How to Configure LDAPS Authentication in vCenter 7.0

This article explains how to configure LDAPS authentication in vCenter 7.0.

  1. Connect to the vCenter Server Appliance with SSH and login as root.
  2. Run the following command to show the LDAP certificate
    # openssl s_client -connect dc.virten.lab:636 -showcerts
  3. The command displays the certificate chain and SSL session information. The information we are looking for is the topmost certificate:
  4. Copy everything between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into a text file.
  5. Save the file with a .cer extension.
  6. Open the vSphere Client.
  7. Log in as Single Sign-On Administrator.
  8. Navigate to Menu > Administration > Single Sign-On Configuration
  9. In the Identity Provider tab, open Identity Sources
  10. Click ADD
  11. Select Active Directory over LDAP or OpenLDAP, depending on your directory type.
  12. Fill out the remaining fields as follows:
    Identity Source Name: Label for identification
    Base DN for users: The Distinguished Name (DN) of the starting point for directory server searches. Example: If your domain name is virten.lab the DN for the entire directory is "DC=virten,DC=lab".
    Base DN for groups: The Distinguished Name (DN) of the starting point for directory server searches.
    Domain name: Your domain name. Example: "virten.lab"
    Domain alias: Your NetBIOS name. Example: "virten"
    Username: Domain user with at least browse privileges. Example: "ldapbind@virten.lab".
    If you get a "User XXX is not a valid dn format" error, try the DN form instead: "uid=ldapbind,cn=users,dc=virten,dc=lab"
    Connect to: Either port 636 (LDAP over SSL) or 3269 (Global Catalog over SSL).
    Example: "ldap://dc01.virten.lab:636".
  13. Click Browse next to SSL Certificate
  14. Select the .cer file created in step 5.
  15. Click ADD and finish the configuration wizard
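Steps 2 to 5 can be scripted so that only the topmost certificate of the chain ends up in the .cer file. The following is an added example, not part of the original article: it assumes a POSIX shell with awk on the appliance, and the host name dc.virten.lab is the article's example and is only contacted when fetch_chain is called. The embedded sample output is constructed to show a two-certificate chain.

```shell
#!/bin/sh
# Added example (not from the original article): extract the topmost
# (server) certificate from "openssl s_client -showcerts" output and
# save it as a .cer file for the vCenter identity-source wizard.
# Assumes POSIX sh with awk; dc.virten.lab is the article's example host.

# Fetch the chain from the LDAPS port (636). "</dev/null" closes stdin so
# s_client exits after the handshake instead of waiting for input.
fetch_chain() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null
}

# Print only the first PEM block of the s_client output, i.e. the topmost
# certificate of the chain (the LDAP server's own certificate), and stop.
first_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock { print }
        /-----END CERTIFICATE-----/ { if (inblock) exit }
    '
}

# Count PEM blocks: shows how many certificates the server presented.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Constructed sample of s_client output with a two-certificate chain.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc.virten.lab
   i:DC = lab, DC = virten, CN = virten-CA
-----BEGIN CERTIFICATE-----
MIIFAKE0SERVER0CERT0LINE1
MIIFAKE0SERVER0CERT0LINE2
-----END CERTIFICATE-----
 1 s:DC = lab, DC = virten, CN = virten-CA
   i:DC = lab, DC = virten, CN = virten-CA
-----BEGIN CERTIFICATE-----
MIIFAKE0ISSUER0CERT0LINE1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc.virten.lab'

# Usage against a live domain controller:
#   fetch_chain dc.virten.lab | first_cert > dc.virten.lab.cer
```

Because the function stops after the first END marker, the issuing CA certificate that follows in the chain is not copied into the file, which matches what step 3 asks for.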

From here, you can proceed and add users as explained here.

1 thought on “How to Configure LDAPS Authentication in vCenter 7.0”

  1. It is a requirement to have a certificate on each domain controller to enable LDAPS. For customers that have their own private CA used to generate those certificates, is there a way to upload the CA's certificate to a trusted CA store in vcenter so that you do not have to go through exporting the certificates for each domain controller used in the Identity Source and update the certificates there every time they rotate?
