1. Run the command below to list the groups that the SSO admin account is a member of:
ldapsearch -h localhost -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w 'SSOAdminPassword' -b "cn=administrator,cn=users,dc=vsphere,dc=local" memberOf
2. If the cn=Administrators,cn=Builtin line shown in the sample output below is missing from your output, the SSO admin is not a member of the administrators group and we have to add it:
# extended LDIF
#
# LDAPv3
# base <cn=administrator,cn=users,dc=vsphere,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: memberOf
#
# Administrator, Users, vsphere.local
dn: cn=Administrator,cn=Users,dc=vsphere,dc=local
memberOf: cn=Users,cn=Builtin,dc=vsphere,dc=local
memberOf: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
memberOf: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
memberOf: CN=ComponentManager.Administrators,DC=vsphere,DC=local
memberOf: CN=SystemConfiguration.BashShellAdministrators,DC=vsphere,DC=local
memberOf: CN=SystemConfiguration.Administrators,DC=vsphere,DC=local
memberOf: CN=LicenseService.Administrators,DC=vsphere,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
3. We can add it directly from the vCenter UI using any account that is a member of the administrators group, most probably an AD account from the customer side. To add the missing admin permissions from the CLI, use ldapmodify as in the example below:
ldapmodify -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W << EOF
dn: CN=SystemConfiguration.Administrators,dc=vsphere,dc=local
changetype: modify
add: member
member: CN=Administrators,CN=Builtin,dc=vsphere,dc=local
EOF
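
The check in step 2 can be scripted. The following is an added example, not part of the original procedure: it reads ldapsearch LDIF output on stdin and reports whether one exact group DN appears in memberOf, unfolding wrapped lines and comparing DNs case-insensitively so that entries such as CN=SystemConfiguration.Administrators do not count as a match. The helper name has_member_of and the sample LDIF are constructed for illustration.

```shell
# Added example: exact-match check of memberOf values in ldapsearch LDIF output.
# Usage: <ldapsearch command from step 1> | has_member_of "<group DN>"
# Returns 0 if the DN is listed in memberOf, 1 otherwise.
# Assumptions: DNs compare case-insensitively; base64 values (memberOf::) are not decoded.
has_member_of() {
  WANT="$1" awk '
    function norm(s) {            # lower-case, drop spaces around "," and "="
      s = tolower(s)
      gsub(/[ \t]*,[ \t]*/, ",", s); gsub(/[ \t]*=[ \t]*/, "=", s)
      gsub(/^[ \t]+|[ \t]+$/, "", s)
      return s
    }
    function check(l) {           # "memberOf: " is 10 characters long
      if (tolower(l) ~ /^memberof: / && norm(substr(l, 11)) == w) found = 1
    }
    BEGIN { w = norm(ENVIRON["WANT"]) }
    /^ / { buf = buf substr($0, 2); next }   # LDIF continuation line: unfold
    { check(buf); buf = $0 }
    END { check(buf); exit(found ? 0 : 1) }
  '
}
# Constructed sample: membership present.
sample_ok() { cat <<'EOF'
dn: cn=Administrator,cn=Users,dc=vsphere,dc=local
memberOf: cn=Users,cn=Builtin,dc=vsphere,dc=local
memberOf: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
EOF
}
# Constructed sample: Administrators line absent; a grep for "Administrators" would still match.
sample_missing() { cat <<'EOF'
dn: cn=Administrator,cn=Users,dc=vsphere,dc=local
memberOf: cn=Users,cn=Builtin,dc=vsphere,dc=local
memberOf: CN=SystemConfiguration.Administrators,DC=vsphere,DC=local
EOF
}
# Constructed sample: same membership, different case, value folded onto a continuation line.
sample_folded() { cat <<'EOF'
dn: cn=Administrator,cn=Users,dc=vsphere,dc=local
memberOf: CN=Administrators,CN=Builtin,DC=vsph
 ere,DC=local
EOF
}

GROUP='cn=Administrators,cn=Builtin,dc=vsphere,dc=local'
for s in sample_ok sample_missing sample_folded; do
  if "$s" | has_member_of "$GROUP"; then echo "$s: member"; else echo "$s: NOT a member"; fi
done
```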