vCenter Operations 5.x vApp LDAP Configuration

Summary:
I happened to see someone searching for this and coming across my previous post on it’s wonkiness, so I figured I’d make a post showing how I went about configuring it w/ an Active Directory domain.  This only applies to the vcops-custom page.  The standard vCops-vsphere page uses vCenter’s authentication via role permissions.
Details:
  1. Log into your vcops-custom page as an admin. (example http://yourvCOPsUIvmIP/vcops-custom)
  2. Select Admin –> Security
    • Admin-Security
  3. Select the Import from LDAP button
    • ImportfromLDAP
  4. Select the add button
    • ImportUsersDialog
  5. Now see the screenshot below to see how to fill out the configuration screen:
    • ManageLDAPHost
  6. Below details how the auto-sync works:
    • ManageLDAPHost-2
  7. You’re pretty much done @ this point.
Auto Sync occurs once every hour, so once you configure it, it’ll take approx. an hour before users are granted access.  The other caveat is that nested groups are not supported.  Users must be direct members of the security group you setup w/ Auto Sync.
Feel free to ask questions in the comments.  I’m always keeping an eye on those.

Comments

Matt said…
Great guide! Do you have a guide or even a list of the dashboard setup you use in vcops-custom?
Matt said…
Great guide! Do you have a guide or even a list of the dashboard setup you use in vcops-custom?
Zsoldier said…
I don't have any guides yet, but now that you mention it, I did run into something recently that I probably should post.
Anonymous said…
Hi Chris
I got account/password incorrect when login using AD account. Vcops list AD account within that group, I also add those account to vcops group - (users). Any idea why I could not login ?
thanks in advance

Thomas
Zsoldier said…
Anonymous, make sure you login using your full account name:
youruser@yourdomain.usuallycompany.com
Zsoldier said…
Another thought is that the group that your AD account is a member of is not a 'direct' member, but an indirect member.
Anonymous said…
This is great but I stilll dont return anything.
I am using objectCategory=group but zero returned.
Even with nothin entered it returns nothing?
Any suggestions for an example field population to return just groups as cant return anything at the moment but the same account returns for VCD?

Thanks
Zsoldier said…
objectCategory=Group in Active Directory is technically incorrect. I wouldn't recommend using objectCategory that as it will return ALL groups. For your filter to be correct it has to look something like:
objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=myDC,DC=com"
Anonymous said…
Thanks for replying.
I was basing my search on this article by MS
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

It recommends using objectCategory but I still cant see anything. Will need to delve into it a bit more I think.
Anonymous said…
Hi Chris,
after providing all info,
i m getting this error[
java.lang.Exception:javax.naming.directory.InvalidSearchFilterException:Missing'equal', remaining name ] "mydomain.xxx.com.
do i need to create a group reflecting a group in Active Directory, let assume they administrators .
Zsoldier said…
I think that error is referring to your BASE DN entry. You need to have that defined like so:
dc=mydomain,dc=xxx,dc=com
Anonymous said…
Hi Chris,
i m trying to import LDAP users into vCOps but i m not getting the expected results.After importing, in the USERS FOUND, i see no users. I did re check my settings but no changes in the results.
Any ideas?
Unknown said…
not working for me either, using Userprincipalname under username field, base DN is OU=VCenters,OU=Groups,OU=my company,OU=NA-Organizations,DC=na,DC=glb,DC=com, then under group search criteria i have the name of the group: (cn=VCenter_Admin) and Member attribute is: cn, i also tried with objectCategory=Group with no luck
Zsoldier said…
BaseDN should usually be your top level. Like: DC=na,DC=glb,DC=com

cn=vCenter_Admin is probably not a valid search string. SAMAccountName=vCenter_Admin* would probably work.

objectCategory="CN=Group,CN=Schema,CN=na,DC=glb,DC=com" would probably be the correct filter.
Unknown said…
Thank you! the userprincipalname is what i was missing.
Unknown said…
Thank you! userprincipalname is what helped me.
Ben said…
Anyone familiar with this Error I get when I try to load LDAP Groups?

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0]
Zsoldier said…
Ben, you may need to check whether you bind user has appropriate privileges to query AD, that it may be locked or that the password needs to be changed. In all likely likelihood, it's related to your defined bind account.
Unknown said…
Thanks Chris! This worked perfectly!

Popular posts from this blog

NSX-T: Release associated invalid node ID from certificate

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.