Active Directory user login to NSX Manager fails with error stating "Your login attempt was not successful. Unable to contact the LDAP Server." after changes to LDAP Server certificates.
Article ID: 369799
Products
VMware NSX
Issue/Introduction
When the LDAPS certificate on an Active Directory domain controller is replaced or renewed, the LDAP server configuration in NSX Manager must be updated to match it. Until that is done, logging into NSX Manager with an AD user fails with the message "Your login attempt was not successful. Unable to contact the LDAP Server."
In the NSX UI, the Connection Status test for the affected LDAP server(s) under System > User Management > LDAP also fails.
Environment
VMware NSX-T Data Center
VMware NSX
Cause
NSX Manager fails to connect to an LDAP server when the certificate stored in its LDAP server configuration does not match the certificate the server now presents on the TLS connection. Other problems produce the same symptom (incorrect bind credentials, network or firewall issues, and so on), but this article covers only the case where the certificate information NSX has stored for an LDAP server differs from the certificate the LDAP server is currently using.
Resolution
1. Ensure that NSX Manager can reach the LDAP server on port 636 (LDAPS). From the NSX Manager command line, test with netcat: "nc -vz <LDAP server FQDN or IP> 636". If the connection fails, troubleshoot the network path first; a certificate mismatch cannot be diagnosed until the TCP connection succeeds.
2. Obtain the certificate the LDAP server currently presents: "openssl s_client -connect <LDAP server FQDN or IP>:636 -showcerts". The first certificate block in the output is the server's own certificate; any blocks after it are the issuing CA chain.
3. Compare the subject, issuer, validity dates and thumbprint from that output with the certificate saved in NSX Manager. Log in to the NSX Manager UI as admin, navigate to System > User Management > LDAP, and expand the details of the LDAP server.
4. After confirming that the certificate information does not match, edit the LDAP server configuration in NSX Manager. Paste in the new certificate obtained in step 2, fill in the credentials for the LDAP server, click Add at the bottom, then Save. Repeat for every configured LDAP server whose certificate has changed.
5. Verify that the connection now succeeds by refreshing the Connection Status test.
6. Confirm that the AD user(s) from that LDAP server can log into NSX Manager successfully.
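The connectivity check, certificate fetch and comparison from the steps above, scripted as an added example that is not part of the original article or of the NSX product. It assumes openssl, nc and awk are available on the host it runs from (NSX Manager's command line, or any machine that can reach the LDAP server); the host name dc01.corp.example, the port and the fingerprints are placeholders, and the self-signed certificate it generates is a locally constructed stand-in for a domain controller's LDAPS certificate so that the logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original article: compare the certificate an LDAP
# server presents on 636 with a fingerprint recorded from the certificate NSX
# Manager has stored. Host names, ports and fingerprints are placeholders.
set -eu

# Step 1: can the LDAPS port be reached at all? (nc -vz, as in the article.)
check_port() {
  nc -vz "$1" "${2:-636}" >/dev/null 2>&1
}

# Keep only the first PEM block from "openssl s_client -showcerts" output: that is
# the server's own (leaf) certificate; later blocks are the issuing CA chain.
extract_leaf_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {exit}'
}

# Step 2: fetch the leaf certificate from a live server (needs network access).
fetch_leaf_pem() {
  openssl s_client -connect "$1:${2:-636}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | extract_leaf_pem
}

# Fields to compare against System > User Management > LDAP in the NSX UI.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Fingerprint as bare uppercase hex, so "ab:cd" and "ABCD" compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

cert_fingerprint() {
  normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)"
}

# Step 3: exit 0 if PEM file $1 has SHA-256 fingerprint $2, non-zero otherwise.
fingerprint_matches() {
  [ "$(cert_fingerprint "$1")" = "$(normalize_fp "$2")" ]
}

# --- constructed sample so the logic can run offline ---------------------------
# A throwaway self-signed certificate stands in for the domain controller's LDAPS
# certificate. It is generated locally; it is not a real DC certificate.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dc01.corp.example" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Wrap a PEM file in the lines s_client prints around it, imitating step 2's output.
fake_s_client_output() {
  printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
    ' 0 s:CN = dc01.corp.example' '   i:CN = dc01.corp.example'
  cat "$1"
  printf '%s\n' '---' 'Server certificate' 'subject=CN = dc01.corp.example' '---'
}

# Offline walk-through: returns 0 when the extracted leaf matches the "stored"
# fingerprint and a tampered fingerprint is rejected.
demo() {
  dir=$(mktemp -d)
  make_sample_cert "$dir"
  stored=$(cert_fingerprint "$dir/cert.pem")   # what NSX Manager would have on file
  fake_s_client_output "$dir/cert.pem" | extract_leaf_pem > "$dir/leaf.pem"
  cert_summary "$dir/leaf.pem"
  fingerprint_matches "$dir/leaf.pem" "$stored" || { rm -rf "$dir"; return 1; }
  if fingerprint_matches "$dir/leaf.pem" "00:11:22:33"; then rm -rf "$dir"; return 1; fi
  rm -rf "$dir"
  return 0
}

# Live use: ./ldap-cert-check.sh <LDAP host> <fingerprint stored in NSX> [port]
if [ $# -ge 2 ]; then
  host=$1; stored=$2; port=${3:-636}
  check_port "$host" "$port" || { echo "cannot reach $host:$port; fix networking first"; exit 2; }
  tmp=$(mktemp -d)
  fetch_leaf_pem "$host" "$port" > "$tmp/leaf.pem"
  cert_summary "$tmp/leaf.pem"
  if fingerprint_matches "$tmp/leaf.pem" "$stored"; then
    echo "MATCH: NSX has the current certificate"
  else
    echo "MISMATCH: update the LDAP server certificate in NSX Manager (step 4)"
  fi
  rm -rf "$tmp"
fi
```

The summary output includes notAfter, which is worth recording: domain controllers that auto-enroll from an enterprise CA renew their certificates periodically, so the same login failure will recur unless NSX is updated again before the next renewal. If the LDAP server is configured for StartTLS on 389 rather than LDAPS on 636, add "-starttls ldap" to the openssl s_client command and change the port; the extraction and comparison are unchanged.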