NSX LDAPs Server - Connection Status Failed

Article ID: 382741


Products

VMware NSX

Issue/Introduction

  • An LDAPS authentication provider is configured in NSX.
  • In the NSX user interface, User Management > LDAP > Connection Status shows "Failed".
  • This may be a new configuration, or the certificates may have been updated.
  • The certificate's CRL Distribution Point (CDP) is accessed over LDAP.
  • The NSX Manager logs show the following warning:

/var/log/proton/nsxapi.log
[TIMESTAMP]  WARN http-nio-exec-46 CrlWebDirectFetcher SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="[UUID]" subcomp="manager" username="[USERNAME]"] Couldn't get LDAP context from URI ldap:///CN=[CN],CN=[CN],CN=[CN],CN=[CN],CN=Services,CN=[CN],DC=[DC],DC=[DC
javax.naming.CommunicationException: [HOSTNAME].:389
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:243) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2849) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[?:1.8.0_382]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[?:1.8.0_382]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695) ~[?:1.8.0_382]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_382]
        at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_382]
        at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_382]
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_382]
        at com.vmware.nsx.management.security.CrlWebDirectFetcher.downloadCrlFromLdap(CrlWebDirectFetcher.java:110) ~[nsx-trustmanager-1.0.jar:?]

  • The following API call shows that CRL checking is enabled:

GET https://<manager>/api/v1/global-configs/SecurityGlobalConfig 
{
    "crl_checking_enabled": true,
    "ca_signed_only": false,
    "eku_checking_enabled": true,
    "id": "[UUID]",
    "_create_time": [TIME],
    "_create_user": "system",
    "_last_modified_time": [TIME],
    "_last_modified_user": "system",
    "_protection": "NOT_PROTECTED",
    "_revision": 0
}
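To triage this symptom from the log rather than by eye, the following Python script (an added example, not part of this article or of NSX) scans nsxapi.log text for the CrlWebDirectFetcher warning shown above, pulls out the LDAP CDP URI and the DN it names, and pairs it with the host:port from the javax.naming.CommunicationException line that follows. The log lines embedded in SAMPLE_LOG are constructed to match the format above; the hostnames and DN in them are assumptions.

```python
import re

# Constructed sample of /var/log/proton/nsxapi.log content (not a real capture).
# The second record mirrors the CrlWebDirectFetcher warning format from the article.
SAMPLE_LOG = """\
2024-05-01T10:15:30.123Z  INFO http-nio-exec-12 LdapAuthProvider SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Testing LDAP connection
2024-05-01T10:15:31.456Z  WARN http-nio-exec-46 CrlWebDirectFetcher SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="11111111-2222-3333-4444-555555555555" subcomp="manager" username="admin"] Couldn't get LDAP context from URI ldap:///CN=Example-CA,CN=dc01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com
javax.naming.CommunicationException: dc01.example.com.:389
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:243) ~[?:1.8.0_382]
        at com.vmware.nsx.management.security.CrlWebDirectFetcher.downloadCrlFromLdap(CrlWebDirectFetcher.java:110) ~[nsx-trustmanager-1.0.jar:?]
"""

# The warning record: timestamp, WARN, thread, the CrlWebDirectFetcher class, then the LDAP URI.
CRL_LDAP_WARN = re.compile(
    r"^(?P<ts>\S+)\s+WARN\s+(?P<thread>\S+)\s+CrlWebDirectFetcher\s.*?"
    r"Couldn't get LDAP context from URI\s+(?P<uri>ldaps?://\S.*?)\s*$"
)
# The exception line names the host:port the JNDI client actually tried to reach.
COMM_EXC = re.compile(r"^javax\.naming\.CommunicationException:\s+(?P<endpoint>\S+)\s*$")


def find_ldap_cdp_failures(log_text: str) -> list:
    """Return one finding per CRL-over-LDAP fetch failure in the log text."""
    findings = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = CRL_LDAP_WARN.match(line)
        if not m:
            continue
        uri = m.group("uri")
        # ldap:///<dn> carries no host part (RFC 4516 makes it optional), so the
        # client picks a server itself; the DN after the slashes is the CDP object.
        dn = uri.split("://", 1)[1].lstrip("/")
        finding = {
            "timestamp": m.group("ts"),
            "cdp_uri": uri,
            "scheme": uri.split(":", 1)[0],
            "dn": dn,
            "endpoint": None,
        }
        # The CommunicationException is printed right after the warning.
        for follow in lines[i + 1:i + 4]:
            e = COMM_EXC.match(follow)
            if e:
                finding["endpoint"] = e.group("endpoint")
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_ldap_cdp_failures(SAMPLE_LOG):
        print(f"{f['timestamp']}: CRL fetch over {f['scheme']} failed "
              f"(endpoint {f['endpoint']}); CDP object: {f['dn']}")
```

Any finding with scheme ldap confirms the condition this article describes (an LDAP-hosted CDP), which points to the Resolution section rather than to a network problem on port 389. Run it against the real file with `find_ldap_cdp_failures(open("/var/log/proton/nsxapi.log").read())`.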

Environment

VMware NSX

VMware NSX-T Data Center

Resolution

VMware NSX does not currently support LDAP-hosted CDPs.

Workaround:

  • Option 1:
    • Use a certificate whose CDP is an HTTP URL.
  • Option 2:
    • Disable CRL checking.
      • Confirm the current configuration:

GET https://<manager>/api/v1/global-configs/SecurityGlobalConfig

{
    "crl_checking_enabled": true,
    "ca_signed_only": false,
    "eku_checking_enabled": true,
    "id": "[UUID]",
    "_create_time": [TIME],
    "_create_user": "system",
    "_last_modified_time": [TIME],
    "_last_modified_user": "system",
    "_protection": "NOT_PROTECTED",
    "_revision": 0
}

      • Disable CRL checking: copy the output of the GET call into the body of the PUT and change "crl_checking_enabled": true to "crl_checking_enabled": false.

PUT https://<manager>/api/v1/global-configs/SecurityGlobalConfig
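Option 2's GET-then-PUT sequence, written out as an added Python example (not part of this article or of the NSX product): it reads SecurityGlobalConfig, reports whether CRL checking is on, builds the PUT body by copying the GET response and flipping only crl_checking_enabled, and sends it back. It assumes the manager accepts HTTP basic authentication on the API and that the PUT body is the GET response with that one field changed, as the steps above describe; the manager hostname, credentials and the values in SAMPLE_GET_RESPONSE are constructed placeholders.

```python
import base64
import copy
import json
import ssl
import urllib.request

RESOURCE_PATH = "/api/v1/global-configs/SecurityGlobalConfig"

# Constructed copy of the GET output shown in the article (id and times are placeholders).
SAMPLE_GET_RESPONSE = {
    "crl_checking_enabled": True,
    "ca_signed_only": False,
    "eku_checking_enabled": True,
    "id": "00000000-0000-0000-0000-000000000000",
    "_create_time": 1700000000000,
    "_create_user": "system",
    "_last_modified_time": 1700000000000,
    "_last_modified_user": "system",
    "_protection": "NOT_PROTECTED",
    "_revision": 0,
}


def crl_checking_enabled(config: dict) -> bool:
    """The flag the article says to confirm before changing anything."""
    return bool(config.get("crl_checking_enabled", False))


def build_disable_crl_body(config: dict) -> dict:
    """PUT body = the GET response with crl_checking_enabled set to false.
    Every other field, including _revision (which NSX compares against the
    stored object to reject stale updates), is carried over unchanged."""
    body = copy.deepcopy(config)
    body["crl_checking_enabled"] = False
    return body


def _request(manager: str, path: str, method: str, auth_header: str,
             body=None, ctx=None) -> dict:
    """Minimal JSON request helper against https://<manager><path>."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{manager}{path}", data=data, method=method)
    req.add_header("Authorization", auth_header)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read())


def disable_crl_checking(manager: str, username: str, password: str,
                         cafile: str = None) -> dict:
    """GET the config; if CRL checking is on, PUT it back with the flag cleared.
    Returns the configuration as the manager reports it afterwards."""
    # Validate the manager's own certificate against cafile (or the system trust store).
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    auth = f"Basic {token}"
    current = _request(manager, RESOURCE_PATH, "GET", auth, ctx=ctx)
    if not crl_checking_enabled(current):
        return current  # nothing to change
    return _request(manager, RESOURCE_PATH, "PUT", auth,
                    body=build_disable_crl_body(current), ctx=ctx)


if __name__ == "__main__":
    # Assumed placeholder manager and credentials; replace before use.
    result = disable_crl_checking("nsx-manager.example.com", "admin", "CHANGE_ME",
                                  cafile="/path/to/nsx-manager-ca.pem")
    print("crl_checking_enabled is now:", crl_checking_enabled(result))
```

Re-running the GET after the PUT should show "crl_checking_enabled": false and an incremented _revision. Keep in mind what Option 2 trades away: with the flag off, NSX no longer checks whether the LDAPS server's certificate has been revoked, so Option 1 (an HTTP-based CDP) is the better long-term fix.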