
vCAC 6 SSL LDAP connection with Advance Services Design

Hey hey,

Recently I've been getting more involved with vCAC (VMware vCloud Automation Center, for those who have been living under a rock in the IT world). A client I work with wanted to fully invest in a vCAC solution for full user self-provisioning, not just for virtual servers but also for creating users, groups and OUs in AD. We are talking the full range of services. VM creation is easy, and using the built-in workflows most Active Directory tasks are easy too. But we hit a snag when it came to creating users.

After a lot of troubleshooting I couldn't find much of a solution for my issue. Now that we have found it, I wanted to put it up here in black and white.

When trying to create a user with the built-in ADS AD workflow for testing, we were getting the following error:
Unable to create a new user: InternalError: Failed to create user account... [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0 ] (Dynamic Script Module name : createUserWithPassword#6) (Dynamic Script Module name : createUserWithPassword#9)

But when we tried to create a group it completed successfully.

Why is this?

Well, it's because the Active Directory endpoint was set up using port 389 (ldap://). To create users with passwords you must use secure LDAP, ldaps:// on port 636, because AD refuses to accept a password over an unencrypted connection. You can create a user over plain LDAP if your AD password policy allows blank passwords, but let's be real: no company or business would be using that.

This is the next hurdle: how do we set up the endpoint like the image below?

1) First we need to import the Active Directory DC's certificate, and create one if it hasn't already been done.
I'm not going to go into how to set up a certificate, but follow THIS link from Microsoft and follow the steps.

2) Once the certificate has been set up on the Domain Controller, we need to export it. During my testing the exported certificate would not import into vCO, so what I did was use OpenSSL (which can be downloaded for Windows) and connect to the DC using the following command:
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect
The output will look like the image below:

3) Copy everything between and including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, paste it into Notepad and save the file with a .cer extension.

4) Log into the vCO configuration page, select Network on the left and then the SSL Trust Manager tab. Use the Import File option, as in the image below.

5) If successful, you should now see the Domain Controller certificate and a message saying the import was successful, like the image below.

Now you should be able to configure the Active Directory endpoint in vCAC to use SSL, like the image at the start of this post.

NOTE*** I have seen people saying you can grab the certificate using the URL import option in the vCO SSL Trust Manager (above the Import File option), but I was not able to get this to work for LDAP connections. Importing the certificate exported from the Windows certificate manager did not work either. The above solution was the only way I was able to get it to work with Active Directory correctly.
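Steps 2 and 3 above are a copy-and-paste job, and a truncated paste is the usual reason the Trust Manager import fails. The following Python helper is an added example, not code from the original post: it pulls every PEM certificate block out of `openssl s_client` output, rejects blocks whose body is not valid base64, re-wraps them in standard PEM layout and writes each one to a `.cer` file. The sample s_client output, the host name `dc01.example.local` and the base64 body are constructed placeholders (the body is not a real certificate). `fetch_dc_cert_pem` is the same fetch done from Python instead of the OpenSSL binary; it deliberately does no chain validation because the point of the step is to obtain the certificate you are about to trust, so confirm its thumbprint on the DC out of band before importing it.

```python
"""Extract Domain Controller certificates from `openssl s_client` output
(or fetch them directly) and save them as .cer files for vCO's SSL Trust
Manager.  Added example; not part of the original post."""
import base64
import re
import ssl
from pathlib import Path
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample of `openssl s_client -connect dc01.example.local:636 -showcerts`
# output.  The host is a placeholder and the base64 body is NOT a real
# certificate; it decodes to the bytes b"not a real cert".
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = dc01.example.local
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = dc01.example.local
   i:CN = example-CA
-----BEGIN CERTIFICATE-----
bm90IGEgcmVhbCBjZXJ0
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc01.example.local
---
"""

_PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def extract_pem_certs(text: str) -> List[str]:
    """Return every complete PEM certificate in s_client output (step 3).

    The body is stripped of whitespace and checked as base64; a block whose
    body does not decode (typically a cut-off paste) is skipped so that a
    broken certificate never reaches the Trust Manager.  Surviving bodies are
    re-wrapped at 64 columns, the PEM convention.
    """
    certs: List[str] = []
    for match in _PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())
        try:
            base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("\n".join([BEGIN, *wrapped, END]) + "\n")
    return certs


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate to its raw DER bytes (useful for hashing a
    thumbprint to compare against the DC)."""
    body = pem.replace(BEGIN, "").replace(END, "")
    return base64.b64decode("".join(body.split()), validate=True)


def write_cer_files(certs: List[str], out_dir: Path, stem: str = "dc") -> List[Path]:
    """Write each certificate to <out_dir>/<stem>-<n>.cer and return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, pem in enumerate(certs):
        path = out_dir / f"{stem}-{n}.cer"
        path.write_text(pem)
        paths.append(path)
    return paths


def fetch_dc_cert_pem(host: str, port: int = 636) -> str:
    """Fetch the DC's leaf certificate over LDAPS, like the s_client step.

    ssl.get_server_certificate() does not validate the chain; that is fine
    here because we are retrieving the certificate to trust it, but verify
    its thumbprint against the DC before importing it into vCO.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    found = extract_pem_certs(SAMPLE_S_CLIENT_OUTPUT)
    print(f"extracted {len(found)} certificate(s) from the sample output")
    for p in write_cer_files(found, Path("dc-certs")):
        print("wrote", p)
```

Run the script as-is to process the embedded sample; to use it for real, pipe the output of the s_client command into `extract_pem_certs` or call `fetch_dc_cert_pem("your-dc", 636)` and feed its return value through the same function. A chain shown by `-showcerts` yields one `.cer` per certificate, which is handy if you prefer to import the issuing CA rather than the individual DC certificate.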



  1. Pierre Girard, April 22, 2015

    What if the error is not 0000001F but 0000052D like this one?

    additional info: 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0

    I did try to modify the password of an already existing AD account with ldapmodify, in SSL, but the server is not responding much. Funny thing: after deploying the certificate, I may now ldapsearch in SSL, but that's all.

    Thanks for any comment.

    • Pierre Girard, April 22, 2015

      Forget it,
      I have the good error, but I am working on Ubuntu and using ldapmodify…
      My certificate is probably wrongly set.
