vCloud Director: Delete LDAP user / group prevents adding again…

Hi All…as part of vCloud Director proof-of-concept I discovered this troubling problem: It is impossible to switch LDAP from Simple to Kerberos and allow existing vCloud Director admin users / groups to login. See below for the gory details:

UPDATE as of 5 JUN 2013: I could not figure a way to workaround this problem and I cannot open a VMware support ticket (I’m just evaluating this software). So the final answer is…be Very Careful how you setup vCloud Director authentication.

I have a VMware Communities post on this at http://communities.vmware.com/thread/447657 – see that for replies and comments.

Also I’ve attached a PDF that has all the below information as well as lots of screenshots…just open it using this link: Documentation for reported error where LDAP cannot be switched from Simple to Kerberos.

Requirements:

• vCD 5.1.2 (latest patches) with simple LDAP authentication and AD usersimported.
• Two brand-new test Active Directory users TestAccount1 and TestAccount2 that have *not* ever been entered into vCloud Director as owning any objects

Procedure:

• Set LDAP to Simple.
• Under Admin / Users: Import AD TestAccount1. Displays with sAMAccountName.
• Validate TestAccount1 login (using sAMAccountName).
• Change LDAP authentication from Simple to Kerberos.
• Under Admin / Users: Import AD TestAccount2. Displays with userPrincipalName.
• Validate TestAccount2 login (using userPrincipalName).
• Verify TestAccount1 login no longer works.
• Under Admin / Users: Disable and Delete AD TestAccount1.
• Under Admin / Users: Import AD TestAccount1 user again. Verify that – although Kerberos is in effect – user continues to display with sAMAccountName.
• Verify that TestAccount1 longer continues not to work.

If I get a solution I’ll update this post. Until then…*choose carefully* your LDAP integration mechanism because – once chosen – you cannot change it!