jheppner
Enthusiast

Plug-In Error - Bad credential for plugin installation ch.dunes.login.ldap.LdapOrganizationalUnit

So I am at, I believe, the last step to get Orchestrator up and running and I have this error. Some background: I am using our production AD for authentication, so I did not create any groups or IDs. I am using my ID and the users group for authentication. My question is: do I need to create a vCO-Admin group to get past this, or can I use one of our existing groups?

Any help would be appreciated.

Joachim

20 Replies
Burke-
VMware Employee

Yes, you can use one of your existing groups. You'll need to specify that group as the "LCM Admins" group under your configuration. Once that is done, verify an account in that group by using the test login tab in the Configuration. You should receive a success message that states that the account is an Admin also. Once you've confirmed this, specify that user and password on the plugins page.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter
jheppner
Enthusiast

OK, so here is the error I am getting when I test the user account:

Error : ch.dunes.login.ldap.LdapOrganizationalUnit

Is Orchestrator reverting to its pre-VMware days? Dunes... :)

Does this mean the ID is not in that user group?

Burke-
VMware Employee

Do ANY user accounts authenticate? What have you used as the username for LDAP? Make sure you try user@domain.com (rather than just user). Also, be sure your LDAP paths are correct, i.e. for the Active Directory Users container, the path is CN=users,DC=domain,DC=com

dquintana
Virtuoso

Hello, try to use the same account that you use to install vCenter.

____________________________

Ing. Diego Quintana

VCP-VAC-VTSP-VSP

Wetcom Group

Buenos Aires - Argentina

www.wetcom.com.ar

jheppner
Enthusiast

I spoke with one of our AD folks and the LDAP config looks right. When I test my account, here are the errors:

When I used my ID and the correct password I get this:

Error : ch.dunes.login.ldap.LdapDomain

When I use my ID and an incorrect password I get this:

(reason : )

Part of the error message shows my ID, so the lookup is working correctly.

I cannot use the vCenter installation/service account; this is a local account.

Strange.

Joachim

admin
Immortal

Hi,

Do you have a "simple" AD or do you have multiple domains in your AD?

What you can do (to try) is to set your bases to dc=my,dc=domain and use the Domain Users as the vCO Admin group. Then, can you log in?

romant
Contributor

Having exactly the same issue:

ch.dunes.login.ldap.LdapOrganizationalUnit - when the login U/P is correct, and

(reason : ) - when incorrect.

vCenter is installed with a LOCAL admin account, then it was joined to a domain.

All the User/Group and vCO are set (actually to the same group of users) - and still the above errors occur.

Any more ideas?

Thanks

admin
Immortal

From another forum, I found this small list:

525 - user not found

52e - invalid credentials

530 - not permitted to logon at this time

532 - password expired

533 - account disabled

701 - account expired

773 - user must reset password

Your case is 52e, invalid credentials. Maybe you don't enter the username the way LDAP mode for AD wants it. The "admin" user you define in the LDAP config must have the full username: domain\user (pre-W2k) or user@domain.my (W2k and later).

I think you use the "simple user" form. If not, do you have special characters in your password? Maybe spaces?

grahamwm
Enthusiast

Has anyone found a solution to this problem? I am having the exact same problem.

I have a simple AD structure and have set my search groups to just dc=domain,dc=co,dc=uk

This matches my root.

When I test login I get this error using a true account: Error : ch.dunes.login.ldap.LdapDomain

When I try login using a true account with wrong password I get: Cannot login user : CN=username,CN=Users,DC=domain,DC=co,DC=uk (reason : )

Anyone know any reason for this not working?

admin
Immortal

What is your search users? dc=domain,dc=co,dc=uk?

What form do you use for the administrator user defined in the LDAP?

grahamwm
Enthusiast

Yes, all lines, search groups, search users and vCO admin groups, are set to dc=domain,dc=co,dc=uk

I then set users to

ou=users,dc=domain,dc=co,dc=uk

groups to ou=groups,dc=domain,dc=co,dc=uk

vCO admin group to ou=groups,dc=domain,dc=co,dc=uk

When I ran a test login the error went from ch.dunes.login.ldap.LdapDomain to ch.dunes.login.ldap.LdapOrganizationalUnit

admin
Immortal

OK,

What about the users? In my config I have: myUser@myDomain.com. Do you set the user using only the "myUser" form?

grahamwm
Enthusiast

I have tried the following:

Domain\MyUser

MyUser@domain

Both return the same message.

admin
Immortal

OK,

Which type of AD do you have? 2k, 2k3, 2k8?

Do you have more than one domain in your AD tree? If yes, is your user part of the same domain you are connecting to?

Burke-
VMware Employee

I noticed that you have:

"vCO admin group to ou=groups,dc=domain,dc=co,dc=uk"

when it should be something like:

"cn=vcoadmins,ou=groups,dc=domain,dc=co,dc=uk"

I'm not sure how much that will help, but the VCO Admin group needs to point to the actual group, not just the groups container...

grahamwm
Enthusiast

It's a 2k3 domain and single domain.

grahamwm
Enthusiast

I have solved my issue:

After playing with name entries in the search boxes I came up with this:

User lookup base: ou=users,dc=domain,dc=co,dc=uk

Group lookup base: ou=groups,ou=users,dc=domain,dc=co,dc=uk

vCO Admin group: cn=domain admins,cn=builtin,dc=listening,dc=co,dc=uk

I got this after I tried cn=builtin,dc=listening,dc=co,dc=uk and got ch.dunes.login.ldap.LdapElementGeneric so figured it must be pointed the exact location on just a tier in the structure to be able to find the user. Pretty lame way of doing it, cos if you have a complex AD structure it will take ages to put all naming contexts in.

Reply
0 Kudos
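
The test-login errors reported in this thread line up with the kind of object the vCO Admin group path names (domain root, OU, container). The sketch below is an added example, not code from vCO or from any poster: it classifies a path by its leftmost RDN only, the error mapping is inferred from the posts above, and the function names are hypothetical.

```python
import re

# cn=-named default AD containers (they are not groups).
AD_DEFAULT_CONTAINERS = {"users", "builtin", "computers"}
# Group suggested in the thread as a test value; it holds every domain account.
BROAD_GROUPS = {"domain users"}
# Error class reported in this thread for each kind of admin-group path.
# Inferred from the posters' reports, not from vCO documentation.
ERROR_SEEN_IN_THREAD = {
    "domain": "ch.dunes.login.ldap.LdapDomain",
    "organizational unit": "ch.dunes.login.ldap.LdapOrganizationalUnit",
    "container": "ch.dunes.login.ldap.LdapElementGeneric",  # seen for cn=builtin
}

def split_dn(dn):
    """Split a DN into (attribute, value) pairs; a backslash-escaped comma stays in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def classify_admin_group_dn(dn):
    """Return (kind, error class the thread saw for that kind, or None)."""
    attr, value = split_dn(dn)[0]  # the leftmost RDN names the object itself
    if attr == "dc":
        kind = "domain"
    elif attr == "ou":
        kind = "organizational unit"
    elif attr == "cn" and value.lower() in AD_DEFAULT_CONTAINERS:
        kind = "container"
    elif attr == "cn":
        kind = "candidate group"  # syntax only; objectClass is not checked here
    else:
        kind = "unknown"
    return kind, ERROR_SEEN_IN_THREAD.get(kind)

def review_admin_group(dn):
    """List findings for an admin-group path; an empty list means nothing was flagged."""
    kind, error = classify_admin_group_dn(dn)
    findings = []
    if kind != "candidate group":
        seen = f" (thread saw {error})" if error else ""
        findings.append(f"path resolves to kind '{kind}', not a group{seen}")
    elif split_dn(dn)[0][1].lower() in BROAD_GROUPS:
        findings.append("every domain account would be an Orchestrator admin")
    return findings
```

A "candidate group" result only means the path is shaped like a leaf object; confirming that it is a group still takes a directory lookup.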
admin
Immortal

Great.

You can use the search feature for the LDAP config.

romant
Contributor

Solved.

It's a matter of the structure that you have in AD.

I created a new group under root and was able to get everything working. I'll see if I can drop some screenshots later.
