Likewise LDAP account Expires on vCloud Automation Center (vCAC) 6.x

Likewise LDAP account Expires on vCloud Automation Center (vCAC) 6.x

Likewise LDAP account Expires on vCloud Automation Center (vCAC) 6.x

Issue with vCloud Automation Center (vCAC) 6.x: vCAC tenants become inaccessible, the LDAP/AD connection seems to be unavailable/removed is Single Sign On (SSO).

The exact symptoms of this issue are:

  • vCAC 6.x seems to be running fine for a couple of months, suddenly tenants become inaccesible;
  • The LDAP/AD connection in the default tenant disappears and error message is reported by vCAC;
  • You see error messages in the catalina.out log file similar to “Error occured looking for solution user :: Insufficient access“.

Although this issue and solution has been reported in VMware KB article 2075011, I suggest to take the steps stretched out in this article in advance: before the issue actually pops up! The cause of this issue is internal SSO Password expiry after the product is running for 90 days. Note: this is not theadministrator@vsphere.localThis email address is being protected from spambots. You need JavaScript enabled to view it.password expiring, is has to do with an internal account.

Prevent the internal SSO account from expiring

Depending on which SSO server you’re using (vCenter Appliance SSO, SSO in the vCAC identity server, SSO on Windows) take the necessary steps to prevent this problem from occurring. For the vCAC identity server the steps are:

(Replace tenant_name with the URL name of your tenant)

  1. Open an SSH connection to the vCAC Identity Server Appliance (so the SSO server, not the vCAC appliance).
  2. Reset the account control flag by running the command: 
    /opt/likewise/bin/ldapmodify -H ldap://localhost:389 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF
dn: cn=tenantadmin,cn=users,dc=tenant_name
changetype: modify
replace: userAccountControl
userAccountControl: 0
EOF
  3. Response: modifying entry “cn=administrator,cn=users,dc=tenant_name.”
    Note: You will be prompted for theadministrator@vsphere.localThis email address is being protected from spambots. You need JavaScript enabled to view it.password when running this command.
  4. Disable password expiration by running the command: 
    /opt/likewise/bin/ldapmodify -H ldap://localhost:389 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF
dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
changetype: modify
add: member
member: cn=tenantadmin,cn=users,dc=tenant_name
EOF
  5. Response: modifying entry “cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
    Note: You will be prompted for theadministrator@vsphere.localThis email address is being protected from spambots. You need JavaScript enabled to view it.password when running this command.

Type the command exactly as illustrated here, so there are a few ‘new lines’ in the command.

This will solve the AD connection problem, everything will work as expected after applying this solution. A solution for the other SSO servertypes is posted in the KB article.

 

SOURCE: http://www.viktorious.nl/2014/06/10/vcac-prevent-tenants-become-inaccessible-due-expiring-sso-internal-password/

 

Example: where demo is the tenant

/opt/likewise/bin/ldapmodify -H ldap://localhost:389 -x -D “cn=administrator,cn=users,dc=vsphere,dc=local” -W <<EOF
dn: cn=tenantadmin,cn=users,dc=demo
changetype: modify
replace: userAccountControl
userAccountControl: 0
EOF

/opt/likewise/bin/ldapmodify -H ldap://localhost:389 -x -D “cn=administrator,cn=users,dc=vsphere,dc=local” -W <<EOF
dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
changetype: modify
add: member
member: cn=tenantadmin,cn=users,dc=demo
EOF

Comments are closed.