vCloud Director: Delete LDAP user / group prevents adding again…
Hi All…as part of vCloud Director proof-of-concept I discovered this troubling problem: It is impossible to switch LDAP from Simple to Kerberos and allow existing vCloud Director admin users / groups to login. See below for the gory details:
UPDATE as of 5 JUN 2013:Â I could not figure a way to workaround this problem and I cannot open a VMware support ticket (I’m just evaluating this software). So the final answer is…be Very Careful how you setup vCloud Director authentication.
I have a VMware Communities post on this at http://communities.vmware.com/thread/447657 – see that for replies and comments.
Also I’ve attached a PDF that has all the below information as well as lots of screenshots…just open it using this link: Documentation for reported error where LDAP cannot be switched from Simple to Kerberos.
- vCD 5.1.2 (latest patches) with simple LDAP authentication and AD usersimported.
- Two brand-new test Active Directory users TestAccount1 and TestAccount2 that have *not* ever been entered into vCloud Director as owning any objects
- Set LDAP to Simple.
- Under Admin / Users: Import AD TestAccount1. Displays with sAMAccountName.
- Validate TestAccount1 login (using sAMAccountName).
- Change LDAP authentication from Simple to Kerberos.
- Under Admin / Users: Import AD TestAccount2. Displays with userPrincipalName.
- Validate TestAccount2 login (using userPrincipalName).
- Verify TestAccount1 login no longer works.
- Under Admin / Users: Disable and Delete AD TestAccount1.
- Under Admin / Users: Import AD TestAccount1 user again. Verify that â€“ although Kerberos is in effect â€“ user continues to display with sAMAccountName.
- Verify that TestAccount1 longer continues not to work.
If I get a solution I’ll update this post. Until then…*choose carefully* your LDAP integration mechanism because – once chosen – you cannot change it!
You just need to click on Synchronize ldap and you ll see all your users changing from the samaccountname to the UPN and then they will be able to login again.