Monday, June 15, 2020

LDAPS configuration for vCenter Server.


Hello there !!

This post covers the configuration of LDAPS authentication for vCenter Server, or for the Platform Services Controller in the case of an external PSC deployment.

Before doing this, an important update: Microsoft issued an advisory that everyone needs to enable LDAP channel binding and LDAP signing on Active Directory domain controllers for secure LDAP authentication. Below are some KB articles on how to enable LDAP channel binding and signing at the AD level.

· KB4034879: LDAP channel binding
· KB935834: LDAP signing

This LDAP change will affect all applications which are using LDAP authentication with AD. 

So, let's begin changing the LDAP configuration on vCenter Server, 6.7 in my case.

Step 1


First, check which domain controller is preferred for this vCenter Server based on its site. Some environments have different DCs per site.
Run the command below to get the list of all domain controllers in your environment.
nltest /dclist:yourDomainName

Step 2

Select one of the domain controllers from the list above that you want to use for authentication with vCenter Server and that is configured as the LDAP identity source. Log in to the vCenter appliance over SSH and run the command below to get the LDAP certificate from that domain controller.
openssl s_client -connect dc1.cloudarena.com:636 -showcerts

This command shows the certificate of that domain controller. Copy the topmost certificate, which is always the DC certificate, starting from -----BEGIN CERTIFICATE----- until -----END CERTIFICATE-----.
Make sure there are no other characters or spaces within this selection.

Save the copied certificate content in a Notepad file and save the file with a .cer extension (e.g. ldap_dc.cer).
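
As an added example (not part of the original post), the copy step in Step 2 can be scripted from the VCSA shell: the functions below keep only the first certificate from the openssl s_client output and print its subject, issuer, expiry date and SHA-256 fingerprint for review before upload. The names first_pem_cert, fetch_dc_cert and sample_output are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.
# Read `openssl s_client -showcerts` output on stdin and print only the first
# PEM block (the server's own certificate), with trailing whitespace removed.
first_pem_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside { sub(/[ \t\r]+$/, ""); print }
        inside && /^-----END CERTIFICATE-----/ { exit }
    '
}

# fetch_dc_cert HOST OUTFILE: save the DC certificate from HOST:636 and print
# the fields to review before the file is uploaded to vCenter.
fetch_dc_cert() {
    host=$1 out=$2
    openssl s_client -connect "$host:636" -showcerts </dev/null 2>/dev/null |
        first_pem_cert >"$out"
    # Fails if nothing was captured or the file is not a parseable certificate.
    openssl x509 -in "$out" -noout -subject -issuer -enddate \
        -fingerprint -sha256 || return 1
    # Refuse a certificate that has already expired.
    openssl x509 -in "$out" -noout -checkend 0 >/dev/null || {
        echo "certificate in $out has expired" >&2; return 1; }
}

# Constructed sample of s_client output (placeholder base64, not a real cert).
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc1.cloudarena.com
   i:CN = Example-Issuing-CA
-----BEGIN CERTIFICATE-----
QUJDREVGR0g=
SUpLTE1OT1A=
-----END CERTIFICATE-----
 1 s:CN = Example-Issuing-CA
   i:CN = Example-Issuing-CA
-----BEGIN CERTIFICATE-----
UVJTVFVWV1g=
-----END CERTIFICATE-----
---
EOF
}

# Usage: sh fetch_dc_cert.sh dc1.cloudarena.com ldap_dc.cer
if [ "$#" -eq 2 ]; then fetch_dc_cert "$1" "$2"; fi
```

Compare the printed SHA-256 fingerprint with the one shown for the certificate on the domain controller itself before uploading the file.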


Step 3

Now open a browser and log in to the VCSA 6.7. You need to log in with the local administrator account, i.e. administrator@vsphere.local, and its password.


Click on Menu and choose the Administration section.


Then click on the Configuration option under SSO.


Click on Identity Sources and then click on ADD IDENTITY SOURCE.






Choose Active Directory over LDAP as the identity source type, fill in all the domain details, and upload the certificate we saved in Step 2 under the SSL Certificates section.





Click ADD. If all details are correct, your identity source will be added and shown under the Identity Sources tab.


That's all for this LDAPS configuration. Hope this will be informative to all... Cheers..!!


