Cannot configure identity source due to Type or value exists.

On vCenter Server 7.0u3p (aka 7.0.3.01800), I recently experienced an error “Cannot configure identity source due to Type or value exists.” when configuring Active Directory over LDAPS. The issue was caused by a duplicate certificate, but that fact was not immediately obvious.

To configure AD over LDAPS we must provide the certificate used by the domain controller. To obtain this certificate, KB article https://kb.vmware.com/s/article/2041378 shows how to use openssl s_client to retrieve the certificate from port 636 (LDAPS). Obtaining the certificate from each domain controller and presenting both to the “Edit Identity Source” screen (screenshot not reproduced here) resulted in the following error:

Tailing the /storage/log/vmware/vmdird/vmdird-syslog.log file, we noticed an entry when saving the above configuration similar to:

2024-01-23T13:39:26.847703+00:00 err vmdird  t@140567635818240: InternalAddEntry: VdirExecutePostAddCommitPlugins - code(9619)
2024-01-23T13:39:26.848501+00:00 err vmdird  t@140567635818240: VmDirSendLdapResult: Request (Add), Error (LDAP_TYPE_OR_VALUE_EXISTS(20)), Message (Invalid or duplicate (userCertificate)), (0) socket (127.0.0.1)

The Invalid or duplicate (userCertificate) part of this error was interesting. After checking with the directory services folks, they confirmed they had placed the same certificate on multiple domain controllers, listing each domain controller name/IP in the subject alternative name (subjectAltName) field. When using openssl s_client to obtain the certificates, each DC returned the exact same value, which would explain a duplicate.

To work around this issue, we left both servers listed in the “Edit Identity Source” screen, but only provided a single certificate file. This change saved successfully and didn’t result in the ‘Type or value exists’ error message.
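The following script is an added example and is not part of the original post or any VMware tool: it retrieves each domain controller's certificate from port 636 with openssl s_client as the KB describes, then fingerprints the PEM files and keeps only one file per distinct certificate, so the duplicate that triggered LDAP_TYPE_OR_VALUE_EXISTS above is caught before the identity source is saved. The hostnames are placeholders, the fingerprint helper assumes GNU coreutils (base64 -d, sha256sum), and show_sans assumes OpenSSL 1.1.1 or later for the -ext option.

```shell
#!/bin/sh
# Added example, not part of the original post: retrieve the LDAPS certificate
# from each domain controller with openssl s_client (the KB procedure), then
# keep only one copy per distinct certificate so vmdird never sees the same
# userCertificate value twice. Hostnames on the command line are placeholders.
set -eu

# Print the first PEM certificate block found on stdin (the server's leaf
# certificate in `openssl s_client -showcerts` output).
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { exit }'
}

# Fetch the certificate a domain controller presents on port 636.
fetch_ldaps_cert() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null | extract_pem
}

# SHA-256 over the DER bytes inside a PEM file: the same digest that
# `openssl x509 -noout -fingerprint -sha256` reports, printed as plain hex.
cert_fingerprint() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '1d;$d' | tr -d '\n\r' | base64 -d | sha256sum | cut -d' ' -f1
}

# Show the subjectAltName extension, which on the DCs in this post listed
# every controller in one shared certificate (OpenSSL 1.1.1 or later).
show_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Print one file path per distinct fingerprint; report the rest on stderr as
# the duplicates that would trigger LDAP_TYPE_OR_VALUE_EXISTS on save.
unique_certs() {
    seen=" "
    for f in "$@"; do
        fp=$(cert_fingerprint "$f")
        case "$seen" in
            *" $fp "*) echo "duplicate: $f (sha256 $fp)" >&2 ;;
            *) seen="$seen$fp "; echo "$f" ;;
        esac
    done
}

# Usage: ./ldaps-certs.sh dc1.example.com dc2.example.com
# Saves each DC's certificate as ./<host>.pem and lists the files to upload.
if [ "$#" -gt 0 ]; then
    files=""
    for host in "$@"; do
        fetch_ldaps_cert "$host" > "$host.pem"
        files="$files $host.pem"
    done
    unique_certs $files
fi
```

When the two DCs serve the same certificate, unique_certs prints only the first file and names the second as a duplicate, which is the single-file upload the post settled on; when they differ, both files are listed and both can be supplied to the "Edit Identity Source" screen.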

This entry was posted in Lab Infrastructure, Virtualization.