
Connecting NSX-T to LDAPS

Introduction:

Identity Firewall (IDFW) features allow an NSX-T administrator to create Active Directory user-based Distributed Firewall (DFW) rules. IDFW requires NSX-T access to Active Directory user objects. This access is achieved through an NSX-T to LDAP (Lightweight Directory Access Protocol) connection. Connecting NSX-T to LDAPS is a part of the Identity Firewall Workflow.

Details in this article are based on lessons learned during in-lab testing and by assisting VMware customers to connect NSX-T to an Active Directory LDAPS (Lightweight Directory Access Protocol over SSL) server. It covers both configuration caveats and troubleshooting options.

Summary of Lessons Learned:

Let’s get straight to the good stuff. Here is a quick summary of lessons learned when connecting NSX-T to LDAPS:

  • collect Active Directory domain details using nbtstat
  • use netcat to validate NSX-T Manager connectivity
  • use openssl to validate LDAPS SSL connectivity
  • collect Active Directory domain details using Ldp Utility
  • establish LDAP connectivity first, to validate Active Directory domain parameters
  • once you can sync AD with the correct LDAP settings, move on to LDAPS
  • only use the default LDAP port 389 and LDAPS port 636
  • custom TCP ports are not supported
  • LDAPS communication to a global catalog server over TCP 3269 is not supported
  • in the NSX-T UI, you can’t add an LDAP Server without adding an Active Directory
  • adding an Active Directory forces you to add an LDAP Server
  • when specifying the LDAP Server Username, don’t include a domain
  • with vCenter Server, if you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity source, a Choose certificate button appears
  • with NSX-T, the Manager retrieves the LDAPS server’s certificate automatically, so it does not need to be specified

Let’s review each of these lessons learned in more detail.

Collect Active Directory domain details with nbtstat:

To retrieve the NetBIOS name for your domain, enter nbtstat /n in a command window on a Windows workstation that is joined to the domain, or on a domain controller. In the NetBIOS Local Name Table, the entry tagged <00> with type GROUP is the NetBIOS domain name.

C:\Users\Administrator> nbtstat /n
 Ethernet1:
 Node IpAddress: [192.168.110.10] Scope Id: []

NetBIOS Local Name Table    
Name               Type         Status 
--------------------------------------------- 
AD01           <00>  UNIQUE      Registered 
HYPERVIZOR     <00>  GROUP       Registered    <---- netBIOS name
HYPERVIZOR     <1C>  GROUP       Registered 
AD01           <20>  UNIQUE      Registered 
HYPERVIZOR     <1B>  UNIQUE      Registered

Use netcat to validate NSX-T Manager connectivity:

In this example, my Microsoft Windows 2012 R2 LDAP Server ad01.core.hypervizor.com is at IP address 192.168.70.20. Let’s use the Linux netcat utility to verify that NSX-T Manager can reach the LDAP server over the default LDAP port 389 and LDAPS port 636:

nsxtmgr02> st en
root@nsxtmgr02:~# nc -zv ad01.core.hypervizor.com 389
Connection to ldapserver.core.hypervizor.com 389 port [tcp/ldap] succeeded!
root@nsxtmgr02:~# nc -zv ad01.core.hypervizor.com 636
Connection to ldapserver.core.hypervizor.com 636 port [tcp/ldaps] succeeded!

We are looking for the keyword succeeded, which confirms that TCP connectivity to each port is in place.

Use openssl to validate LDAPS SSL connectivity:

LDAPS is LDAP over SSL, meaning that the LDAP connection between the LDAP client (NSX-T Manager) and the LDAP server (Active Directory) is authenticated and encrypted by TLS (Transport Layer Security): the server authenticates itself with its certificate, and the data exchange is encrypted with one of the cipher suites the two sides negotiate. To further test connectivity we can use Linux based OpenSSL as follows:

Notice that there is no SSL connection to LDAP port 389, as expected:

root@nsxtmgr02:~# openssl s_client -connect ad01.core.hypervizor.com:389
 CONNECTED(00000003)
 write:errno=104
 no peer certificate available
 No client certificate CA names sent
 SSL handshake has read 0 bytes and written 305 bytes
 New, (NONE), Cipher is (NONE)
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1563357359
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)


SSL connectivity is established to LDAPS port 636, as expected; during the handshake the server sends its certificate, which carries the LDAPS server’s public key:

 root@nsxtmgr02:~# openssl s_client -connect ad01.core.hypervizor.com:636
 CONNECTED(00000003)
 depth=0 CN = ad01.core.hypervizor.com
 verify error:num=20:unable to get local issuer certificate
 verify return:1
 depth=0 CN = ad01.core.hypervizor.com
 verify error:num=21:unable to verify the first certificate
 verify return:1
 Certificate chain
  0 s:/CN=ad01.core.hypervizor.com
    i:/DC=com/DC=hypervizor/DC=core/CN=core-AD01-CA
 Server certificate
 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----
 subject=/CN=ad01.core.hypervizor.com
 issuer=/DC=com/DC=hypervizor/DC=core/CN=core-AD01-CA
 No client certificate CA names sent
 Client Certificate Types: RSA sign, DSA sign, ECDSA sign
 Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
 Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
 Peer signing digest: SHA1
 Server Temp Key: ECDH, P-256, 256 bits
 SSL handshake has read 2127 bytes and written 499 bytes
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-SHA384
     Session-ID: 980200004A9ADDEAB444609235F1C4DAC8C6C76D242F332FA5F617B2127B3CEA
     Session-ID-ctx:
     Master-Key: E543D139292570C0875CBA97282390B96BAE4E2F2669808AD030104EEB3CB63956C03FC2B2C7EA2FEC3E76705FE5A4CA
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1563357388
     Timeout   : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
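As an added example (not part of the original article, and not a VMware tool), the netcat and openssl checks above can be combined into one pre-flight script to run from the NSX-T Manager shell. The ldaps_verdict function parses s_client output and treats the "Verify return code: 0 (ok)" that the port 389 run above prints after a failed handshake as a failure, not a pass; the live ldaps_check function assumes you supply a file containing the issuing AD CA certificate, which is what the "verify return code 21" above is missing.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check for an
# LDAPS server before it is entered in the NSX-T UI.  It wraps the nc and
# openssl s_client checks and parses the s_client output for what matters:
# a cipher was negotiated, the chain verified, the subject names the host.
# Read openssl s_client output on stdin and print a verdict.
# Exit status: 0 OK, 1 no TLS handshake, 2 chain not verified, 3 name mismatch.
ldaps_verdict() {
    expect_host=$1
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *New, .*Cipher is //p' | head -n1)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n1)
    subject=$(printf '%s\n' "$out" | sed -n 's/^ *subject=//p' | head -n1)
    # A failed handshake on port 389 still reports "Verify return code: 0 (ok)",
    # so the cipher line is checked first.
    if [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
        echo "FAIL: no TLS handshake (plain LDAP port, or TLS blocked)"; return 1
    fi
    if [ "$code" != "0" ]; then
        echo "WARN: TLS up ($cipher) but verify code $code; retry with -CAfile <AD CA cert>"; return 2
    fi
    case "$subject" in
        *"$expect_host"*) ;;
        *) echo "FAIL: subject '$subject' does not name $expect_host"; return 3 ;;
    esac
    echo "OK: $cipher, chain verified, subject $subject"
}

# Live check (not executed here): both default ports with nc, then s_client on
# 636 with the issuing CA file (path assumed) so the chain can be verified.
ldaps_check() {
    host=$1; cafile=$2
    nc -zv "$host" 389 && nc -zv "$host" 636 || return 1
    openssl s_client -connect "$host:636" -CAfile "$cafile" </dev/null 2>/dev/null | ldaps_verdict "$host"
}

# Constructed samples, trimmed to the shape of the article's two s_client runs.
SAMPLE_389='CONNECTED(00000003)
write:errno=104
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)'
SAMPLE_636='CONNECTED(00000003)
subject=/CN=ad01.core.hypervizor.com
issuer=/DC=com/DC=hypervizor/DC=core/CN=core-AD01-CA
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$SAMPLE_389" | ldaps_verdict ad01.core.hypervizor.com || echo "  (exit $?)"
printf '%s\n' "$SAMPLE_636" | ldaps_verdict ad01.core.hypervizor.com || echo "  (exit $?)"
```

Run the live check as `ldaps_check ad01.core.hypervizor.com /path/to/core-AD01-CA.pem`; an OK verdict means the same certificate NSX-T Manager fetches automatically will chain to a CA you actually trust.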

Collect Active Directory domain details with Ldp.exe:

Ldp is a Microsoft GUI based utility that is a Lightweight Directory Access Protocol (LDAP) client. It allows users to perform operations (such as connect, bind, search, modify, add & delete) against any LDAP-compatible directory, such as Active Directory. It provides all the details required to connect NSX-T to Active Directory and LDAPS.

Reference this article on how to use Microsoft’s Ldp.exe utility. Ldp can be downloaded from Microsoft here.

Use Ldp to connect to an Active Directory Server using LDAP over TCP port 389, where the SSL checkbox is not selected:


A successful connection will populate the dialog box with the Active Directory parameters required to configure NSX-T:


From this output:

  • ldapServiceName is: core.hypervizor.com
  • Base Distinguished name is: DC=core,DC=hypervizor,DC=com

Use Ldp to connect to an Active Directory Server using LDAPS over TCP port 636, where the SSL checkbox is selected:


Once again, a successful connection will populate the dialog box with the same Active Directory parameters required to configure NSX-T:


Establish LDAP connectivity first, to validate Active Directory domain parameters:

Now that we’ve validated connectivity and collected the required AD parameters, it’s time to set up AD and LDAP on NSX-T.

The Active Directory and LDAP Server setups are interdependent in the UI:

  • In the NSX-T UI, you can’t add an LDAP Server without adding an Active Directory.
  • Adding an Active Directory forces you to add an LDAP Server.

Start by adding an Active Directory:

  • Name: core.hypervizor.com
  • NetBIOS Name, collected with nbtstat: HYPERVIZOR
  • Base Distinguished name is: DC=core,DC=hypervizor,DC=com

Note that you can’t save these settings until an LDAP Server is defined:

Note here that when specifying the LDAP Server Username, don’t include a domain, just the Username. In my lab the username is administrator:

These settings worked; Active Directory has been updated successfully and has completed Full Sync:

Once you can sync AD with the correct LDAP settings, move on to LDAPS:

Change the LDAP Server Protocol to LDAPS, the Port to 636, and then re-enter the credentials:

Once again, verify that Active Directory has been updated successfully, and that AD Full Sync is successful:

LDAP/LDAPS Failure to connect message:

When attempting to connect NSX-T to LDAPS, the following error means that the LDAP Server connection is not configured correctly. In this case the target LDAP port is incorrectly configured to the unsupported TCP port 3269:

Related NSX-T Manager logs:

/var/log/proton/nsxapi.log
- note the incorrect port 3269 is specified:

2019-07-18T01:14:24.365Z  INFO http-nio-127.0.0.1-7440-exec-2 AuditingServiceImpl - DIRECTORY-SERVICE [nsx@6876 audit="true" comp="nsx-manager" reqId="d8bd10b3-56d1-460e-b41e-10d3edb0f824" subcomp="manager"] UserName="admin", ModuleName="DirectoryService", Operation="CreateDirectoryLdapServer", Operation status="failure", New value=["ec290b3e-8b43-47d3-b827-dcdcd06d7955" {"host":"ad01.core.hypervizor.com","port":3269,"protocol":"LDAPS","username":"administrator","display_name":"ad01.core.hypervizor.com","_protection":"UNKNOWN"}]
2019-07-18T01:14:24.365Z ERROR http-nio-127.0.0.1-7440-exec-2 DirectoryServiceFacadeImpl - DIRECTORY-SERVICE [nsx@6876 comp="nsx-manager" subcomp="manager"] Error updating directory domain: LDAPS socket factory installing throws exception with LDAP server 'ad01.core.hypervizor.com' and baseDn 'null'.

/var/log/nsx-audit.log

<182>1 2019-07-18T01:14:24.366Z nsxtmgr02 NSX 5141 - [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] UserName:'admin' ModuleName:'DirectoryService' Operation:'PUT@/api/v1/directory/domains/ec290b3e-8b43-47d3-b827-dcdcd06d7955'Operation status: 'failure' Error: LDAPS socket factory installing throws exception with LDAP server 'ad01.core.hypervizor.com' and baseDn 'null'.
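As an added example (not from the original article or from VMware), the nsxapi.log audit line above can be scanned for failed LDAP Server operations so the submitted host, port and protocol are pulled out and checked against the supported-port rule from the summary. The first sample line is the article’s own audit line re-joined; the second is a constructed success event included to show it is filtered out.

```shell
#!/bin/sh
# Added example, not from the original article: scan an NSX-T Manager
# nsxapi.log for failed Directory Service LDAP server operations and report
# the host, port and protocol that were submitted, flagging unsupported ports.

# Print "host port protocol" for each failed *DirectoryLdapServer audit line
# on stdin (one line per event; wrapped lines must be joined first).
failed_ldap_servers() {
    grep 'Operation status="failure"' | grep 'DirectoryLdapServer' \
    | sed -n 's/.*"host":"\([^"]*\)".*"port":\([0-9]*\).*"protocol":"\([A-Z]*\)".*/\1 \2 \3/p'
}

# The article's rule: LDAP only on 389, LDAPS only on 636; anything else,
# including the global catalog port 3269, is unsupported.  Usage: port_supported PORT PROTO
port_supported() {
    case "$2/$1" in
        LDAP/389|LDAPS/636) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample log: the first line is the article's audit line re-joined; the second
# is a constructed success event to show that it is filtered out.
SAMPLE_LOG='2019-07-18T01:14:24.365Z  INFO http-nio-127.0.0.1-7440-exec-2 AuditingServiceImpl - DIRECTORY-SERVICE [nsx@6876 audit="true" comp="nsx-manager" reqId="d8bd10b3-56d1-460e-b41e-10d3edb0f824" subcomp="manager"] UserName="admin", ModuleName="DirectoryService", Operation="CreateDirectoryLdapServer", Operation status="failure", New value=["ec290b3e-8b43-47d3-b827-dcdcd06d7955" {"host":"ad01.core.hypervizor.com","port":3269,"protocol":"LDAPS","username":"administrator","display_name":"ad01.core.hypervizor.com","_protection":"UNKNOWN"}]
2019-07-18T01:20:02.101Z  INFO http-nio-127.0.0.1-7440-exec-3 AuditingServiceImpl - DIRECTORY-SERVICE [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] UserName="admin", ModuleName="DirectoryService", Operation="CreateDirectoryLdapServer", Operation status="success", New value=[{"host":"ad01.core.hypervizor.com","port":636,"protocol":"LDAPS"}]'

# Report each failed attempt with the most likely cause.
report() {
    printf '%s\n' "$SAMPLE_LOG" | failed_ldap_servers | while read -r host port proto; do
        if port_supported "$port" "$proto"; then
            echo "$host: $proto on $port failed for another reason (credentials, base DN)"
        else
            echo "$host: $proto on port $port is not supported; use 636 for LDAPS, 389 for LDAP"
        fi
    done
}
report
```

On a live Manager, replace the sample with `cat /var/log/proton/nsxapi.log | failed_ldap_servers` after joining any wrapped lines.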

For additional detail, this VMware article expands on how to Add an LDAP Server as described in the NSX-T Data Center Administration Guide.

This concludes connecting NSX-T to LDAPS, and a review of lessons learned. If you’re interested in some further reading, check out my previous article on Tier-0 Connectivity to Physical.
