You can convert a directory of type Other, which stores users and groups synced from AirWatch, to a directory of type Active Directory over LDAP or Active Directory (Integrated Windows Authentication), which are associated with the VMware Identity Manager connector. After you convert the directory, the VMware Identity Manager connector is used instead of ACC to sync users and groups from your enterprise directory to VMware Identity Manager.
Install and activate the VMware Identity Manager Connector component of the VMware Enterprise Systems Connector on a Windows server.
To use some features, the Windows server must be joined to the domain, you must install the VMware Identity Manager Connector component as a domain user that is part of the administrator group on the Windows server, and you must choose to run the IDM Connector service as a Windows domain user.
This requirement applies to the following cases.
- If you plan to convert the Other directory to Active Directory (Integrated Windows Authentication)
- If you plan to use Kerberos authentication
- If you plan to integrate Horizon View with VMware Identity Manager and want to use the Perform Directory Sync or Configuring 5.x Connection Server options
The following Active Directory information is required:
- If you are converting to Active Directory over LDAP, the Base DN, Bind DN, and Bind DN password are required. Using a Bind DN user account with a non-expiring password is recommended.
- If you are converting to Active Directory (Integrated Windows Authentication), the domain's Bind user UPN address and password are required. Using a Bind DN user account with a non-expiring password is recommended.
- If the Active Directory requires access over SSL or STARTTLS, the Root CA certificate of the Active Directory domain controller is required.
For Active Directory (Integrated Windows Authentication), when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.
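The prerequisites above can be verified on the connector host before you start the conversion. The following PowerShell script is an added example, not VMware's code or part of this guide: it checks that the server is domain-joined, that the connector service runs as a domain account rather than LocalSystem, that the Bind DN account is enabled with a non-expiring password, and that the domain controller's LDAPS certificate chains to a Root CA trusted by the server. It assumes the RSAT ActiveDirectory module is installed; the bind account name, domain controller host and connector service name are placeholders to replace with your own values.

```powershell
# Added pre-flight check for the connector host and the Active Directory bind account.
# Example code, not VMware's; adjust the placeholders for your environment.
param(
    [string]$BindUser = 'svc-idm-bind',              # placeholder: sAMAccountName of the Bind DN user
    [string]$DomainController = 'dc01.example.com',  # placeholder: domain controller to test over LDAPS
    [string]$ServiceName = 'IDMConnectorService',    # placeholder: confirm the real name with Get-Service
    [int]$LdapsPort = 636
)

Import-Module ActiveDirectory -ErrorAction Stop
$results = [ordered]@{}

# 1. Integrated Windows Authentication and Kerberos need a domain-joined server.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['ServerDomainJoined'] = [bool]$cs.PartOfDomain
$results['ServerDomain']       = $cs.Domain

# 2. The connector service should run as a Windows domain user, not a built-in account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    $results['ServiceAccount']         = $svc.StartName
    $results['ServiceRunsAsDomainUser'] = ($svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\.*|NT SERVICE\\.*)$')
} else {
    $results['ServiceAccount']         = "service '$ServiceName' not found"
    $results['ServiceRunsAsDomainUser'] = $false
}

# 3. The Bind DN account should be enabled and have a non-expiring password.
#    DistinguishedName is what the LDAP directory type asks for; UserPrincipalName is what
#    the Integrated Windows Authentication type asks for.
$u = Get-ADUser -Identity $BindUser -Properties PasswordNeverExpires, PasswordExpired, Enabled
$results['BindDN']                  = $u.DistinguishedName
$results['BindUPN']                 = $u.UserPrincipalName
$results['BindUserEnabled']         = $u.Enabled
$results['BindPasswordNeverExpires'] = $u.PasswordNeverExpires
$results['BindPasswordExpired']     = $u.PasswordExpired

# 4. If the directory requires SSL, the domain controller certificate must chain to a Root CA
#    the server trusts. Accept any certificate during the handshake so it can be inspected,
#    then validate the chain explicitly against the local trust store.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $LdapsPort)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($DomainController)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $results['LdapsReachable']        = $true
    $results['LdapsCertSubject']      = $cert.Subject
    $results['LdapsCertIssuer']       = $cert.Issuer
    $results['LdapsCertExpires']      = $cert.NotAfter
    $results['LdapsCertChainTrusted'] = $chain.Build($cert)
    if (-not $results['LdapsCertChainTrusted']) {
        # Untrusted chain: import the Root CA certificate of the domain controller before converting.
        $results['LdapsChainStatus'] = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    $results['LdapsReachable'] = $false
    $results['LdapsError']     = $_.Exception.Message
}

[pscustomobject]$results | Format-List
```

Run the script as a domain user on the Windows server where the VMware Identity Manager Connector component is installed. A `False` in `LdapsCertChainTrusted` means the Root CA certificate still has to be supplied when you convert the directory; a `False` in `ServiceRunsAsDomainUser` means the connector service must be reconfigured before the Integrated Windows Authentication or Kerberos options will work.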
- In the VMware Identity Manager administration console, click the Identity & Access Management tab, then click the Directories tab.
- Click the name of the directory that you want to convert.
- In the directory page, click the Convert button.
- In the Add Directory page, change the name of the directory if required and select the type of directory to convert the Other directory to: Active Directory over LDAP or Active Directory (Integrated Windows Authentication).
- Enter the Active Directory connection information and continue with the wizard to set up the directory.
See "Configuring Active Directory Connection to the Service" in the Directory Integration with VMware Identity Manager guide for information.
Follow these guidelines.
- In the Sync Connector field, select the VMware Identity Manager connector that you installed.
- In the Directory Sync and Authentication section, select Yes for Authentication, unless you intend to use a third-party identity provider instead of the connector for authentication.
- Ensure that you set up the converted directory identically to the AirWatch directory so that it has the same directory structure. Select the same domains. When you specify the users and groups to sync, make the same selections as the AirWatch directory so that the same users and groups are synced to the converted directory.
- On the last page of the wizard, click Sync Directory.
The directory is converted and set up to use the VMware Identity Manager connector. A Workspace Identity Provider is created, if one did not already exist, and the directory is associated with it automatically. The Password authentication method is already enabled for the directory.
- (Optional) To enable other authentication methods for the directory, follow these steps.
  - In the Identity & Access Management tab, click Setup.
  - On the Connectors page, locate the connector and the worker with which the converted directory is associated, and click the link in the Worker column.
  - In the worker page, click the Auth Adapters tab.
  - Configure and enable the authentication adapters you want to use for the directory by clicking the link for each and entering the configuration information.
  See VMware Identity Manager Administration for information about configuring authentication adapters.
- Edit the default_access_policy_set and any custom policies to select VMware Identity Manager connector authentication methods instead of Password (AirWatch Connector).
  - In the Identity & Access Management tab, click the Policies tab.
  - Click Edit Default Policy.
  - Under Policy Rules, edit the Authentication Methods column for each rule and replace Password (AirWatch Connector) with Password, which is a VMware Identity Manager connector authentication method.
  - Click the Policies tab again and edit custom policies, if any, to use Password or any other VMware Identity Manager connector authentication method that you have configured.
  If you do not change Password (AirWatch Connector) to Password or another VMware Identity Manager connector-based authentication method, users of the converted directory will not be able to log in.
What to do next
Stop directory sync from AirWatch to the converted directory.