To authenticate DSM and database users, VMware Data Services Manager can connect to a directory service, a centralized directory that stores user credentials and other user identity information. VMware Data Services Manager supports directories that use the Lightweight Directory Access Protocol (LDAP). You can configure the connection to an existing directory service through the vSphere Client or the DSM console.
- To receive email notifications, directory service users must have a valid email address attribute (mail or rfc822Mailbox on the LDAP server). Other DSM functions, such as logging in to the DSM appliance or accessing a database, do not require an email address.
- VMware Data Services Manager requires Lightweight Directory Access Protocol over TLS (LDAPS); connections over unencrypted LDAP are not supported.
- The server's certificate must be either self-signed or signed by a Certificate Authority (CA). If it is signed by a CA, you must add the issuing CA to the Trusted Root Certificates so that DSM can validate the certificate chain.
- The login user name for both the DSM Appliance and the databases depends on the User Search Attribute configured for the directory service. Common attributes are:
- userPrincipalName
The default attribute in Active Directory. The login name is typically user@domain.com.
- sAMAccountName or uid
The login name is typically just user. In OpenLDAP you might need to set uid as the User Search Attribute.
- If you change the directory service configuration, VMware Data Services Manager restarts all database clusters that use this directory service. During the restart, the data pods associated with the database cluster instance are restarted automatically. This applies only to MySQL databases.
- Changing the LDAP server or groups of an existing configuration can result in loss of access to VMware Data Services Manager for any user who is not registered with the new LDAP server or group. Any databases provisioned by such users can become orphaned and no longer managed by VMware Data Services Manager. Before you switch, confirm that the accounts that administer DSM are members of the new server or group.
- When creating or updating a database cluster, users can choose to enable or disable the directory service.
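The following is an added example, not VMware DSM code, that shows what the User Search Attribute choice above means in practice: how the configured attribute decides the name a user types in, how a directory lookup for that name is built with proper filter escaping (an unescaped login such as `*)(uid=*` would rewrite the filter), and how to check whether an entry carries the mail or rfc822Mailbox attribute that email notifications need. The object class `person`, the sample entries and their values are assumptions constructed for the example.

```python
"""Added example (not VMware DSM code): how the User Search Attribute setting
decides the login name, how to build the matching LDAP search filter safely,
and how to check the email attribute needed for notifications."""
from typing import Dict, List, Optional

# Attribute names named on the page as common User Search Attribute choices.
SUPPORTED_SEARCH_ATTRS = ("userPrincipalName", "sAMAccountName", "uid")

# RFC 4515 escaping for values embedded in a search filter. Without it a login
# such as "*)(uid=*" rewrites the filter (LDAP injection) instead of matching one user.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(search_attr: str, login: str, object_class: str = "person") -> str:
    """Return the filter a directory lookup would use for one login name.

    The object class is an assumption for the example; real deployments may
    use "user" (Active Directory) or "inetOrgPerson" (OpenLDAP).
    """
    if search_attr not in SUPPORTED_SEARCH_ATTRS:
        raise ValueError(f"unsupported User Search Attribute: {search_attr!r}")
    return f"(&(objectClass={object_class})({search_attr}={escape_filter_value(login)}))"


def login_name(entry: Dict[str, List[str]], search_attr: str) -> Optional[str]:
    """The name the user types into DSM or the database: the first value of the
    configured attribute, or None when the entry does not carry it (for example
    userPrincipalName on an OpenLDAP entry). Attribute names are matched exactly
    here; real directories compare them case-insensitively."""
    values = entry.get(search_attr) or []
    return values[0] if values else None


def notification_address(entry: Dict[str, List[str]]) -> Optional[str]:
    """Email address DSM can notify, from mail or rfc822Mailbox. None means the
    user can still log in and access databases but receives no email."""
    for attr in ("mail", "rfc822Mailbox"):
        values = entry.get(attr) or []
        if values:
            return values[0]
    return None


# Constructed sample entries, shaped like decoded LDAP search results
# (attribute name -> list of values). Not taken from a real directory.
AD_USER = {
    "userPrincipalName": ["alice@example.com"],
    "sAMAccountName": ["alice"],
    "mail": ["alice@example.com"],
}
OPENLDAP_USER = {
    "uid": ["bob"],
    # no userPrincipalName and no mail/rfc822Mailbox
}


if __name__ == "__main__":
    for attr in SUPPORTED_SEARCH_ATTRS:
        print(attr, "->", login_name(AD_USER, attr), "|", login_name(OPENLDAP_USER, attr))
    print(build_user_filter("uid", "*)(uid=*"))
    print("bob notification address:", notification_address(OPENLDAP_USER))
```

Running the block shows that the same two people get different login names depending on the attribute (alice@example.com under userPrincipalName, alice under sAMAccountName) and that bob cannot be found at all under userPrincipalName, which is why OpenLDAP deployments usually need uid.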
Complete the following steps to create the directory service connection.
Prerequisites
Before you configure a connection to the directory service, make sure you have the LDAP server host address, the domain, and the user name and password of a read-only service user.
The LDAP endpoint must be resolvable by the DNS server that is configured in the System Settings. You can change the DNS server that was specified during Provider VM deployment in the System Settings.
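As an added pre-flight check (example code, not part of DSM), the block below verifies the two things the prerequisites and the LDAPS requirement above depend on before you enter the endpoint in DSM: that the host name resolves, and that a TLS connection on the LDAPS port verifies against the CA you intend to import. It then reports whether the server certificate is self-signed (subject equals issuer) or CA-signed, in which case the issuing CA must be added to the Trusted Root Certificates. Port 636, the `cafile` argument and the constructed certificate dictionaries are assumptions; run it from a host that uses the same DNS server as the one configured in System Settings.

```python
"""Added example (not VMware DSM code): pre-flight check of an LDAPS endpoint
before entering it in the directory service configuration. It resolves the
host, opens a TLS connection with certificate verification, and reports
whether the certificate is self-signed or CA-signed."""
import socket
import ssl
from typing import Dict, List, Optional

LDAPS_PORT = 636  # assumption: the standard LDAPS port


def _rdn_map(name) -> Dict[str, str]:
    """Flatten the subject/issuer format of ssl.SSLSocket.getpeercert():
    a tuple of RDNs, each RDN a tuple of (attribute, value) pairs."""
    flat: Dict[str, str] = {}
    for rdn in name:
        for key, value in rdn:
            flat[key] = value
    return flat


def classify_certificate(cert: Dict) -> str:
    """'self-signed' when subject equals issuer, otherwise 'ca-signed'."""
    subject = _rdn_map(cert.get("subject", ()))
    issuer = _rdn_map(cert.get("issuer", ()))
    return "self-signed" if subject == issuer else "ca-signed"


def trust_advice(cert: Dict) -> str:
    """What the DSM operator has to do for this certificate."""
    if classify_certificate(cert) == "self-signed":
        return "self-signed: no issuing CA to import; verify the certificate fingerprint out of band"
    issuer_cn = _rdn_map(cert.get("issuer", ())).get("commonName", "<unknown>")
    return f"signed by '{issuer_cn}': add this issuing CA to the Trusted Root Certificates"


def resolve_host(host: str, port: int = LDAPS_PORT) -> List[str]:
    """Addresses the local resolver returns for the endpoint."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_ldaps(host: str, port: int = LDAPS_PORT,
                cafile: Optional[str] = None, timeout: float = 5.0) -> Dict:
    """Connect with full verification. cafile is the CA (or the self-signed
    certificate itself) you plan to import; without it, only certificates from
    CAs already trusted by this host will verify."""
    result: Dict = {"addresses": resolve_host(host, port)}
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # populated only after successful verification
    except ssl.SSLCertVerificationError as exc:
        result["verified"] = False
        result["advice"] = (f"chain not trusted ({exc.verify_message}); "
                            "import the issuing CA or the self-signed certificate")
        return result
    result["verified"] = True
    result["certificate"] = classify_certificate(cert)
    result["advice"] = trust_advice(cert)
    return result


# Constructed getpeercert()-shaped dictionaries for offline use; not real certificates.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "issuer": ((("commonName", "ldap.example.com"),),),
}
CA_SIGNED_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "issuer": ((("organizationName", "Example"),), (("commonName", "Example Root CA"),)),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_ldaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        print(trust_advice(SELF_SIGNED_CERT))
        print(trust_advice(CA_SIGNED_CERT))
```

Usage: `python probe.py ldap.example.com /path/to/issuing-ca.pem`. A `verified: False` result with a hostname-mismatch or unknown-issuer message before the CA is imported is exactly the failure DSM would hit, so fix the CA file or the host name in DNS first; the check deliberately never disables verification, because a probe that accepts any certificate tells you nothing about what DSM will accept.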
Procedure
What to do next
- Import users from a previously configured directory service and assign them the DSM Admin and DSM User roles.
See Create Directory Service Groups Using the vSphere Client or Create Directory Service Groups Using the DSM Console.
- Enable directory service authentication when creating or modifying a database.
See Configure the Database in VMware Data Services Manager or Edit Basic Information of the Database in VMware Data Services Manager.
- To connect to a database as an LDAP user, you must first create that LDAP user.