The first step toward configuring Hybrid Linked Mode from your SDDC is to add your on-premises LDAP domain as an identity source for the SDDC vCenter Server.

You can configure Hybrid Linked Mode from your SDDC if your on-premises LDAP service is provided by a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service.

Important:

If you are using OpenLDAP as the identity source, see the VMware knowledge base article at http://kb.vmware.com/kb/2064977 for additional requirements.

Prerequisites

Ensure that you meet the Common Prerequisites in Prerequisites for Configuring Hybrid Linked Mode.

Procedure

  1. Log in to the vSphere Client for your SDDC.
    To add an identity source, you must be logged in as [email protected] or another member of the cloud administrators group.
  2. Open the Add Identity Source dialog box.
    Use case: Hybrid Linked Mode
      1. Select Menu > Administration.
      2. Under Hybrid Cloud, select Linked Domains.
      3. Under Add Cloud Administrator, select Add Identity Source from the Identity Source drop-down menu.
    Use case: All other use cases
      1. Select Menu > Administration.
      2. Under Single Sign On, click Configuration.
      3. Click Identity Sources and click Add.
  3. Configure the identity source settings.
    Identity Source Type: Select Active Directory as an LDAP Server to use a Windows Active Directory server, or OpenLDAP to use an OpenLDAP server.
    Name: Enter the name of the identity source.
    Base DN for users: Enter the Base Distinguished Name for users.
    Base DN for groups: Enter the Base Distinguished Name for groups.
    Domain Name: Enter the FQDN of the domain. Do not enter an IP address here.
    Domain Alias: Enter an alias for the domain.

      For Active Directory identity sources, this is the domain's NetBIOS name. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentication.

    Username: Enter the ID of a user in the domain who has at least read-only access to the Base DN for users and the Base DN for groups. Use UPN format (for example, [email protected]) rather than DN format.
    Password: Enter the password of the user specified in Username.
    Connect To: Select which domain controller to connect to.
      • Select Any domain controller in the domain to connect to any domain controller.
      • Select Specific domain controllers to specify the domain controllers.

      If you select Specific domain controllers, specify the URL of the primary server and of the secondary server used for failover. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for ldap: connections and 636 for ldaps: connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for ldap: connections and 3269 for ldaps: connections.

    SSL Certificates: If you use ldaps:, click Browse and select a certificate file to upload to secure the ldaps: connection. Certificates can be exported in several formats; be sure to export the format supported by the Identity Source Type you have chosen.
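
The form above rejects nothing until you click Add, and a mistyped Base DN, a bind user in DN format or a missing port is only reported as a generic connection failure. The following pre-flight validator is an added example, not VMware code and not part of the original page: it checks a set of planned identity-source values against the rules stated in the procedure (FQDN rather than IP for Domain Name, UPN rather than DN for Username, ldap:/ldaps: URLs with the default ports 389/636 or 3268/3269 for multi-domain controller deployments, and a certificate present whenever ldaps: is used). The `IdentitySource` dataclass, the `ad_ldap`/`openldap` type labels, the sample values and the assumption that the uploaded certificate is PEM-encoded are all constructed for this example.

```python
"""Pre-flight check for Add Identity Source form values (illustrative example, not VMware code)."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import List, Optional
from urllib.parse import urlsplit

# Default ports named in the procedure: 389/636 for a single domain, 3268/3269
# (the Active Directory global catalog) for multi-domain controller deployments.
DEFAULT_PORTS = {("ldap", False): 389, ("ldaps", False): 636,
                 ("ldap", True): 3268, ("ldaps", True): 3269}

# A DN starts with an attribute type and '=' (e.g. "CN=svc,OU=..." or "uid=svc,...").
DN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=")
# Loose FQDN shape: at least one dotted label followed by an alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}\.?$")


@dataclass
class IdentitySource:
    """One row of planned form values; field names mirror the form labels (constructed for this example)."""
    source_type: str                     # "ad_ldap" (Active Directory as an LDAP Server) or "openldap"
    name: str
    users_base_dn: str
    groups_base_dn: str
    domain_name: str
    username: str
    password: str
    domain_alias: Optional[str] = None   # NetBIOS name for AD when SSPI authentication is used
    primary_url: Optional[str] = None    # only when Connect To is "Specific domain controllers"
    secondary_url: Optional[str] = None  # failover server
    ssl_cert_pem: Optional[str] = None   # contents of the file chosen under SSL Certificates
    multi_domain: bool = False           # True selects the 3268/3269 defaults


def is_ip_literal(text: str) -> bool:
    """True if text parses as an IPv4/IPv6 address (not allowed for Domain Name)."""
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def normalize_ldap_url(url: str, multi_domain: bool = False) -> str:
    """Return the URL as scheme://hostname:port, filling in the default port; raise ValueError if malformed."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"{url!r}: scheme must be ldap: or ldaps:")
    if not parts.hostname:
        raise ValueError(f"{url!r}: missing hostname")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"{url!r}: use ldap://hostname:port with no path or query")
    port = parts.port or DEFAULT_PORTS[(parts.scheme, multi_domain)]
    return f"{parts.scheme}://{parts.hostname}:{port}"


def validate(src: IdentitySource) -> List[str]:
    """Return a list of problems; an empty list means the values follow the procedure's rules."""
    problems: List[str] = []
    if src.source_type not in ("ad_ldap", "openldap"):
        problems.append("Identity Source Type must be 'ad_ldap' or 'openldap'")
    for label, dn in (("Base DN for users", src.users_base_dn),
                      ("Base DN for groups", src.groups_base_dn)):
        if not DN_RE.match(dn):
            problems.append(f"{label} must be a distinguished name, got {dn!r}")
    if is_ip_literal(src.domain_name) or not FQDN_RE.match(src.domain_name):
        problems.append(f"Domain Name must be the domain FQDN, not an IP address or short name: {src.domain_name!r}")
    if DN_RE.match(src.username) or "@" not in src.username:
        problems.append("Username must be in UPN format (user@domain), not DN format")
    if not src.password:
        problems.append("Password is required")
    if src.secondary_url and not src.primary_url:
        problems.append("Secondary server given without a primary server")
    uses_ldaps = False
    for url in (src.primary_url, src.secondary_url):
        if not url:
            continue
        try:
            uses_ldaps |= normalize_ldap_url(url, src.multi_domain).startswith("ldaps://")
        except ValueError as err:
            problems.append(str(err))
    # Assumption for this example: the uploaded certificate file is PEM-encoded.
    if uses_ldaps and not (src.ssl_cert_pem and "-----BEGIN CERTIFICATE-----" in src.ssl_cert_pem):
        problems.append("ldaps: URL given but no PEM certificate supplied under SSL Certificates")
    return problems


# Constructed sample values; the domain, hosts and certificate body are placeholders.
GOOD = IdentitySource(
    source_type="ad_ldap", name="corp-ad",
    users_base_dn="OU=Users,DC=corp,DC=example,DC=com",
    groups_base_dn="OU=Groups,DC=corp,DC=example,DC=com",
    domain_name="corp.example.com", username="svc-vcenter-ldap@corp.example.com",
    password="constructed-secret", domain_alias="CORP",
    primary_url="ldaps://dc01.corp.example.com", secondary_url="ldaps://dc02.corp.example.com:636",
    ssl_cert_pem="-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
)
# Same values with the two mistakes the procedure warns about: DN-format user and IP for Domain Name.
BAD = replace(GOOD, username="CN=svc-vcenter-ldap,OU=Users,DC=corp,DC=example,DC=com",
              domain_name="10.0.0.5")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(cfg) or "ok")
```

Run it before filling in the dialog: `validate()` returns an empty list for the constructed `GOOD` values and two findings for `BAD`, and `normalize_ldap_url()` shows the port vCenter will use when you omit it from a Specific domain controllers URL.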

Results

When the identity source is added, on-premises users can authenticate to the SDDC, but have the No access role. Add permissions for a group of users to give them the cloud administrator role.