To configure an LDAP connection, you set the details of your LDAP server. You can test the connection to make sure that you entered the correct settings and the user and group attributes are mapped correctly. When you have a successful LDAP connection, you can synchronize the user and group information with the LDAP server at any time.

Prerequisites

  • If you plan to connect to an LDAP server over SSL (LDAPS), verify that the certificate of your LDAP server is compliant with the Endpoint Identification introduced in Java 8 Update 181. The common name (CN) or the subject alternative name (SAN) of the certificate must match the FQDN of the LDAP server. For more information, see the Java 8 Release Changes at https://www.java.com.

  • If you want to use SSL, you can test the connection to the LDAP server and establish a trust relationship with it. See Test the Connection to a Remote Server and Establish a Trust Relationship.

Procedure

  1. In the Connection tab, enter the required information for the LDAP connection.
    Required Information Description
    Server The host name or IP address of the LDAP server.
    Port

    The port number on which the LDAP server is listening.

    For LDAP, the default port number is 389. For LDAPS, the default port number is 636.

    Base distinguished name

    The base distinguished name (DN) is the location in the LDAP directory where VMware Cloud Director to connect.

    To connect at root level, enter only the domain components, for example, DC=example,DC=com.

    To connect to a node in the domain tree structure, enter the distinguished name for that node, for example, OU=ServiceDirector,DC=example,DC=com.

    Connecting to a node limits the scope of the directory available to VMware Cloud Director.

    Connector type The type of your LDAP server. Can be Active Directory or OpenLDAP.
    Use SSL If your server is LDAPS, select this check box.
    Authentication method Simple authentication consists of sending the user's DN and password to the LDAP server. If you are using LDAP, the LDAP password is sent over the network in plain text.

    If you want to use Kerberos, you must configure the LDAP connection by using the vCloud API.

    User name Enter the full LDAP distinguished name (DN) of a service account with domain admin rights. VMware Cloud Director uses this account to query the LDAP directory and retrieve user information.

    If the anonymous read support is enabled on your LDAP server, you can leave these text boxes blank.

    Password

    The password for the service account that connects to the LDAP server.

    If the anonymous read support is enabled on your LDAP server, you can leave these text boxes blank.

  2. Click the User Attributes tab, examine the default values for the user attributes, and, if your LDAP directory uses different schema, modify the values.
  3. Click the Group Attributes tab, examine the default values for the group attributes, and, if your LDAP directory uses different schema, modify the values.
  4. Click Save.
  5. If you selected the Use SSL check box, and if the certificate of the LDAPS server is not yet trusted, on the Trust Certificate window, confirm if you trust the certificate presented by the server endpoint.
  6. To test the LDAP connection settings and the LDAP attribute mappings:
    1. Click Test
    2. Enter the password of the LDAP server user that you configured and click Test.
      If connected successfully, a green check mark is displayed.

      The retrieved user and group attribute values are displayed in a table. The values that are successfully mapped to LDAP attributes are marked with green check marks. The values that are not mapped LDAP attributes are blank and marked with red exclamation marks.

    3. To exit, click Cancel.
  7. To synchronize VMware Cloud Director with the configured LDAP server, click Sync.
    VMware Cloud Director synchronizes the user and group information with the LDAP server regularly depending on the synchronization interval that you set in the general system settings.
    Wait a few minutes for the synchronization to finish.

Results

You can import users and groups from the newly configured LDAP server.