Hi All…as part of vCloud Director proof-of-concept I discovered this troubling problem: It is impossible to switch LDAP from Simple to Kerberos and allow existing vCloud Director admin users / groups to login. See below for the gory details:
UPDATE as of 5 JUN 2013:Â I could not figure a way to workaround this problem and I cannot open a VMware support ticket (I’m just evaluating this software). So the final answer is…be Very Careful how you setup vCloud Director authentication.
I have a VMware Communities post on this at http://communities.vmware.com/thread/447657 – see that for replies and comments.
Also I’ve attached a PDF that has all the below information as well as lots of screenshots…just open it using this link: Documentation for reported error where LDAP cannot be switched from Simple to Kerberos.
- vCD 5.1.2 (latest patches) with simple LDAP authentication and AD usersimported.
- Two brand-new test Active Directory users TestAccount1 and TestAccount2 that have *not* ever been entered into vCloud Director as owning any objects
- Set LDAP to Simple.
- Under Admin / Users: Import AD TestAccount1. Displays with sAMAccountName.
- Validate TestAccount1 login (using sAMAccountName).
- Change LDAP authentication from Simple to Kerberos.
- Under Admin / Users: Import AD TestAccount2. Displays with userPrincipalName.
- Validate TestAccount2 login (using userPrincipalName).
- Verify TestAccount1 login no longer works.
- Under Admin / Users: Disable and Delete AD TestAccount1.
- Under Admin / Users: Import AD TestAccount1 user again. Verify that â€“ although Kerberos is in effect â€“ user continues to display with sAMAccountName.
- Verify that TestAccount1 longer continues not to work.
If I get a solution I’ll update this post. Until then…*choose carefully* your LDAP integration mechanism because – once chosen – you cannot change it!