Configure LDAPS authentication for vCenter Server.

The following steps configure Active Directory over LDAPS as an identity source for vCenter Server.

Step 1

Note down the domain controller (DC) that will serve LDAP. To list all domain controllers, run the following Windows command from any Windows machine joined to the AD domain.

nltest /dclist:DomainName

Step 2

Select one of the domain controllers that will be configured as the LDAP identity source. Log in to the vCenter appliance over SSH (using PuTTY or a terminal) to retrieve the LDAP certificate from the DC.

openssl s_client -connect DC1.ad.local:636 -showcerts

Replace DC1.ad.local with a domain controller in your environment. The topmost certificate in this chain is the certificate of the domain controller.


Copy the complete string from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE----- into a text file. Remove any additional characters after -----END CERTIFICATE-----. Save the file in Notepad with a .cer extension (e.g. ldap_dc.cer).


Step 3

Open the vCenter web client (HTML5 or Flash). Go to Home > Administration > Configuration (under Single Sign-On), click the + sign and select Active Directory as an LDAP Server.

Fill in the following options with the appropriate values.

vCenter 6.0

Name: domain name
Base DN for users: dc=domainname,dc=local
(This option restricts the search for users to a specific organizational unit or container in AD.)
Domain name: domainname.local
Domain alias: domainname
Base DN for groups: dc=domainname,dc=local
(This option restricts the search for AD groups to a specific organizational unit or container in AD.)
Primary server URL: ldaps://DC1.ad.local:636
(You can specify the domain instead of a specific DC if all your domain controllers are configured to use SSL for LDAP.)
Secondary server URL: ldaps://DC2.ad.local:636
(This is optional.)


Screenshot: ldap_6.0.jpg

vCenter 6.5/6.7

Name: domain name
Base DN for users: dc=domainname,dc=local
Base DN for groups: dc=domainname,dc=local
Domain name: domainname.local
Domain alias: domainname
User name: adminuser@domain.local
Password: ****

When you select "Connect to any domain controller in the domain", vCenter connects to the DC that is acting as primary domain controller (PDC). The nltest output shows the current primary domain controller. This option may not work for versions prior to 6.7 U1 or 6.5 U2d due to a known issue (refer to the known issue). The workaround is to download the LDAP certificate of every DC (the DC list can be obtained with nltest as described in step 1) and then provide the certificates in the next step of the configuration.
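The certificate retrieval from step 2 and the all-DCs workaround above, scripted: an added example that is not from the original post. It keeps only the topmost PEM block of the `openssl s_client -showcerts` output for each domain controller you pass in and saves it as `<dc>.cer`; it assumes openssl is available on the vCenter appliance, uses the post's placeholder names DC1.ad.local/DC2.ad.local, and the embedded transcript is constructed, not real certificate data.

```shell
#!/bin/sh
# Added example, not from the original post: save each domain controller's LDAPS
# certificate as <dc>.cer for upload in the vCenter identity-source wizard.
# Assumes openssl is present (it is on the vCenter appliance) and TCP 636 is reachable.

# Keep only the first PEM block of an `openssl s_client -showcerts` transcript: the
# top-most certificate (the DC's own) with no stray characters after the END line.
first_pem_block() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock                       { print }
        /-----END CERTIFICATE-----/   { if (inblock) exit }
    '
}

# Fetch the chain from one DC and write its leaf certificate to a .cer file.
fetch_dc_cert() {
    dc="$1"
    out="${2:-$dc.cer}"
    # </dev/null closes stdin so s_client returns instead of waiting for input;
    # -servername sends SNI, as a real LDAPS client would.
    openssl s_client -connect "$dc:636" -servername "$dc" -showcerts </dev/null 2>/dev/null \
        | first_pem_block > "$out"
    [ -s "$out" ] || { echo "no certificate received from $dc" >&2; return 1; }
    # Check before uploading: the SAN must cover the name used in the ldaps:// URL
    # and the certificate must still be valid.
    openssl x509 -in "$out" -noout -subject -ext subjectAltName -enddate
}

# Constructed s_client-style transcript (not real certificates) for an offline run.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
 0 s:CN = DC1.ad.local
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBody
-----END CERTIFICATE-----
 1 s:CN = ad-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuerCertificateBody
-----END CERTIFICATE-----
---
Server certificate'

if [ "$#" -eq 0 ]; then
    # No DCs given: show the extraction on the constructed transcript.
    printf '%s\n' "$SAMPLE_TRANSCRIPT" | first_pem_block
else
    # Usage: sh get_dc_certs.sh DC1.ad.local DC2.ad.local (every DC from nltest /dclist).
    for dc in "$@"; do fetch_dc_cert "$dc"; done
fi
```

Run it with every DC name from the nltest list when you need the per-DC certificates for the "Connect to any domain controller" workaround.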

You also have the option to specify primary and secondary LDAP servers.

Primary server URL: ldaps://DC1.ad.local:636
Secondary server URL: ldaps://DC2.ad.local:636

Screenshot: ldap_6.7.jpg

In the next screen, upload the certificate saved in step 2.

Screenshot: ldap_6.7_2.jpg

If the configuration is correct, Active Directory as an LDAP Server is added without any issue.
