VMware vCenter Server 6.7 -- LDAP will not bind

Thanks for the reply.
Yes, I agree. Using “Active Directory (Windows integrated authentication)” is able to join the UCS domain with no problem.
However, when I try to search the domain, it fails with “A vCenter Single Sign-On service error occurred”, and the log continually shows “ServerUtils - cannot bind connection”.

I tried performing an LDAP query from the vCenter server with the following:

ldapsearch -x -H ldaps://taxmducc01-v:636 -b dc=cybertax,dc=cso,dc=com -D cn=administrator,cn=users,dc=cybertax,dc=cso,dc=com -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

I also tried without SSL:

ldapsearch -x -H ldap://taxmducc01-v:389 -b dc=cybertax,dc=cso,dc=com -D cn=administrator,cn=users,dc=cybertax,dc=cso,dc=com -W
Enter LDAP Password:
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.

In the following link, Moritz_Bunkus clearly explains that AD connections via 389 just won't work, and that my 636 is failing due to bad cert trust.

I did a TCP dump, and of course Univention is giving an “unknown CA” error. I have Univention’s root CA loaded into vCenter; however, I don't know how to load vCenter’s root CA into Univention.

What is the process to load vCenter’s cert into the Univention AD SSL store so it will trust the server? Is it done through openssl, or is there some special ucr command to load root CAs into Univention’s AD trust store?

I may be going in the wrong direction; let me know if I am. To be honest, if I can just get 389 to work that would be a start. Is that even possible?
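The failure mode in the post (LDAPS bind dies with “Can't contact LDAP server (-1)” and a TLS “unknown CA” alert on the wire) is decided before any LDAP bind is sent: the side that cannot build a certificate chain from the peer's certificate to a root it trusts aborts the handshake. For a plain LDAPS connection that side is normally the client, so the useful check is whether the client's CA file actually contains the root that issued the DC's certificate. The script below is an added example, not code from the post, from Univention or from VMware. It builds a constructed test PKI with `openssl` (a “ucs-ca” root that issues a DC certificate, and an unrelated “other-ca” root standing in for a trust store holding the wrong CA), runs the same chain verification an LDAP client performs, parses the `Verify return code` line that `openssl s_client` prints on a live check, and emits the post's `ldapsearch` call pinned to an explicit CA file via OpenLDAP's `LDAPTLS_CACERT` variable. The hostname `dc.example.test`, the base DN and the working directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or from Univention/VMware.
# Reproduces the LDAPS trust failure offline with a constructed test PKI and
# shows the client-side checks that decide whose trust store is missing what.
# Hostnames, DNs and paths are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed PKI: "ucs-ca" issues the DC's server certificate; "other-ca" is an
# unrelated root standing in for a trust store that holds the wrong CA (the
# situation behind "unknown CA" / "Can't contact LDAP server (-1)").
make_test_pki() {
    for ca in ucs-ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=$ca" -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc.example.test" \
        -keyout "$WORK/dc.key" -out "$WORK/dc.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/dc.csr" \
        -CA "$WORK/ucs-ca.pem" -CAkey "$WORK/ucs-ca.key" -CAcreateserial \
        -out "$WORK/dc.pem" >/dev/null 2>&1
}

# The chain check an LDAP client performs before it ever sends a bind:
# usage: verify_chain CERT CAFILE ; returns 0 if CERT chains to a root in CAFILE.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Extract the verify result from an `openssl s_client` transcript, e.g. on a live host:
#   openssl s_client -connect dc.example.test:636 -CAfile ca.pem </dev/null 2>&1 | verify_return_code
# "0" means the client built the chain; 19/20/21 are the usual unknown-CA family.
verify_return_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# The post's ldapsearch call, pinned to an explicit CA file through OpenLDAP's
# LDAPTLS_CACERT so the check does not depend on the system bundle.
# usage: ldapsearch_with_ca HOST BASEDN BINDDN CAFILE
ldapsearch_with_ca() {
    printf 'LDAPTLS_CACERT=%s ldapsearch -x -H ldaps://%s:636 -b "%s" -D "%s" -W\n' \
        "$4" "$1" "$2" "$3"
}

# Stand-alone demo:  sh this-file.sh demo
if [ "${1:-}" = "demo" ]; then
    make_test_pki
    if verify_chain "$WORK/dc.pem" "$WORK/other-ca.pem"; then
        echo "other-ca: unexpectedly trusted"
    else
        echo "other-ca: chain fails, client aborts the handshake before binding"
    fi
    if verify_chain "$WORK/dc.pem" "$WORK/ucs-ca.pem"; then
        echo "ucs-ca: chain OK, bind would proceed"
    fi
    ldapsearch_with_ca dc.example.test "dc=example,dc=test" \
        "cn=administrator,cn=users,dc=example,dc=test" "$WORK/ucs-ca.pem"
fi
```

On a real host, run `verify_chain` with the DC's certificate (fetch it with `openssl s_client -connect host:636 -showcerts </dev/null`) against the CA file the client is actually configured to use; if that fails while it succeeds against the UCS root CA, the client-side trust store is the one that needs the UCS root added, and the `LDAPTLS_CACERT` form of the search confirms it without touching system configuration.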