VMware Cloud Community
zenking

Change ldap user password as local vcsa administrator?

Stop me if you've heard this one before (I assume you have, but I couldn't find it with a search).

We have SSO with an AD identity source. I changed the pw for the ldap read only user yesterday and forgot that same account was used for the VCSA. Now I can only log into the VCSA as local admin, and I can't change the ldap user pw because the local admin apparently doesn't have network access. I get this error when I try to save: "Check the network settings and make sure you have network access to the identity source."

Can I fix this as local admin with a command line or some other way? I do still have the old ldap user password, so I might be able to revert back to that temporarily but I wanted to find out if I have another option first. I'm also not sure if I'll be able to change back to the old password if there's an AD policy to prevent that, but I think I'll be able to with this account if I have to.

Thanks.

 

VMware Environment: vSphere 7.0, EQ PS6210 SANs, Dell R730 Hosts, dedicated Dell switches w/ separate VLANs for vMotion and iSCSI.

6 Replies
stadi13

Hi @zenking 

I had this issue before with some LDAPs configurations. The solution is as simple as removing it and recreating it.

Regards

Daniel

zenking

OK, I'll try that. Makes sense since we obviously have to create it as local admin in the first place. Thanks.

stadi13

Hi @zenking

Very good. Let us know the outcome and mark as resolved for housekeeping 🙂

Regards

Daniel

zenking

Will do. Just making sure I have all my info first.

zenking

I removed the ldap identity source, but I'm still getting the "Check the network settings and make sure you have network access to the identity source" error.

zenking

Fixed. The ldap certificate is not marked as a required field, but it apparently is required so it worked as soon as I plugged in the certificate. If anyone from VMware is reading this, I would recommend that the ldap certificate field be marked as required.

I was able to download the ldap cert used by our organization by installing Git for Windows, opening Git Bash and running this openssl command:

echo -n | openssl s_client -connect ldapserver:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.cer

Where ldapserver is either the FQDN or IP address of your organization's ldap server.

Thanks, all.
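
An added example (not part of the original post, and not VMware tooling): the command above saves whatever certificate the server on port 636 presents, so this sketch compares the saved file with a SHA-256 fingerprint obtained separately from the directory administrators before the certificate is pasted into the identity source form. The function names and the out-of-band fingerprint are assumptions; it uses only sed, base64 and sha256sum, which Git Bash ships.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical.

# Print the first PEM certificate block in a file (raw s_client output or a
# saved .cer), dropping handshake text and any further certificates.
pem_first_cert() {
  sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" |
    sed '/-END CERTIFICATE-/q'
}

# SHA-256 over the DER bytes (the decoded base64 body), as lowercase hex.
# Fails if the file holds no certificate block or the body is not base64.
pem_sha256() {
  local body
  body=$(pem_first_cert "$1" | grep -v -- '-----' | tr -d ' \r\n')
  [ -n "$body" ] || return 1
  printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 1
  printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept fingerprints written as AA:BB:..., "aa bb ..." or plain hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Exit status 0 only when the file's certificate matches the expected
# fingerprint; 2 when no usable certificate was found in the file.
cert_matches_pin() {
  local actual expected
  actual=$(pem_sha256 "$1") || return 2
  expected=$(normalize_fp "$2")
  [ "${#expected}" -eq 64 ] && [ "$actual" = "$expected" ]
}

# Command-line use: script.sh ldapserver.cer 'AA:BB:...'
if [ "$#" -eq 2 ]; then
  if cert_matches_pin "$1" "$2"; then
    echo "MATCH: $(pem_sha256 "$1")"
  else
    echo "MISMATCH or unreadable certificate: do not import" >&2
    exit 1
  fi
fi
```

For a real certificate, `openssl x509 -noout -fingerprint -sha256 -in ldapserver.cer` prints the same digest in colon-separated form.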
