vCenter Operations 5.x vApp LDAP Configuration

Summary:
I happened to see someone searching for this and coming across my previous post on it’s wonkiness, so I figured I’d make a post showing how I went about configuring it w/ an Active Directory domain.  This only applies to the vcops-custom page.  The standard vCops-vsphere page uses vCenter’s authentication via role permissions.
Details:
  1. Log into your vcops-custom page as an admin. (example http://yourvCOPsUIvmIP/vcops-custom)
  2. Select Admin –> Security
    • Admin-Security
  3. Select the Import from LDAP button
    • ImportfromLDAP
  4. Select the add button
    • ImportUsersDialog
  5. Now see the screenshot below to see how to fill out the configuration screen:
    • ManageLDAPHost
  6. Below details how the auto-sync works:
    • ManageLDAPHost-2
  7. You’re pretty much done @ this point.
Auto Sync occurs once every hour, so once you configure it, it’ll take approx. an hour before users are granted access.  The other caveat is that nested groups are not supported.  Users must be direct members of the security group you setup w/ Auto Sync.
Feel free to ask questions in the comments.  I’m always keeping an eye on those.

Comments

Matt said…
Great guide! Do you have a guide or even a list of the dashboard setup you use in vcops-custom?
July 11, 2012 at 5:56 PM
Matt said…
Great guide! Do you have a guide or even a list of the dashboard setup you use in vcops-custom?
July 11, 2012 at 5:57 PM
Zsoldier said…
I don't have any guides yet, but now that you mention it, I did run into something recently that I probably should post.
July 12, 2012 at 12:57 PM
Anonymous said…
Hi Chris
I got account/password incorrect when login using AD account. Vcops list AD account within that group, I also add those account to vcops group - (users). Any idea why I could not login ?
thanks in advance

Thomas
December 19, 2012 at 9:51 PM
Zsoldier said…
Anonymous, make sure you login using your full account name:
youruser@yourdomain.usuallycompany.com
December 26, 2012 at 10:25 AM
Zsoldier said…
Another thought is that the group that your AD account is a member of is not a 'direct' member, but an indirect member.
January 3, 2013 at 10:42 AM
Anonymous said…
This is great but I stilll dont return anything.
I am using objectCategory=group but zero returned.
Even with nothin entered it returns nothing?
Any suggestions for an example field population to return just groups as cant return anything at the moment but the same account returns for VCD?

Thanks
June 21, 2013 at 7:43 AM
Zsoldier said…
objectCategory=Group in Active Directory is technically incorrect. I wouldn't recommend using objectCategory that as it will return ALL groups. For your filter to be correct it has to look something like:
objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=myDC,DC=com"
June 21, 2013 at 8:27 AM
Anonymous said…
Thanks for replying.
I was basing my search on this article by MS
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

It recommends using objectCategory but I still cant see anything. Will need to delve into it a bit more I think.
July 2, 2013 at 5:02 AM
Anonymous said…
Hi Chris,
after providing all info,
i m getting this error[
java.lang.Exception:javax.naming.directory.InvalidSearchFilterException:Missing'equal', remaining name ] "mydomain.xxx.com.
do i need to create a group reflecting a group in Active Directory, let assume they administrators .
August 19, 2013 at 10:09 AM
Zsoldier said…
I think that error is referring to your BASE DN entry. You need to have that defined like so:
dc=mydomain,dc=xxx,dc=com
August 19, 2013 at 10:13 AM
Anonymous said…
Hi Chris,
i m trying to import LDAP users into vCOps but i m not getting the expected results.After importing, in the USERS FOUND, i see no users. I did re check my settings but no changes in the results.
Any ideas?
October 7, 2013 at 11:20 AM
Unknown said…
not working for me either, using Userprincipalname under username field, base DN is OU=VCenters,OU=Groups,OU=my company,OU=NA-Organizations,DC=na,DC=glb,DC=com, then under group search criteria i have the name of the group: (cn=VCenter_Admin) and Member attribute is: cn, i also tried with objectCategory=Group with no luck
October 24, 2013 at 5:00 PM
Zsoldier said…
BaseDN should usually be your top level. Like: DC=na,DC=glb,DC=com

cn=vCenter_Admin is probably not a valid search string. SAMAccountName=vCenter_Admin* would probably work.

objectCategory="CN=Group,CN=Schema,CN=na,DC=glb,DC=com" would probably be the correct filter.
October 24, 2013 at 5:42 PM
Unknown said…
Thank you! the userprincipalname is what i was missing.
November 7, 2013 at 3:16 PM
Unknown said…
Thank you! userprincipalname is what helped me.
November 7, 2013 at 3:16 PM
Ben said…
Anyone familiar with this Error I get when I try to load LDAP Groups?

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0]
November 19, 2013 at 2:44 PM
Zsoldier said…
Ben, you may need to check whether you bind user has appropriate privileges to query AD, that it may be locked or that the password needs to be changed. In all likely likelihood, it's related to your defined bind account.
November 21, 2013 at 12:55 PM
Unknown said…
Thanks Chris! This worked perfectly!
February 4, 2014 at 2:01 PM
Post a Comment

Popular posts from this blog

NSX-T: Release associated invalid node ID from certificate

Image
Summary: Basically had an expiring certificate registered in NSX-T that was associated to a node_id that is no longer valid.  Long story short, there wasn't anything obvious in API to delete or disassociate a certificate from a node_id for 3.2.2.  Not sure how things got in this state, but annotating for future reference.  This may change in future revisions, so always check API for latest. Details: Effectively had a stale node associated w/ a certificate that was expiring.  Could not delete certificate until that node was disassociated from the certificate. To get certificate details and associated node_id's, you can use the following curl call (UI works too): curl -k -X GET -H "Content-Type: application/json" -u admin https://<manager ip>/api/v1/trust-management/certificates/<cert UUID> Above will return something like this: Below must be run from one of the manager nodes via elevation to root: ONLY RUN THIS IF YOU ARE ABSOLUTELY SURE OF WHAT YOU ARE DO...
Read more

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

Image
Summary: NSX-T loses synch w/ vCenter inventory, but statuses don't appear to show an issue.  Basically, you add a host to a vCenter cluster, NSX-T bits should start to automatically installing on new host.  Assuming you've created a Transport Node Profile and associated w/ the cluster.  The problem is that NSX-T doesn't see the new host and its link to the compute manager (vCenter) looks fine. Looks fine, Y U NO WORK!? So what's going on here?  This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown. Workaround: Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI. Details: If you were to query the status of the cm-inventory via API or CLI, you could query all 3 manager/controller nodes and get a status of running.  Even if the primary node associated w/ the VIP, if configured, is not necessarily in charge of inventory.  So you could restart the cm-inventory service till you are blue in the face ...
Read more

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.

Image
The VPN client was unable to successfully verify the IP forwarding table modification.  A VPN connection will not be established. Summary: I started running into issue utilizing Cisco AnyConnect on my Mac basically complaining about not able to overwrite IP forwarding tables.  This was on 4.6.x.  Since my VPN endpoints were not providing me w/ an updated client and w/ no access to Cisco Anyconnect downloads, my only option was to try openconnect.  It was totally worth it, here is why and how to set it up. PreReqs: Homebrew Installing OpenConnect: Launch MacOS Terminal brew install openconnect Getting VPN IP's/DNS Endpoints from AnyConnect: The information is typically located in your profile xml files located here: /opt/cisco/anyconnect/profile/somethingsomething.xml In the xml file, you are looking for "<HostAddress>typicallyaDNSName.com</HostAddress>" entry.  These are your VPN endpoints that you would need to pass to openconnec...
Read more