· When UAA authentication is configured with multiple space-separated LDAP URLs, you see the error below when you save:
500 An error occurred.
URI::InvalidURIError
bad URI(is not URI?): "ldaps://ldap1_fqnd ldaps:// ldap2_fqdn ldaps:// ldap3_fqdn"
· You are unable to apply changes to install/upgrade PKS as the UAA configuration is not saved.
· You do not see this error when you provide a single LDAP server for UAA authentication.
Multiple LDAP servers are supported in PKS. However, for PKS 1.6 the LDAPBindVerifier option was added in Ops Manager. This option verifies that the specified LDAP server exists and that the provided credentials are valid. Unfortunately, with the current Ops Manager (2.7.x), this verifier works with a single LDAP server only.
This issue is set to be resolved in upcoming Ops Manager versions.
To work around this issue, you can use a single LDAP server and proceed with PKS install/upgrade.
If you would like to use multiple LDAP servers in PKS, disable the LDAPBindVerifier option in Ops Manager to skip the validation.
1. Get the Ops Manager bearer token for the admin user by following the steps below:
a. Install uaac on the Ops Manager VM or a client machine and target your Ops Manager IP:
ubuntu@pks-client:~$ uaac target https://YOUR_OPSMAN_IP/uaa --skip-ssl-validation
Unknown key: Max-Age = 86400
Target: https://192.168.20.26/uaa
b. Log in to your Ops Manager with the client name opsman and an empty client secret:
ubuntu@pks-client:~$ uaac token owner get
Client ID: opsman
Client secret:
User name: admin
Password: ********************
Successfully fetched token via owner password grant.
Target: https://192.168.20.26/uaa
Context: admin, from client opsman
c. Retrieve your Ops Manager access token for the admin user:
ubuntu@pks-client:~$ uaac context
2. Export the bearer token you collected in the previous step:
export BEARER="token"
3. Get the staged product info by running:
curl -k "https://opsmgr-ip/api/v0/staged/products" -X GET -H "Authorization: Bearer $BEARER"|jq .
4. Disable the LDAPBindVerifier by running:
curl -k "https://opsmgr-ip/api/v0/staged/products/pivotal-container-service-<id>/verifiers/install_time/LDAPBindVerifier" -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer $BEARER" -d '{ "enabled": false }'; echo
5. The expected response is: {}
6. Run the command below and confirm that LDAPBindVerifier now shows enabled: false.
curl -k "https://opsmgr-ip/api/v0/staged/products/pivotal-container-service-<id>/verifiers/install_time" -X GET -H "Authorization: Bearer $BEARER"|jq .
7. Now provide the multiple LDAP URLs in the UAA configuration tab in PKS and click Save.
8. You will still see the 500 error in the Ops Manager UI; ignore this error and proceed with Apply Changes.
9. Confirm that you are able to install/upgrade PKS.
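The following script automates steps 2 to 6 of the workaround in one run. It is an added example, not part of this article and not a Pivotal tool: it lists the staged products, finds the pivotal-container-service GUID, PUTs {"enabled": false} to the LDAPBindVerifier and then reads the verifiers back to confirm. It reads the token from the same BEARER variable exported in step 2. The response shapes it parses (a list of objects with "type" and "guid" keys for staged products, and {"verifiers": [{"type": ..., "enabled": ...}]} for the verifier list) and the sample data in it are assumptions, not taken from the article; check the key names against your Ops Manager version.

```python
#!/usr/bin/env python3
"""Disable the LDAPBindVerifier on the staged PKS tile through the Ops Manager API.

Added example, not from the KB article. Automates steps 2-6: list staged products,
find the pivotal-container-service GUID, PUT {"enabled": false} to the verifier,
then GET the verifiers and confirm. The response key names below ("type", "guid",
"verifiers", "enabled") are assumptions about the API; adjust if your version differs.
"""
import argparse
import json
import os
import ssl
import urllib.request

VERIFIER = "LDAPBindVerifier"
PKS_PRODUCT_TYPE = "pivotal-container-service"

# Constructed sample responses (not real Ops Manager output) in the assumed shape, for offline use.
SAMPLE_STAGED_PRODUCTS = [
    {"installation_name": "p-bosh", "guid": "p-bosh-0d1f2e3a", "type": "p-bosh"},
    {"installation_name": "pivotal-container-service-ab12cd34",
     "guid": "pivotal-container-service-ab12cd34", "type": "pivotal-container-service"},
]
SAMPLE_VERIFIERS_BEFORE = {"verifiers": [{"type": "LDAPBindVerifier", "enabled": True}]}
SAMPLE_VERIFIERS_AFTER = {"verifiers": [{"type": "LDAPBindVerifier", "enabled": False}]}


def find_product_guid(staged_products, product_type=PKS_PRODUCT_TYPE):
    """Return the GUID of the staged product of the given type, or None if it is not staged."""
    for product in staged_products:
        if product.get("type") == product_type:
            return product["guid"]
    return None


def verifier_path(guid, verifier=VERIFIER):
    """API path of one install-time verifier on a staged product (the PUT/GET target of steps 4 and 6)."""
    return f"/api/v0/staged/products/{guid}/verifiers/install_time/{verifier}"


def verifier_enabled(verifiers_response, verifier=VERIFIER):
    """Return the 'enabled' flag reported for the named verifier; KeyError if it is absent."""
    for entry in verifiers_response.get("verifiers", []):
        if entry.get("type") == verifier:
            return bool(entry.get("enabled"))
    raise KeyError(f"verifier {verifier} not present in response")


def tls_context(cacert=None, insecure=False):
    """Verify the Ops Manager certificate by default; --insecure mirrors curl -k for self-signed setups."""
    ctx = ssl.create_default_context(cafile=cacert)
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def api_call(opsman, path, token, ctx, method="GET", body=None):
    """Send one authenticated Ops Manager API request and return the decoded JSON ({} for an empty body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{opsman}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def disable_ldap_bind_verifier(opsman, token, ctx):
    """Steps 3-6 of the procedure; returns the verifier's 'enabled' value read back after the change."""
    staged = api_call(opsman, "/api/v0/staged/products", token, ctx)
    guid = find_product_guid(staged)
    if guid is None:
        raise SystemExit("no staged pivotal-container-service product found")
    api_call(opsman, verifier_path(guid), token, ctx, method="PUT", body={"enabled": False})
    verifiers = api_call(opsman, f"/api/v0/staged/products/{guid}/verifiers/install_time", token, ctx)
    return verifier_enabled(verifiers)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    parser.add_argument("opsman", help="Ops Manager host or IP")
    parser.add_argument("--cacert", help="CA bundle that signed the Ops Manager certificate")
    parser.add_argument("--insecure", action="store_true", help="skip TLS verification (like curl -k)")
    args = parser.parse_args()
    token = os.environ.get("BEARER")  # the variable exported in step 2 of the article
    if not token:
        raise SystemExit("set BEARER to the Ops Manager access token from 'uaac context'")
    still_enabled = disable_ldap_bind_verifier(args.opsman, token, tls_context(args.cacert, args.insecure))
    print("LDAPBindVerifier enabled:", still_enabled)
```

Run it as `BEARER="token" python3 disable_ldap_bind_verifier.py YOUR_OPSMAN_IP --cacert opsman-ca.pem`; the script reports `LDAPBindVerifier enabled: False` once the change has taken effect, which is the same check as step 6. Unlike the curl commands above, it verifies the Ops Manager TLS certificate by default, so pass `--insecure` only if you deliberately accept the equivalent of `-k`.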
For more information, see:
Retrieve bearer token: https://docs.pivotal.io/pivotalcf/2-5/opsman-api/#the-basics
Turning off a verifier for Ops Manager: https://docs.pivotal.io/pivotalcf/2-5/opsman-api/#turning-off-a-verifier-for-a-specific-product