Monday, October 25, 2010

vCO - secure ldap configuration - UPDATE

Today I had a configuration problem with a larger vCO environment with several domains... After starting the LDAP configuration, error code 8 occurred and I had to switch to secure LDAP (SSL). After this change vCenter Orchestrator wants a new CA certificate for authentication. No problem if you have a CA and can export the certificate request (.csr). But in my case I thought they had a "normal" LDAP on port 389 and I created a simple self-signed CA certificate.

The problem is: after creating a self-signed certificate there is no way to create a new request with the company defaults! Deleting all cert* files and restarting the configuration server does not work at all.

So you have to install vCO again... :-( and cannot import a configuration because of the self-signed certificate.

After consulting the vCO installation guide I found out that the certificate is stored in the database: vmo_keystore. So after cleaning it up you are able to create a new certificate.

With this new certificate, based on the customer data, I exported the .csr (request) file and sent it to the central certificate instance.

Several days after my last attempt my colleague Andreas tried to implement the AD SSL/TLS certificates and identified another problem: the customer doesn't use certificates in his AD! So after a few mails the basic problem is the NTLMv2 authorization, which is not supported in the LDAP configuration.

So we are trying to find a fix for that and will inform you guys shortly.

Yes, we found the solution!!! After hours of attempts, thinking about it and several cups of coffee, a simple GPO (thank you Microsoft!) turned out to be the cause of all the trouble.

Because the Java engine uses simple bind, the connection handshake with the domain controller fails. After turning off the LDAP signing requirement option everything works fine. The second problem was the reverse DNS, which wasn't right.

So, lessons learned and beer earned!
