VMware Cloud Community
mjpagan
Enthusiast

LDAP user access in vCOPS for View

I have installed the addon for View to my vCOPS and that is working but I'd like to enable read only access for a group of LDAP (AD) users.  I can see where I can enter my LDAP information but when I click on Lookup I get an error message.  So far my searching has not found a reference or manual for the required settings so if anyone has an idea on what I'm doing wrong I'd appreciate some guidance.

Attached are a sample of my LDAP settings and the error that I receive when I do a Lookup.

Mike Pagán MCITP:EA, MCSE, VCAP5-DCA, VCAP5-DCD,VCP 5, VCP5-DT, CCNA, A+
5 Replies
gradinka
VMware Employee

have you tried with SSL enabled?

are you sure credentials are correct...

LDAP Error code 49 is usually due to bad credentials.

hope that helps.

MHAV
Hot Shot

Hi mjpagan,

I'm wondering about the user you are using to connect to LDAP. The domain extension is missing in my opinion, something like domain\username and not only username.

You should check your Windows Security event log and see if there is a user Administrator with an access denied event.

Regards

Michael

Regards Michael Haverbeck Check out my blog www.the-virtualizer.com
mjpagan
Enthusiast

I figured out what my issue was.  Although it didn't specify, on a whim I tried entering my username in the DC=administrator, DC=domain, DC=local format and it worked.  I did not try the domain\username method though, so that might have worked also.

Mike Pagán MCITP:EA, MCSE, VCAP5-DCA, VCAP5-DCD,VCP 5, VCP5-DT, CCNA, A+
TammieD
Enthusiast

We have LDAP authentication configured to load users from several AD groups, depending on the access we want them to have (read only, admin, power users).

In Manage LDAP Host, we use sAMAccountName for the username field, because when we used UID, it created the user name in vCOps as "name.domain.com".  When we were setting this up, our AD team was moving people around domains and some of our pilot team were moved and their user ID was no longer the same, so they couldn't log in.

In the Base DN, we use an AD OU that contains the AD groups that we set up for vCOps users.  We then import the users from the AD groups into the corresponding vCOps groups.

Username, we used the domain\username format, so yes, that does work also.

mlebied
Enthusiast

One thing to note is that if you subsequently move a user object in AD to another OU, which changes the DN (directory name), you will need to delete the user from vcops and let the LDAP import run. The reason for this is that vcops identifies the logon with the DN, but the LDAP import does not update the DN when the object moves to another OU. Hopefully this will be fixed when vcops externalizes auth/authz to vCenter SSO.

We also use sAMAccountName with good results.

Another issue we have discovered is that the LDAP import does not recursively parse nested groups, which means the groups used to permission users in vcops only recognizes user objects, not groups. Have others had the same experience?

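The two import limitations described in the last reply (nested groups not expanded, and logons keyed on a DN that goes stale when an object moves OUs) can be checked offline before an import runs. The script below is an added example, not code from any poster or from vCOps; the directory entries, group names and DNs in it are constructed sample data.

```python
# Added example: expand nested AD group membership the way a recursive import
# would, list the accounts a flat (non-recursive) import misses, and flag
# accounts whose DN changed between two snapshots. Constructed sample data.

DIRECTORY = {
    "CN=vcops-readonly,OU=vCOps,DC=example,DC=local": {
        "objectClass": "group",
        "member": ["CN=alice,OU=Users,DC=example,DC=local",
                   "CN=helpdesk,OU=Groups,DC=example,DC=local"],
    },
    "CN=helpdesk,OU=Groups,DC=example,DC=local": {
        "objectClass": "group",
        "member": ["CN=bob,OU=Users,DC=example,DC=local",
                   # membership cycle, which the recursion must tolerate
                   "CN=vcops-readonly,OU=vCOps,DC=example,DC=local"],
    },
    "CN=alice,OU=Users,DC=example,DC=local": {"objectClass": "user", "sAMAccountName": "alice"},
    "CN=bob,OU=Users,DC=example,DC=local": {"objectClass": "user", "sAMAccountName": "bob"},
}


def direct_users(group_dn, directory=DIRECTORY):
    """What a flat import sees: only direct 'member' values that are user objects."""
    return sorted(m for m in directory[group_dn]["member"]
                  if directory[m]["objectClass"] == "user")


def effective_users(group_dn, directory=DIRECTORY, _seen=None):
    """Recursively expand nested groups; _seen guards against cycles."""
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)
    users = set()
    for m in directory[group_dn]["member"]:
        if directory[m]["objectClass"] == "group":
            users |= effective_users(m, directory, _seen)
        else:
            users.add(m)
    return users


def missed_by_flat_import(group_dn, directory=DIRECTORY):
    """sAMAccountNames reachable only through nested groups."""
    nested = effective_users(group_dn, directory) - set(direct_users(group_dn, directory))
    return sorted(directory[dn]["sAMAccountName"] for dn in nested)


def moved_accounts(previous, current):
    """Compare {sAMAccountName: DN} snapshots; a changed DN means the object moved OU."""
    return sorted(u for u in previous if u in current and previous[u] != current[u])
```

Run `missed_by_flat_import` on each group you map to a vCOps role to see who would be left out, and `moved_accounts` on the last and current snapshot to know which users need the delete-and-reimport described above.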