Introduction:
Identity Firewall (IDFW) features allow an NSX-T administrator to create Active Directory user-based Distributed Firewall (DFW) rules. IDFW requires NSX-T access to Active Directory user objects. This access is achieved through an NSX-T to LDAP (Lightweight Directory Access Protocol) connection. Connecting NSX-T to LDAPS is a part of the Identity Firewall Workflow.
Details in this article are based on lessons learned during in-lab testing and by assisting VMware customers to connect NSX-T to an Active Directory LDAPS (Lightweight Directory Access Protocol over SSL) server. It covers both configuration caveats and troubleshooting options.
Summary of Lessons Learned:
Let’s get straight to the good stuff. Here is a quick summary of lessons learned when connecting NSX-T to LDAPS:
- collect Active Directory domain details using nbtstat
- use netcat to validate NSX-T Manager connectivity
- use openssl to validate LDAPS SSL connectivity
- collect Active Directory domain details using Ldp Utility
- establish LDAP connectivity first, to validate Active Directory domain parameters
- once you can sync AD with the correct LDAP settings, move on to LDAPS
- only use the default LDAP port 389 and LDAPS port 636
- custom TCP ports are not supported
- LDAPS communication to a global catalog server over TCP 3269 is not supported
- in the NSX-T UI, you can’t add an LDAP Server without adding an Active Directory
- adding an Active Directory forces you to add an LDAP Server
- when specifying the LDAP Server Username, don’t include a domain
- with vCenter Server, if you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity source, a Choose certificate button appears
- with NSX-T, the Manager retrieves the LDAPS server's certificate automatically when the LDAP Server is added, so there is nothing to upload; whatever certificate the server presents on that first connection is what gets trusted, so confirm with openssl that it is the one issued by your AD CA before relying on it
Let’s review each of these lessons learned in more detail.
Collect Active Directory domain details with nbtstat:
To retrieve the NetBIOS name of your domain, run nbtstat /n in a command window on a domain-joined Windows workstation or on a domain controller. In the NetBIOS Local Name Table, the entry with the <00> suffix and type GROUP is the domain's NetBIOS name; the <00> UNIQUE entry is the computer name, so check the type as well as the suffix.
C:\Users\Administrator> nbtstat /n

Ethernet1:
Node IpAddress: [192.168.110.10] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    AD01           <00>  UNIQUE      Registered
    HYPERVIZOR     <00>  GROUP       Registered    <---- NetBIOS name
    HYPERVIZOR     <1C>  GROUP       Registered
    AD01           <20>  UNIQUE      Registered
    HYPERVIZOR     <1B>  UNIQUE      Registered
Use netcat to validate NSX-T Manager connectivity:
In this example, my Microsoft Windows 2012 R2 LDAP Server ad01.core.hypervizor.com is at IP address 192.168.70.20. Let’s use the Linux netcat utility to verify that NSX-T Manager can reach the LDAP server over the default LDAP port 389 and LDAPS port 636:
nsxtmgr02> st en
root@nsxtmgr02:~# nc -zv ad01.core.hypervizor.com 389
Connection to ldapserver.core.hypervizor.com 389 port [tcp/ldap] succeeded!
root@nsxtmgr02:~# nc -zv ad01.core.hypervizor.com 636
Connection to ldapserver.core.hypervizor.com 636 port [tcp/ldaps] succeeded!

We are looking for the keyword succeeded. That confirms only that the TCP handshake completes (no firewall or routing problem in the path); it says nothing yet about TLS or about the directory service behind the port.
Use openssl to validate LDAPS SSL connectivity:
LDAPS is LDAP over TLS (Transport Layer Security, the successor to SSL): the LDAP client (NSX-T Manager) opens a TLS session to the LDAP server (Active Directory) on TCP 636, authenticates the server by the certificate it presents, and encrypts the exchange with the negotiated cipher suite. To test beyond plain TCP reachability, run openssl s_client from the NSX-T Manager:
There is no TLS on LDAP port 389, as expected. Active Directory resets the connection (write:errno=104) because it receives a TLS ClientHello on a port that speaks plaintext LDAP, so openssl gets no certificate and no cipher:

root@nsxtmgr02:~# openssl s_client -connect ad01.core.hypervizor.com:389
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 305 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1563357359
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Do not be misled by Verify return code: 0 (ok) here: nothing was verified, because no certificate was ever presented. The line to read is no peer certificate available.

A TLS session is established to LDAPS port 636, as expected, and the server presents its certificate (which carries its public key) during the handshake:

root@nsxtmgr02:~# openssl s_client -connect ad01.core.hypervizor.com:636
CONNECTED(00000003)
depth=0 CN = ad01.core.hypervizor.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ad01.core.hypervizor.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/CN=ad01.core.hypervizor.com
   i:/DC=com/DC=hypervizor/DC=core/CN=core-AD01-CA
Server certificate
-----BEGIN CERTIFICATE-----
MIIGFTCCBP2gAwIBAgITZQAAAAqJlBmoIoXdCAAAAAAACjANBgkqhkiG9w0BAQUF
ADBeMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKaHlwZXJ2
aXpvcjEUMBIGCgmSJomT8ixkARkWBGNvcmUxFTATBgNVBAMTDGNvcmUtQUQwMS1D
QTAeFw0xODEyMjExNDU4NTJaFw0xOTEyMjExNDU4NTJaMCMxITAfBgNVBAMTGGFk
MDEuY29yZS5oeXBlcnZpem9yLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAK5WnHFEUGLZ5eTFywoDmQzK4G7bqIgfksT4/9dF4BwiQFLhbUq5msWr
qahC07/KOJ3ID2MOpNzCg2eedu8xcE/PRXjqWNOZAmuRIt87jyJFVRjrhOxP5uSt
cQHd0xl1gS+MoHW0zNkh3cmVZGymC3kgrkEyfzuAYo4QdUHktDR7wLzezTuqJu9i
LiH9QFbGQGSJB93ClXwA4E3nKLgnlTuUiLNh4MvUSivF0K/5q4qaEZI4wKvhTREZ
eVZ5BTD7WlH8LsUQYJPKK9nsi7hr0e7hOafnSGAevyntSV/NtU6tEOCqjLPvb8h7
WBQ+u2AesjtMXEGpNosJiAsR58HDQ6kCAwEAAaOCAwUwggMBMC8GCSsGAQQBgjcU
AgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNVHSUEFjAU
BggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqGSIb3DQEJ
DwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgBZQME
ASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYFKw4D
AgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFGl4sfdQgKJBtC5/+LolFPO5iFynMB8G
A1UdIwQYMBaAFJS9gK1T6gSHoWJgYcCjXFdrnu4uMIHSBgNVHR8EgcowgccwgcSg
gcGggb6GgbtsZGFwOi8vL0NOPWNvcmUtQUQwMS1DQSxDTj1hZDAxLENOPUNEUCxD
Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1
cmF0aW9uLERDPWNvcmUsREM9aHlwZXJ2aXpvcixEQz1jb20/Y2VydGlmaWNhdGVS
ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBv
aW50MIHJBggrBgEFBQcBAQSBvDCBuTCBtgYIKwYBBQUHMAKGgalsZGFwOi8vL0NO
PWNvcmUtQUQwMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs
Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1jb3JlLERDPWh5cGVydml6
b3IsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZp
Y2F0aW9uQXV0aG9yaXR5MEQGA1UdEQQ9MDugHwYJKwYBBAGCNxkBoBIEEJ8qDb83
2hRPtK3uOX0m2ZqCGGFkMDEuY29yZS5oeXBlcnZpem9yLmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEALmc2ATMLKGUNiQNkxTc9b8KAyhL+ZO8aXv2i+NEOlp6Rifn42TZk
ZqRme9qCxBbd5ZPNEQxNSPT6nT9vZymuJHbgZzGrDPNsIND5LBSjr9bZIC2eV+Be
VW+vaVsKqeOVzVsHNswQlCWVp6vE+D68uRLUz37WIjLXq0XJKmgWQlBt36SntE8p
CUQFbuFah2+tuCduCcSXuOpF2VjWjnjGfikd0yje62t16BIt83t512dq05k/d6vr
k32fQh9o4KPP8eldGeHBB2uAZVbDJGvtZsXEDmXloR3GKy/kI4I7Zj8hHfrzIfWM
JKPnkz+dcfmwVIIc5TyXm5V9MNeCKNdefA==
-----END CERTIFICATE-----
subject=/CN=ad01.core.hypervizor.com
issuer=/DC=com/DC=hypervizor/DC=core/CN=core-AD01-CA
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 2127 bytes and written 499 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 980200004A9ADDEAB444609235F1C4DAC8C6C76D242F332FA5F617B2127B3CEA
    Session-ID-ctx:
    Master-Key: E543D139292570C0875CBA97282390B96BAE4E2F2669808AD030104EEB3CB63956C03FC2B2C7EA2FEC3E76705FE5A4CA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1563357388
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Verify return code 21 (unable to verify the first certificate) is not a connectivity problem: the certificate was issued by the lab CA core-AD01-CA, which is not in the openssl trust store on the NSX-T Manager. Export that CA certificate from Active Directory, save it as a PEM file, and repeat the test with -CAfile pointing at it (adding -verify_hostname ad01.core.hypervizor.com); the result should then be Verify return code: 0 (ok), with the subject matching the host name you will enter for the LDAP Server. This is the same trust decision NSX-T makes when it fetches the server certificate automatically, so getting a clean 0 (ok) here is what tells you the certificate NSX-T picked up is the genuine one. One more thing worth noticing in this output: Peer signing digest: SHA1, and the certificate itself is signed with sha1WithRSAEncryption. That is fine for a lab, but a production AD CA should be issuing SHA-256 signed certificates.
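The nbtstat, netcat and openssl checks above, collected into one small pre-flight script. This is an added example, not code from the original post. It assumes a POSIX shell with awk, sed and tr, plus nc and openssl for the live checks (both are in the NSX-T Manager root shell) and ldapsearch (OpenLDAP client) only if you call rootdse; the host name, CA file path and bind user in it are placeholders, and the nbtstat and openssl samples are constructed in the shape of the output shown above so the parsing parts run offline.

```shell
#!/bin/sh
# Pre-flight checks for an NSX-T Manager -> Active Directory LDAP/LDAPS link.
# Added example, not code from the original post. Assumptions: POSIX shell
# with awk, sed and tr; nc and openssl for the live checks; ldapsearch only
# for rootdse; host, CA file and bind user below are placeholders.

# NSX-T IDFW supports only the default ports: 389 for LDAP and 636 for LDAPS.
# Global catalog ports (3268/3269) and custom ports are not supported.
check_ldap_port() {
    case "$1" in
        389)       echo "389: LDAP, supported" ;;
        636)       echo "636: LDAPS, supported" ;;
        3268|3269) echo "$1: global catalog port, not supported by NSX-T"; return 1 ;;
        *)         echo "$1: custom port, not supported by NSX-T"; return 1 ;;
    esac
}

# NetBIOS domain name from 'nbtstat /n' output on stdin: the <00> GROUP entry
# (the <00> UNIQUE entry is the computer name, not the domain). CRLF-safe.
netbios_domain() {
    tr -d '\r' | awk '$2 == "<00>" && $3 == "GROUP" { print $1; exit }'
}

# Summarise 'openssl s_client' output on stdin as one line:
#   verify=<code> subject=<dn> issuer=<dn>
# verify=0     : chain validated against the CA passed with -CAfile
# verify=20/21 : handshake fine, but openssl does not trust the issuing CA
#                (export the AD CA certificate and pass it with -CAfile)
# verify=none  : no certificate presented at all, i.e. not a TLS port (389);
#                this also overrides the misleading "Verify return code: 0"
tls_summary() {
    tr -d '\r' | awk -F': ' '
        /no peer certificate available/ { nocert = 1 }
        /^subject=/ { sub(/^subject=/, ""); subj = $0 }
        /^issuer=/  { sub(/^issuer=/, "");  iss  = $0 }
        /Verify return code:/ { code = $2; sub(/ .*/, "", code) }
        END {
            if (nocert || code == "") { print "verify=none (no certificate presented: not a TLS port)"; exit }
            print "verify=" code " subject=" subj " issuer=" iss
        }'
}

# Live checks (not exercised offline): TCP reachability with nc, then for 636
# a TLS handshake verified against the exported AD CA certificate ($3) and the
# server DNS name. A clean verify=0 here is what NSX-T's trust should match.
preflight() {
    host=$1; port=$2; cafile=$3
    check_ldap_port "$port" || return 1
    nc -zv -w 5 "$host" "$port" || return 1
    if [ "$port" = 636 ]; then
        openssl s_client -connect "$host:$port" -CAfile "$cafile" \
            -verify_hostname "$host" </dev/null 2>/dev/null | tls_summary
    fi
}

# Read the rootDSE over plain LDAP before touching the NSX-T UI: ldapServiceName
# and defaultNamingContext are the values the Ldp step in the post collects.
# An AD simple bind from ldapsearch needs a qualified name (UPN or DOMAIN\user);
# the bare username applies only to the NSX-T LDAP Server form.
rootdse() {
    host=$1; binduser=$2
    ldapsearch -H "ldap://$host:389" -D "$binduser" -W -b '' -s base \
        ldapServiceName defaultNamingContext
}

# Constructed samples in the shape of the nbtstat and openssl output shown in
# the post, so the parsers can be exercised offline.
NBTSTAT_SAMPLE="AD01           <00>  UNIQUE      Registered
HYPERVIZOR     <00>  GROUP       Registered
HYPERVIZOR     <1C>  GROUP       Registered
AD01           <20>  UNIQUE      Registered"

OPENSSL_636_SAMPLE="CONNECTED(00000003)
depth=0 CN = ad01.core.hypervizor.com
verify error:num=21:unable to verify the first certificate
subject=/CN=ad01.core.hypervizor.com
issuer=/DC=com/DC=hypervizor/DC=core/CN=core-AD01-CA
Verify return code: 21 (unable to verify the first certificate)"

OPENSSL_389_SAMPLE="CONNECTED(00000003)
write:errno=104
no peer certificate available
Verify return code: 0 (ok)"

printf '%s\n' "$NBTSTAT_SAMPLE"     | netbios_domain   # HYPERVIZOR
printf '%s\n' "$OPENSSL_636_SAMPLE" | tls_summary      # verify=21 subject=... issuer=...
printf '%s\n' "$OPENSSL_389_SAMPLE" | tls_summary      # verify=none (...)
check_ldap_port 3269 || true                           # not supported, exit 1
# Live use (placeholders): preflight ad01.core.hypervizor.com 636 /tmp/core-AD01-CA.pem
```

The order matters: check_ldap_port first, because a wrong port fails every later step in a way that looks like a firewall or certificate problem; nc next, so a TLS failure is not confused with a closed port; only then openssl with -CAfile, which is the step that actually proves the certificate belongs to your AD CA.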
Collect Active Directory domain details with Ldp.exe:
Ldp is a Microsoft GUI based utility that is a Lightweight Directory Access Protocol (LDAP) client. It allows users to perform operations (such as connect, bind, search, modify, add & delete) against any LDAP-compatible directory, such as Active Directory. It provides all the details required to connect NSX-T to Active Directory and LDAPS.
Reference this article on how to use Microsoft's Ldp.exe utility. Ldp can be downloaded from Microsoft here; it is also installed with the Remote Server Administration Tools (AD DS tools).
Use Ldp to connect to an Active Directory Server using LDAP over TCP port 389, where the SSL checkbox is not selected:
A successful connection will populate the dialog box with the Active Directory parameters required to configure NSX-T:
From the rootDSE attributes in that output:
- ldapServiceName gives the domain: core.hypervizor.com
- defaultNamingContext gives the Base Distinguished Name: DC=core,DC=hypervizor,DC=com
Use Ldp to connect to an Active Directory Server using LDAPS over TCP port 636, where the SSL checkbox is selected:
Once again, a successful connection will populate the dialog box with the same Active Directory parameters required to configure NSX-T:
Establish LDAP connectivity first, to validate Active Directory domain parameters:
Now that we've validated connectivity and collected the required AD parameters, it's time to set up Active Directory and the LDAP Server in NSX-T.
The Active Directory and LDAP Server setups are interdependent in the UI:
- In the NSX-T UI, you can’t add an LDAP Server without adding an Active Directory.
- Adding an Active Directory forces you to add an LDAP Server.
Start by adding an Active Directory:
- Name: core.hypervizor.com
- NetBIOS Name, collected with nbtstat: HYPERVIZOR
- Base Distinguished name is: DC=core,DC=hypervizor,DC=com
Note that you can't save these settings until an LDAP Server is defined:
When specifying the LDAP Server Username, don't include a domain, just the username. In my lab the username is administrator:
These settings worked; Active Directory has been updated successfully and has completed a Full Sync:
Once you can sync AD with the correct LDAP settings, move on to LDAPS:
Change the LDAP Server Protocol to LDAPS, the Port to 636, and then re-enter the credentials:
Once again, verify that Active Directory has been updated successfully, and that AD Full Sync is successful:
LDAP/LDAPS Failure to connect message:
When attempting to connect NSX-T to LDAPS, the following error means that the LDAP Server connection is not configured correctly. In this case the target port was set to TCP 3269, the global catalog LDAPS port, which NSX-T does not support:
Related NSX-T Manager logs. In /var/log/proton/nsxapi.log, note the incorrect port 3269 in the audited request, followed by the error it causes:

2019-07-18T01:14:24.365Z INFO http-nio-127.0.0.1-7440-exec-2 AuditingServiceImpl - DIRECTORY-SERVICE [nsx@6876 audit="true" comp="nsx-manager" reqId="d8bd10b3-56d1-460e-b41e-10d3edb0f824" subcomp="manager"] UserName="admin", ModuleName="DirectoryService", Operation="CreateDirectoryLdapServer", Operation status="failure", New value=["ec290b3e-8b43-47d3-b827-dcdcd06d7955" {"host":"ad01.core.hypervizor.com","port":3269,"protocol":"LDAPS","username":"administrator","display_name":"ad01.core.hypervizor.com","_protection":"UNKNOWN"}]
2019-07-18T01:14:24.365Z ERROR http-nio-127.0.0.1-7440-exec-2 DirectoryServiceFacadeImpl - DIRECTORY-SERVICE [nsx@6876 comp="nsx-manager" subcomp="manager"] Error updating directory domain: LDAPS socket factory installing throws exception with LDAP server 'ad01.core.hypervizor.com' and baseDn 'null'.

The same failure is recorded in /var/log/nsx-audit.log:

<182>1 2019-07-18T01:14:24.366Z nsxtmgr02 NSX 5141 - [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] UserName:'admin' ModuleName:'DirectoryService' Operation:'PUT@/api/v1/directory/domains/ec290b3e-8b43-47d3-b827-dcdcd06d7955' Operation status: 'failure' Error: LDAPS socket factory installing throws exception with LDAP server 'ad01.core.hypervizor.com' and baseDn 'null'.
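A quick triage of those audit lines, added here as an example and not code from the original post. It assumes the nsxapi.log line format shown above (a DirectoryService audit record whose New value JSON carries "host", "port" and "protocol"), and the three sample lines it embeds are constructed after that excerpt: the page's 3269 failure, a failure with LDAPS pointed at 389, and a success on 636 that must be ignored.

```shell
#!/bin/sh
# Triage DirectoryService failures in /var/log/proton/nsxapi.log.
# Added example, not from the original post; assumes the audit-line format in
# the excerpt above. Live use: ldap_failures < /var/log/proton/nsxapi.log

# For each failed create/update of a directory LDAP server, print
#   <host> <port> <protocol> <verdict>
# so a wrong port or a protocol/port mix-up is visible before you start
# chasing credentials or certificates. Trailing whitespace in the protocol
# value (as in a line-wrapped log copy) is stripped by 'read'.
ldap_failures() {
    tr -d '\r' \
    | grep 'ModuleName="DirectoryService"' \
    | grep 'Operation status="failure"' \
    | sed -n 's/.*"host":"\([^"]*\)".*"port":\([0-9]*\).*"protocol":"\([^"]*\)".*/\1 \2 \3/p' \
    | while read -r host port proto; do
        case "$proto:$port" in
            LDAP:389|LDAPS:636) verdict="port ok, look at credentials or TLS trust" ;;
            LDAP:636|LDAPS:389) verdict="protocol/port mismatch" ;;
            *:3268|*:3269)      verdict="global catalog port not supported" ;;
            *)                  verdict="custom port not supported" ;;
        esac
        printf '%s %s %s %s\n' "$host" "$port" "$proto" "$verdict"
    done
}

# Constructed sample modelled on the nsxapi.log excerpt in the post.
NSXAPI_SAMPLE='2019-07-18T01:14:24.365Z INFO http-nio-127.0.0.1-7440-exec-2 AuditingServiceImpl - DIRECTORY-SERVICE [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] UserName="admin", ModuleName="DirectoryService", Operation="CreateDirectoryLdapServer", Operation status="failure", New value=["ec290b3e-8b43-47d3-b827-dcdcd06d7955" {"host":"ad01.core.hypervizor.com","port":3269,"protocol":"LDAPS","username":"administrator","display_name":"ad01.core.hypervizor.com","_protection":"UNKNOWN"}]
2019-07-18T01:20:02.118Z INFO http-nio-127.0.0.1-7440-exec-5 AuditingServiceImpl - DIRECTORY-SERVICE [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] UserName="admin", ModuleName="DirectoryService", Operation="CreateDirectoryLdapServer", Operation status="failure", New value=["ec290b3e-8b43-47d3-b827-dcdcd06d7955" {"host":"ad01.core.hypervizor.com","port":389,"protocol":"LDAPS","username":"administrator","display_name":"ad01.core.hypervizor.com","_protection":"UNKNOWN"}]
2019-07-18T01:25:40.902Z INFO http-nio-127.0.0.1-7440-exec-7 AuditingServiceImpl - DIRECTORY-SERVICE [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] UserName="admin", ModuleName="DirectoryService", Operation="CreateDirectoryLdapServer", Operation status="success", New value=["ec290b3e-8b43-47d3-b827-dcdcd06d7955" {"host":"ad01.core.hypervizor.com","port":636,"protocol":"LDAPS","username":"administrator","display_name":"ad01.core.hypervizor.com","_protection":"UNKNOWN"}]'

printf '%s\n' "$NSXAPI_SAMPLE" | ldap_failures
# ad01.core.hypervizor.com 3269 LDAPS global catalog port not supported
# ad01.core.hypervizor.com 389 LDAPS protocol/port mismatch
```

The "LDAPS socket factory installing throws exception" text in the ERROR line is the same whether the port is wrong, the host is unreachable or the certificate cannot be validated, which is why the audited request with its port and protocol is the more useful line to read.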
For additional detail, this VMware article expands on how to Add an LDAP Server as described in the NSX-T Data Center Administration Guide.
This concludes connecting NSX-T to LDAPS, and a review of lessons learned. If you’re interested in some further reading, check out my previous article on Tier-0 Connectivity to Physical.
Great post! I’ll be trying this out in my home lab soon!