search

vmware / PowerCLI-Example-Scripts

http://blogs.vmware.com/powercli
Other
757 stars 603 forks source link

Add-LDAPIdentitySource fails when secondary LDAPS server is defined, returning "Type or value exists" #490

Open StevePantol opened 2 years ago

StevePantol commented 2 years ago

Example:

Add-LDAPIdentitySource -Name 'stickers' -DomainName 'stickers.corp' -DomainAlias 'stickers' -PrimaryUrl 'ldaps://nyc-dc-01.stickers.corp:636' -SecondaryUrl 'ldaps://avs-dc-01.stickers.corp:636' -BaseDNUsers 'DC=stickers,DC=corp' -BaseDNGroups 'DC=stickers,DC=corp' -Username 'user@stickers.corp' -Password 'password' -Certificates 'C:\certs\nyc-dc-01.cer','C:\certs\avs-dc-01.cer'

Output: Add-LDAPIdentitySource: Type or value exists

We are able to add a single LDAPS server with this function and then add a secondary LDAPS server via the vCenter Client.

In Azure VMware Solution environments, however, users do not have access to configure Identity Sources through the vCenter Client. Instead, AVS Run Commands are used to temporarily elevate permissions and execute the Add-LDAPIdentitySource function.

dmilov commented 2 years ago

Hello Steve,

can you paste the error details?

$error[0] | Select * $error[0].Exception | Select *

StevePantol commented 2 years ago

Happy to!

PS C:\Users\spantol> $error[0] | Select *

PSMessageDetails : Exception : Microsoft.PowerShell.Commands.WriteErrorException: Type or value exists TargetObject : CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-LDAPIdentitySource ErrorDetails : InvocationInfo : System.Management.Automation.InvocationInfo ScriptStackTrace : at Add-LDAPIdentitySource, C:\Users\spantol\Documents\PowerShell\Modules\VMware.vSphere.SsoAdmi n\1.3.5\IdentitySource.ps1: line 373 at , : line 1 PipelineIterationInfo : {0, 1}

PS C:\Users\spantol> $error[0].Exception | Select *

TargetSite : StackTrace : Message : Type or value exists Data : {} InnerException : HelpLink : Source : HResult : -2146233087

dmilov commented 2 years ago

Hi @StevePantol the SecondaryUrl parameter is in fact the FailoverUrl for the LDAP. Are you running the Add-LDAPIdentitySource twice for the 1st IS and then for the 2nd one? I want to make sure you are not passing two different IS Url to PrimaryUrl and SecondaryUrl

StevePantol commented 2 years ago

Hi @dmilov -

I'm trying to run Add-LDAPIdentitySource once, with a PrimaryURL defined and a SecondaryUrl defined. Both of the parameters provided are active directory domain controllers.

dmilov commented 2 years ago

Try to call Add-LDAPIdentitySource with PrimaryURL only twice. First time for the first domain controller, second call for the second one.

StevePantol commented 2 years ago

Apologies for the delay here.

Trying to repeat the command with different PrimaryURLs and certificates gets me this error:

Add-LDAPIdentitySource: Domain with name 'stickers.corp' and alias 'stickers' already exists.

PSMessageDetails : Exception : Microsoft.PowerShell.Commands.WriteErrorException: Domain with name 'stickers.corp' and alias 'stickers' already exists. TargetObject : CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-LDAPIdentitySource ErrorDetails : InvocationInfo : System.Management.Automation.InvocationInfo ScriptStackTrace : at Add-LDAPIdentitySource, C:\Users\spantol\Documents\PowerShell\Modules\VMware.vSphere.SsoAdmi n\1.3.5\IdentitySource.ps1: line 373 at , : line 1 PipelineIterationInfo : {0, 1}

TargetSite : Message : Domain with name 'stickers.corp' and alias 'stickers' already exists. Data : {} InnerException : HelpLink : Source : HResult : -2146233087 StackTrace :