Privileges for OpenLDAP authenticated user

seva9 · ‎12-10-2015

I have a vCenter 6.0 instance which uses an OpenLDAP identity source (actually on a RedHat 389 Directory Server), and I notice there are some differences between the available 'Administration' menu items when logging in as an externally managed LDAP user than for a local SSO Domain user. If it's relevant this installation uses an external PSC.

These differences are:

'Single Sign-On' item is missing for the external LDAP user

'Solutions > Client Plug-Ins' item is missing for the external LDAP user

'Deployment > System Configuration' shows 0 Nodes and Services, and the message "You do not have permissions to view this page. You must be a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On to access System Configuration.".

If I try to add the external LDAP user to SytemConfiguration.Administrators group (or any other group) I get an error saying that 'One or more of the specified principals was already part of the group'.

Is it possible to have the same privileges for the externally authenticated users as for local users, and, if so, how is this achieved?

Thanks in advance.

joelgb · ‎09-07-2016

I had the same issue recently when setting up a vSphere 6 environment with generic LDAP (openLDAP) for SSO. I found this posting doing a search and want to leave a potential answer for others having the same issue and finding this post.

I'm not sure if it was correct, but I added "rights" to my LDAP group in Access Control -> Global Permissions NOT in Single Sign-On -> Users and Groups. Seems to work for me.

-Joel

Gidrakos · ‎06-20-2019

I just want to confirm this response here and that it still applies for VCSA 6.7.

Was getting the exact same error as OP when trying to add Directory Server users to ANY group. Ignoring this and simply giving Global Permissions (don't forget to propagate to children) fixed the issue.

All

Privileges for OpenLDAP authenticated user