"invalid credentials LDAP Error 49" error when starting the Inventory Service in vCenter Server 6.x

Article ID: 315417

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
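Disclaimer: This article is a translation of "invalid credentials LDAP Error 49" error when starting Inventory Services in vCenter Server 6.x (2147280). Although we continually strive to provide the best translation of this article, localized content may be out of date. For the latest content, see the English version.

  • The Inventory Service fails to start.
  • In the inv-svc.log file, you see entries similar to: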

    2016-09-21T17:58:16.963Z [WrapperListener_start_runner INFO com.vmware.cis.lotus.LdapConnectionFactory opId=] Creating LDAP connection factory for Lotus host: ldaptestserver.com port: 636
    2016-09-21T17:58:16.970Z [WrapperListener_start_runner INFO com.vmware.cis.lotus.LdapConnectionFactory opId=] Creating new connection
    2016-09-21T17:58:16.972Z [WrapperListener_start_runner INFO com.vmware.cis.lotus.LotusLocator opId=] Successfully refreshed machine account credentials
    2016-09-21T17:58:16.985Z [WrapperListener_start_runner INFO com.vmware.identity.interop.ldap.LinuxLdapClientLibrary opId=] SSL library initialized successfully
    2016-09-21T17:58:17.163Z [WrapperListener_start_runner WARN com.vmware.identity.interop.ldap.LdapErrorChecker opId=] Error received by LDAP client: com.vmware.identity.interop.ldap.LinuxLdapClientLibrary, error code: 49
    2016-09-21T17:58:17.163Z [WrapperListener_start_runner ERROR com.vmware.cis.lotus.LdapUtils opId=] Failed to connect to LDAP; uri: ldaps://ldaptestserver.com:636
    2016-09-21T17:58:17.166Z [WrapperListener_start_runner WARN org.springframework.context.support.ClassPathXmlApplicationContext opId=] Exception encountered during context initialization - cancelling refresh attempt
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'vlsi-server' defined in class path resource [server/config/server-config.xml]: Cannot create inner bean 'com.vmware.vim.vmomi.server.http.impl.FilterImpl#2ad6d4be' of type [com.vmware.vim.vmomi.server.http.impl.FilterImpl] while setting bean property 'filters' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.vmware.vim.vmomi.server.http.impl.FilterImpl#2ad6d4be' defined in class path resource[server/config/server-config.xml]: Cannot resolve reference to bean 'authFilter' while setting bean property 'filter'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authFilter' defined in class path resource [server/config/server-config.xml]: Cannot resolve reference to bean 'authChecker' while setting bean property 'authChecker'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authChecker' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'userSessionManager' while setting bean property 'userSessionManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'userSessionManager' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'authorizationManager' while setting bean property 'authorizationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizationManager' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'authProvider' while setting bean property 'dataProvider'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authProvider' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'memCache' while setting bean property 'parentChainCache'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'memCache' defined in class path resource [server/config/security-config.xml]: Cannot resolve reference to bean 'globalAclLotusCache' while setting bean property 'globalAclLotusCache'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'aclLotusInitializer' defined in class path resource [server/config/authorization-config.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [com.vmware.vim.query.server.accesscontrol.impl.LotusInitializer]: Constructor threw exception; nested exception is java.lang.RuntimeException: com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials LDAP error [code: 49]
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:287)


    Note: The inv-svc.log file is located at:
    • vCenter Server Appliance: /var/log/vmware/invsvc/
    • vCenter Server installed on Windows: %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\invsvc\

  • In the vmdird-syslog.log file, you see entries similar to:

    2016-09-21T18:47:48.024511+00:00 err vmdird t@140107551946496: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
    2016-09-21T18:47:48.024533+00:00 err vmdird t@140107551946496: VmDirSendLdapResult: Request (96), Error (49), Message ((49)(SASL step failed.)), (0) socket ([17] 10.105.217.85:389<-10.105.212.102:54753)
    2016-09-21T18:47:48.024538+00:00 err vmdird t@140107551946496: Bind Request Failed ([17] 10.105.217.85:389<-10.105.212.102:54753) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163


    Note: The vmdird-syslog.log file is located at:
    • vCenter Server Appliance: /var/log/vmware/vmdird/vmdird-syslog.log
    • vCenter Server installed on Windows: "%VMWARE_LOG_DIR%"\vmdird\vmdir.log
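
The account that needs its password reset is the Bind DN in the error 49 lines of the vmdird log. The shell function below is an added example, not part of the original article or of VMware's tooling: it counts those failures per client address and Bind DN. The function names are hypothetical, only the first sample line comes from the excerpt above (the rest are constructed), and the field layout is assumed to match that excerpt.

```shell
#!/bin/sh
# Added example: summarize LDAP error 49 bind failures in a vmdird log.
# Output: count<TAB>client_ip<TAB>bind_dn, most frequent first.

summarize_bind_failures() {
    # $1: log path, e.g. /var/log/vmware/vmdird/vmdird-syslog.log
    awk '
        /Bind Request Failed/ && /error 49:/ {
            dn = ""; client = ""
            # The account is the quoted string after "Bind DN: " (10 chars).
            if (match($0, /Bind DN: "[^"]*"/))
                dn = substr($0, RSTART + 10, RLENGTH - 11)
            # Sockets are logged as server:port<-client:port; keep the client IP.
            if (match($0, /<-[0-9.]+:[0-9]+/)) {
                client = substr($0, RSTART + 2, RLENGTH - 2)
                sub(/:[0-9]+$/, "", client)
            }
            if (dn != "") count[client "\t" dn]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$1" | sort -t "$(printf '\t')" -k1,1nr -k2
}

write_sample_log() {
    # $1: file to create. First line is from the article; the rest are constructed.
    cat > "$1" <<'EOF'
2016-09-21T18:47:48.024538+00:00 err vmdird t@140107551946496: Bind Request Failed ([17] 10.105.217.85:389<-10.105.212.102:54753) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163
2016-09-21T18:48:03.114201+00:00 err vmdird t@140107551946496: Bind Request Failed ([18] 10.105.217.85:389<-10.105.212.102:54790) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163
2016-09-21T18:48:09.502811+00:00 err vmdird t@140107551946496: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure)
2016-09-21T18:48:09.502877+00:00 err vmdird t@140107551946496: Bind Request Failed ([19] 10.105.217.85:389<-192.0.2.10:40112) error 49: Protocol version: 3, Bind DN: "cn=otherhost.example.com,ou=Computers,dc=vsphere,dc=local", Method: 163
EOF
}

# With a path argument, summarize that file; with none, run on the sample.
if [ "$#" -gt 0 ]; then
    summarize_bind_failures "$1"
else
    sample=$(mktemp) && write_sample_log "$sample"
    summarize_bind_failures "$sample"
    rm -f "$sample"
fi
```

A single machine account failing repeatedly from the vCenter Server address matches the cause described below; failures spread across many accounts or clients are a different situation from the one this article covers.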


Environment

VMware vCenter Server 6.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.5.x

Cause

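This issue occurs when the Inventory Service loses trust because the password in vmdird for the account listed in the vmdird-syslog.log file does not match.

This issue can occur if vCenter Server is restored to an earlier version from a backup or an old snapshot.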

Resolution

To resolve this issue, reset the password for the user account listed in the vmdird-syslog.log file.
 
vCenter Server Appliance
  1. Create snapshots of the vCenter Server and the Platform Services Controller.
  2. Connect to the Platform Services Controller over SSH using root credentials.
  3. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  4. Type shell and press Enter.
  5. Run this command to open vdcadmintool:

    /usr/lib/vmware-vmdir/bin/vdcadmintool

    The following options are displayed:
    ================================
    Please select:
    0. exit
    1. Test LDAP connectivity
    2. Force start replication cycle
    3. Reset account password
    4. Set log level and mask
    5. Set vmdir state
    ================================

     
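  6. Select option 3.
  7. Enter the user account listed in the vmdird-syslog.log file.

    Note: This is the machine account in FQDN@SSO Domain format.

    For example:

    [email protected]

  8. Enter a new password for this user.
  9. Connect to the vCenter Server Appliance over SSH using root credentials.
  10. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  11. Type shell and press Enter.
  12. Run these commands to update the password: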

    /opt/likewise/bin/lwregshell
    cd HKEY_THIS_MACHINE\services\vmdir\
    set_value dcAccountPassword "new password"
    quit

     
  13. Restart the vCenter Server Appliance services. For more information, see Stopping, starting, or restarting VMware vCenter Server Appliance 6 services (2109887).

vCenter Server installed on Windows
  1. Create snapshots of the vCenter Server and the Platform Services Controller.
  2. Open an elevated command prompt on the Platform Services Controller.
  3. Run this command:

    %VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe

    The following options are displayed:

    ================================
    Please select:
    0. exit
    1. Test LDAP connectivity
    2. Force start replication cycle
    3. Reset account password
    4. Set log level and mask
    5. Set vmdir state
    ================================

     
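  4. Select option 3.
  5. Enter the user account listed in the vmdir.log file.

    Note: This is the machine account in FQDN@SSO Domain format.

    For example:

    [email protected]

  6. Connect to the vCenter Server and open regedit.

    Note: Before making any registry changes, ensure that you have a current, valid backup of the registry and of the virtual machine. For more information on backing up and restoring the registry, see Microsoft article 136393.

  7. Navigate to: HKLM\System\CurrentControlset\Services\VMwareDirectoryService\

  8. Update the password in the dcAccountPassword key.
  9. Save the changes and exit.
  10. Restart the vCenter Server services. For more information, see Stopping, starting, or restarting VMware vCenter Server 6.x services (2109881).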


Additional Information

"invalid credentials LDAP Error 49" error when starting Inventory Services in vCenter Server 6.x