Friday, August 8, 2014

vCOPS - Custom UI LDAP error - "One or more users already exist and haven't been imported"

The regular vcops-vsphere web GUI was straightforward to configure for LDAP authentication, since it simply uses the vCenter privileges.
The vCOPS custom web GUI, however, uses its own LDAP configuration. I am also using sAMAccountName as the Username Field in the LDAP settings; this value is not offered in the list and has to be typed in manually.

After setting up LDAP I tried to import the same users, but received the following error message:

"One or more users already exist and haven't been imported"


The main problem is that both web interfaces use the same useraccount table in the postgres database. This causes duplicates, because the username to be added to vcops-custom already exists in the table.
A strange observation is that the user accounts created by vcops-vsphere don't show up under the "Not Grouped" group name.

Resolution:

Reviewing the user accounts in the database shows the same user stored both as username and as <domainname>\username.

VMware support provides a detailed KB on how to look up the users in the postgres database and rename the accounts with duplicate usernames.

For vCenter Operations 5.0.x: 
  • Open SSH to Analytics VM and run command:
    • # su postgres
    • # psql alivevm
  • Run these commands at the psql prompt to export the user account table:
    • alivevm=> \o /tmp/useraccount.csv
    • alivevm=> SELECT userid, username, description FROM useraccount ORDER BY userid;
  • Exit the psql session with \q:
    • alivevm=> \q
  • Run this command:
    • more /tmp/useraccount.csv
    • Review useraccount.csv for duplicate usernames and make a note of the related userid(s).
  • To disable the duplicate user accounts (this only renames the user account):
    • Log in to the database again as in the first step (su postgres, psql alivevm).
    • Run this update statement to rename the username of the user account:
      • alivevm=> UPDATE useraccount SET username = username||'_disabled' WHERE userid in ('2','3','N');
      • Note: Replace the user ID in the IN statement (in this example, 2,3,N) with the user ID(s) of the duplicate user accounts you want to disable.
  • Run these commands with admin user on the UI VM to restart the vCenter Operations services:
    • admin@firstvm-external:> vcops-admin restart
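To take the manual review out of the "review useraccount.csv" step, here is an added Python example (not from the original post or VMware's KB) that parses the psql output written by \o, finds the existing rows that would collide with the sAMAccountNames you want to import into vcops-custom, and builds the KB's rename statement. The sample export, the CORP domain and the usernames are constructed, and usernames are compared case-insensitively on the assumption that they come from Active Directory.

```python
# Constructed sample of what "\o /tmp/useraccount.csv" followed by the KB's
# SELECT writes: psql aligned output (pipe separated), not real CSV.
SAMPLE_EXPORT = """\
 userid |   username   |        description
--------+--------------+----------------------------
      1 | admin        | built-in account
      2 | jdoe         | created by vcops-vsphere login
      3 | CORP\\jdoe   | created by vcops-vsphere login
      4 | asmith       |
      5 | CORP\\bjones |
(5 rows)
"""

def parse_psql_export(text):
    """Turn the aligned psql output into (userid, username, description) tuples."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 3 or not cells[0].isdigit():
            continue  # skips the header, the dashed separator and "(N rows)"
        rows.append((int(cells[0]), cells[1], cells[2]))
    return rows

def base_name(username):
    """Strip a leading DOMAIN\\ prefix: 'CORP\\jdoe' -> 'jdoe'."""
    return username.rsplit("\\", 1)[-1]

def domain_pairs(rows):
    """Users stored both as 'user' and 'DOMAIN\\user' (the pattern seen in the table)."""
    by_base = {}
    for _, name, _ in rows:
        by_base.setdefault(base_name(name).lower(), []).append(name)
    return {b: names for b, names in by_base.items() if len(names) > 1}

def blocking_accounts(rows, to_import):
    """userids of rows whose username equals a sAMAccountName about to be
    imported; these are the rows the vcops-custom import reports as existing."""
    wanted = {u.lower() for u in to_import}
    return sorted(uid for uid, name, _ in rows if name.lower() in wanted)

def disable_statement(userids):
    """Build the KB's rename (username -> username_disabled) for the given ids."""
    ids = "','".join(str(u) for u in userids)
    return ("UPDATE useraccount SET username = username||'_disabled' "
            "WHERE userid in ('%s');" % ids)

if __name__ == "__main__":
    rows = parse_psql_export(SAMPLE_EXPORT)
    print(domain_pairs(rows))
    print(disable_statement(blocking_accounts(rows, ["jdoe", "asmith"])))
```

Check the returned userids against the export before running the UPDATE; the script only flags rows whose username exactly collides with a name on your import list.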

The best way to mitigate this problem is to make sure that users log in to vcops-vsphere with "<domain>\username" and not just their username. That leaves the plain username free, so the user can still be added to vcops-custom.
This is only an issue when using sAMAccountName. If using userPrincipalName, the user is imported with the username "username@domainname" instead.


Link:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2013440