
Technical Note

Copyright 2007 VMware, Inc. All rights reserved.



Integrating Linux Hosted
ACE Management Server with
Active Directory
VMware ACE 2.0.1
This technical note outlines how Linux hosted ACE Management Server integrates with Active Directory, describes default installations, and outlines basic troubleshooting.
This document applies to the Linux hosted ACE Management Servers, which use RHEL 4 and the Debian-based Virtual Appliance from VMware.
Implementation Overview
ACE Management Server uses LDAP to query Active Directory for user and group information. To access LDAP, ACE uses the SASL authentication abstraction layer. In particular, ACE Management Server uses the GSSAPI authentication method when binding to the LDAP server.
To successfully complete a GSSAPI bind, ACE Management Server makes use of the MIT Kerberos 5 library. ACE Management Server implements a Kerberos client that authenticates users to the Active Directory Key Distribution Center (KDC). Kerberos 5 has been a part of Windows NT since Windows 2000.
The data passed over the LDAP protocol is protected by application-layer encryption (the SASL GSSAPI security layer) keyed from the session key established by the Kerberos authentication exchange. Because the protection comes from the SASL layer rather than from TLS, the connection uses plain port 389 and LDAPS is not required.
Ports in Use
ACE Management Server uses the following ports directly when integrated with Active Directory:
- 389 LDAP traffic
- 88 Kerberos authentication traffic
Port 88 is used over both UDP and TCP: the MIT library tries UDP first and falls back to TCP when the KDC reply does not fit in a datagram, which is common for Active Directory tickets, so a firewall must allow both.
Indirectly, ACE Management Server also uses DNS services (port 53) by default, because the Kerberos library is built to locate the realm and KDC through DNS SRV records.
Active Directory Integration Details
During the configuration phase of the ACE Management Server, the administrator provides the following information:
- LDAP server hostname: The network hostname of the machine that is running your LDAP service (your domain controller). For example, ldap.vmware.com.
- Query user UPN: The account that ACE Management Server uses to log on to the LDAP service to query for user and group information. The format of the user name is user@domain, otherwise known as the user principal name. In the LDAP service the attribute of the user object is called userPrincipalName. For example, ams@vmware.com. This account only needs read access to the user and group objects it queries, and the server keeps its password in order to bind, so use a dedicated low-privilege account rather than an administrative one.
- Query user password: The password for the query user account.
- Default domain: The name of the domain to use by default. This default domain is used when users do not enter domain information while logging in. The format of the domain name is dot-delimited. For example, vmware.com.
- Admin group DN: The LDAP distinguished name (DN) of the group to which ACE administrators belong. Users who use Workstation ACE Edition (WSAE) to create and modify ACEs and instances must belong to this group. The admin group DN is written in LDAP DN syntax, not as a fully qualified domain name. For example, cn=AceAdministrators,cn=Users,dc=vmware,dc=com.
This information is used when ACE authenticates users and verifies group memberships.
ACE Management Server interactions with Active Directory fall into several categories:
- Authentication of administrators in the web configuration UI
- Authentication of administrators or help desk personnel in the Web UI (Helpdesk Web application)
- Authentication of administrators in the Workstation ACE Edition application
- Authentication of end users in the player application
- Proxying change-of-password requests from the player application
Authentication of Users and Accessing the LDAP Service
ACE Management Server uses the MIT Kerberos library for two purposes:
- To authenticate user credentials
- To obtain the credentials needed to complete a GSSAPI bind to the LDAP service as the query user specified during configuration
Both operations are the same Kerberos exchange (obtaining an initial ticket from the KDC with the supplied password), except that for the LDAP bind the tickets received from the KDC after a successful authentication are stored in a credential cache so that the LDAP library can use them. Verifying a password this way trusts whatever host the resolver names as the KDC, which is one reason the DNS requirements below matter.
For the Kerberos library to perform an authentication, your Linux ACE Management Server host machine must be able to resolve certain DNS queries. For more information, read the Kerberos documentation included with your Linux distribution.
- The KDC host is resolved through DNS. This means that your DNS server must answer a query for the _kerberos._tcp.<domain> (and _kerberos._udp.<domain>) SRV records for the specified domain (either the default domain or a domain specified by the user). Active Directory registers these records for each domain controller.
- The domain name must resolve to a valid host IP. For example, vmware.com in your network resolves to ldap.vmware.com's IP address. (An Active Directory domain name normally resolves to the addresses of its domain controllers.)
- Reverse lookups for the KDC must resolve.
- Reverse lookups for the domain name IP must resolve.
- The hostname of the ACE Management Server host must resolve in your DNS.
- A reverse lookup entry for your ACE Management Server host IP must resolve in your DNS.
If any of these DNS queries fail, you get a failure from the Kerberos library. Some of these failures are easy to identify (for example, cannot find KDC for the requested realm) and some are more difficult to identify (for example, a generic "local error").
Troubleshooting Guide
If your ACE Management Server host is having trouble integrating with your AD configuration, follow these steps to determine the problem and how to correct it.
1. Verify your configuration inputs:
   LDAP hostname
   - Can you ping your LDAP host from the ACE Management Server host?
   - Can you do a forward lookup of the hostname from your ACE Management Server host? Enter the nslookup <host name> command to verify.
   - Can you do a reverse lookup of the IP for the LDAP server? Enter the nslookup <ip-address> command. The result should be the same hostname that you have entered into the configuration.
   - Can you connect to port 389 on the LDAP host from the ACE Management Server host? Verify that no firewalls are blocking the connection. To connect to the port, enter the telnet <host name> 389 command.
   Query user information
   - Verify that the user name is correct.
   - Verify that the password is correct and not expired.
   Default domain
   - Verify that the default domain resolves to a valid IP on DNS. Enter the nslookup <domain name> command. For the best results, the default domain should be the domain for which the LDAP server host is a domain controller.
2. Verify that your ACE Management Server host clock is accurate:
   - If the clock on the ACE Management Server host is off by more than 5 minutes from the domain controller, you receive the error message "Clock skew too great".
   - Use NTP to keep your clock accurate, ideally against the same time source the domain controllers use.
3. Verify your local network configuration (ACE Management Server host):
   - Your hostname should resolve on DNS. Enter the nslookup <host name> command.
   - Your IP should have a reverse lookup entry that matches the forward lookup entry. Enter the nslookup <ip address> command.
If any of these entries fail to resolve, or resolve with inaccurate information, you must correct the problem before continuing to run ACE Management Server.
Resolve these DNS resolution problems by modifying the entries in your DNS server or by adding entries to your /etc/hosts file. Note that nslookup queries the DNS server directly and ignores /etc/hosts and the nscd cache, whereas the Kerberos and LDAP libraries resolve names through the C library; getent hosts <name> shows what the libraries will actually see.
After fixing DNS issues, flush the DNS cache on the ACE Management Server host by stopping and starting the NSCD service:
/etc/init.d/nscd restart
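The checks in steps 1 to 3 above, together with the DNS requirements listed under "Authentication of Users and Accessing the LDAP Service", can be run as a single pre-flight script before touching the server configuration. The script below is an added example and is not part of this note or of the ACE Management Server distribution. It resolves names through getent (so /etc/hosts and nscd are honoured, unlike nslookup), asks for the _kerberos._tcp SRV record that the MIT library itself would look up, checks TCP reachability of ports 88 and 389 with nc, and compares the clock with the domain controller through ntpdate -q (domain controllers serve NTP). The script name ams-adcheck.sh, the presence of dig, nc and ntpdate, and the 300-second skew limit are assumptions.

```shell
#!/bin/sh
# ams-adcheck.sh: pre-flight for the DNS, port and clock requirements of the
# ACE Management Server to Active Directory integration.
# Added example, not a VMware script. Tool names and the 300 s limit are assumptions.
set -u

# Normalise a DNS name for comparison: lowercase, strip the trailing dot that dig/host print.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Succeed when a configured host name and the name from a reverse lookup agree.
names_match() {
    [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# Parse one SRV answer ("prio weight port target." as printed by `dig +short`,
# or the longer "... has SRV record prio weight port target." from `host -t SRV`)
# and print "target port". Fails when the line is not an SRV answer.
srv_target() {
    printf '%s\n' "$1" | awk '
        NF >= 4 && $(NF-1) ~ /^[0-9]+$/ && $(NF-2) ~ /^[0-9]+$/ {
            sub(/\.$/, "", $NF); print $NF, $(NF-1); found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Succeed when two clocks (epoch seconds) differ by at most $3 seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$3" ]
}

# Live checks. Usage: ams-adcheck.sh <ldap host> <domain> <this host's name>
run_checks() {
    ldap_host=$1; domain=$2; my_host=$3; rc=0
    # 1. forward lookup of the domain controller and the matching reverse entry
    ldap_ip=$(getent hosts "$ldap_host" | awk '{ print $1; exit }')
    if [ -z "$ldap_ip" ]; then
        echo "FAIL: $ldap_host does not resolve"; rc=1
    else
        rev=$(getent hosts "$ldap_ip" | awk '{ print $2; exit }')
        names_match "$ldap_host" "$rev" ||
            { echo "FAIL: reverse lookup of $ldap_ip gives '$rev', not $ldap_host"; rc=1; }
    fi
    # 2. the domain name itself and this host must resolve
    for n in "$domain" "$my_host"; do
        getent hosts "$n" >/dev/null || { echo "FAIL: $n does not resolve"; rc=1; }
    done
    # 3. the SRV record the MIT library uses to find the KDC (dns_lookup_kdc = true)
    if kdc=$(srv_target "$(dig +short "_kerberos._tcp.$domain" SRV | head -n 1)"); then
        echo "KDC from DNS: $kdc"
    else
        echo "FAIL: no _kerberos._tcp.$domain SRV record"; rc=1
    fi
    # 4. TCP reachability of the Kerberos and LDAP ports (no firewall in the way)
    for p in 88 389; do
        nc -z -w 3 "$ldap_host" "$p" || { echo "FAIL: cannot reach TCP port $p on $ldap_host"; rc=1; }
    done
    # 5. clock offset against the domain controller; more than 300 s gives "Clock skew too great"
    off=$(ntpdate -q "$ldap_host" 2>/dev/null |
          awk -F'offset ' '/offset/ { split($2, a, ","); print a[1]; exit }')
    if [ -n "$off" ]; then
        absoff=$(awk -v o="$off" 'BEGIN { printf "%d", (o < 0 ? -o : o) }')
        skew_ok "$absoff" 0 300 ||
            { echo "FAIL: clock differs from $ldap_host by ${off}s (limit 300 s)"; rc=1; }
    fi
    return $rc
}

if [ "$#" -ge 3 ]; then
    run_checks "$@"
fi
```

A reverse-lookup mismatch is reported even when both lookups succeed, because the Kerberos library compares the canonical name it gets back with the name it was given; "resolves" alone is not enough.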
Using the krb5.conf file
If ACE Management Server still will not verify your LDAP configuration options due to an LDAP connection problem, you can direct ACE Management Server not to use DNS while using the Kerberos library. Instead, you can provide all the network topology information to ACE Management Server through a krb5.conf file.
The krb5.conf file is an MIT Kerberos library configuration file. ACE Management Server installs a default krb5.conf at the following location:
/var/lib/vmware/acesc/conf/krb5.conf
VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com
Copyright 2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886,
6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149, 843, 7,155,558, and 7,222,221; patents
pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other
jurisdictions. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. All other marks and
names mentioned herein may be trademarks of their respective companies.
Revision 20070807
This file contains three configuration settings:
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
clockskew = 3600
The first two settings instruct the Kerberos library to use DNS to resolve the KDC hostname and the realm. The third, clockskew, is the largest difference in seconds that the library tolerates between its own clock and the timestamps in Kerberos messages. The MIT default is 300 seconds; the shipped value of 3600 is far more permissive and correspondingly widens the window in which a captured Kerberos message is still accepted, so keep the host's clock synchronized with NTP rather than relying on this setting.
If you are having trouble integrating ACE Management Server with Active Directory, this file enables you to bypass all the DNS lookups and instead provide specific information about your network so that Kerberos will operate. If you turn off DNS lookups for realm and KDC, you must specify the KDC for your realm (domain). The following is an example of a krb5.conf file that turns off DNS lookups and defines the vmware.com realm:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 3600
[realms]
VMWARE.COM = {
kdc = ldap.vmware.com
}
This file tells Kerberos not to perform DNS lookups for realms and KDCs. The file also defines the KDC server for the vmware.com realm as ldap.vmware.com. Because we omitted the port number for the KDC, the default port number 88 is used. Note that realm names are case-sensitive and that an Active Directory realm is the DNS domain name in upper case (VMWARE.COM for vmware.com).
For more information on krb5.conf, read the documentation that comes with your Linux distribution.
If you still have problems after modifying your krb5.conf file, modify the /etc/hosts file on your ACE Management Server host so that all hosts involved in the Active Directory configuration are included. For example, your /etc/hosts file for the vmware.com ACE Management Server might have the following entries:
10.20.30.40   ldap.vmware.com   ldap
10.20.30.40   vmware.com
10.20.30.41   ams.vmware.com    ams
In this example, 10.20.30.40 is the IP for the domain controller (and LDAP server) and 10.20.30.41 is the IP address for the ACE Management Server host. Because a reverse lookup through /etc/hosts returns the first line that carries the address, keep the ldap.vmware.com line before the vmware.com line, so that the reverse lookup of the domain controller's IP returns the host name you entered in the configuration.
