LDAP/LDAPS login failure in VMware Cloud Director after Active Directory certificate update

Article ID: 422116

Products

VMware Cloud Director

Issue/Introduction

After the LDAP/LDAPS certificate on the Active Directory servers is updated, VMware Cloud Director is unable to authenticate users using LDAP credentials. All LDAP-based authentication attempts fail, while local and system administrator logins continue to function normally.

Administrators observe the following symptoms:

  • LDAP user synchronization from VCD fails.
  • LDAP authentication attempts result in errors.
  • The following error appears during LDAP sync or bind operations:

    javax.naming.CommunicationException: simple bind failed: ldap.next.loc:636 javax.net.ssl.SSLHandshakeException: PKIX path building failed SunCertPathBuilderException: unable to find valid certification path

Environment

VMware Cloud Director 10.6.1

Cause

This issue occurs when the LDAP/LDAPS certificate on the Active Directory server is updated but the new root and/or intermediate CA certificates are not imported into the VMware Cloud Director trusted store.

VMware Cloud Director requires the full certificate chain to be trusted for LDAPS communication. If the updated certificate chain is missing from VCD's trust store, the TLS handshake fails certificate path validation, which causes the LDAP bind and synchronization failures above.

Resolution

To resolve the issue, import the updated LDAP certificate chain (Root and Intermediate CA certificates) into VMware Cloud Director and validate LDAP connectivity.

1. Export Certificates from AD

  • Export the Root CA and Intermediate CA certificates used to sign the LDAP server's certificate.

  • Ensure the certificates are saved in PEM (.pem) format.

2. Import Certificates into VCD

Log in to the VCD provider portal as a System Administrator, then:

  1. Navigate to:
    Administration → Certificates → Trusted Certificates

  2. Click Import

  3. Upload the Root and Intermediate CA PEM files

  4. After upload, ensure they are trusted in the interface

3. Validate LDAP Connectivity

Navigate to:

Administration → Settings → LDAP

  • Click Test LDAP Connection

  • Ensure the test completes successfully

4. Synchronize LDAP Users

  • Re-run LDAP synchronization

  • Verify that the process completes without errors

Additional Information

For detailed steps, refer to VMware Cloud Director documentation: