The following steps configure Active Directory LDAPS authentication for vCenter Server.
Step 1
Note down the domain controller (DC) that serves LDAP. To list all domain controllers, the following Windows command can be used; it can be run from any Windows machine that is joined to the AD domain.
nltest /dclist:DomainName
Step 2
Select one of the domain controllers that is configured as the LDAP identity source. Log in to the vCenter appliance over SSH (using PuTTY or a terminal) to retrieve the LDAP certificate from the DC.
openssl s_client -connect DC1.ad.local:636 -showcerts
Replace DC1.ad.local with the domain controller of your environment. The topmost certificate in this chain is the certificate of the domain controller.
Copy the complete string from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE----- into a text file. Remove any additional characters after -----END CERTIFICATE-----. Save the content in Notepad with a .cer extension (e.g. ldap_dc.cer).
Step 3
Open the vCenter Web Client (HTML or Flash). Go to Home > Administration > Configuration (under Single Sign-On), click the + sign and select Active Directory as an LDAP Server.
Enter an appropriate name and fill in the following options.
vCenter 6.0
Name: domain name
Base DN for users: dc=domainname,dc=local (used to search for users in a specific organizational unit or container of AD)
Domain name: domainname.local
Domain alias: domainname
Base DN for groups: dc=domainname,dc=local (used to search for AD groups in a specific organizational unit or container of AD)
Primary server URL: ldaps://DC1.ad.local:636 (you can specify the domain name instead of a specific DC if all your domain controllers are configured to use SSL for LDAP)
Secondary server URL: ldaps://DC2.ad.local:636 (optional)
vCenter 6.5/6.7
Name: domain name
Base DN for users: dc=domainname,dc=local
Base DN for groups: dc=domainname,dc=local
Domain name: domainname.local
Domain alias: domainname
User name: adminuser@domain.local
Password: ****
When you select "Connect to any domain controller in the domain", vCenter connects to the DC that holds the primary domain controller (PDC) role. The nltest output shows the current primary domain controller. This option may not work for versions prior to 6.7 U1 or 6.5 U2D due to a known issue (Refer). The workaround is to download the LDAP certificate of every DC (the DC list can be obtained from nltest as described in step 1) and provide those certificates in the next step of the configuration.
You can also specify primary and secondary LDAP servers.
Primary server URL: ldaps://DC1.ad.local:636
Secondary server URL: ldaps://DC2.ad.local:636
In the next screen, upload the certificate downloaded in step 2.
If the configuration is correct, Active Directory as an LDAP Server is added without any issue.