3 Replies Latest reply on Jul 26, 2019 4:41 AM by NRay

    Error configuring LDAPS for vCenter

    runnyyolk Novice

      We're trying to configure our vCenter 6.5 appliance to use an LDAPS source as an SSO identity source. When we use LDAP (non-TLS) over port 389, everything seems to work fine. When we switch to LDAPS, the web user interface gives the following error:

      The SSO server either failed to connect to or authenticate to the service at the specified URI

      Furthermore, in /var/log/vmware/sso/ssoAdminServer.log, we see this error:

      [2017-08-09T21:33:31.169Z pool-6-thread-3 opId=8d1782aa-a5c8-4f2f-83d9-28e008eae95b INFO  com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] The provided credentials for authentication against LDAP server ldaps://ipa01.ops.iodinesoftware.com:636 are not valid.
      com.vmware.vim.sso.admin.exception.DirectoryServiceConnectionException: The provided credentials for authentication against LDAP server ldaps://example.com:636 are not valid.
      at com.vmware.identity.admin.server.ims.impl.DomainManagementImpl.probeConnectivity(DomainManagementImpl.java:145) ~[sso-adminserver.jar:?]
      at com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl.probeConnectivity(IdentitySourceManagementImpl.java:668) ~[sso-adminserver.jar:?]
      at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$13.call(IdentitySourceManagementServiceImpl.java:408) ~[sso-adminserver.jar:?]
      at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$13.call(IdentitySourceManagementServiceImpl.java:398) ~[sso-adminserver.jar:?]
      at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:160) [sso-adminserver.jar:?]
      at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl.probeConnectivity(IdentitySourceManagementServiceImpl.java:398) [sso-adminserver.jar:?]
      at sun.reflect.GeneratedMethodAccessor244.invoke(Unknown Source) ~[?:?]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_131]
      at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_131]
      at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:65) [vlsi-server.jar:?]
      at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server.jar:?]
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
      at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
      Caused by: com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldaps://example.com:636]; tenantName [vsphere.local], userName [<our bind uid>]
      at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:117) ~[?:?]
      at com.vmware.identity.idm.server.IdentityManager.probeProviderConnectivity(IdentityManager.java:9681) ~[?:?]
      at sun.reflect.GeneratedMethodAccessor61.invoke(Unknown Source) ~[?:?]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_131]

      I've exported the certificate from our LDAP server, added both the server cert as well as the CA cert to vCenter (I see them both in SSO Administration -> Configuration -> Certificates).

      However, for one reason or another, vCenter doesn't seem to like this setup.

      I'm able to connect to the LDAP server via LDAPS using other software (Apache Directory Studio, for example), so I suspect this is related to vCenter and certificates. Any hints on investigating this further? Is there additional tracing I can enable?
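The UI message above ("either failed to connect to or authenticate to") does not say which stage failed. The following added example (not from this thread or from VMware) is a small stand-alone probe that reports the stage separately: TCP connect, TLS chain trust and hostname verification with a CA file you supply, or a later TLS error. The host, port and CA bundle path are assumptions passed in by the caller.

```python
"""Probe an LDAPS endpoint and report which stage fails: TCP, TLS trust/hostname, or TLS handshake."""
import socket
import ssl
import sys


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (stage, detail).

    stage is one of:
      "tcp"        - no TCP connection (firewall, wrong port, service down)
      "tls-verify" - certificate chain not trusted by `cafile`, or name mismatch
      "tls"        - any other TLS handshake failure (protocol/cipher mismatch)
      "ok"         - handshake succeeded; detail carries subject, SANs, protocol
    """
    # create_default_context enables chain verification and hostname checking;
    # cafile=None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            sans = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
            return "ok", {"subject": subject, "san": sans, "protocol": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate", "self-signed certificate",
        # or "Hostname mismatch, certificate is not valid for '<host>'"
        return "tls-verify", exc.verify_message
    except ssl.SSLError as exc:
        return "tls", str(exc)


if __name__ == "__main__":
    # usage: probe_ldaps.py <host> [port] [ca-bundle.pem]   (assumed CLI, not vCenter's)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    stage, detail = probe_ldaps(host, port, cafile)
    print(stage, detail)
```

A "tls-verify" result with the same CA file you imported into vCenter points at the certificate chain or the SAN/CN not matching the URI host; an "ok" result shifts suspicion to the bind DN and credentials.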