vCloud director and LDAP

Started with a new client recently who is using ESX 5 and vCloud Director, so I should be able to branch these posts out a bit!

Ran into an interesting problem almost immediately. They've got several Organization vDCs set up and are trying to get each of them to authenticate against Active Directory groups using Custom LDAP queries. An account had already been created and the LDAP connection was set up.

It was able to pull in the groups successfully, and when you ran a test against AD everything seemed to be working correctly. However, when a user who was in the AD group tried to log into that vDC, they couldn't log in.

We fooled around with turning SSL on and off, changing the AD Domain Controller (DC) it was pointed to... all that jazz. Nothing made a difference.

The Custom LDAP setup has a place to run a test query against LDAP and pull up specific users and what it came back with was kind of out of whack. It would pull most of the user information (name, description, etc.) but wouldn’t pull back any group information on them. We also played around with the LDAP mappings and changing what information it pulled, but that did nothing either.

I finally did what I should've done from the beginning and looked at the account that was being used for the connection. Its only membership was in Domain Users. Okay, that's an easy test. I went to one of my test accounts that wasn't working (and was in the AD group we were synced with) and granted the LDAP connection account Full Control over my test account.

And voila, it worked!

Took out the security perms and could no longer get in, so security was obviously the problem.

As it turns out, Domain Users does not have the permission to read the group membership of users. That is not a public field. As a workaround (because we didn't want to grant that account any more permissions than it needed), we placed it in the domain's RAS and IAS Servers group (which did have the permission). This is only a temporary fix, as you still need to modify AdminSDHolder to allow it to read group membership for administrators, but at least it's a step in the right direction!
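As an added check (my own script, not part of the original post), here is a PowerShell snippet that reproduces the diagnosis rather than guessing: it queries the test user as the LDAP bind account and compares the result with a privileged query, then lists the ACEs on the user object that grant read access to the Membership property set. The account, user and DC names (svc-vcd, jdoe, dc01.example.local) are assumed placeholders.

```powershell
# Added check, not from the original post. Assumed names: svc-vcd (vCD LDAP bind account),
# jdoe (a test user who is in the synced AD group), dc01.example.local (a domain controller).
Import-Module ActiveDirectory

$BindAccount = 'EXAMPLE\svc-vcd'
$TestUser    = 'jdoe'
$Server      = 'dc01.example.local'

# 1. Functional test: read the user the way vCloud Director does, i.e. authenticated as the
#    bind account. If memberOf comes back shorter than what a privileged session sees, the
#    bind account cannot read the Membership property set on that object.
$cred    = Get-Credential -UserName $BindAccount -Message 'Password for the LDAP bind account'
$asBind  = Get-ADUser -Identity $TestUser -Properties memberOf -Server $Server -Credential $cred
$asAdmin = Get-ADUser -Identity $TestUser -Properties memberOf -Server $Server   # current (admin) session

$bindCount  = @($asBind.memberOf).Count
$adminCount = @($asAdmin.memberOf).Count
"Groups visible to the bind account : $bindCount"
"Groups visible to the current admin: $adminCount"
if ($bindCount -lt $adminCount) {
    Write-Warning "Bind account cannot read the full group membership of $TestUser"
}

# 2. Explain why: look up the rightsGuid of the 'Membership' property set in the forest's
#    Extended-Rights container (looked up rather than hard-coded), then list every Allow ACE
#    on the user that grants read on that property set, or on all properties.
$rootDse       = Get-ADRootDSE -Server $Server
$rightsBase    = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$membershipSet = Get-ADObject -Server $Server -SearchBase $rightsBase `
                     -Filter { displayName -eq 'Membership' } -Properties rightsGuid
$setGuid       = [guid]$membershipSet.rightsGuid

$acl = Get-Acl -Path "AD:\$($asAdmin.DistinguishedName)"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ReadProperty|GenericRead|GenericAll' -and
        ($_.ObjectType -eq $setGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

In the situation described in the post, the second listing shows which principals (such as RAS and IAS Servers) hold that read right on the user, and whether the bind account is among them only via group membership; the same listing run against AdminSDHolder shows why protected admin accounts still need separate treatment.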