I had been having issues w/ our deployment of the vCenter Operations vApp. The Web GUI interface has two pages, https://vCopsServerName/vcops-vsphere and https://vCopsServerName/vcops-custom. It seems vcops-vsphere simply uses vCenter privileges to determine whether you can login and what you can view. vcops-custom however does not and has a separate set of permissions it uses to determine a user’s access authority. They both however utilize the same useraccount table in the postgres database.
This KB contains the steps needed to workaround the LDAP import problem:
Step 2 was incorrect as of this post date, it should read as follows:
# su postgres
# psql -d alivevm
I’ve let VMWare and @VMWareKB know of the typo. So it should get corrected.
I found that when I login into vcops-vsphere, it uses my permissions on VC and creates a user object in the useraccount table on the analytics VM database labeled VC User if it doesn’t match one already found in the table. Although it creates an entry in the useraccount table it does not associate to an ‘account group’ in vcops-custom to allow access. These accounts even though listed, do not show up under ‘Not Grouped’ Account group in the user management section of the vcops-custom page.
This will likely become a larger issue as most users would log into the vcops-vsphere page first, create a crap entry in the useraccount table then LDAP import based on groups would have problems creating an authorized LDAP entry. This can be somewhat mitigated if users log into the vcops-vsphere using their sAMAccountName instead of the UserPrinicipalName(UPN). Then no conflicts should arise in the useraccount table.
Should they login w/ their UPN into vcops-vsphere prior to the import job or that user’s inclusion into an LDAP group, then this issue will likely arise assuming that’s how you configured your LDAP import. The only recourse that I’m aware of is following the steps detailed in the KB.