Hi,
With the new AD plugin I can connect to two AD domains without an issue, but I have a use case of adding a user from AD 1 to a group in AD 2.
This produces errors if I try to do it:
LDAP: error code 32 - 00000525: NameErr: DSID-031A1292, problem 2001 (NO_OBJECT)
PowerShell does it OK, so auth to both ADs appears to be fine. Is this just something that the AD plugin can't do?
Cheers
Check this article: Troubleshooting LDAP-Errors in vCO
LDAP 32 means that some object related to the task does not exist. So I assume something like the OU object or the group you want to add the user to does not exist in the domain.
Can you share the workflow?
And: What's the domain configuration (trusts, forest, ...)?
Regards
Joerg
Hi,
Thanks. I grab the user and group from the different domains and put them into an AD user and group object, then write them out to the system log to check; they are both populated OK. A domain trust is set up for the group domain to trust the user domain, and in PowerShell it works OK. Script lines are below; help much appreciated.
Cheers
var staffUser = ActiveDirectory.search("User", staffName, adHostStaff);
var corpGroups = ActiveDirectory.search("UserGroup", groupName, adHost);
var corpGroup = corpGroups[0];
corpGroup.addElements(staffUser);
Can it happen that ActiveDirectory.search() returns more than one object (one of them in the wrong domain)? (E.g. when the same groupName exists in both domains.)
Hi,
I believe vCenter SSO doesn't support cross-domain. Its design is based on a single domain. We can add multiple domains for authentication.
Hi,
I think that is the case; the names are unique, and it works in PowerShell and through the AD interface, just not through vCO. For now I'm going to have to drop out to run an external PowerShell script; it would have been nice to keep it in vCO.
Cheers
var staffUser = ActiveDirectory.search("User", staffName, adHostStaff);
var corpGroups = ActiveDirectory.search("UserGroup", groupName, adHost);
var corpGroup = corpGroups[0];
corpGroup.addElements(staffUser);
Have you tried either...
var staffUser = ActiveDirectory.search("User", staffName, adHostStaff)[0];
var corpGroups = ActiveDirectory.search("UserGroup", groupName, adHost);
var corpGroup = corpGroups[0];
corpGroup.addElements(staffUser);
Or...
var staffUser = ActiveDirectory.search("User", staffName, adHostStaff);
var corpGroups = ActiveDirectory.search("UserGroup", groupName, adHost);
var corpGroup = corpGroups[0];
corpGroup.addElements(staffUser[0]);
AD search returns an array even if it finds only one object...
Next...
Can you validate your user...
var staffUser = ActiveDirectory.search("User", staffName, adHostStaff);
System.log(staffUser[0].distinguishedName); // this is from memory, but I think it is right
var corpGroups = ActiveDirectory.search("UserGroup", groupName, adHost);
var corpGroup = corpGroups[0];
System.log(corpGroup.name); // also from memory, but I think it is right
corpGroup.addElements(staffUser);
The nature of adding it should be an LDAP call to the AD that holds the group, specifying the user object. I believe it is the responsibility of the domain to then rationalize the trust. I think this should be working for you, but unfortunately my domains at work that I use in the plugin do not have a trust... so I cannot check. I have had considerable success working with two different domains with accounts that were exactly the same in both. (This was accomplished via custom vRO actions that do all lookups/searches and work "byHost", so I can target domains specifically in the workflows.)
At any rate, give those few things a look. Maybe there is actually something to it, and it will work out for you. More logging of the objects might help (if you haven't done that already).
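The "byHost" pattern the last reply describes (search each domain explicitly, check that the array holds exactly one hit, log both DNs before calling addElements), written up as an added example that is not from the thread or from the vRO plugin. It is plain JavaScript so it runs outside vRO: `ad` stands in for the ActiveDirectory scripting object, only its search(type, name, host) shape is taken from the page, and the two-domain directory data and host names are constructed.

```javascript
// Added example, not from the thread or the vRO plugin: the posted four lines made defensive.
// `ad` stands in for the vRO ActiveDirectory object; only search(type, name, host) is taken from the page.
function resolveUnique(ad, type, name, host) {
  // search() returns an array even for a single hit, so check the count explicitly.
  var hits = ad.search(type, name, host) || [];
  var where = host ? host.name : "all configured hosts";
  if (hits.length === 0) {
    throw new Error(type + " '" + name + "' not found on " + where);
  }
  if (hits.length > 1) {
    throw new Error("ambiguous " + type + " '" + name + "' on " + where + ": " +
      hits.map(function (o) { return o.distinguishedName; }).join("; "));
  }
  return hits[0];
}

function addUserToGroupByHost(ad, userName, userHost, groupName, groupHost, log) {
  var user = resolveUnique(ad, "User", userName, userHost);
  var group = resolveUnique(ad, "UserGroup", groupName, groupHost);
  // Log both DNs before the write so an LDAP 32 (NO_OBJECT) can be matched
  // against exactly what was handed to addElements().
  log("user:  " + user.distinguishedName);
  log("group: " + group.distinguishedName);
  group.addElements(user); // the single object, not the array search() returned
  return group.distinguishedName;
}

// Constructed stand-in for two trusting domains where the same group name exists in both.
function makeFakeAd() {
  function group(dn) {
    return { type: "UserGroup", name: dn.split(",")[0].slice(3), distinguishedName: dn,
             members: [], addElements: function (obj) { this.members.push(obj.distinguishedName); } };
  }
  function user(dn) {
    return { type: "User", name: dn.split(",")[0].slice(3), distinguishedName: dn };
  }
  var byHost = {
    corp:  [group("CN=VDI-Users,OU=Groups,DC=corp,DC=example")],
    staff: [user("CN=jdoe,OU=People,DC=staff,DC=example"),
            group("CN=VDI-Users,OU=Groups,DC=staff,DC=example")]
  };
  return {
    hosts: { corp: { name: "corp" }, staff: { name: "staff" } },
    // Without a host the fake searches every domain, which is how duplicates sneak in.
    search: function (type, name, host) {
      var pool = host ? byHost[host.name] : byHost.corp.concat(byHost.staff);
      return pool.filter(function (o) { return o.type === type && o.name === name; });
    }
  };
}
```

Searching for the group without a host hits both domains and is rejected as ambiguous, while targeting the corp host adds the staff user only to the corp group.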