AD user login to NSX manager fails with the LDAP error: The server requires binds to turn on integrity checking


Article ID: 413181


Updated On:

Products

VMware NSX

Issue/Introduction

Test Connection fails with one of these errors:

[LDAP: error code 8 - 00002028: LdapErr: DSID-0C090346, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563^@]

An error occurred while searching LDAP Identity Source example.local

Environment

VMware NSX 

Cause

This issue occurs because the Active Directory domain is configured with a Group Policy that enforces LDAP signing and binding integrity. Specifically, the policy Domain controller: LDAP server signing requirements is likely set to Require signing.
When this policy is active, the Active Directory server rejects any LDAP authentication attempts (binds) that use the cleartext protocol (port 389) without encryption. NSX must use LDAPS (LDAP over SSL) or StartTLS to satisfy the integrity check requirement.
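The following pre-flight script is an added example, not VMware code from this article. Its two offline helpers parse the identity source URL and the Active Directory diagnostic string quoted above, so an administrator can tell from the error text alone that the domain controller is enforcing signing (LDAP result code 8, Windows extended error 0x2028) and which LDAPS URL to configure instead. The optional live probe performs the same simple bind NSX performs, over cleartext or over LDAPS with Root CA validation; it needs the third-party ldap3 library. All hostnames, ports, accounts and file paths below are placeholders, not values from the article.

```python
"""Pre-flight checks for an NSX LDAP identity source (added example, not VMware code)."""
import re
from urllib.parse import urlsplit

# LDAP result code 8 is strongerAuthRequired. Windows extended error 0x2028 is
# ERROR_DS_STRONG_AUTH_REQUIRED: AD returns it when "LDAP server signing
# requirements" is set to Require signing and a simple bind arrives over
# cleartext port 389 without StartTLS.
LDAP_RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials"}
AD_STRONG_AUTH_REQUIRED = 0x2028

# Error string from the article (the trailing "^@" on the page is a NUL byte).
KB_ERROR = ("[LDAP: error code 8 - 00002028: LdapErr: DSID-0C090346, comment: The server "
            "requires binds to turn on integrity checking if SSL\\TLS are not already active "
            "on the connection, data 0, v4563]")

# Shape of an AD diagnostic message: result code, Windows error, DSID, comment, data.
_DIAG_RE = re.compile(
    r"error code (?P<rc>\d+) - (?P<win>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)"
)

# Well-known cleartext -> TLS port pairs (LDAP/LDAPS and Global Catalog).
_TLS_PORT_FOR = {389: 636, 3268: 3269}


def classify_bind_error(message: str) -> dict:
    """Parse an AD LDAP diagnostic string and flag the signing-required case."""
    m = _DIAG_RE.search(message)
    if not m:
        return {"result_code": None, "signing_required": False}
    rc = int(m.group("rc"))
    win = int(m.group("win"), 16)
    return {
        "result_code": rc,
        "result_name": LDAP_RESULT_NAMES.get(rc, "other"),
        "windows_error": win,
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "signing_required": rc == 8 and win == AD_STRONG_AUTH_REQUIRED,
    }


def check_identity_source_url(url: str) -> dict:
    """Report whether an identity-source URL can satisfy an AD signing requirement."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    secure = scheme == "ldaps"
    port = parts.port or (636 if secure else 389)
    recommended = url if secure else f"ldaps://{parts.hostname}:{_TLS_PORT_FOR.get(port, port)}"
    return {
        "scheme": scheme, "host": parts.hostname, "port": port, "secure": secure,
        "verdict": ("LDAPS: the bind is encrypted, so the integrity requirement is met" if secure
                    else "cleartext LDAP: a simple bind is rejected with result code 8 "
                         "when the DC policy is set to Require signing"),
        "recommended_url": recommended,
    }


def probe_bind(host, user, password, ca_certs_file=None, use_ldaps=False, port=None):
    """Live check (requires `pip install ldap3`): perform the bind NSX would perform.

    With use_ldaps=True, ca_certs_file is the same Root CA certificate the article
    has you upload in NSX; ldap3 expects it in PEM form and validates the DC cert.
    """
    import ssl
    from ldap3 import Connection, Server, Tls  # third-party, imported lazily

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file) if use_ldaps else None
    server = Server(host, port=port or (636 if use_ldaps else 389), use_ssl=use_ldaps, tls=tls)
    conn = Connection(server, user=user, password=password)
    bound = conn.bind()  # False on strongerAuthRequired; details land in conn.result
    diag = classify_bind_error(conn.result.get("message") or "")
    return {"bound": bound, "description": conn.result.get("description"),
            "signing_required": diag["signing_required"] or conn.result.get("result") == 8}


if __name__ == "__main__":
    print(classify_bind_error(KB_ERROR))
    for url in ("ldap://dc01.example.local", "ldaps://dc01.example.local"):  # placeholder hosts
        print(check_identity_source_url(url))
```

A `.cer` exported from Windows is often DER-encoded; convert it to PEM before passing it as `ca_certs_file`, because the probe deliberately uses `CERT_REQUIRED` so that an LDAPS connection that would be accepted by NSX only after the correct Root CA is uploaded also fails here until the right CA is supplied.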

Resolution

To resolve this issue:

Adding new LDAP connection

  • Log in to the NSX Manager. Browse to System > User Management > Authentication Provider > LDAP.
  • Under Add Identity Sources, select your identity source and then choose Edit.
  • Under Primary server URL, change the URL from ldap://... to ldaps://...
  • For Certificates (for LDAPS), click Browse.
  • Select the correct .cer Root CA certificate of your AD/OpenLDAP identity source.
  • Click Save.


Editing LDAP connection

  • Click Add LDAP Server, then click the three-dot menu and choose Edit.
  • Change LDAP Protocol to LDAPS; the port changes automatically from 389 (cleartext LDAP) to the LDAPS port, 636.
  • You can upload your own CA certificate, or click Add and NSX displays the server's certificate for you to accept.
  • Apply the changes and save the identity source.
  • You can verify the connection by selecting Connection Status and clicking Check Status.

Additional Information

For more information on using an LDAPS identity source with NSX Single Sign-On, see the NSX 4.2 Documentation for LDAP Identity Source.