I was recently working on a vCenter Operations (vCOps) installation at the customer site I work out of and ran into an issue importing users from Active Directory (AD).
In case you aren’t familiar with vCenter Operations, there are two UIs that can be accessed: a standard UI and a custom UI. The standard UI uses permissions defined within vCenter to allow a user to authenticate with credentials stored in a directory service (such as AD). The custom UI, on the other hand, does not use permissions defined within vCenter. Users for the custom UI must either be created manually or imported from a directory service using LDAP.
As I said in the first sentence of this post, I had an issue with using LDAP to import users from AD, specifically secure LDAP and AD. I spent a good amount of time trying to figure out how to make this work only to find that there wasn’t much in the way of VMware KBs or blog posts on the process. The vCOps administration guides were also vague. After a few hours of trial and error and piecemealing things together from random blogs and KBs I was finally able to figure out the process. That process is documented below.
- Once logged into the custom UI navigate to Admin -> Security
- Select Import From LDAP
- Select the Add button and enter the proper data for your LDAP host. Port 3269 is used if you are looking up a user or group that requires help from a global catalog server within AD to perform the lookup (e.g. a user/group from a different domain)
- Click OK and then click the Lookup button. Here is where you will receive an error.
The key to understanding this error is “…unable to find valid certification path to requested target”. The documentation does state that you need to load the domain controller certificate into the vCOps trust store, but does not give any other direction, which is where it gets confusing.
In order to get secure LDAP working with AD you will need to get the domain controller client authentication certificate off of the domain controller you are pointing to in the LDAP configuration (in this case it is vlabs-dc01.labs.local), copy it to the vCOps UI virtual machine and add it to the truststore. Once those steps are complete, a simple restart of the vCOps admin services and you’ll be up and running. If your domain controller doesn’t already have a client authentication certificate then you need to install a certificate authority in your environment or use some other form of certificate authority to generate one. Here is a post that explains how to set up a certificate authority using Active Directory Certificate Services (AD CS) in a Windows Server 2012 environment.
- First we need to export the certificate from the domain controller. Log onto the domain controller you used when adding the LDAP server previously (in this case vlabs-dc01.labs.local)
- Open up a MMC -> click Add/Remove Snap-in… from the File menu
- Choose Certificates and click the Add > button
- Select Computer account and click Next -> click Finish -> click OK
- From the tree on the left expand Certificates -> expand Personal -> click Certificates
- Right-click the certificate that shows Client Authentication, Server Authentication in the Intended Purposes column -> select All Tasks -> Export…
- A wizard will open, click Next -> click Next -> select the Base-64 encoded option and click Next -> select a filename and click Next -> click Finish
- Copy the certificate you just exported to someplace on the UI virtual machine (such as /tmp). I used WinSCP to transfer the certificate
- SSH into the UI virtual machine and log in with the root credentials
- Once logged in you need to run the following commands to add the domain controller certificate you copied previously to the truststore. The name of the certificate file we’re using in this example is vlabs-dc01.cer
# navigate to directory where truststore is located
# command to import the domain controller certificate into the certificate store (truststore)
keytool -importcert -keystore truststore -storepass oxygen -alias vlabs-dc01 -file /tmp/vlabs-dc01.cer
- Type yes to add the certificate to the trust store
- To verify the certificate was added to the trust store type the following command:
keytool -list -keystore truststore -storepass oxygen
You should see the certificate you just added in the list
- While still SSH’d into the UI virtual machine switch user to ‘admin’ and restart the vCOps service (vcops-admin restart)
- Now go back to the custom UI in vCenter Operations (select Admin -> Security)
- Select the Import From LDAP button -> from the dropdown select the host you created earlier (if you didn’t create one, then create one now; use the example in previous section)
- Click Lookup
Now you should see the user list populated in the Users Found pane (provided your base DN and search paths are correct)
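The truststore part of the procedure above (import the exported DC certificate with keytool, then verify it is in the store) as a small script; this is an added example, not code from the original post. It assumes openssl and keytool are on the PATH and that you pass the truststore path and password of your vCOps UI VM (the post uses storepass oxygen); it also adds one check the post does not have: the certificate the DC presents on its LDAPS port must match the one you exported through the MMC before it is imported.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl and keytool are installed.
set -eu

# Fetch the leaf certificate a DC presents on its LDAPS port (636, or 3269 for the
# global catalog) and save it as PEM.  usage: fetch_ldaps_cert host port outfile
fetch_ldaps_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# SHA-256 fingerprint of a PEM certificate as 64 lowercase hex chars.  usage: cert_fingerprint certfile
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Import the certificate unless the alias is already present (safe to re-run).
# usage: import_into_truststore certfile alias truststore storepass
import_into_truststore() {
    if keytool -list -keystore "$3" -storepass "$4" -alias "$2" >/dev/null 2>&1; then
        echo "alias $2 already present in $3"
        return 0
    fi
    keytool -importcert -noprompt -keystore "$3" -storepass "$4" -alias "$2" -file "$1" >/dev/null
}

# Return 0 only if the store holds, under the alias, a certificate whose fingerprint matches certfile.
# usage: verify_in_truststore certfile alias truststore storepass
verify_in_truststore() {
    want=$(cert_fingerprint "$1")
    have=$(keytool -list -rfc -keystore "$3" -storepass "$4" -alias "$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f' || true)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Whole flow.  usage: main dc-host port exported-cer alias truststore storepass
# Example (values from the post): main vlabs-dc01.labs.local 636 /tmp/vlabs-dc01.cer vlabs-dc01 truststore oxygen
main() {
    tmp=$(mktemp)
    fetch_ldaps_cert "$1" "$2" "$tmp"
    # Refuse to trust whatever answers on the port unless it is the cert exported from the DC itself.
    if [ "$(cert_fingerprint "$tmp")" != "$(cert_fingerprint "$3")" ]; then
        echo "fingerprint mismatch between $1:$2 and $3; not importing" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    import_into_truststore "$3" "$4" "$5" "$6"
    verify_in_truststore "$3" "$4" "$5" "$6"
}
```

After a successful run, restart the vCOps service as the admin user exactly as in the post (vcops-admin restart) so the new trust anchor is picked up.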