Failed to add groups to the “CloudAdminGroup” during HLM


Article ID: 302835


Products

VMware Cloud on AWS

Issue/Introduction

Symptoms:
  • You are trying to add groups to the “CloudAdminGroup” by using the “Edit Admins” option in the Linked Domains screen.
  • After searching for the group and adding it, the operation fails with the error: “Setting administrator failed with reason: Failed to add groups. Contact support for further assistance”
  • An identity source of type “OpenLDAP” has been added to vCenter.
  • In the HLM logs you see errors like:
    • [2018-05-21T19:50:20.839Z pool-3-thread-824 vmc.local 861c2492-d059-4792-b4a4-c1805bf0a0f5 ERROR com.vmware.identity.idm.server.IdentityManager] Not allowed: awsadmins@xx objectId is null
      [2018-05-21T19:50:20.839Z pool-3-thread-824 vmc.local 861c2492-d059-4792-b4a4-c1805bf0a0f5 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to add group [awsadmins@xx] to group [CloudAdminGroup] in tenant [vmc.local]
      [2018-05-21T19:50:20.839Z pool-3-thread-824 vmc.local 861c2492-d059-4792-b4a4-c1805bf0a0f5 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'java.lang.IllegalArgumentException: Not allowed: awsadmins@xx objectId is null'
      java.lang.IllegalArgumentException: Not allowed: awsadmins@xx objectId is null
      at com.vmware.identity.idm.server.IdentityManager.validateObjectIdNotNull(IdentityManager.java:5876) ~[vmware-identity-idm-server-7.0.0.jar:?]
    • Note: The log extract above is only an example; values such as the timestamp, thread, group name and tenant will differ in your environment.


Cause

This issue occurs because the group being added to the “CloudAdminGroup” has a null objectId, i.e. vCenter Single Sign-On cannot obtain a unique object identifier for it from the identity source.
For an OpenLDAP identity source this identifier comes from the group's entryUUID attribute (see Resolution). A group created without such a unique ID cannot be added, so verify the group's attributes in the LDAP directory.

Resolution

Make sure the LDAP server being used is supported by vSphere. Refer to OpenLDAP schemas supported in VMware vCenter Single Sign-On (2064977) for details on supporting OpenLDAP as an identity source.
Currently, vCenter Single Sign-On supports the use of OpenLDAP as an identity source only if it satisfies all of these requirements:
  1. The OpenLDAP schema is RFC 4519 compliant.
  2. All users have an objectClass of inetOrgPerson.
  3. All groups have an objectClass of groupOfUniqueNames.
  4. All groups use uniqueMember as the group membership attribute.
  5. All user and group objects have entryUUID configured (each object has a unique GUID that does not change).

Note:
The above configuration is required for adding users or groups from OpenLDAP to any group or role apart from vsphere.local.
In vSphere 5.5a and later, entryUUID is no longer a required attribute for OpenLDAP users to authenticate. However, it remains a requirement for adding users or groups to vsphere.local groups. Deleting and recreating users or groups in the LDAP tree without preserving entryUUID can remove them from vsphere.local groups.
If any of these requirements is not met, or the schema is non-compliant, the OpenLDAP identity source is unsupported with vCenter Single Sign-On.

If the OpenLDAP server is supported and meets all the requirements in the associated KB (2064977), make sure the group object has a unique, stable identifier (entryUUID).
Once the group has a unique ID, try adding it again; the operation should then succeed.
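The following is an added example (not VMware's own tooling) that checks an LDIF export of users and groups against the five requirements above: users must be inetOrgPerson, groups must be groupOfUniqueNames with a uniqueMember attribute, and every object needs exactly one entryUUID. The LDIF embedded in the script is constructed sample data; the hostname and base DN in the ldapsearch hint are placeholders.

```python
"""Check OpenLDAP user/group entries against the vCenter SSO requirements.

SAMPLE_LDIF below is constructed sample data, not from a real directory.
To check a live server, export the relevant entries first, for example:

  ldapsearch -x -H ldap://ldap.example.com -b "dc=example,dc=com" \
      "(|(objectClass=inetOrgPerson)(objectClass=groupOfUniqueNames))" \
      objectClass uniqueMember entryUUID > export.ldif

entryUUID is an operational attribute, so it is only returned when it is
requested explicitly (as above) or with the "+" attribute selector.
"""

SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
entryUUID: 1a2b3c4d-0000-4000-8000-000000000001

dn: cn=awsadmins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: awsadmins
uniqueMember: uid=alice,ou=people,dc=example,dc=com

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: ops
memberUid: alice
entryUUID: 1a2b3c4d-0000-4000-8000-000000000002
"""


def parse_ldif(text):
    """Minimal LDIF parser returning a list of (dn, {attr: [values]}).

    Handles folded lines (continuation lines start with a space) and
    comments; base64 ("::") values are not decoded. Attribute names are
    lower-cased because LDAP attribute names are case-insensitive.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            if current:
                entries.append(current)
            current = (value, {})
            continue
        if current is not None:
            current[1].setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_entry(attrs):
    """Return the list of requirement violations for one entry (empty = OK)."""
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    is_user = "inetorgperson" in classes
    is_group = "groupofuniquenames" in classes
    if not (is_user or is_group):
        problems.append("objectClass is neither inetOrgPerson nor groupOfUniqueNames")
    if is_group and "uniquemember" not in attrs:
        problems.append("group has no uniqueMember attribute")
    uuids = attrs.get("entryuuid", [])
    if len(uuids) != 1 or not uuids[0]:
        # Missing entryUUID is the condition the KB lists as required for
        # adding OpenLDAP objects to vsphere.local groups.
        problems.append("missing entryUUID")
    return problems


def check_ldif(text):
    """Map each DN in the LDIF text to its list of violations."""
    return {dn: check_entry(attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(f"{dn}: {'OK' if not problems else '; '.join(problems)}")
```

In the sample data the awsadmins group (the group from the log extract) is flagged for a missing entryUUID, and the posixGroup entry is flagged for the wrong objectClass; both would need to be corrected in the directory before the group can be added to “CloudAdminGroup”.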