Configuring External LDAP in VCF 9.0 fails with "Failed to connect to host" error.
Article ID: 438796

Products

VCF Operations

Issue/Introduction

  • When attempting to configure an Identity Provider in the VCF Operations UI, the process fails at the "Review" stage.

    Saving configuration settings failed with the following error: Failed to connect to host <domain_controller:port>

  • Manual network verification (e.g., curl or openssl to port 389/636) from the Identity Broker nodes may appear to succeed, yet the UI configuration fails.

Environment

VMware Cloud Foundation 9.x

Identity Broker

Cause

During the LDAPS handshake and bind, the VIDB nodes perform a mandatory bi-directional DNS check (forward and reverse lookup) of the Domain Controller. If the Domain Controller's IP address has no corresponding PTR record on the DNS server, the VIDB node cannot complete the reverse lookup.

Resolution

To resolve this issue, ensure that both forward and reverse DNS records are correctly configured for all Domain Controllers being used in the LDAP configuration.

  1. Verify Forward DNS Resolution: From an Identity Broker node, run: nslookup <DC_FQDN>

    • The command should return the correct IP address of the Domain Controller.

  2. Verify Reverse DNS (PTR) Resolution: From an Identity Broker node, run: nslookup <DC_IP_ADDRESS>

    • The command must return the FQDN of the Domain Controller. If this command fails or returns "NXDOMAIN," the PTR record is missing or incorrect.

  3. Update Environment DNS:

    • Log into your organization's DNS management console and navigate to the Reverse Lookup Zones.

    • Ensure a Pointer Record (PTR) exists for each Domain Controller's IP address, mapping back to the FQDN used in the VCF Identity Provider configuration.

  4. Retry Configuration:

    • Return to the VCF Operations UI.

    • Re-enter the Identity Provider details and click Save. The configuration should now succeed as the VIDB node can successfully validate the host identity.
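The forward and reverse checks from steps 1 and 2 (and the bi-directional lookup described under Cause), scripted so they can be run for every Domain Controller at once. This is an added example, not part of the KB article; it assumes a bash or POSIX shell on the Identity Broker node with `nslookup` available (the tool the KB uses), and the FQDN/IP pairs are passed on the command line. The sample values in the usage comment are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the KB): verify that each Domain Controller's
# forward (A) and reverse (PTR) records agree before saving the Identity
# Provider configuration. Usage (constructed sample values):
#   ./check_dc_dns.sh dc01.example.com=10.0.0.10 dc02.example.com=10.0.0.11

# Build the in-addr.arpa name for an IPv4 address (the name a PTR query uses).
ptr_name() {
  printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Read nslookup output for a forward lookup on stdin and print only the
# answer addresses. The first "Address:" line is the resolver itself
# (e.g. "10.0.0.53#53"), so it is skipped.
parse_forward() {
  awk '/^Address:/ { n++; if (n > 1) { sub(/#.*/, "", $2); print $2 } }'
}

# Read nslookup output for a reverse lookup on stdin and print the hostname
# from the "name = host." answer, lower-cased and without the trailing dot.
# NXDOMAIN output contains no "name = " line, so nothing is printed.
parse_reverse() {
  awk '/name = / { h = $NF; sub(/\.$/, "", h); print tolower(h) }'
}

# Compare one DC (FQDN, IP) against the resolver. Returns 0 when both
# directions agree, 1 with a reason otherwise.
check_dc_dns() {
  local fqdn="$1" ip="$2" fwd rev
  fwd=$(nslookup "$fqdn" 2>/dev/null | parse_forward)
  if ! printf '%s\n' "$fwd" | grep -qixF "$ip"; then
    echo "FAIL $fqdn: forward lookup did not return $ip (got: ${fwd:-nothing})"
    return 1
  fi
  rev=$(nslookup "$ip" 2>/dev/null | parse_reverse)
  if ! printf '%s\n' "$rev" | grep -qixF "$fqdn"; then
    echo "FAIL $fqdn: PTR for $(ptr_name "$ip") did not return $fqdn (got: ${rev:-NXDOMAIN/none})"
    return 1
  fi
  echo "OK   $fqdn <-> $ip"
}

# Entry point: each argument is FQDN=IP. Exit status is non-zero if any DC fails,
# so the script can gate the "Retry Configuration" step.
main() {
  local rc=0 arg
  for arg in "$@"; do
    check_dc_dns "${arg%%=*}" "${arg#*=}" || rc=1
  done
  return "$rc"
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

A FAIL on the second check with `NXDOMAIN/none` is exactly the missing PTR condition from step 2; add the pointer record in the reverse lookup zone and re-run until every DC reports OK before returning to the VCF Operations UI.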