"Unable to login because you do not have permission on any vCenter Server systems connected to this client" error when logging in using a DS389/FreeIPA user.
search cancel

"Unable to login because you do not have permission on any vCenter Server systems connected to this client" error when logging in using a DS389/FreeIPA user.

book

Article ID: 419621

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Authentication fails for DS389/FreeIPA domain users trying to access the vCenter server, citing a 'no permission' error.

  • Reviewing /var/log/vmware/vpxd/vpxd.log on the vCenter server, the below error is seen:
    YYYY-MM-DTDD:MM:SS error vpxd[07868] [Originator@6876 sub=Default opID=####-###-##-h5:#######-##] [VpxLRO] -- ERROR lro-4208 -- ######-###-###-##-###### -- SessionManager -- vim.SessionManager.loginByToken: :vim.fault.NoPermission
    --> Result:
    --> (vim.fault.NoPermission) {
    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>,
    -->    object = 'vim.Folder:######-###-###-##-######:group-d1',
    -->    privilegeId = "System.View",
    -->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
    -->       (vim.fault.NoPermission.EntityPrivileges) {
    -->          entity = 'vim.Folder:######-###-###-##-######:group-d1',
    -->          privilegeIds = (string) [
    -->             "System.View"
    -->          ]
    -->       }
    -->    ]
    -->    msg = ""
    --> }
    --> Args:
    -->
    --> Arg locale:
    --> "en"

  • The issue does not occur if the user is granted permissions directly on the vCenter server.

  • However, users cannot login to the vCenter server if access is granted via a defined domain group.

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

The login failure stems from the vCenter BINDUSER being unable to retrieve the group's "uniqueMember" attribute from DS389/FreeIPA when a group is assigned permissions within vCenter.

Resolution

vCenter Single Sign-On supports the use of OpenLDAP as an identity source only if it satisfies the required schemas.
OpenLDAP schemas supported in VMware vCenter Single Sign-On

As the BINDUSER fails to retreive the "uniqueMember" attribute from the groups, the below workarounds can be followed:

Workaround 1:
Add the vCenter BINDUSER user to the admins group in DS389/FreeIPA. 
This will allow the BINUSER to read all the group parameters and return the group membership.

Workaround 2:
Define Access Control Instructions (ACI's), so that a non-admin BINUSER can read the "uniqueMember" attribute from groups.
https://www.freeipa.org/page/V2/Permissions

Powered by Wolken Software