So I am at, I believe, the last step to get Orchestrator up and running and I have this error. Some background: I am using our production AD for authentication, so I did not create any groups or IDs. I am using my ID and the users group for authentication. My question is, do I need to create a vCO-Admin group to get past this or can I use one of our existing groups?
Any help would be appreciated.
Joachim
Yes, you can use one of your existing groups. You'll need to specify that group as the "LCM Admins" group under your configuration. Once that is done, verify an account in that group by using the test login tab in the Configuration. You should receive a success message that states that the account is an Admin also. Once you've confirmed this, specify that user and password on the plugins page.
OK so here is the error I am getting when I test the user account
Error : ch.dunes.login.ldap.LdapOrganizationalUnit
Is Orchestrator reverting to its pre VMware days? Dunes...
Does this mean the ID is not in that user group?
Do ANY user accounts authenticate? What have you used as the username for LDAP? Make sure you try user@domain.com (rather than just user). Also, be sure your LDAP paths are correct, i.e. for the Active Directory Users container, the path is CN=users,DC=domain,DC=com
Hello, try to use the same account that you use to install vcenter.
____________________________
Ing. Diego Quintana
VCP-VAC-VTSP-VSP
Wetcom Group
Buenos Aires - Argentina
Spanish-language Virtualization Group on LinkedIn
I spoke with one of our AD folks and the LDAP config looks right. When I test my account here are the errors:
When I use my ID and the correct password I get this:
Error : ch.dunes.login.ldap.LdapDomain
When I use my ID and an incorrect password I get this:
Part of the error message shows my ID, so the lookup is working correctly.
I cannot use the vCenter installation/service account, this is a local account.
strange.
Joachim
hi
Do you have a "simple" AD or do you have multiple domains in your AD?
What you can do (to try) is to set your bases to dc=my,dc=domain and use the Domain Users as the vCO Admin group. Then, can you log in?
Having exactly the same issue:
ch.dunes.login.ldap.LdapOrganizationalUnit - when the login U/P is correct, and
vCenter is installed with a LOCAL admin account, then it was joined to a domain.
All the User/Group and vCO are set (actually to the same group of users) - and still the above errors occur.
Any more ideas?
Thanks
From another forum, I found this small list:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
Your case is 52e, invalid credentials. Maybe you aren't entering the username the way LDAP mode for AD wants it. The "admin" user you define in the LDAP config must have the full username: domain\user (pre-W2k) or user@domain.my (W2k and later).
I think you use the "simple user" form. If not, do you have special characters in your password? Maybe spaces?
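The sub-code list in the post above can be applied mechanically to a failed bind. The following is an added example, not part of the original thread: it extracts the `data` sub-code from an Active Directory LDAP error string and, for 52e, flags a bare user name. The sample error string, the user `jsmith`, and the function names `bind_name_form` and `diagnose` are constructed for illustration.

```python
import re

# Sub-codes exactly as listed in the post above (the hex value after "data").
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
}
DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3,4})\b")

# Constructed sample of an AD bind failure (LDAP result 49); the DSID is made up.
SAMPLE_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090000, "
                "comment: AcceptSecurityContext error, data 52e, vece]")


def bind_name_form(name):
    """Classify a login name as 'dn', 'down-level', 'upn' or 'simple'."""
    if "=" in name and "," in name:
        return "dn"            # CN=user,CN=Users,DC=domain,DC=com
    if "\\" in name:
        return "down-level"    # domain\user
    if "@" in name:
        return "upn"           # user@domain.my
    return "simple"            # bare "user"


def diagnose(bind_name, error_text):
    """Return (sub_code, meaning, hints) for one failed bind attempt."""
    match = DATA_RE.search(error_text)
    if not match:
        return None, "no sub-code in message", []
    code = match.group(1).lower()
    meaning = AD_SUBCODES.get(code, "unknown sub-code")
    hints = []
    if code == "52e" and bind_name_form(bind_name) == "simple":
        hints.append("bare user name: try domain\\user or user@domain.my")
    return code, meaning, hints


if __name__ == "__main__":
    # "jsmith" is a constructed account name.
    for name in ("jsmith", "jsmith@domain.my"):
        print(name, diagnose(name, SAMPLE_ERROR))
```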
Has anyone found a solution to this problem? I am having the exact same problem.
I have a simple AD structure and have set my search groups to just dc=domain,dc=co,dc=uk
This matches my root.
When I test login I get this error using a true account: Error : ch.dunes.login.ldap.LdapDomain
When I try login using a true account with the wrong password I get: Cannot login user : CN=username,CN=Users,DC=domain,DC=co,DC=uk (reason : )
Anyone know any reason for this not working?
What is your search users? dc=domain,dc=co,dc=uk?
What form do you use for the administrator user defined in the LDAP?
Yes, all lines (search groups, search users and vCO admin groups) are set to dc=domain,dc=co,dc=uk
I then set users to
ou=users,dc=domain,dc=co,dc=uk
groups to ou=groups,dc=domain,dc=co,dc=uk
vCO admin group to ou=groups,dc=domain,dc=co,dc=uk
When I ran a test login the error went from ch.dunes.login.ldap.LdapDomain to ch.dunes.login.ldap.LdapOrganizationalUnit
OK,
what about the users? In my config I have: myUser@myDomain.com. Do you set the user using only the "myUser" form?
I have tried the following:
Domain\MyUser
MyUser@domain
Both return the same message.
OK,
Which type of AD do you have? 2k, 2k3, 2k8?
Do you have more than one domain in your AD tree? If yes, is your user part of the same domain you are connecting to?
I noticed that you have:
"vCO admin group to ou=groups,dc=domain,dc=co,dc=uk"
when it should be something like:
"cn=vcoadmins,ou=groups,dc=domain,dc=co,dc=uk"
I'm not sure how much that will help, but the VCO Admin group needs to point to the actual group, not just the groups container...
It's a 2k3 domain and single domain.
I have solved my issue:
After playing with name entries in the search boxes I came up with this:
User lookup base: ou=users,dc=domain,dc=co,dc=uk
Group lookup base: ou=groups,ou=users,dc=domain,dc=co,dc=uk
vCO Admin group: cn=domain admins,cn=builtin,dc=listening,dc=co,dc=uk
I got this after I tried cn=builtin,dc=listening,dc=co,dc=uk and got ch.dunes.login.ldap.LdapElementGeneric, so figured it must be pointed the exact location on just a tier in the structure to be able to find the user. Pretty lame way of doing it, because if you have a complex AD structure it will take ages to put all naming contexts in.
Great.
You can use the search feature for the ldap config.
Solved.
It's a matter of the structure that you have in AD.
I created a new group under root and was able to get everything working. I'll see if I can drop some screenshots later.