You can configure an LDAP connection to provide vCloud Director and its organizations with access to users and groups on the LDAP server.

Prerequisites

  • If you plan to connect to an LDAPS server, verify that you have a properly constructed certificate for the improved LDAP support in Java 8 Update 181. For more information, see the Java 8 Release Changes at https://www.java.com.
  • If you want to use Kerberos as your authentication method, you must Add a Kerberos Realm.

Procedure

  1. Click the Administration tab and click LDAP in the left pane.
  2. Type the host name or IP address of the LDAP server.
    For Kerberos authentication, use the fully qualified domain name (FQDN).
  3. Type a port number.
    For LDAP, the default port number is 389. For LDAP over SSL (LDAPS), the default port number is 636.
  4. Type the base distinguished name (DN).
    The base DN is the location in the LDAP directory where vCloud Director connects. VMware recommends connecting at the root. Type the domain components only, for example, DC=example, DC=com.

    To connect to a node in the tree, type the distinguished name for that node, for example, OU=ServiceDirector, DC=example, DC=com. Connecting to a node limits the scope of the directory available to vCloud Director.

  5. Select the SSL check box to use LDAPS and choose one of the certificate options.

    Option                   Action
    Accept all certificates  Select the check box. vCloud Director then trusts any certificate the server presents, so prefer one of the two options below where you can.
    SSL Certificate          Click Browse to locate the SSL certificate.
    SSL Keystore             Click Browse to locate the SSL keystore. Type and confirm the keystore password.
  6. Select an authentication method.

    Option    Description
    Simple    Simple authentication sends the user's DN and password to the LDAP server. If you are using LDAP rather than LDAPS, the password is sent over the network in clear text.
    Kerberos  Kerberos issues authentication tickets to prove a user's identity. If you select Kerberos, you must select a realm.
  7. Type a user name and password to connect to the LDAP server.
    If anonymous read support is enabled on your LDAP server, you can leave these text boxes blank.

    Authentication Method  User Name
    Simple                 Type the full LDAP DN.
    Kerberos               Type the name in the form user@REALM.com.
  8. Click Apply.
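The settings above can be checked before they are applied. The following script is an added example, not part of the original documentation or of vCloud Director: it models the fields of the LDAP page as a constructed record (LdapSettings, a hypothetical name) and flags the weak combinations the procedure warns about (simple bind without LDAPS, accepting all certificates, a base DN that is a node rather than the root, a non-FQDN host or non-user@REALM name with Kerberos, a simple-bind user name that is not a DN).

```python
import re
from dataclasses import dataclass

# Constructed record mirroring the LDAP page's fields (hypothetical names, not a vCloud Director API).
@dataclass
class LdapSettings:
    host: str
    port: int
    base_dn: str
    use_ssl: bool = False           # the SSL check box (LDAPS)
    accept_all_certs: bool = False  # the "Accept all certificates" option
    auth_method: str = "simple"     # "simple" or "kerberos"
    user_name: str = ""             # bind DN (simple) or user@REALM (kerberos); "" = anonymous read

DEFAULT_PORT = {False: 389, True: 636}  # plain LDAP vs LDAPS, as stated in the procedure

def parse_dn(dn: str) -> list:
    """Split 'OU=x, DC=example, DC=com' into (attribute, value) pairs; escaped commas are not handled."""
    parts = [p.strip() for p in dn.split(",") if p.strip()]
    if not parts or any("=" not in p for p in parts):
        raise ValueError(f"malformed DN: {dn!r}")
    return [tuple(x.strip() for x in p.split("=", 1)) for p in parts]

def is_fqdn(host: str) -> bool:
    """Kerberos needs the server's FQDN: dotted labels whose last label is not numeric (rejects 10.0.0.5)."""
    return re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*\.?", host, re.I) is not None

def review(s: LdapSettings) -> list:
    """Return the findings a defender would want to see before clicking Apply."""
    findings = []
    if s.auth_method == "simple" and not s.use_ssl:
        findings.append("simple bind over plain LDAP: the bind password crosses the network in clear text")
    if s.use_ssl and s.accept_all_certs:
        findings.append("accept all certificates: the LDAPS server certificate is not validated")
    if s.port != DEFAULT_PORT[s.use_ssl]:
        findings.append(f"port {s.port} is not the default {DEFAULT_PORT[s.use_ssl]} for this mode")
    if any(attr.upper() != "DC" for attr, _ in parse_dn(s.base_dn)):
        findings.append("base DN is a node, not the root: directory scope is limited to that subtree")
    if s.auth_method == "kerberos":
        if not is_fqdn(s.host):
            findings.append("Kerberos requires the LDAP server's FQDN as the host name")
        if s.user_name and not re.fullmatch(r"[^@\s]+@[^@\s]+", s.user_name):
            findings.append("Kerberos user name must be in the form user@REALM")
    elif s.user_name:
        try:
            parse_dn(s.user_name)
        except ValueError:
            findings.append("simple bind user name must be the full LDAP DN")
    return findings
```

Run review() on your intended settings; an empty list means none of the weak combinations described in the procedure is present.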

What to do next

You can now add LDAP users and groups to the system and to organizations that use the system LDAP settings.