
Single Sign On (aka SSO) and LDAP


I am at my wits' end and wish to query the masses for any assistance.  I upgraded vCenter from 5.0 to 5.1 and have had the joy of fighting with SSO.  I am able to configure SSO to authenticate Active Directory users, but a majority of my users are housed in an LDAP server.  I have successfully created an Open LDAP Identity source which tests successfully.  The problem I am facing is the "@" symbol when I am trying to log into the Web Client.  The LDAP UID for our organization is the email address (and unfortunately the organization is very large and changing the uid would be impossible).  This UID is problematic due to how VMware's SSO implementation parses out the @ symbol to determine domain name.  When I specify joe.user@domain.com, which is the UID, I am able to determine from the SSO logs that VMware tries to find an Identity Source with "domain.com" and then passes "joe.user" for the uid.  This of course fails because the LDAP server has no UID of "joe.user" but rather has a UID of joe.user@domain.com.  I've even gotten creative and have tried combinations such as "domain.com\joe.user@domain.com" but this also fails because VMware is still glomming onto the characters after the @ symbol for the domain portion and submits only "joe.user" for the UID.

 

How can I get VMware's SSO implementation to keep the @ symbol intact in the UID and not parse it out for the domain (Identity Source) identification?  If this is not possible, I have another unique field in our LDAP that I could use for authentication.  It appears from perusing the SSO database that I might be able to change the PRINCIPAL_MAP_RDN field in the IMS_IDENTITY_SOURCE table from UID to this other unique identifier, but after a change and a restart of the appropriate services I still can't get it to work.

 

Your help is much appreciated.
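
The login-name split described in the post, modelled as an added example (not part of the original post and not VMware code) next to a hypothetical prefix-first split that keeps the uid intact. The directory contents, the DN and both function names are assumptions; the handling of the `DOMAIN\` prefix in `split_as_described` is inferred only from the result the poster reports.

```python
# Constructed model of the login-name handling described in the post.
# Not VMware code: directory contents and both splitters are assumptions.

# Constructed directory: the LDAP uid is the full e-mail address.
DIRECTORY = {
    "domain.com": {
        "joe.user@domain.com": "cn=Joe User,ou=people,dc=domain,dc=com",
    }
}


def split_as_described(login):
    """Split the way the post's SSO logs suggest: the text after the last
    '@' names the identity source and only the text before it becomes the
    uid. A leading 'DOMAIN\\' prefix is dropped, because the post reports
    that the '@' suffix still decides the domain."""
    if "\\" in login:
        login = login.split("\\", 1)[1]
    if "@" not in login:
        return None, login
    uid, domain = login.rsplit("@", 1)
    return domain, uid


def split_prefix_first(login):
    """Hypothetical alternative: an explicit 'DOMAIN\\' prefix selects the
    identity source and the remainder is kept whole as the uid."""
    if "\\" in login:
        domain, uid = login.split("\\", 1)
        return domain, uid
    return split_as_described(login)


def lookup(login, splitter):
    """Return the DN matched for the login, or None when no uid matches."""
    domain, uid = splitter(login)
    return DIRECTORY.get(domain, {}).get(uid)


if __name__ == "__main__":
    for login in ("joe.user@domain.com", "domain.com\\joe.user@domain.com"):
        for splitter in (split_as_described, split_prefix_first):
            print(login, splitter.__name__, splitter(login),
                  "->", lookup(login, splitter))
```

With the described split, both login forms search for uid `joe.user` and find nothing; only the hypothetical prefix-first split resolves the prefixed form to the directory entry.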

