vCAC 6.0.1, Inaccessible Tenants, and Missing Identity Stores

vCAC 6.0.x has a bug in the SSO appliance that produces several symptoms at the same time:

  • Authentication to AD or LDAP identity stores fails, returning the user to the blank authentication screen.
  • When logged in to the default tenant as administrator (usually ‘administrator@vsphere.local’), accessing tenant identity stores results in a ‘System Exception’ error.
  • Tenant Admins cannot add or edit identity stores.

This is a documented bug, as listed in VMware KB Article 2075011, and at the time of writing there is a workaround.

The issue, as documented, is that the administrator account in the default tenant expires 90 days after the appliance is deployed. I came across this issue, and for a while did not understand the syntax of the commands required to complete the workaround. So, here are the steps in full detail that should work for others implementing this same fix.

Note: Each command or LDIF line shown below is typed as a single line, followed by Return to complete the entry.

1. SSH to the SSO server IP address. Authenticate as the SSO Root User.

2. Reset the account control flag by issuing the following commands:

/opt/likewise/bin/ldapmodify -H ldap://localhost:389 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF

When typing this command, you are not returned to the usual root prompt, but rather to a simple ‘>’ prompt. This is what stumped me for a bit. At that prompt, enter the following commands. (Note: replace the tenant_name instances in the commands below with the name of your own tenant.)

dn: cn=tenantadmin,cn=users,dc=tenant_name

At the > prompt, enter:

changetype: modify

At the > prompt, enter:

replace: userAccountControl

At the > prompt, enter:

userAccountControl: 0

At the > prompt, enter:

EOF

You will be prompted for LDAP password. Enter the password for the default tenant administrator (usually ‘administrator@vsphere.local’).

Once authenticated, the message ‘Response: modifying entry "cn=administrator,cn=users,dc=tenant_name"’ is displayed, and the command prompt returns to the usual prompt.

3. Disable password expiration by issuing the following commands:

/opt/likewise/bin/ldapmodify -H ldap://localhost:389 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF

When typing this command, you are not returned to the usual root prompt, but rather to a simple ‘>’ prompt. At that prompt, enter the following commands:

dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local

At the > prompt, enter:

changetype: modify

At the > prompt, enter:

add: member

At the > prompt, enter:

member: cn=administrator,cn=users,dc=tenant_name

At the > prompt, enter:

EOF

You will be prompted for LDAP password. Enter the password for the default tenant administrator (usually ‘administrator@vsphere.local’).

Once authenticated, the message ‘Response: modifying entry "cn=DCAdmins,cn=builtin,dc=vsphere,dc=local"’ is displayed, and the command prompt returns to the usual prompt.

4. Retry vCAC login to either the default or user tenants – the problem should be resolved and the login should work as normal.
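The same step-2 change wrapped in a before-and-after check, so you can see which flag is actually set on the account and confirm it reads 0 afterwards, rather than applying the reset blind. This is an added example, not part of the original post or of VMware KB 2075011; it assumes the SSO directory (vmdir) reports userAccountControl with AD-style bit values (0x2 disabled, 0x10 locked out, 0x800000 password expired), and tenant_name is a placeholder exactly as in the post.

```shell
#!/bin/sh
# Added example, not from the post or KB 2075011: read userAccountControl,
# decode it, apply the step-2 reset, then read it again to verify.
# Assumption: vmdir uses AD-style bit values (0x2 disabled, 0x10 locked
# out, 0x800000 password expired). "tenant_name" is a placeholder.
LDAP_URI="ldap://localhost:389"
BIND_DN="cn=administrator,cn=users,dc=vsphere,dc=local"
TENANT="${1:-tenant_name}"
ACCOUNT_DN="cn=tenantadmin,cn=users,dc=${TENANT}"   # the DN targeted in step 2
# Constructed ldapsearch output for an expired account (0x800000 = 8388608).
SAMPLE_LDIF="dn: ${ACCOUNT_DN}
userAccountControl: 8388608"

# Print the flags set in a userAccountControl value, one per line.
# Exit status: 0 = nothing set (healthy), 1 = a flag is set, 2 = bad input.
decode_uac() {
    case $1 in ''|*[!0-9]*) echo "not an integer: '$1'" >&2; return 2;; esac
    uac=$1; found=0
    [ $(( uac & 2 )) -ne 0 ]       && { echo ACCOUNTDISABLE;   found=1; }  # 0x2
    [ $(( uac & 16 )) -ne 0 ]      && { echo LOCKOUT;          found=1; }  # 0x10
    [ $(( uac & 8388608 )) -ne 0 ] && { echo PASSWORD_EXPIRED; found=1; }  # 0x800000
    return $found
}

# Pull the integer out of LDIF on stdin (ldapsearch output or a saved copy).
extract_uac() {
    sed -n 's/^userAccountControl: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Live read of the attribute; -W prompts for the default-tenant admin password.
query_uac() {
    /opt/likewise/bin/ldapsearch -H "$LDAP_URI" -x -D "$BIND_DN" -W \
        -b "$ACCOUNT_DN" -s base userAccountControl | extract_uac
}

# Step 2 of the post as one here-document instead of line-by-line entry.
reset_uac() {
    /opt/likewise/bin/ldapmodify -H "$LDAP_URI" -x -D "$BIND_DN" -W <<EOF
dn: ${ACCOUNT_DN}
changetype: modify
replace: userAccountControl
userAccountControl: 0
EOF
}

# Query, decode, reset only when a flag is set, then re-query to confirm 0.
check_and_fix() {
    before=$(query_uac); echo "before: $before"
    decode_uac "$before" && { echo "no flags set, nothing to reset"; return 0; }
    [ $? -eq 2 ] && return 2            # unreadable value: do not modify blind
    reset_uac && after=$(query_uac) && echo "after: $after" && decode_uac "$after"
}
```

Run `check_and_fix` on the SSO appliance after step 1; step 3 (DCAdmins membership) is unchanged and applied as in the post.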

Jeremy loves all things technology! Has been in IT for years, loves Macs (but doesn't preach to others about their virtues), loves virtualization (and does shout about its virtues), and sometimes skis, bikes and directs amateur plays!
