HPE OneView

Re: OneView Synergy - Setting up LDAP via PowerShell

gcj2021
Advisor

OneView Synergy - Setting up LDAP via PowerShell

OneView Synergy 6.3

When attempting to set up an LDAP Directory via PowerShell cmdlets, I get the below error. When setting up via the web interface, I am able to set it up, but I have to check force leaf cert since we are using the CA cert from AD.

Is there any way for me to accomplish this via script, or is the only way to accomplish this via the web, since I am utilizing the AD cert and forcing the leaf cert?

Command example:

$LdapAuthDirectory = New-OVLdapDirectory -Name 'domain.local' -AD -BaseDN 'dc=domain,dc=local' -Servers $dc1,$dc2 @AuthParams

Error:

New-OVLdapDirectory : Unable to establish trusted communication with the server. The certificate of the root CA that has authorized the directory server certificate is not present in the OneView trust store. Unable to establish trusted communication with
the server. The certificate of the root CA that has authorized the directory server certificate is not present in the OneView trust store.


Cheers!

ChrisLynch
HPE Pro

Re: OneView Synergy - Setting up LDAP via PowerShell

When you created the LDAP server objects that are stored in $dc1 and $dc2, did you include the -TrustLeafCertificate switch? The message from the API is stating that you haven't added your root and issuing subordinate certs to the appliance. I would advise against trusting the leaf cert because if it expires or becomes invalid, you'll need to replace it on the appliance. You should add the cert chain certs to the appliance so your domain controller certs are implicitly trusted.
I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
gcj2021
Advisor

Re: OneView Synergy - Setting up LDAP via PowerShell

Yea - shortly after I posted I found that if I ran this on both of my DCs, I did not get the CA error - this seems to have worked.

Add-OVApplianceTrustedCertificate -ComputerName $DCServer1 -Port 636 -Force

Add-OVApplianceTrustedCertificate -ComputerName $DCServer2 -Port 636 -Force


Thanks Chris

ChrisLynch
HPE Pro

Re: OneView Synergy - Setting up LDAP via PowerShell

While yes, those commands will work, it isn't what we advise or recommend. Instead, you should either get the certificate chain, or you could have used the -TrustCertChain parameter with the Add-OVApplianceTrustedCertificate Cmdlet when you attempted to add the cert from one of your domain controllers. So, the Cmdlet should have been:


$DCServer1 = "mydc-name.mydomain.com"
Add-OVApplianceTrustedCertificate -ComputerName $DCServer1 -Port 636 -TrustCertChain


This way, the cert chain will be added to the appliance trust store, so the domain controller's leaf certificate is not explicitly trusted. As I stated, if that cert expires, you will need to update it manually. By trusting the chain instead, the appliance will implicitly trust the leaf certificate when it is re-issued.

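The chain-instead-of-leaf approach from the last reply, as an added end-to-end example that is not part of the thread or of HPE's library: it first inspects the chain each domain controller actually presents on 636 (plain .NET, no OneView needed), then trusts the CA chain on the appliance and creates the directory without -TrustLeafCertificate. It assumes the HPEOneView module is loaded and Connect-OVMgmt has run; the hostnames, the bind account, and the New-OVLdapServer -Hostname/-Port usage are assumptions.

```powershell
# Added example (not from the thread). Assumes the HPEOneView PowerShell library is
# loaded and Connect-OVMgmt has already been run. Hostnames and bind account are placeholders.

function Get-LdapsCertificateChain {
    # Open a TLS session to the DC on 636 and return the chain it presents (leaf first).
    # The validation callback returns $true on purpose: we only want to *see* the chain
    # here, nothing is trusted until Add-OVApplianceTrustedCertificate is called below.
    param([string]$ComputerName, [int]$Port = 636)
    $seen = New-Object 'System.Collections.Generic.List[System.Security.Cryptography.X509Certificates.X509Certificate2]'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        foreach ($el in $chain.ChainElements) { $seen.Add($el.Certificate) }
        return $true
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try     { $ssl.AuthenticateAsClient($ComputerName) }
    finally { $ssl.Dispose(); $tcp.Dispose() }
    return $seen
}

function Test-IsCaCertificate {
    # True when BasicConstraints says CA=true, i.e. a root or issuing CA rather than the DC leaf.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bc = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    return [bool]($bc -and $bc.CertificateAuthority)
}

$dcs = 'dc1.domain.local', 'dc2.domain.local'   # placeholder hostnames
foreach ($dc in $dcs) {
    Write-Host "Chain presented by ${dc}:"
    Get-LdapsCertificateChain -ComputerName $dc |
        Format-Table Subject, Issuer, NotAfter, @{ n = 'IsCA'; e = { Test-IsCaCertificate $_ } } -AutoSize
    # Trust the CA chain (root + issuing CA), not the leaf: a re-issued DC cert then
    # needs no change on the appliance, unlike -Force / -TrustLeafCertificate.
    Add-OVApplianceTrustedCertificate -ComputerName $dc -Port 636 -TrustCertChain
}

# Review the appliance trust store: the CA certificates seen above should now be listed.
Get-OVApplianceTrustedCertificate

# LDAP server objects without -TrustLeafCertificate, then the directory as in the thread.
# New-OVLdapServer -Hostname/-Port and the -Username/-Password splat are assumptions.
$dc1 = New-OVLdapServer -Hostname $dcs[0] -Port 636
$dc2 = New-OVLdapServer -Hostname $dcs[1] -Port 636
$AuthParams = @{ Username = 'svc-oneview@domain.local'; Password = (Read-Host -AsSecureString 'Bind password') }
$LdapAuthDirectory = New-OVLdapDirectory -Name 'domain.local' -AD -BaseDN 'dc=domain,dc=local' -Servers $dc1,$dc2 @AuthParams
```

If the IsCA column shows only the leaf, the DC is not sending its intermediate; fix the DC's certificate store or import the issuing CA on the appliance separately before relying on -TrustCertChain.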