After opsmanager upgrade to 3.3.0, internal Ldap is not working

Article ID: 440895

Products

VMware Tanzu Platform Core Operations Manager

Issue/Introduction

  • Opsman is configured to use LDAP for authentication.
  • After upgrading from an older version (e.g. 3.1.3) to 3.3.0, LDAP users can no longer authenticate to the Opsman web client; the error returned is "Provided credentials are invalid. Please try again".
  • The Opsman UAA log (/var/vcap/sys/log/uaa/uaa.log or /home/tempest-web/uaa/tomcat/logs/uaa.log) shows errors like:

    [2026-05-05T16:20:04.884866Z] uaa - 9273 [http-nio-127.0.0.1-8080-exec-3] - [############1acd,############1acd] .... DEBUG --- ProviderManager: Authentication service failed internally for user 'ad.user.name'

    org.springframework.security.authentication.InternalAuthenticationServiceException: LDAP.FQDN.COM:636

    Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • The certificate configured in the Opsman GUI under Settings > LDAP Settings > Server SSL Cert is a chain containing more than one CA certificate.
    • The CA certificate that issued the LDAP server certificate is not the first certificate in that chain.

Environment

Opsman version 3.3

Cause

Opsman 3.3 changed how UAA ingests the certificate configured for the LDAP server. The new handling does not split a PEM chain into its individual certificates, so only the first certificate in the chain is loaded into the trust store and every certificate after it is ignored. When the CA that issued the LDAP server certificate is not in the first position, UAA has no trust anchor from which to build a PKIX path to the server certificate, and the TLS handshake to the LDAP server fails with the certificate_unknown / "unable to find valid certification path to requested target" error shown above.

Resolution

This is under investigation and will be fixed in a later Opsman 3.3.x release.


Workaround:

From the Opsman web client, edit the certificate under Settings > LDAP Settings > Server SSL Cert and move the CA certificate that issued your LDAP server certificate to the first position in the chain (the top of the list). To identify that certificate, compare the Issuer of the LDAP server certificate (for example from openssl s_client or openssl x509 -noout -issuer) with the Subject of each certificate in the chain; the one whose Subject matches is the one that must come first. Because 3.3.0 only loads the first certificate, any certificates that follow it are still ignored until the fix ships, so the issuing CA itself has to be the one at the top.

If you cannot log in to the Opsman GUI to make this change because every LDAP login fails, place Opsman into Rescue Mode by configuring a local admin user. Log in with that local admin user, fix the certificate order, and then remove the Rescue Mode configuration.
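The script below is an added example and is not part of this article or of Ops Manager itself. It reproduces the failure mode offline with throwaway certificates: two unrelated self-signed CAs (constructed here as "Demo Root CA A" and "Demo Root CA B") and an LDAP server certificate issued by CA B, bundled with CA A first. It then shows that trusting only the first certificate of the bundle, which is what the 3.3.0 ingestion effectively does, cannot build a path to the server certificate, and implements the workaround by moving the certificate whose Subject matches the server certificate's Issuer to the top. It assumes only a POSIX shell and an openssl binary (1.1.1 or 3.x) on PATH; all file names, subjects and the hostname ldap.example.test are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the KB article. Demonstrates why a multi-CA bundle
# fails when only its first certificate is trusted, and reorders it so the
# issuing CA comes first. Every certificate here is generated on the fly.
set -eu

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_conf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF
}

# make_demo_certs DIR: two unrelated root CAs plus an LDAP server cert issued by CA B.
# bundle.pem is deliberately written with CA A first, reproducing the failing setup.
make_demo_certs() {
    dir=$1
    write_conf "$dir/openssl.cnf"
    for ca in A B; do
        openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
            -newkey rsa:2048 -nodes -keyout "$dir/ca$ca.key" -out "$dir/ca$ca.crt" \
            -subj "/CN=Demo Root CA $ca" -days 30 2>/dev/null
    done
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" -subj "/CN=ldap.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/caB.crt" -CAkey "$dir/caB.key" \
        -CAcreateserial -extfile "$dir/openssl.cnf" -extensions leaf_ext \
        -out "$dir/ldap.crt" -days 30 2>/dev/null
    cat "$dir/caA.crt" "$dir/caB.crt" > "$dir/bundle.pem"
}

# first_cert_only BUNDLE OUT: keep only the first PEM block, i.e. what an
# ingestion that does not split the chain ends up trusting.
first_cert_only() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print}' "$1" > "$2"
}

# reorder_chain BUNDLE SERVER_CERT OUT: put the certificate whose Subject equals the
# server certificate's Issuer first, keeping the remaining certificates in their order.
reorder_chain() {
    bundle=$1; server=$2; out=$3
    work=$(mktemp -d)
    # split the bundle into one file per certificate, zero-padded so the glob sorts
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > sprintf("%s/cert-%03d.pem", d, n)}' "$bundle"
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$server" | sed 's/^issuer=//')
    match=""
    for f in "$work"/cert-*.pem; do
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed 's/^subject=//')
        if [ "$subject" = "$issuer" ]; then match=$f; break; fi
    done
    if [ -z "$match" ]; then
        echo "no certificate in $bundle has subject '$issuer'" >&2
        rm -rf "$work"; return 1
    fi
    {
        cat "$match"
        for f in "$work"/cert-*.pem; do
            if [ "$f" != "$match" ]; then cat "$f"; fi
        done
    } > "$out"
    rm -rf "$work"
}

# chain_verifies TRUST SERVER_CERT: succeeds only if a PKIX path from SERVER_CERT
# to a certificate in TRUST can be built.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    d=$(mktemp -d)
    make_demo_certs "$d"
    first_cert_only "$d/bundle.pem" "$d/first.pem"
    if chain_verifies "$d/first.pem" "$d/ldap.crt"; then
        echo "unexpected: the first certificate alone already verifies ldap.crt"
    else
        echo "first certificate alone (CA A) cannot verify ldap.crt"
    fi
    reorder_chain "$d/bundle.pem" "$d/ldap.crt" "$d/fixed.pem"
    echo "reordered bundle now starts with: $(openssl x509 -noout -subject -in "$d/fixed.pem")"
    if chain_verifies "$d/fixed.pem" "$d/ldap.crt"; then echo "reordered bundle verifies ldap.crt"; fi
    rm -rf "$d"
}
main
```

Run it against your own material by replacing the generated files: pass the PEM you pasted into Server SSL Cert as BUNDLE and the certificate your LDAP server presents (captured with openssl s_client -connect host:636 -showcerts) as SERVER_CERT, and paste the OUT file back into the Opsman settings. If your server certificate is issued by an intermediate CA rather than a root, the intermediate is the one that ends up first, since that is the only certificate 3.3.0 will trust.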