VMware Cloud Community
mikekask
Contributor

5.5a SSO and LDAP - unable to add users

When on the 5.1 vCenter appliance, we had SSO configured to point to LDAP on a 389 Directory Server.

When we moved over to the 5.5 appliance, it would no longer recognize our usernames. It was only looking at our full names. This part seems to have been fixed with the 5.5a update, but we still can't add users or groups to the server. Users and groups show up in the list, and when we click on the "Check names" button, everything checks out. When I click on OK to actually add the user/group, it gives the error:

Add Principals:  Not allowed: user@company.com's objectId is null


This is the error I get when I try to add an LDAP user to an SSO group in the vSphere Client. I am able to add the same users and groups when I go to Administration and then manage permissions. The LDAP users can then log in, but they do not have admin access to the SSO settings in the web client.


We do have a test Active Directory set up, and pointing to AD works fine.

4 Replies
pderuiter
Contributor

Hi Mike, I am having the exact same error. Do you already have a solution for this?

Thanks,

Patrick

Simeonof
Contributor

Same here, although the setup is a bit different. I'm connecting to eDirectory over LDAP. eDirectory users can log in fine through the web client, but I cannot add eDirectory users to the Administrators group in the web client (so they are currently not able to do anything). I suppose the user objects are missing some attribute which is mandatory for VMware. If I knew what it is and where it is defined, I would be able to change it to an existing one, or extend the schema and add this attribute to the user objects I need. Any idea, anyone?

Simeonof
Contributor

OK, actually it was working fine; you just cannot administer SSO settings when logged in with an eDirectory account, but this is not an issue for me. So, for anybody trying to set it up, here it is:

- Set up a new OpenLDAP identity source.

- Name: name it as you like.

- Base DN for users: enter the appropriate base DN for your needs (e.g. ou=xxx,ou=yyy,o=zzz).

- Domain name: you may enter your DNS domain name (e.g. company.com).

- Domain alias: name it as you wish.

- Base DN for groups: enter the appropriate base DN for your needs (e.g. ou=xxx,ou=yyy,o=zzz); it may be different from the users base DN above.

- Primary server URL: preferably on the secure port (e.g. ldaps://eDirServerIP:636).

- Choose certificate: only if you've selected the secure port above. Export your Organizational CA self-signed certificate in BASE64 format and place it on your Desktop, for example. When you click on the "Choose certificate" button, note that it only shows files with extension .cer, so you need to write *.* in the "File name" field so your BASE64 file is displayed and you can select it.

- Username: you need a read-only trustee of your base DN (or of your entire tree, for example) in LDAP format (e.g. cn=someuser,ou=abc,ou=xxx,ou=yyy,o=zzz).

- Password: as it states.

Once you've done that, you'll see your identity source in the list and you can set it up as the Default Identity Source (do it).

And voila! Now you may go to vCenter Home -> Hosts and Clusters -> Manage -> Permissions and assign the Administrator role for any object (the whole vCenter, or a single datacenter, or whatever) to a user or (better) a group from eDirectory.

Hopefully VMware will make it possible to assign SSO Administrator from eDirectory as well in a future release, but for the moment I'm fine with this. Definitely a step in the right direction for VMware to support non-MS environments.
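A pre-flight check for the identity-source fields listed in the post above, added here as an illustration rather than code from this thread or from VMware: before the values go into the vSphere Web Client dialog, it validates the DN syntax of the user base DN, group base DN and bind username, flags a cleartext ldap:// primary URL (which would send the bind password unencrypted), warns on a non-standard LDAPS port, and confirms the exported CA certificate really is BASE64/PEM rather than a DER export that the "Choose certificate" step would not accept. The field names, the sample values and the placeholder certificate body are all constructed assumptions, and nothing here connects to a server.

```python
"""Offline sanity checks for the OpenLDAP identity-source fields described
in the post above (hypothetical helper, not VMware code)."""
import base64
import binascii
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN such as 'cn=someuser,ou=abc,o=zzz' into (attribute, value)
    pairs.  Commas escaped as '\\,' stay inside a value.  Raises ValueError when a
    component lacks the 'attr=value' form, the usual typo in these dialog fields."""
    if not dn or not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for part in re.split(r"(?<!\\),", dn):           # split only on unescaped commas
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def check_url(url: str) -> List[str]:
    """Findings about the 'Primary server URL' field (empty list means OK)."""
    findings = []
    u = urlparse(url)
    if u.scheme not in ("ldap", "ldaps"):
        return [f"primary URL {url!r}: scheme must be ldap:// or ldaps://"]
    if not u.hostname:
        findings.append(f"primary URL {url!r} has no host")
    if u.scheme == "ldap":
        findings.append("primary URL uses cleartext ldap://; the bind password would "
                        "cross the network unencrypted, use ldaps:// (port 636)")
    elif u.port not in (None, 636):
        findings.append(f"ldaps URL uses non-standard port {u.port}; confirm the "
                        "directory really listens there")
    return findings


def check_certificate(pem: str) -> List[str]:
    """Findings about the exported CA certificate: it must be PEM (BASE64) with
    CERTIFICATE markers and a base64 body, not a binary DER export."""
    m = re.search(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        return ["certificate is not BASE64/PEM encoded (no BEGIN/END CERTIFICATE "
                "markers); re-export it in BASE64 format"]
    body = "".join(m.group(1).split())
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return ["certificate body between the PEM markers is not valid base64"]
    return []


def check_identity_source(cfg: Dict[str, str]) -> List[str]:
    """Run every check over one identity-source definition; empty list means OK."""
    findings = []
    for field in ("users_base_dn", "groups_base_dn", "bind_dn"):
        try:
            parse_dn(cfg.get(field, ""))
        except ValueError as exc:
            findings.append(f"{field}: {exc}")
    labels = cfg.get("domain_name", "").split(".")
    if len(labels) < 2 or not all(_DNS_LABEL.match(lab) for lab in labels):
        findings.append(f"domain_name {cfg.get('domain_name')!r} is not a DNS domain name")
    url = cfg.get("primary_url", "")
    findings += check_url(url)
    if url.startswith("ldaps://"):
        findings += check_certificate(cfg.get("certificate_pem", ""))
    if not cfg.get("password"):
        findings.append("password is empty")
    return findings


# Constructed sample input mirroring the fields in the post; the certificate
# body is a base64 placeholder, not a real certificate.
_FAKE_CERT_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_SOURCE = {
    "users_base_dn": "ou=people,ou=xxx,o=zzz",
    "groups_base_dn": "ou=groups,ou=xxx,o=zzz",
    "domain_name": "company.com",
    "primary_url": "ldaps://192.0.2.10:636",
    "bind_dn": "cn=someuser,ou=abc,ou=xxx,ou=yyy,o=zzz",
    "certificate_pem": f"-----BEGIN CERTIFICATE-----\n{_FAKE_CERT_BODY}\n-----END CERTIFICATE-----\n",
    "password": "constructed-example-password",
}

if __name__ == "__main__":
    for finding in check_identity_source(SAMPLE_SOURCE) or ["all identity-source fields look consistent"]:
        print(finding)
```

The DN parser is deliberately strict about the `attr=value` shape and nothing else, because the post only tells us the fields must be "in ldap format"; the checks do not try to decide whether the bind DN is a trustee of the base DN, since the post allows either the base DN or the whole tree.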

fanya
Contributor

5.5U1: same error.
