Error: '"Unauthorized" response from provider endpoint during login with LDAP user

Article ID: 406470

Products

VMware Cloud Director

Issue/Introduction

  • LDAP authentication requests sent to the Cloud Director (VCD) REST endpoint /cloudapi/1.0.0/sessions/provider sometimes fail with an HTTP 401 "Unauthorized" response.
  • The failure is intermittent and inconsistent: a login can fail seconds after it succeeded with the same credentials.
  • Users see an authentication failure in VCD even though their LDAP credentials are valid.
  • In the log file /opt/vmware/vcloud-director/logs/vcloud-container-debug.log the following errors are written when the HTTP 401 response is returned:

ERROR    | pool-jetty-###          | LdapProviderImpl               | Error logging into LDAP. | requestId=########,request=POST https://<VCD_FQDN>/cloudapi/1.0.0/sessions,requestTime=####,remoteAddress=#.#.#.#:#,userAgent=<USER_STRING> ...,accept=application/json;version 39.0
javax.naming.CommunicationException: simple bind failed: <LDAP_FQDN>:636 [Root exception is java.net.SocketException: Connection reset]
        at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
[....]
Caused by: java.net.SocketException: Connection reset

INFO     | pool-jetty-###           | EmailManager                   | No addresses to send email : LDAP connection error. | requestId=<REQUEST_ID>,request=POST https://<VCD_FQDN>/cloudapi/1.0.0/sessions/provider,requestTime=#####,remoteAddress=##.##.##.##,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=application/json;version 39.1

DEBUG    | pool-jetty-###          | SecurityServiceImpl            | Cannot authenticate user | requestId=########,request=POST https://<VCD_FQDN>/cloudapi/1.0.0/sessions,requestTime=####,remoteAddress=#.#.#.#:##,userAgent=<USER_STRING> ...,accept=application/json;version 39.0

com.vmware.ssdc.backendbase.ldap.UninitializedLdapContextException: LDAP context not initialized.  Error connecting to LDAP.
        at com.vmware.ssdc.backendbase.ldap.LdapProviderImpl.search(LdapProviderImpl.java:1044)

  • This only occurs for LDAP login and not for local VCD users such as administrator@system 

Environment

VMware Cloud Director 10.6.x

Cause

This issue occurs when the VCD cell cannot complete a TCP/TLS connection to the configured LDAP endpoint (an Active Directory domain controller or equivalent). The "Connection reset" in the log shows the LDAP side or a device in the path closing the socket during the bind, not a credential problem. Intermittent behaviour is typical when the configured 'server' is a load balancer and only one or some of the LDAP servers behind it are unreachable or misconfigured: requests that land on a healthy node succeed, requests that land on a bad node fail.

Resolution

To resolve this issue, investigate the configured LDAP server(s) to isolate where the connection is dropped. Engage your LDAP team to confirm that the LDAP service is active and correctly configured on every LDAP server in use, including the TLS certificate when port 636 (LDAPS) is configured. Also verify with your network team that no firewall rules, load balancer configurations, or ACLs block traffic from any of the VCD cells to any of the LDAP server(s); because every cell can serve a login request, a rule that affects only one cell or one backend node produces exactly this intermittent pattern.

The following steps can be performed to assist diagnosis:

Review the current configuration

  1. Log in to the Provider portal as a System Administrator. Note: If LDAP users are failing to log in, use the local administrator@system account.
  2. In the left navigation menu, click Administration.
  3. Navigate to Identity Providers > LDAP.
  4. Under the "Custom LDAP" tab, note the values set in the 'server' and 'port' fields.
  5. Click the 'Test' button and enter the password of the configured LDAP bind account to confirm whether the connection succeeds. Because the test runs from whichever cell serves the portal session, a successful test does not prove that every cell and every backend LDAP node is reachable.

For additional information see Edit, Test, and Synchronize an LDAP Connection Using Your VMware Cloud Director Service Provider Admin Portal

Testing the connection with CURL

  1. Open an SSH connection to every Cloud Director cell and log in as the root user.
  2. Run the following curl command on each cell to test the TCP connection from that cell to the LDAP server(s), using the 'server' and 'port' values identified when reviewing the configuration:

    curl -v telnet://<server>:<port>

    Note: If the configured server is an LDAP server group (a load-balanced name resolving to multiple servers), the curl verbose output shows the IP address it tried in a "Trying <ip>:<port>" line; resolving the name on the cell lists all of the node addresses. In that case test the connection to each IP address returned: replace the 'server' value in the curl command with each IP address in turn and rerun it. This isolates whether only some servers within the LDAP server group are problematic, which is the usual reason the login failure is intermittent.
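The following script, added here as a worked example and not part of the KB article or the product, automates the per-cell check described above: it resolves the configured 'server' name to every IPv4 address behind it, runs the curl telnet probe against each address, and, when the port is 636, additionally completes a TLS handshake with the original FQDN as SNI, since a "simple bind failed ... Connection reset" on LDAPS is often the server closing the socket during the handshake rather than a blocked port. The hostname and port are placeholders; it assumes `curl`, `openssl` and `getent` are present on the cell. The two transcripts embedded at the bottom are constructed, not captured output.

```bash
#!/usr/bin/env bash
# Added diagnostic example (not from the KB article). Run on every VCD cell:
#   ./ldap-reach.sh <server> <port>     values from Identity Providers > LDAP
set -u

TIMEOUT=5   # seconds per probe; keep short so a hung node is reported, not waited on

# Resolve every IPv4 address behind the name; a load-balanced LDAP group may return several.
resolve_ips() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Map a `curl -v telnet://host:port` transcript to one word the operator can grep for.
classify_curl_output() {
  case "$1" in
    *"Connected to "*)                                echo connected ;;
    *"Connection refused"*)                           echo refused ;;
    *"Connection timed out"*|*"Operation timed out"*) echo timeout ;;
    *"Connection reset"*)                             echo reset ;;
    *)                                                echo unknown ;;
  esac
}

# Pull the IPv4 address curl actually dialled out of a line such as "*   Trying 10.0.0.5:636...".
tried_address() {
  printf '%s\n' "$1" | sed -n 's/^\*[[:space:]]*Trying \([0-9.]\{1,\}\):[0-9]*.*/\1/p' | head -n 1
}

# Probe one address: TCP connect via curl; on 636 also complete a TLS handshake using the
# configured FQDN as SNI. Only handshake completion is checked here, not certificate validity.
probe() {
  host="$1"; ip="$2"; port="$3"
  out=$(curl -sv --max-time "$TIMEOUT" "telnet://$ip:$port" </dev/null 2>&1)
  tcp=$(classify_curl_output "$out")
  tls=n/a
  if [ "$port" = 636 ] && [ "$tcp" = connected ]; then
    if openssl s_client -connect "$ip:$port" -servername "$host" </dev/null >/dev/null 2>&1; then
      tls=ok
    else
      tls=failed
    fi
  fi
  printf '%s %-40s %-16s tcp=%-10s tls=%s\n' "$(date -u +%FT%TZ)" "$host" "$ip" "$tcp" "$tls"
}

main() {
  host="$1"; port="${2:-636}"
  ips=$(resolve_ips "$host")
  if [ -z "$ips" ]; then
    echo "cannot resolve $host from $(hostname)" >&2
    return 2
  fi
  for ip in $ips; do probe "$host" "$ip" "$port"; done
}

# Constructed transcripts (not real captures) illustrating what the classifier sees.
SAMPLE_OK='*   Trying 10.0.0.5:636...
* Connected to 10.0.0.5 (10.0.0.5) port 636 (#0)'
SAMPLE_RESET='*   Trying 10.0.0.6:636...
* Recv failure: Connection reset by peer'

# Only probe when a server name is given, so the functions can be sourced and reused.
if [ $# -ge 1 ]; then main "$@"; fi
```

Run it on each cell and compare the rows: a node that shows `tcp=reset` or `tls=failed` from one cell but `tcp=connected tls=ok` from another points at a path or ACL problem specific to that cell, while a node that fails from every cell points at the LDAP server or load balancer member itself. The UTC timestamp on each row lets you line the probes up with the `requestTime` of the failing logins in vcloud-container-debug.log.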

As a workaround while the LDAP connectivity problem is being fixed, log in with the default local account administrator@system, or alternatively create a new local user in the Provider UI with the required role. This restores access for administrators but does not resolve the login failure for LDAP users, which persists until the connection to the LDAP server(s) is repaired.