Tynenmhorn
Contributor

vCenter v6.7u3 openLDAP LDAPS SSO

Hello:

I've been attempting to configure vCenter v6.7u3 to use an openLDAP server as an SSO source over LDAPS, and so far I have been unsuccessful. The main problem is that vCenter will establish a TLS connection and verify the certificate signatures, but will then close the connection immediately.

Here is an excerpt from when trying to submit the SSO configuration:

af4d4d42-75c4-403b-bdad-79f976bfd9a8 INFO  com.vmware.identity.interop.ldap.SslX509EqualityMatchVerificationCallback] Server SSL certificate is a trusted certificate.

af4d4d42-75c4-403b-bdad-79f976bfd9a8 WARN  com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1

af4d4d42-75c4-403b-bdad-79f976bfd9a8 WARN  com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://10.10.35.31, cn=admin,dc=example,dc=com]

af4d4d42-75c4-403b-bdad-79f976bfd9a8 ERROR com.vmware.identity.idm.server.ServerUtils] cannot establish connection with uri: ldaps://10.10.35.31

openLDAP logs show the vCenter establishing a TLS connection and then promptly losing the connection.

With openssl s_client, I can connect to the port with the certificates I provide, but I can't find anything else that would be useful. I can also connect over ldap:// as well, but I want to establish a TLS connection. Is there a particular way that the certificates should be made? I just want to get LDAPS to work.

3 Replies
Lalegre
Virtuoso

Hey Tynenmhorn​,

Could you please try the following:

  • Use the connectivity string as ldaps://ip:636
  • I do not remember this entirely, but can you specify the User Bind DN?
Tynenmhorn
Contributor

Use the connectivity string as ldaps://ip:636

No luck. Logs show an attempt to connect to that port, and a packet capture shows that a TLS connection is established (the handshake finishes). I've run netstat to confirm that port 636 is open as well, and the openldap server is logging the vCenter IP address.

This is all I see on the openLDAP server:

conn=1001 fd=13 ACCEPT from IP=[vCenter IP Address]:34594 (IP=0.0.0.0:636)

conn=1001 fd=13 TLS established tls_ssf=256 ssf=256

conn=1001 fd=13 closed (connection lost)

So it looks like it makes a connection and then just gives up, and on the vCenter server I just have an LDAP error code of -1.

can you specify the User Bind DN?

Yes. I can successfully connect through normal LDAP. So I believe the DNs are correct.

Lalegre
Virtuoso
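The three slapd lines quoted in the reply above (ACCEPT, TLS established, closed) are enough to tell a client-side abort from a server-side bind failure: a bind rejected by the server leaves a BIND/RESULT pair with a non-zero err, whereas a session the client drops right after the handshake has no BIND at all. The following script is an added example, not part of this thread or of any VMware or OpenLDAP tooling; it parses slapd connection logs into per-connection state and flags connections that negotiated TLS but closed without ever binding. The log excerpt embedded in it is constructed (conn=1001 mirrors the pattern reported above, conn=1002 is a healthy LDAPS bind, conn=1003 is a plain-LDAP bind); the client addresses are documentation-range placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample slapd log excerpt (not taken from the poster's server).
# conn=1001: TLS negotiated, then the client dropped the session before binding.
# conn=1002: TLS negotiated, successful simple bind, clean unbind.
# conn=1003: plain LDAP on 389, successful bind (no TLS line at all).
SAMPLE_LOG = """\
conn=1001 fd=13 ACCEPT from IP=192.0.2.10:34594 (IP=0.0.0.0:636)
conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
conn=1001 fd=13 closed (connection lost)
conn=1002 fd=14 ACCEPT from IP=192.0.2.10:34600 (IP=0.0.0.0:636)
conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 UNBIND
conn=1002 fd=14 closed
conn=1003 fd=15 ACCEPT from IP=192.0.2.20:41000 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1003 op=0 RESULT tag=97 err=0 text=
conn=1003 fd=15 closed
"""

CONN_RE = re.compile(r"^conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<client>\S+) \(IP=(?P<listener>[^)]+)\)")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"RESULT tag=\d+ err=(?P<err>\d+)")
CLOSED_RE = re.compile(r"\bclosed\b")


def parse_slapd_log(text):
    """Fold slapd connection/operation lines into one state record per conn id."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # lines without a conn= prefix (startup, slapd config) are ignored
        cid = int(m.group("conn"))
        rest = m.group("rest")
        c = conns.setdefault(cid, {
            "client": None, "listener": None, "tls": False,
            "bind_dn": None, "bind_err": None, "closed": False, "lost": False,
        })
        a = ACCEPT_RE.search(rest)
        if a:
            c["client"] = a.group("client")
            c["listener"] = a.group("listener")
        elif "TLS established" in rest:
            c["tls"] = True
        elif BIND_RE.search(rest):
            c["bind_dn"] = BIND_RE.search(rest).group("dn")
        elif RESULT_RE.search(rest) and c["bind_dn"] is not None and c["bind_err"] is None:
            # first RESULT after a BIND is the bind outcome; err=0 means success
            c["bind_err"] = int(RESULT_RE.search(rest).group("err"))
        elif CLOSED_RE.search(rest):
            c["closed"] = True
            c["lost"] = "connection lost" in rest
    return conns


def tls_without_bind(conns):
    """Conn ids where TLS completed but the session closed with no BIND: client-side abort."""
    return [cid for cid, c in conns.items()
            if c["tls"] and c["bind_dn"] is None and c["closed"]]


def failed_binds(conns):
    """Conn ids where the server answered the BIND with a non-zero err: server-side rejection."""
    return [cid for cid, c in conns.items()
            if c["bind_err"] not in (None, 0)]


def report(text):
    """Human-readable summary; returns the lines so callers can assert on them."""
    conns = parse_slapd_log(text)
    lines = []
    for cid in tls_without_bind(conns):
        c = conns[cid]
        lines.append(f"conn={cid} from {c['client']} on {c['listener']}: "
                     f"TLS established, closed without BIND (client aborted after handshake)")
    for cid in failed_binds(conns):
        c = conns[cid]
        lines.append(f"conn={cid} from {c['client']}: BIND as {c['bind_dn']} "
                     f"rejected with err={c['bind_err']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against `journalctl -u slapd` or the syslog file slapd writes to (loglevel must include `conns` and `stats`, the default 256 covers the lines used here). A hit from `tls_without_bind` means the server never saw a bind request, so the certificate or hostname check to investigate is on the client side, not in slapd's ACLs or bind DN.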

This is a Linux server, right? What can you see on the OpenLDAP server in /var/log/auth.log and /var/log/secure?
