Multiple LDAP directories configured for SSO, one is unusable and objects returned from vsphere.local domain

Article ID: 427684

Products

VCF Operations

Issue/Introduction

Environment

vCenter 9.x

Cause

An external domain's UPN suffix has been added to the vmwSTSUpnSuffixes attribute of the System Domain vsphere.local identity store. Because the UPN suffix now matches the System Domain, lookups for that suffix are answered from vsphere.local instead of the external LDAP directory, so that directory becomes unusable.

Resolution

  • Validate that an external domain UPN suffix is present on the System Domain vsphere.local identity store.

root@vcenter [ ~ ]# /opt/likewise/bin/./ldapsearch -u -h localhost -W -x -D "cn=Administrator,cn=Users,dc=vsphere,dc=local"  -b "cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local" -s sub "(&(objectclass=vmwSTSIdentityStore))" dn cn vmwSTSUpnSuffixes vmwSTSConnectionStrings
Enter LDAP Password:

Expected output:

# extended LDIF
# LDAPv3
# base <cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local> with scope subtree
# filter: (&(objectclass=vmwSTSIdentityStore))
# requesting: dn cn vmwSTSUpnSuffixes vmwSTSConnectionStrings
# vsphere.local, IdentityProviders, vsphere.local, Tenants, IdentityManager, Services, vsphere.local
dn: cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
ufn: vsphere.local, IdentityProviders, vsphere.local, Tenants, IdentityManager, Services, vsphere.local
vmwSTSConnectionStrings: ldap://VCENTER_FQDN:389
cn: vsphere.local
vmwSTSUpnSuffixes: EXTERNAL_DOMAIN_UPN_SUFFIX
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

  • Run the script upn-suffix-removal.sh to remove the external UPN suffix from the vsphere.local System Domain.

  • Validate that the EXTERNAL_DOMAIN_UPN_SUFFIX has been removed.

root@vcenter [ ~ ]# /opt/likewise/bin/./ldapsearch -u -h localhost -W -x -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -b "cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local" -s sub "(&(objectclass=vmwSTSIdentityStore))" dn cn vmwSTSUpnSuffixes vmwSTSConnectionStrings
Enter LDAP Password:

Expected output:

Note: the output should no longer contain the line vmwSTSUpnSuffixes: EXTERNAL_DOMAIN_UPN_SUFFIX.

# extended LDIF
# LDAPv3
# base <cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local> with scope subtree
# filter: (&(objectclass=vmwSTSIdentityStore))
# requesting: dn cn vmwSTSUpnSuffixes vmwSTSConnectionStrings
# vsphere.local, IdentityProviders, vsphere.local, Tenants, IdentityManager, Services, vsphere.local
dn: cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
ufn: vsphere.local, IdentityProviders, vsphere.local, Tenants, IdentityManager, Services, vsphere.local
vmwSTSConnectionStrings: ldap://VCENTER_FQDN:389
cn: vsphere.local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Additional Information

Unable to add IDP users to local SSO group, "No principal with specified name exists".

Configure Active Directory as an Identity Provider Using AD/LDAP.