Troubleshooting LDAP Errors in vCO

VMware vCenter Orchestrator uses LDAP in different flavors:

  • for its own user authentication (configured in the web-based configuration utility)
  • inside workflows, e.g. when getting information about the user who started the workflow via Server.getCurrentLdapUser()
  • in plugins (e.g. the vCO plugin for Microsoft Active Directory)

Since the workflow engine runs on a Java platform, the LDAP calls are made using Java libraries as well. So if something goes wrong, you will get a JNDI exception. To troubleshoot such errors, you can follow this process:

  1. Get the error code:
    Look in the “Validation results” area of the configuration tool, in the events of your workflow, or in the vCO log files
  2. Translate the error code to the JNDI exception to get a better description:
    http://download.oracle.com/javase/tutorial/jndi/ldap/exceptions.html
  3. (Google to find other cases 🙂 )
    e.g: http://stackoverflow.com/questions/1073643/adding-ldap-entries-using-jndi
  4. Fix it!

The common issues are:

  • wrong username / password
  • wrong Distinguished Name
  • user@domain vs. Domain\user specification
  • Active Directory password restriction policy when using the AD plugin
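
Steps 1 and 2 can be scripted. The following is an added example, not code from the original post: it extracts the LDAP result code from a JNDI exception message, names the matching JNDI exception, and for Active Directory adds a hint that points at the common issues listed above. The names decodeLdapError, JNDI_BY_LDAP_CODE and AD_HINT are hypothetical, the sample messages are constructed, and the Active Directory sub-code meanings are Microsoft's documented values rather than something stated on this page.

```javascript
// Added example: decode a JNDI LDAP exception message (steps 1 and 2).
// LDAP result code -> JNDI exception (excerpt of the Oracle table).
const JNDI_BY_LDAP_CODE = {
  3: "TimeLimitExceededException",
  4: "SizeLimitExceededException",
  8: "AuthenticationNotSupportedException",
  19: "InvalidAttributeValueException",
  32: "NameNotFoundException",
  34: "InvalidNameException",
  49: "AuthenticationException",
  50: "NoPermissionException",
  53: "OperationNotSupportedException",
  68: "NameAlreadyBoundException",
};
// Active Directory hints: "data <hex>" on bind failures, and the leading
// Win32 code on refused modifications.
const AD_HINT = {
  "525": "user not found",
  "52e": "invalid credentials (password or bind name format)",
  "532": "password expired",
  "533": "account disabled",
  "773": "user must reset password",
  "775": "account locked out",
  "0000052d": "new password violates the domain password policy",
};

function decodeLdapError(message) {
  const m = /\[LDAP: error code (\d+)(?: - ([^\]]*))?\]/.exec(message);
  if (!m) return null; // not a JNDI LDAP error
  const code = Number(m[1]);
  const detail = (m[2] || "").toLowerCase();
  const data = /\bdata ([0-9a-f]+)\b/.exec(detail);
  const win32 = /^([0-9a-f]{8}):/.exec(detail);
  // Prefer the bind sub-code, fall back to the leading Win32 code.
  const key = [data && data[1], win32 && win32[1]].find((k) => k in AD_HINT);
  return {
    code,
    jndiException: JNDI_BY_LDAP_CODE[code] || "not in this excerpt",
    adHint: key ? AD_HINT[key] : null,
  };
}

// Constructed sample messages (DSID values are placeholders).
const SAMPLES = [
  "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v1db1]",
  "javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]",
  "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-00000000, problem 5003 (WILL_NOT_PERFORM), data 0]",
];
for (const line of SAMPLES) console.log(JSON.stringify(decodeLdapError(line)));
```

A message that decodes to code 49 with hint 52e is worth checking against both the password and the bind name format before anything else.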

If you cannot find the reason for the error, you can troubleshoot the hard way: use another Java-based LDAP utility (like Apache LDAP Studio) and manually try the operations you expect your workflow to perform. You should get the same errors…

Good luck! 😉

BTW: If you want to access LDAP information that is not exposed via LdapUser/LdapGroup in JavaScript, there is a workaround: use an external command-line tool like adfind and call it via Command.execute() in a scripting element.
Download adfind: http://www.joeware.net/freetools/tools/adfind/index.htm
Examples for calling external scripts (here powercli, but works with adfind in the same way): http://www.vcoportal.de/examples/vco-powershell/