VMware vSphere client login through UCS server

samba-ad
vmware

#1

I am trying to configure my VMware vSphere to authenticate against a UCS server.
I am getting an error.

Please let me know if any article is available.

-Thank You
-Arif


#2

Please help me with this…
I am getting the error below…

The “Add identity source” operation failed for the entity with the following error message:

The vCenter Single Sign-On server failed to connect to or failed to authenticate to the service at the specified URL

My vCenter is running Photon Linux.

-Arif


#3

Hey,

I don’t know of a guide, but we do have your vCenter 6.5 joined into our UCS-based Active Directory domain. With that setup, assigning permissions based on AD users & groups as well as logging in with AD credentials works just fine.

Can you show a screenshot of the settings you’re trying? Unfortunately it’s been quite a while, and I don’t remember clearly what the corresponding dialogs looked like.

Kind regards,
mosu


#4

I had added my UCS-based Active Directory, but after adding the LDAP server we are not able to list users/groups.

Here is the Guide…

https://wiki.univention.de/index.php/Cool_Solution_-_Use_VMware_Single_Sign-On_with_UCS


#5

Please find attached file.

Thank You
-Arif


#6

What permissions should the user that I am using for LDAP in vCenter have? Are special permissions required?

Thank You
-Arif


#7

I just had a quick glance at your screenshot:
If you are connecting to the Samba Active Directory (default LDAP ports 389 or 636), you have to use cn= for the username and not uid=. That’s also what is used in the guide that you linked to.


#8

Thank You!!!
I am not able to connect to LDAP on the default ports.
I checked ldap.conf and the same URI is mentioned in the file.
When I am using cn in place of uid, vCenter is not able to connect to the LDAP server at all.

Currently the issue is that vCenter is able to connect to the LDAPS server but is not able to list all users/groups.

Thank You
-Arif


#9

Can you please share your identity server settings from the vSphere Web Client, if possible?

-Arif


#10

Hey,

sure. Here’s what works for us. In the next panel (“upload certificates”) I uploaded the machine certificate for our DC Master if I remember correctly. You can find that on your DC Master in /etc/univention/ssl/<machine-name>/cert.pem.

Kind regards,
mosu


#11

Thank You!!!
Whenever I create a user, it shows the DN "uid=marif,cn=users,dc=my-tech,dc=intranet".
I am not sure why it does not come out like "cn=marif,cn=users,dc=my-tech,dc=intranet".

-Arif


#12

Hey,

in a UCS system there are two LDAP servers: the one you create objects in via the UMC (OpenLDAP) and the one provided by Samba. There’s a bi-directional sync between both. Both use slightly different LDAP schemas, and therefore the objects are named slightly differently.

The Samba LDAP is running on ports 389 & 636 and uses cn=… for user objects. The OpenLDAP server runs on ports 7389 & 7636 and uses uid=… for naming user objects. The Samba LDAP server is generally better to work with if you need to evaluate group membership.

You can use the command univention-ldapsearch for searching the OpenLDAP server and univention-s4search for searching the Samba LDAP server if you’re unsure what your object’s named.

Kind regards,
mosu
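The port-to-naming rule mosu describes above, as an added example that is not part of this thread and not UCS or vSphere code: a small Python check that takes the LDAP URL you would enter as the identity source together with the bind DN, tells you which of the two UCS directories that port belongs to, and rewrites the DN with the RDN attribute that directory uses for user objects when the two disagree (the situation in posts #7, #8 and #11). It assumes, based on post #12, that only the RDN attribute of user objects differs between the two trees and that the rest of the DN (cn=users,dc=…) is the same in both; the hostname dc.my-tech.intranet is made up, and the DN is the one from post #11.

```python
"""Check whether a vCenter identity-source bind DN matches the UCS LDAP
server its URL points at.

Added example, not from the forum thread and not part of UCS or vSphere.
Rule encoded from post #12: Samba AD listens on 389/636 and names users
cn=...; OpenLDAP listens on 7389/7636 and names users uid=...
Assumption: for user objects only the RDN attribute differs between the
two directories; the remainder of the DN is identical.
"""
from urllib.parse import urlsplit

# port -> (directory, RDN attribute used for user objects)
UCS_DIRECTORIES = {
    389: ("samba-ad", "cn"),
    636: ("samba-ad", "cn"),
    7389: ("openldap", "uid"),
    7636: ("openldap", "uid"),
}


def split_dn(dn):
    """Split a DN into [(attr, value), ...], honouring backslash-escaped
    commas. Enough for the DNs in this thread; not a full RFC 4514 parser."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            cur += ch
            escaped = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def join_dn(parts):
    return ",".join(f"{attr}={value}" for attr, value in parts)


def directory_for(url):
    """Map an ldap:// or ldaps:// URL to (directory, user RDN attribute).
    A URL without an explicit port gets the scheme default (389 / 636)."""
    u = urlsplit(url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    if port not in UCS_DIRECTORIES:
        raise ValueError(f"port {port} is not one of the UCS LDAP ports")
    return UCS_DIRECTORIES[port]


def check_bind_dn(url, bind_dn):
    """Return (ok, directory, suggested_dn).

    ok is True when the DN's first RDN uses the attribute the target
    directory names users with. Otherwise suggested_dn is the same DN with
    the RDN attribute swapped (cn <-> uid), or None if the RDN is neither."""
    directory, wanted = directory_for(url)
    parts = split_dn(bind_dn)
    have, value = parts[0]
    if have == wanted:
        return True, directory, bind_dn
    if have in ("cn", "uid"):
        return False, directory, join_dn([(wanted, value)] + parts[1:])
    return False, directory, None


if __name__ == "__main__":
    # Constructed inputs: hostname is made up, DN is the one from post #11.
    dn = "uid=marif,cn=users,dc=my-tech,dc=intranet"
    for url in ("ldaps://dc.my-tech.intranet:636",   # Samba AD, wants cn=
                "ldap://dc.my-tech.intranet:7389"):  # OpenLDAP, wants uid=
        ok, directory, suggestion = check_bind_dn(url, dn)
        status = "ok" if ok else f"mismatch, use {suggestion}"
        print(f"{url} -> {directory}: {status}")
```

Running it shows that the DN from post #11 fits port 7389 (OpenLDAP) but, on port 636 (Samba AD), has to be written as cn=marif,cn=users,dc=my-tech,dc=intranet. The script only checks the naming convention; to confirm what an object is actually called, run univention-s4search (Samba) or univention-ldapsearch (OpenLDAP) on the DC as described above.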