Cannot configure identity source due to Failed to probe provider connectivity: " Caused by: Can't contact LDAP server " while configuring Open LDAP.

Article ID: 374879

Products

VMware vCenter Server 7.0

Issue/Introduction

  • While configuring OpenLDAP as an identity source on the vCenter Server using the vSphere Client, the following error occurs:

"Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://XXXXX:636 ]; tenantName [XXXXX.XXXX], userName [cn=XXXX,dc=ad,dc=XXXX,dc=XX] Caused by: Can't contact LDAP server"




  • In the /var/log/vmware/sso/ssoAdminServer.log file on the vCenter Server (EAM), confirm that entries similar to the following are present:

YYYY-MM-DDThh:mm:ssZ ERROR ssoAdminServer[103:pool-2-thread-2] [OpId=lynipdlb-3402300-auto-20x8e-h5:70125843] [com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Failed to probe provider connectivity [URI: ldap:// < primary  < secondary LDAP server FQDN/IP >:636ldap:// <  secondary LDAP server FQDN/IP >:636 ]; tenantName [nnn.com], userName [cn=Manager,dc=nnn,dc=com]
at com.vmware.identity.idm.server.IdentityManager.probeProviderConnectivity(IdentityManager.java:2979) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.setProvider(IdentityManager.java:2646) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.setProvider(IdentityManager.java:10005) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.client.CasIdmClient.setProvider(CasIdmClient.java:944) ~[vmware-identity-idm-client-7.0.0.jar:?]
at com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl.updateLdapAuthnType(IdentitySourceManagementImpl.java:601) [sso-adminserver-7.0.0.jar:?]
at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:334) [sso-adminserver-7.0.0.jar:?]

    ....

YYYY-MM-DDThh:mm:ssZ ERROR ssoAdminServer[124:pool-2-thread-10] [OpId=lynipdlb-3402330-auto-20x9a-h5:70125852] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Error when trying to parse validity date java.text.ParseException: Unparseable date: "20530709170747Z"
at java.text.DateFormat.parse(DateFormat.java:366) ~[?:1.8.0_402]
at com.vmware.identity.interop.ldap.OpenLdapClientLibrary$SslCertVerify.datesAreValid(OpenLdapClientLibrary.java:229) [vmware-identity-platform-7.0.0.jar:?]
at com.vmware.identity.interop.ldap.OpenLdapClientLibrary$SslCertVerify.checkValidity(OpenLdapClientLibrary.java:214) [vmware-identity-platform-7.0.0.jar:?]
at com.vmware.identity.interop.ldap.OpenLdapClientLibrary$SslCertVerify.callback(OpenLdapClientLibrary.java:169) [vmware-identity-platform-7.0.0.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_402]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_402]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_402]


Environment

vCenter Server - 7.0.x

vCenter Server - 8.0.x

Cause

  • This issue occurs when the LDAP certificate is issued with an expiry date more than 10 years after the certificate's issue date.
    • Example: In the log snippet above, the certificate expiry date was set to 2053.

Resolution

Regenerate the LDAP certificate with an expiration date not exceeding 10 years.

  • When using OpenSSL, a command similar to the one below can be used to regenerate the certificates.
  • Otherwise, submit the key and CSR file to the third-party CA to obtain a signed certificate with an expiration date of no more than 10 years.
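
One way to check a certificate against the 10-year limit before adding the identity source, and to issue a self-signed replacement with OpenSSL. This is an added example, not a command from the original article; the function names, the `ldap-cert.pem` file name and the 3653-day threshold are assumptions, and GNU `date` is required.

```bash
#!/usr/bin/env bash
# Added example: helper names are hypothetical; requires GNU date (and OpenSSL for regen).
LIMIT_DAYS=3653   # assumption: 10 calendar years, allowing for up to three leap days

# Read `openssl x509 -noout -dates` output on stdin; print the validity span in whole days.
validity_days() {
    local line nb="" na="" s e
    while IFS= read -r line; do
        case "$line" in
            notBefore=*) nb=${line#notBefore=} ;;
            notAfter=*)  na=${line#notAfter=} ;;
        esac
    done
    [ -n "$nb" ] && [ -n "$na" ] || { echo "missing notBefore/notAfter" >&2; return 2; }
    s=$(date -u -d "$nb" +%s) || return 2
    e=$(date -u -d "$na" +%s) || return 2
    echo $(( (e - s) / 86400 ))
}

# Return 0 when the span is within the limit, 1 when it is too long, 2 on a parse error.
check_validity() {
    local days
    days=$(validity_days) || return 2
    if [ "$days" -gt "$LIMIT_DAYS" ]; then
        echo "FAIL: validity is $days days (limit $LIMIT_DAYS)"
        return 1
    fi
    echo "OK: validity is $days days"
}

# Issue a self-signed certificate valid for 3650 days, which is just under 10 years.
# Arguments: subject CN, key output path, certificate output path.
regen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Usage against the certificate file presented by the LDAP server:
#   openssl x509 -noout -dates -in ldap-cert.pem | check_validity
```

For a CA-signed certificate, apply the same check to the certificate the CA returns before installing it on the LDAP server.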

 
