I recently upgraded to vCenter Server 5.1 from 5.0 and was able to get SSO installed just fine and was very excited about being able to authenticate to vCenter using my eDirectory accounts.
So I attempted to set up an OpenLDAP Identity source, and that is where the issues began.
First off, the documentation for setting up OpenLDAP sources is lacking, and the nomenclature is obviously for Microsoft AD LDAP.
I cannot complete the setup without specifying a domain object, which any LDAP directory (especially eDirectory) admin will tell you is not required, and I have never used it for any of my 4 other systems that use eDirectory as their LDAP authentication source.
So I create a bogus domain object, specify it and then the base DNs for users and groups and a user to bind as, and everything works; I see my users in SSO.
Then I try to log in and it fails for any eDir user located in my user base DN or a user I created under the domain object.
I did an LDAP trace and talked to some colleagues who know a lot more about LDAP than I do, and found that SSO is querying the LDAP directory for the user's password, which is a problem since many LDAP directories do not return the password attribute due to security issues. A lot of apps will use the bind user to search for the FQDN of the user that is attempting to log in and then perform an authenticated bind using that user and the password they supplied to the app, but apparently VMware does not do that, and I prefer not to introduce a security risk in order to get SSO to work as it should.
I would like to be proven wrong and have someone tell me that it is a mistake on my part, that SSO is really not designed to require a domain object for LDAP directories that do not use or require it, and that they are not asking a directory to return the password attribute to do a local compare on the SSO server.
This really dampens my enthusiasm for SSO, which I saw as a way to open the door outside of AD-only shops, but this is disappointing. It is also surprising since, from what I read, vOrchestrator specifically supports eDirectory, so someone at VMware knows how to deal with eDir.
I really like VMware products and am hoping I can get this working.
Thanks for your help.
Tim
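The two login flows contrasted in the post above, as an added example that is not part of the original post and not VMware's or Novell's code. It runs against a small in-memory stand-in for an LDAP directory (the DNs, account names, passwords and ACL behaviour are all constructed for the example): bind as a service account, resolve the login name to a DN, then bind as that DN with the user's own password, versus reading userPassword over the service bind and comparing locally. The stand-in withholds userPassword from anyone but the entry's own DN, the way an OpenLDAP ACL such as `access to attrs=userPassword by self write by anonymous auth by * none` does, so the second flow cannot succeed while the first is unaffected. It also escapes the login name per RFC 4515 before putting it in the search filter, a check any search-then-bind implementation needs.

```python
import base64
import hashlib
import hmac
import os
import re


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Server-side check of a {SSHA} value; this is what a simple bind does."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def escape_filter_value(value):
    """RFC 4515 escaping so a login name typed by the user cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _value_pattern(value):
    """Filter value -> regex: an unescaped '*' is a wildcard, \\xx escapes are literals."""
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return re.compile("^" + ".*".join(re.escape(unescape(p)) for p in value.split("*")) + "$")


class Directory:
    """Stand-in LDAP server (constructed for this example). Bind verifies the hash
    on the server; search returns userPassword only to the entry's own DN."""

    def __init__(self, entries):
        self.entries = entries  # dn -> attribute dict

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and ssha_verify(password, entry["userPassword"])

    def search(self, bound_as, base, ldap_filter):
        m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)  # single equality filter only
        if not m:
            raise ValueError("unsupported filter: %r" % ldap_filter)
        attr, pattern = m.group(1), _value_pattern(m.group(2))
        hits = []
        for dn, attrs in self.entries.items():
            if dn.lower().endswith(base.lower()) and pattern.match(attrs.get(attr, "")):
                visible = {k: v for k, v in attrs.items()
                           if k != "userPassword" or dn == bound_as}  # ACL: userPassword by self only
                hits.append((dn, visible))
        return hits


# Constructed directory contents; the DNs, names and passwords are assumptions.
SVC_DN, SVC_PW = "cn=vcsso,ou=services,o=example", "svc-secret"
USER_BASE = "ou=users,o=example"
DIRECTORY = Directory({
    SVC_DN: {"cn": "vcsso", "userPassword": ssha_hash(SVC_PW)},
    "cn=tim,ou=users,o=example": {"cn": "tim", "uid": "tim", "userPassword": ssha_hash("tim-pw")},
    "cn=alice,ou=users,o=example": {"cn": "alice", "uid": "alice", "userPassword": ssha_hash("alice-pw")},
})


def _find_user(directory, uid):
    """Bind as the service account and resolve the login name to exactly one DN."""
    if not directory.bind(SVC_DN, SVC_PW):
        raise RuntimeError("service account bind failed")
    hits = directory.search(SVC_DN, USER_BASE, "(uid=%s)" % escape_filter_value(uid))
    return hits[0] if len(hits) == 1 else None


def login_search_then_bind(directory, uid, password):
    """Search for the DN, then bind as that DN with the password the user typed.
    The directory does the comparison; the hash never leaves the server."""
    hit = _find_user(directory, uid)
    return hit is not None and directory.bind(hit[0], password)


def login_read_and_compare(directory, uid, password):
    """Read userPassword over the service bind and compare locally. With the
    attribute withheld by the ACL this can never succeed."""
    hit = _find_user(directory, uid)
    if hit is None:
        return False
    stored = hit[1].get("userPassword")
    return stored is not None and ssha_verify(password, stored)


if __name__ == "__main__":
    print("search-then-bind:", login_search_then_bind(DIRECTORY, "tim", "tim-pw"))
    print("read-and-compare:", login_read_and_compare(DIRECTORY, "tim", "tim-pw"))
```

The read-and-compare flow only works if the service account is granted read on userPassword, which is exactly the ACL loosening the post is reluctant to make. Note also that `_find_user` refuses to continue unless the search returns exactly one entry; a wildcard or injected filter that matches several users must fail closed rather than bind as the first hit.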