that contains all of the user accounts for our environment (25K users, 250K+ groups).  I also noticed the issue where groups do not display any users until those users are manually imported.

Without LDAP working I looked at using SSO.  Unfortunately when I enable SSO it gives me the following error when I go to the VCD URL:

HTTP ERROR 500

Problem accessing /cloud/saml/HoKSSO/alias/vcd. Reason:

    Error determining metadata contracts

To get back into vCD I have to manually specify login.jsp at the end of the URL (https://FQDN/cloud/login.jsp)

SSO is working for vCenter logins so I am not sure what to do with authentication options for vCD.  I am also running vCD 5.1.1.868405 with the latest version of vCenter 5.1.
cvrich
Contributor

I have the same issue and have a case open with VMware but have received little to no response. It looks like something to do with metadata from the STS... Either that or something causing that exception... I am seeing this in the error as well... The VMware tech seemed stumped on this one...

Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for issuer https://servername.domain.com:7444/STS wasn't found
IamTHEvilONE
Immortal

SSO is not LDAP in the case of vCloud director.  If you are using SSO, then the SSO server is the authentication and identity source.

If you use LDAP in vCloud Director, we are going to that.

So just be aware that vCloud uses one or the other, not both.

cvrich
Contributor

It doesn’t matter what credentials I use for this… I get the same error EVERY time… I can make this error happen anytime… There is nothing about it anywhere that I can find… No KB’s, Google, Yahoo, Bing… We can’t be the only people who have ever had this issue… I would just like to see support do something on it…

IamTHEvilONE
Immortal

Can you PM me your ticket number?

It sounds like there is something wrong in the lookup service endpoints.

IamTHEvilONE
Immortal

For the HoK (holder-of-key) error of SSO, make sure your public addresses in vCloud are completed correctly.  This needs to be done before registering to the lookup service.

Also, make sure that the lookup service has correct and resolvable names; vCloud pulls data from the lookup service for forwarding purposes.

If you want to know what data we pulled, go into the vCloud database and run:

select * from config where name like 'lookup%';

If these addresses have incorrect/bad data, like an improper FQDN, then you need to fix the lookup service.

FGShepherdP10
Enthusiast
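The two checks in the reply above (are the lookup-service addresses vCD copied real FQDNs, and does the SAML issuer in the "Metadata for issuer ... wasn't found" exception actually match an entityID the SP knows) can be scripted against a dump of that config query. The following is an added example and not VMware's or vCloud Director's own code; the column names, the "lookupService.*" row names, the hostnames and the issuer value are all constructed for illustration, and the only thing it asserts about vCD is what the thread itself says: the issuer must be found among the loaded metadata and the lookup-service names must be resolvable FQDNs.

```python
"""Offline sanity check for lookup-service / STS addresses (constructed example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of what `select * from config where name like 'lookup%';`
# might return, as (name, value) pairs. Row names and values are assumptions,
# not real vCD schema; the second row deliberately carries a short hostname.
SAMPLE_CONFIG_ROWS = [
    ("lookupService.url", "https://vc01.corp.example.com:7444/lookupservice/sdk"),
    ("lookupService.sts.url", "https://vc01:7444/STS"),
    ("lookupService.registered", "true"),
]

# Constructed issuer string, in the shape of the exception quoted in the thread.
ISSUER_FROM_ERROR = "https://vc01.corp.example.com:7444/STS"


def is_fqdn(host: str) -> bool:
    """True for a dotted DNS name; False for IP literals, short names and junk."""
    host = host.rstrip(".")
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is not a name the STS can be validated against
    except ValueError:
        pass
    labels = host.split(".")
    return len(labels) >= 2 and all(
        lbl and not lbl.startswith("-") and lbl.replace("-", "").isalnum()
        for lbl in labels
    )


def normalize(url: str) -> tuple:
    """Split a URL into comparable parts: scheme, host, effective port, path."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else {"https": 443, "http": 80}.get(scheme)
    host = (p.hostname or "").lower().rstrip(".")
    return (scheme, host, port, p.path.rstrip("/") or "/")


def check_config_rows(rows):
    """Return (name, problem) for each URL-valued row whose host is not an FQDN."""
    problems = []
    for name, value in rows:
        if "://" not in value:
            continue  # non-URL settings (flags, booleans) are not checked here
        host = urlsplit(value).hostname or ""
        if not is_fqdn(host):
            problems.append((name, f"host {host!r} is not a resolvable FQDN"))
    return problems


def diagnose_issuer(issuer: str, known_entity_ids) -> str:
    """Explain why a SAML issuer is not among the entityIDs the SP has loaded."""
    want = normalize(issuer)
    if any(normalize(e) == want for e in known_entity_ids):
        return "match"
    for e in known_entity_ids:
        have = normalize(e)
        if have[0] != want[0] or have[3] != want[3]:
            continue  # different scheme or path: not the same endpoint at all
        if have[2] != want[2]:
            return f"port mismatch: issuer {want[2]} vs metadata {have[2]}"
        if have[1] != want[1]:
            short, full = sorted([have[1], want[1]], key=len)
            if full.startswith(short + "."):
                return f"hostname mismatch: short name {short!r} vs FQDN {full!r}"
            return f"hostname mismatch: {want[1]!r} vs {have[1]!r}"
    return "no entityID with the same scheme and path; re-register with the lookup service"


if __name__ == "__main__":
    for name, problem in check_config_rows(SAMPLE_CONFIG_ROWS):
        print(f"{name}: {problem}")
    sts_rows = [v for n, v in SAMPLE_CONFIG_ROWS if n.endswith("sts.url")]
    print(diagnose_issuer(ISSUER_FROM_ERROR, sts_rows))
```

Run against a real dump, the interesting outcome is the "short name vs FQDN" or "port mismatch" line: that tells you the lookup service handed vCD an address that is not what the STS puts in its assertions, which is exactly the case where fixing the lookup-service registration (rather than the vCD side) is the remedy the reply points at.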

Small heart attack this morning, trying to log in to a brand new build and getting this error.  The /login.jsp "trick" saved me.  Will likely open a ticket, as well, in the meantime, and see if this creates momentum within VMW to patch/fix this.  Anyway, thanks for the post/help.

mikwakin
Contributor

I had the same issue, and after unchecking "use SSO as the identity source" the error went away. I had LDAP configured and had SSO checked as the identity source, under Administration/Federation.

IamTHEvilONE
Immortal

mikwakin ... if you have an issue, please start a new thread for it.

LDAP and SSO are two completely different websites for the purposes of logging into vCloud Director and are mutually exclusive.

mikwakin
Contributor

The thread said "Not Answered", so I was providing my feedback based on my troubleshooting of the same issue. I solved it. You're welcome.
