Important Information about configuring an LDAPS identity source
- If an identity source already exists for the same domain, it must be removed before the LDAPS identity source can be configured.
- If you update or replace the SSL certificate, the identity source must be removed and re-added.
- If the "Username" used when adding the identity source is locked, disabled, or its password expires, AD user logins to vCenter fail. Redo the task, supplying the updated AD username and password.
- Ensure the account used to add the identity source is not in a restricted AD group, such as the Protected Users group.
vSphere includes an openssl binary; on a Windows vCenter Server installation it is located at C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl. Any system that has openssl and can reach port 636 on the domain controller can be used instead.
Run the following command to gather the SSL certificate chain from the Domain Controller you want to use (replace dc# with the DC's host name):
# openssl s_client -connect dc#.domain.com:636 -showcerts
When the openssl s_client command completes, the certificate chain presented by the domain controller is displayed. The chain appears similar to:
Certificate chain
0 s:/CN=DC3.domain.com
i:/DC=com/DC=domain/CN=BRM-CA
-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKYURFHAAAAAAABDANBgkqhkiG9w0BAQUFADBCMRMwEQYK
..........
...snip...
..........
TmqX6OuznopBJKNW5Z5LbHzuUCfY8ryBhYZhHKsf9CmZa12j/ODfznFtAgbPNw==
-----END CERTIFICATE-----
1 s:/DC=com/DC=domain/CN=BRM-CA
i:/CN=BRM-ROOT-CA
-----BEGIN CERTIFICATE-----
MIIFkjCCBHqgAwIBAgIKYSn5HgAAAAAAAjANBgkqhkiG9w0BAQUFADAWMRQwEgYD
..........
...snip...
..........
N4C2CAlLaR3sXlHBRNlfsLO+rZo45hwW8Xw3rLD+ETtgKMmAVUI=
-----END CERTIFICATE-----
Copy the entire last certificate section of the openssl output, including its BEGIN CERTIFICATE and END CERTIFICATE lines, into a .cer file (the file contains the PEM text exactly as printed).
Note: openssl shows only the chain the domain controller sends, which may stop at an intermediate CA. A certificate is the root only when its subject (s:) and issuer (i:) match; in the output above, certificate 1 (BRM-CA) is issued by BRM-ROOT-CA, which the server did not send. If the root is required and is not in the chain, obtain it from the CA directly.
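The steps above (fetch the chain, keep the last certificate, check whether it is really a root) are easy to get wrong by hand, so here is an added shell example that is not part of the original VMware article. The helper names, the host name dc1.domain.com, the output file name ca.cer, and the embedded sample output are assumptions for illustration; the sample PEM bodies are fake and are included only so the text-handling helpers can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the VMware article): pull the chain from an LDAPS
# domain controller, keep only the last certificate the server presents, and
# check whether it is self-signed. Host, file and helper names are assumptions.

# Print only the last PEM certificate block from "openssl s_client -showcerts"
# output read on stdin. Each BEGIN line resets the buffer, so whatever remains
# at END is the last certificate in the chain.
extract_last_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { cert = ""; inblock = 1 }
    inblock                       { cert = cert $0 "\n" }
    /-----END CERTIFICATE-----/   { inblock = 0; last = cert }
    END                           { printf "%s", last }
  '
}

# Count the certificates in the chain (the " N s:" subject lines).
chain_depth() {
  grep -c '^ *[0-9][0-9]* s:'
}

# Connect to the DC on 636 and write the last chain certificate to a file.
# </dev/null ends the session as soon as the handshake output is printed.
fetch_ldaps_ca() {
  host=$1; port=${2:-636}; out=${3:-ca.cer}
  openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
    | extract_last_cert > "$out"
  [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
}

# A true root certificate is self-signed: subject and issuer match. If this
# fails, the server sent an intermediate and the root must come from the CA.
# The sed strips both "subject= /CN=x" (old openssl) and "subject=CN = x" (new).
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# Constructed sample of s_client output (fake PEM bodies, not real certificates),
# shaped like the article's chain so the helpers can be tried without a DC.
SAMPLE_SCLIENT_OUTPUT='Certificate chain
 0 s:/CN=DC3.domain.com
   i:/DC=com/DC=domain/CN=BRM-CA
-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
 1 s:/DC=com/DC=domain/CN=BRM-CA
   i:/CN=BRM-ROOT-CA
-----BEGIN CERTIFICATE-----
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
---
Server certificate'

# Usage: sh ldaps_ca.sh dc1.domain.com 636 ca.cer
if [ "$#" -ge 1 ]; then
  fetch_ldaps_ca "$@" || exit 1
  if is_self_signed "${3:-ca.cer}"; then
    echo "saved self-signed root CA certificate to ${3:-ca.cer}"
  else
    echo "saved ${3:-ca.cer}, but it is an intermediate; obtain the root from the CA" >&2
  fi
fi
```

Run it against the sample offline with `printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_last_cert`, which prints only the BRM-CA block; against a real DC the script writes the file and tells you whether what you got is actually the root. The is_self_signed check is the one worth keeping: in the article's own output the last certificate is an intermediate, and saving it as if it were the root is the usual mistake.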