I've been attempting to configure vCenter v6.7u3 to use an OpenLDAP server as an SSO source over LDAPS, and so far I have been unsuccessful. The main problem is that vCenter will establish a TLS connection and verify the certificate signatures, but will then close the connection immediately.
Here is an excerpt from when trying to submit the SSO configuration:
af4d4d42-75c4-403b-bdad-79f976bfd9a8 INFO com.vmware.identity.interop.ldap.SslX509EqualityMatchVerificationCallback] Server SSL certificate is a trusted certificate.
af4d4d42-75c4-403b-bdad-79f976bfd9a8 WARN com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1
af4d4d42-75c4-403b-bdad-79f976bfd9a8 WARN com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://10.10.35.31, cn=admin,dc=example,dc=com]
af4d4d42-75c4-403b-bdad-79f976bfd9a8 ERROR com.vmware.identity.idm.server.ServerUtils] cannot establish connection with uri: ldaps://10.10.35.31
OpenLDAP logs show vCenter establishing a TLS connection and then promptly losing the connection.
With openssl s_client, I can connect to the port with the certificates I provide, but I can't find anything else that would be useful. I can also connect over ldap:// as well, but I want to establish a TLS connection. Is there a particular way that the certificates should be made? I just want to get LDAPS to work.
Use the connectivity string as ldaps://ip:636
No luck. Logs show an attempt to connect to that port, and a packet capture shows that a TLS connection is established (the handshake finishes). I've run netstat to confirm that port 636 is open as well, and the OpenLDAP server is logging the vCenter IP address.
This is all I see on the OpenLDAP server:
conn=1001 fd=13 ACCEPT from IP=[vCenter IP Address]:34594 (IP=0.0.0.0:636)
conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
conn=1001 fd=13 closed (connection lost)
So it looks like it makes a connection and then just gives up, and on the vCenter server I just have an LDAP error code of -1.
Can you specify the User Bind DN?
Yes. I can successfully connect through normal LDAP. So I believe the DNs are correct.