Unable to edit LDAP identity source settings configured in vCenter.

Suppose you have LDAP configured as an identity source in vCenter, as in the screenshot below.

[Screenshot: ldap.jpg, the LDAP identity source settings in vCenter]

However, when you edit any setting, such as changing the primary server URL, and save, it fails with the following error:

“The SSO server either failed to connect to or authenticate to the service at the specified URI”

You may see the following entries in vmware-sts-idmd.log:

vCenter Server Appliance: /var/log/vmware/sso/vmware-sts-idmd.log

vCenter Server on Windows: %ALLUSERSPROFILE%\VMware\vCenterServer\logs\sso\vmware-sts-idmd.log


[2019-04-17T17:55:05.936-04:00 vsphere.local 14ec989e-7089-4c8d-aabf-b7d1b449f03c INFO ] [IdentityManager] Authentication succeeded for user [admin@domain] in tenant [vsphere.local] in [10] milliseconds with provider [domain.local] of type [com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider]

[2019-04-17T17:51:48.330-04:00 vsphere.local 8d1b773b-9441-4c1c-a77d-6c76c9011e2b WARN ] [ServerUtils] cannot bind connection: [ldap://dc.domain.local:3268,CN=admin,OU=Applicataion Users,DC=domain,DC=local]
[2019-04-17T17:51:48.330-04:00 vsphere.local 8d1b773b-9441-4c1c-a77d-6c76c9011e2b ERROR] [ServerUtils] cannot establish connection with uri: [ldap://dc.domain.local:3268]
[2019-04-17T17:51:48.330-04:00 vsphere.local 8d1b773b-9441-4c1c-a77d-6c76c9011e2b WARN ] [IdentityManager] Failed to probe provider connectivity [URI: ldap://dc.domain.local:3268]; tenantName [vsphere.local], userName [CN=admin,OU=Applicataion Users,DC=domain,DC=local]
[2019-04-17T17:51:48.330-04:00 vsphere.local 8d1b773b-9441-4c1c-a77d-6c76c9011e2b ERROR] [IdentityManager] Failed to set Ldap provider for tenant [vsphere.local]
[2019-04-17T17:51:48.330-04:00 vsphere.local 8d1b773b-9441-4c1c-a77d-6c76c9011e2b ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldap://dc.domain.local:3268]; tenantName [vsphere.local], userName [CN=admin,OU=Applicataion Users,DC=domain,DC=local]'
com.vmware.identity.idm.IDMLoginException: Failed to probe provider connectivity [URI: ldap://dc.domain.local:3268]; tenantName [vsphere.local], userName [CN=admin,OU=Applicataion Users,DC=domain,DC=local]

As the log shows, authentication itself succeeds, but one of the configured server URLs (typically a domain controller) isn't reachable, so the connectivity probe that runs when the identity source is saved fails.

In this situation you can't modify the setting because that DC is unavailable. The workaround is either to remove the current LDAP identity source and add it again, or to create a hosts file entry that points the name of the failing DC (as reported in the log) to one of the working domain controllers.
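As an added example (not part of the original post), the following Python script pulls the two signals discussed above out of vmware-sts-idmd.log lines, successful logins and identity-source URIs the SSO probe could not reach, and then does a plain TCP check against each failed URI so you can confirm which DC is down before deciding between the two workarounds. The log lines embedded in it are constructed to match the format shown above, and the function names are this example's own.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample in the vmware-sts-idmd.log format shown above (not a real capture).
SAMPLE_LOG = """\
[2019-04-17T17:55:05.936-04:00 vsphere.local 14ec989e INFO ] [IdentityManager] Authentication succeeded for user [admin@domain] in tenant [vsphere.local] in [10] milliseconds with provider [domain.local] of type [com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider]
[2019-04-17T17:51:48.330-04:00 vsphere.local 8d1b773b ERROR] [ServerUtils] cannot establish connection with uri: [ldap://dc.domain.local:3268]
[2019-04-17T17:51:48.330-04:00 vsphere.local 8d1b773b WARN ] [IdentityManager] Failed to probe provider connectivity [URI: ldap://dc.domain.local:3268]; tenantName [vsphere.local], userName [CN=admin,OU=Application Users,DC=domain,DC=local]
[2019-04-17T17:51:48.330-04:00 vsphere.local 8d1b773b ERROR] [IdentityManager] Failed to set Ldap provider for tenant [vsphere.local]
"""

AUTH_OK = re.compile(r"Authentication succeeded for user \[([^\]]+)\].*with provider \[([^\]]+)\]")
PROBE_FAIL = re.compile(r"Failed to probe provider connectivity \[URI: ([^\]]+)\]")
CONN_FAIL = re.compile(r"cannot establish connection with uri: \[([^\]]+)\]")


def summarize_idm_log(text):
    """Return (user, provider) pairs that authenticated and the URIs the SSO probe failed to reach."""
    logins, unreachable = [], set()
    for line in text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            logins.append((m.group(1), m.group(2)))
        for pattern in (PROBE_FAIL, CONN_FAIL):
            m = pattern.search(line)
            if m:
                unreachable.add(m.group(1))
    return {"logins": logins, "unreachable_uris": sorted(unreachable)}


def ldap_endpoint(uri):
    """Split an ldap:// or ldaps:// URI into (host, port); default to 389 / 636 when no port is given."""
    parsed = urlparse(uri)
    default_port = 636 if parsed.scheme == "ldaps" else 389
    return parsed.hostname, parsed.port or default_port


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect check, run from the vCenter shell so it sees the same network path SSO does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    report = summarize_idm_log(SAMPLE_LOG)
    print("successful logins:", report["logins"])
    for uri in report["unreachable_uris"]:
        host, port = ldap_endpoint(uri)
        print(f"probe failed for {uri}; {host}:{port} reachable now:", tcp_reachable(host, port))
```

Run it against the real log file by replacing SAMPLE_LOG with the file's contents; a URI that is still unreachable is the one to repoint in the hosts file or to replace after re-adding the identity source.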
