Configuring an LDAPS identity source in VCSA.
This guide walks through adding or renewing an LDAPS identity source for AD lookups on your vCenter Server Appliance (VCSA). We use LDAPS for security, but the process for plain LDAP is the same, minus the certificates.
This guide is based on version 7.0.3, but the process is the same for all versions supported at the time of writing. It also assumes you have access to your VCSA via SSH and the GUI, at least one Windows domain controller, and a certificate authority installed and configured on your network that issues certificates to your AD domain controllers.
Please note that the LDAPS certificate is not the same as the certificate used by the VCSA web interface: it does not secure the appliance's HTTPS, it is only used to validate the TLS connection to Active Directory for LDAP lookups.

Let's start by making an SSH connection to the VCSA. In the example above I am using PowerShell's built-in ssh client, but CMD, Terminal, PuTTY or any other SSH client will do the same job.
Type ssh root@your-vcsa-server, enter the root password when prompted, then type 'shell' (without the quotes) to drop into bash.
Once the shell has loaded, check which certificate the DC(s) present on port 636, if any.
Type: openssl s_client -connect your-dc-server.yourdomain.com:636 (add -showcerts if you also want the issuing chain printed; without it only the server certificate is shown in PEM form).
This prints the handshake details and the certificate. Press CTRL+C to break out once it has finished; we only need to see the output so we can grab the certificate.
Scroll up and find the server certificate. Copy everything in between and including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----; this is the certificate we need for LDAPS.
Paste it into a plain text file (use Notepad, not Word/WordPad) and save it with a name like dc-server-ldaps.crt. Before trusting it, check that the subject or Subject Alternative Name is the DC's fully qualified name and that it was issued by your internal CA: s_client shows whatever the endpoint presents and does not verify it for you. If you are adding more than one DC for redundancy, repeat the above for the second server, producing a second file such as dc2-server-ldaps.crt.
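The steps above done as a script, as an added example that is not part of the original guide: it fetches the leaf certificate from a DC without needing CTRL+C, saves it as PEM, and then checks that the file parses, that it is not about to expire, and that its Subject Alternative Name (or CN) contains the exact FQDN you will put in the ldaps:// URL. The hostnames dc1.domain.com and the 30-day warning threshold are placeholders, and the script assumes a POSIX shell with openssl and awk available (true on the VCSA bash shell and on most Linux hosts).

```shell
#!/bin/sh
# Added example, not from the original guide. Hostnames are placeholders.
# Assumes a POSIX shell with openssl and awk (VCSA's bash shell qualifies).
set -eu

# Print only the first -----BEGIN/END CERTIFICATE----- block read from stdin.
# With `openssl s_client -showcerts` the first block is the server (leaf)
# certificate; any later blocks are the issuing chain.
extract_first_pem() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
    inblock { print }
    /-----END CERTIFICATE-----/ && inblock { exit }
  '
}

# Connect to a DC on 636 and save its leaf certificate as PEM.
# </dev/null closes stdin, so s_client exits on its own instead of
# sitting in the session waiting for CTRL+C.
fetch_dc_cert() {
  host="$1"; out="$2"
  openssl s_client -connect "${host}:636" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | extract_first_pem > "$out"
  [ -s "$out" ] || { echo "no certificate received from $host" >&2; return 1; }
}

# Check an exported PEM file before uploading it to vCenter:
#  - it must parse as an X.509 certificate
#  - it must not expire within min_days (default 30)
#  - its SAN DNS entries (or the CN when there is no SAN) must contain
#    the exact name used in the ldaps:// URL, e.g. dc1.domain.com
# Returns 0 when every check passes, 1 otherwise.
check_dc_cert() {
  file="$1"; host="$2"; min_days="${3:-30}"
  openssl x509 -in "$file" -noout 2>/dev/null \
    || { echo "$file: not a valid PEM certificate" >&2; return 1; }
  echo "Subject: $(openssl x509 -in "$file" -noout -subject)"
  echo "Expires: $(openssl x509 -in "$file" -noout -enddate)"
  if ! openssl x509 -in "$file" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "$file: expires within $min_days days, renew before uploading" >&2
    return 1
  fi
  # SAN line from the text dump looks like: "DNS:dc1.domain.com, DNS:dc1"
  names="$(openssl x509 -in "$file" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')"
  if [ -z "$names" ]; then
    # No SAN: fall back to the CN (works for both "CN = x" and "/CN=x" forms)
    names="$(openssl x509 -in "$file" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')"
  fi
  if ! printf '%s\n' "$names" | grep -qix "$host"; then
    echo "$file: certificate names [$(printf '%s' "$names" | tr '\n' ' ')] do not include $host" >&2
    return 1
  fi
  echo "$file: OK for ldaps://$host:636"
}

# Typical use on the VCSA shell (commented out so the file can be sourced):
# fetch_dc_cert dc1.domain.com dc1-ldaps.crt && check_dc_cert dc1-ldaps.crt dc1.domain.com
# fetch_dc_cert dc2.domain.com dc2-ldaps.crt && check_dc_cert dc2-ldaps.crt dc2.domain.com
```

The name check matters because vCenter validates the certificate against the host in the ldaps:// URL: a certificate issued only for the short name dc1 will be rejected when the URL says dc1.domain.com, which is exactly the "URI or certificate format" error described later in this guide. The expiry check gives you the renewal date to note down at the same time.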
You can now close the sessions above by typing exit <return> to leave bash, then exit <return> again to close the SSH session.
Moving over to the VCSA GUI, log in as administrator@vsphere.local with your password. Open the burger menu in the top left corner and go to Administration, Single Sign On, Configuration. Select the Identity Sources tab on the right, click Add, and choose the Active Directory over LDAP option.
If the domain is already configured and you are here to resolve an expired certificate, take a note of its existing settings (base DNs, service account and domain controller URLs), then select the domain and remove it; it has to be re-added manually. Once it is back, confirm that permissions previously granted to that domain's users and groups still resolve.

You will be presented with the identity source window; complete the fields as shown above. Enter your domain name as both the identity source name and the domain name, then fill in the base DN for users and groups. If you are not limiting lookups to specific OUs, use the root of the domain in DN form: DC=domain,DC=com for domain.com, or DC=domain,DC=co,DC=uk for a co.uk or similar multi-part suffix. If you do want to restrict lookups to specific users or groups, set the base DN boxes to the distinguished names of those containers or OUs.
Enter the domain account and password that vCenter will use to bind to the directory and look up users and groups. Read access to the directory is sufficient, so use a dedicated, least-privilege service account rather than a personal admin account: its password is stored on the appliance and lookups will fail whenever that password changes. Further down, select 'specific domain controllers' and add your DCs in the format ldaps://dc1.domain.com:636 and ldaps://dc2.domain.com:636.
TIP: If you are not going to use certificates, use ldap://dc1.domain.com:389 and ldap://dc2.domain.com:389 for an unencrypted connection. Be aware that this sends the bind credentials and every lookup in cleartext, and domain controllers configured to require LDAP signing will reject the simple bind.
Finally, click the Browse button and load the .crt file(s) exported earlier. If the certificates are valid, the base DNs are correct and the username/password work, the new identity source is added and ready for use.
If you get errors about passwords, check the username and password you are using. If you get errors about the URI or certificate format, confirm the certificate is valid and that the host name in the ldaps:// URL appears as a DNS entry in the certificate's Subject Alternative Name (or at least the CN). For example, if the certificate is only valid for dc1 and not dc1.domain.com, you will need to make sure the certificate template on your CA includes the fully qualified name, reissue the certificate and repeat the export. Fixing the template itself is outside the scope of this guide.
Once the identity source is added you will see it listed on the Identity Sources page. Select the newly added domain and choose Set as Default. This means that when you log in to your VCSA you do not need to type domain\username; you can simply use username and your password, and the default domain assumes the credentials belong to 'domain.com'. This step is optional, but it makes logging in with domain credentials easier. Be mindful that if you add multiple domains, only one can be the default.
Be sure to note the expiration date of the certificates you exported, as you will need to repeat this process before they expire if domain logins are to keep working.
TIP: In VCSA, set up an alert to email you when the certificate is due to expire.
TIP: If you export the certificate via the Windows MMC Certificates snap-in or any other method, it must be base-64 encoded (PEM); in the MMC export wizard that is the 'Base-64 encoded X.509 (.CER)' option.
If this is the first time you are adding an identity source, you will also want to specify which users can log in with domain credentials. To do this, go to the burger menu, Administration, Single Sign On, Users and Groups.
Select the Groups tab; here you are shown the groups built into VCSA. If you want to set up specific permissions for a subset of staff, do that first (it is not covered here). For this guide we will add members to the built-in Administrators group, which grants full control of vCenter, so keep its membership small. Tick the Administrators group and click Edit. You will see the users and groups that already have membership; let's add another from AD. In the 'Add Members' section, change vsphere.local to your newly added AD domain and type the name of a user or group to add. AD groups are recommended so that user management stays in AD.
As you type it will match users and groups; select the user or group you want and click Save. That's it!
You should now be able to log out of administrator@vsphere.local and log in with your AD credentials.
TIP: To remove access, follow the same process; once you are editing the group, click the little 'x' next to the account(s) that should no longer have access and save.