OpenLDAP login failure with Status 400 Bad Request after upgrade to VCF 9.1
Article ID: 438930

Updated On:

Products

VMware vCenter Server

Issue/Introduction

After upgrading from VCF 5.2 to VCF 9.1, users are unable to log in to vCenter Server using LDAP credentials. The following symptoms are observed:

  • The vCenter UI returns an HTTP 400 Bad Request error during login.
  • Logins using the local account ([email protected]) continue to work correctly.
  • /var/log/vmware/sso/websso.log contains error entries similar to:

    ERROR vmidentity-websso 64 [vc@4413 threadName="tomcat-http--15" logger="com.vmware.identity.idm.server.IdentityManager" corId="<ID>"] Failed to get attributes for principal [user_name] in tenant [vsphere.local]

    ERROR vmidentity-websso 64 [vc@4413 threadName="tomcat-http--15" logger="com.vmware.identity.idm.server.ServerUtils" corId="<ID>"] Exception 'java.lang.IllegalArgumentException: No attribute mapping found for 
    [http://vmware.com/schemas/attr-names/2025/05/isServiceAccount]'
    java.lang.IllegalArgumentException: No attribute mapping found for [http://vmware.com/schemas/attr-names/2025/05/isServiceAccount]
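To triage how many LDAP logins are failing for this reason (as opposed to unrelated bind or connectivity errors), the two websso.log entries quoted above can be correlated by their shared corId. The following script is an added example, not part of this article or of any VMware tooling: it walks a websso.log extract, pairs each "Failed to get attributes for principal" entry with the exception logged under the same corId, and reports every missing attribute URI together with the principals it blocked. The embedded log lines are constructed to match the format quoted above; the corId values, principal names and LDAP host in them are invented.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the websso.log entries quoted in the
# article. corIds, user names and the LDAP host are invented; the third
# login (bwayne) fails for an unrelated reason and must not be reported.
SAMPLE_LOG = """\
INFO vmidentity-websso 64 [vc@4413 threadName="tomcat-http--15" logger="com.vmware.identity.idm.server.IdentityManager" corId="aaa111"] Authenticating principal [jdoe] in tenant [vsphere.local]
ERROR vmidentity-websso 64 [vc@4413 threadName="tomcat-http--15" logger="com.vmware.identity.idm.server.IdentityManager" corId="aaa111"] Failed to get attributes for principal [jdoe] in tenant [vsphere.local]
ERROR vmidentity-websso 64 [vc@4413 threadName="tomcat-http--15" logger="com.vmware.identity.idm.server.ServerUtils" corId="aaa111"] Exception 'java.lang.IllegalArgumentException: No attribute mapping found for [http://vmware.com/schemas/attr-names/2025/05/isServiceAccount]'
ERROR vmidentity-websso 64 [vc@4413 threadName="tomcat-http--16" logger="com.vmware.identity.idm.server.IdentityManager" corId="bbb222"] Failed to get attributes for principal [asmith] in tenant [vsphere.local]
ERROR vmidentity-websso 64 [vc@4413 threadName="tomcat-http--16" logger="com.vmware.identity.idm.server.ServerUtils" corId="bbb222"] Exception 'java.lang.IllegalArgumentException: No attribute mapping found for [http://vmware.com/schemas/attr-names/2025/05/isServiceAccount]'
ERROR vmidentity-websso 64 [vc@4413 threadName="tomcat-http--17" logger="com.vmware.identity.idm.server.IdentityManager" corId="ccc333"] Failed to get attributes for principal [bwayne] in tenant [vsphere.local]
ERROR vmidentity-websso 64 [vc@4413 threadName="tomcat-http--17" logger="com.vmware.identity.idm.server.ServerUtils" corId="ccc333"] Exception 'javax.naming.CommunicationException: simple bind failed: ldap.example.test:636'
"""

COR_ID_RE = re.compile(r'corId="([^"]*)"')
PRINCIPAL_RE = re.compile(
    r"Failed to get attributes for principal \[([^\]]+)\] in tenant \[([^\]]+)\]"
)
MISSING_MAPPING_RE = re.compile(r"No attribute mapping found for \[([^\]]+)\]")


def correlate_missing_mappings(log_text):
    """Return {attribute URI: [(principal, tenant), ...]} for every login
    that failed with 'No attribute mapping found', joined on corId.

    Two passes are used so the result does not depend on the relative
    order of the two log entries within a request.
    """
    principals = {}  # corId -> (principal, tenant)
    for line in log_text.splitlines():
        cor = COR_ID_RE.search(line)
        hit = PRINCIPAL_RE.search(line)
        if cor and hit:
            principals[cor.group(1)] = (hit.group(1), hit.group(2))

    missing = defaultdict(set)  # attribute URI -> {(principal, tenant)}
    for line in log_text.splitlines():
        cor = COR_ID_RE.search(line)
        hit = MISSING_MAPPING_RE.search(line)
        if cor and hit and cor.group(1) in principals:
            missing[hit.group(1)].add(principals[cor.group(1)])

    return {uri: sorted(pairs) for uri, pairs in missing.items()}


def affected_principal_count(result):
    """Number of distinct (principal, tenant) pairs blocked by any
    missing attribute mapping."""
    return len({pair for pairs in result.values() for pair in pairs})


if __name__ == "__main__":
    report = correlate_missing_mappings(SAMPLE_LOG)
    for uri, pairs in report.items():
        print(f"missing mapping: {uri}")
        for principal, tenant in pairs:
            print(f"  blocked login: {principal}@{tenant}")
    print(f"{affected_principal_count(report)} principal(s) affected")
```

Run against a real extract (for example the output of `grep corId /var/log/vmware/sso/websso.log`) by reading the file into `correlate_missing_mappings` instead of `SAMPLE_LOG`. A report that lists only the isServiceAccount URI confirms the cause described below; additional URIs or an empty report point at a different problem.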

Environment

vCenter Server 9.1.0

Cause

This issue is caused by a missing attribute mapping in the Identity Provider configuration. VCF 9.1 introduces a requirement for the serviceAccount attribute. While this change was primarily intended for VMDIR providers, it currently impacts OpenLDAP providers as well. During the upgrade from 5.2, this specific attribute mapping is not automatically added to existing OpenLDAP identity sources.

Resolution

This issue is scheduled to be resolved in a future maintenance release.

  1. Re-add the OpenLDAP identity source. Re-creating it automatically populates the required attribute mappings, including serviceAccount.
  2. Alternatively, manually add the missing serviceAccount attribute mapping to the LDAP Identity Provider configuration. Please reach out to Broadcom support for further assistance.