"Cannot configure identity source due to Failed to probe provider connectivity... Caused by: Can't contact LDAP server" when attempting to edit an existing LDAP with SSL (LDAPS) configuration

Article ID: 401134


Products

VMware vCenter Server

Issue/Introduction

  • When attempting to edit an existing LDAP with SSL (LDAPS) identity source configuration on the vCenter Server using the vSphere Client in order to update or replace the existing certificates, the following error occurs:

    Cannot configure identity source due to Failed to probe provider connectivity [URI: ldaps://XXXXX:636 ]; tenantName [XXXXX.XXXX], userName [cn=XXXX,dc=ad,dc=XXXX,dc=XX] Caused by: Can't contact LDAP server.

Environment

vCenter Server 8.x
vCenter Server 7.x

Cause

This is an expected behavior from the vSphere Client. As per KB article 316596 - Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS):

"If updating or replacing the SSL certificate, the identity source must be removed and re-added." 

Resolution

Option 1:

To update or replace the existing LDAPS certificates, remove the existing identity source and re-add it using the new certificates.

Option 2:

Use the vCert tool to remove the old certificates and import the new ones, following these menu paths:

1. Remove the old/expired certificates:

  • 3. Manage certificates > 11. LDAPS Identity Source certificates > 2. Remove LDAP server certificate(s)
  • Select the specific certificate(s) to remove from the provided list.

2. Import new certificates:

  • 3. Manage certificates > 11. LDAPS Identity Source certificates > 1. Add LDAP server certificate(s)

Note: When adding certificates for more than one domain controller, import the first DC's certificate as the full certificate chain, then import the second DC's machine (leaf) certificate only. The full chain must be added first; the second DC's machine certificate is added after it.
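Before removing and re-adding the identity source (Option 1) or importing through vCert (Option 2), it is worth confirming what each domain controller actually serves on port 636: whether the certificate on the wire is the new one, whether it has already expired, and which file is the machine certificate versus the full chain that the note above distinguishes. The script below is an added example for the vCenter appliance shell and is not part of this article or of the vCert tool; the hostname dc01.ad.example.com and the output directory names are assumptions. It needs openssl, which is present on the appliance.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article or the vCert tool): inspect the
# certificate chain an LDAPS endpoint presents before re-adding it to vCenter.
set -euo pipefail

# Fetch every certificate the server sends in the TLS handshake on HOST:PORT
# as a PEM bundle. The server (machine) certificate comes first.
fetch_ldaps_chain() {
  local host="$1" port="${2:-636}"
  # -showcerts prints the whole chain; </dev/null closes the session at once.
  openssl s_client -connect "${host}:${port}" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle on stdin into DIR/cert-1.pem, cert-2.pem, ... and print
# the number of certificates found. cert-1.pem is the machine certificate the
# note above refers to; the unsplit bundle is the "full chain".
split_pem_bundle() {
  local dir="$1"
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  '
}

# Print subject, issuer and expiry for each split certificate, flag roots
# (subject == issuer) and warn about anything already expired.
describe_certs() {
  local dir="$1" f subj issuer
  for f in "$dir"/cert-*.pem; do
    [ -e "$f" ] || continue
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
    printf '%s\n  subject: %s\n  issuer:  %s\n  %s\n' \
      "$f" "$subj" "$issuer" "$(openssl x509 -in "$f" -noout -enddate)"
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
      echo "  WARNING: this certificate has expired"
    fi
    [ "$subj" = "$issuer" ] && echo "  (self-signed root)"
  done
}

# Usage: ./ldaps-chain-check.sh dc01.ad.example.com [636]
# (hostname is an assumption; run it once per DC listed in the identity source)
if [ -n "${1:-}" ]; then
  host="$1"; port="${2:-636}"
  bundle="${host}-chain.pem"
  fetch_ldaps_chain "$host" "$port" > "$bundle"
  count=$(split_pem_bundle "${host}-certs" < "$bundle")
  echo "$host:$port presented $count certificate(s); full chain saved to $bundle"
  describe_certs "${host}-certs"
fi
```

Run it against each DC named in the ldaps:// URI of the identity source. The saved `*-chain.pem` is what to supply when the note calls for the full chain, and `cert-1.pem` is the machine certificate to import for the second DC. If `fetch_ldaps_chain` returns nothing at all, the DC is not completing a TLS handshake on 636 and the problem is not the stored certificate in vCenter.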