To authenticate DSM and database users, VMware Data Services Manager can connect to a directory service: a centralized directory that stores user credentials and other information related to user identities. VMware Data Services Manager supports directories that use the Lightweight Directory Access Protocol (LDAP). You can configure the connection to an existing directory service through the vSphere Client or the DSM console.

Keep in mind the following considerations:
  • To receive email notifications, directory service users must have a valid email address attribute (mail or rfc822mailbox in the LDAP server). Other DSM functions, such as logging in to the DSM appliance or accessing databases, do not require an email address.
  • VMware Data Services Manager requires Lightweight Directory Access Protocol over TLS (LDAPS).
  • The server's certificate must be self-signed or signed by a Certificate Authority (CA). If the certificate is signed by a CA, you must add the issuing CA to the Trusted Root Certificates.
  • The login user name in both the DSM appliance and the databases depends on the User Search Attribute configuration of the directory service. Common attributes are:
    • userPrincipalName

      The default attribute in Active Directory. Typically, the login name is user@domain.com.

    • sAMAccountName or uid

      Typically, the login name is user. In OpenLDAP you might need to set uid as the User Search Attribute.

  • If you change the directory service configuration, VMware Data Services Manager restarts all database clusters that use this directory service. During the restart, the data pods associated with the database cluster instance are automatically restarted. This applies only to MySQL databases.
  • Changing the LDAP server or groups of an existing configuration can result in loss of access to VMware Data Services Manager for any user who is not registered with the new LDAP server or group. Any databases provisioned by such users can become orphaned and are no longer managed by VMware Data Services Manager.
  • When creating or updating a database cluster, users can choose to enable or disable the directory service.

Complete the following steps to create the directory service connection.

Prerequisites

Before you configure a connection to the directory service, ensure that you can identify the LDAP server host address, domain, and the user name and password of a read-only service user.

The LDAP endpoint must be resolvable by the DNS server that is configured in the System Settings. You can change the DNS server specified during Provider VM deployment using the System Settings.

Procedure

  1. Open the Configure Directory Service dialog box.
    From the vSphere Client:
      1. In the vSphere Client, navigate to vCenter Server and click the Configure tab.
      2. Click Directory Service Settings under Data Services Manager to view, configure, or update the directory service.

    Figure: Configure Directory Services from the vSphere Client.

    From the DSM console:
      1. In the DSM console, click Settings from the left navigation pane.
      2. Click the Directory Service Settings tab to view, configure, or update the directory service.

    Figure: Configure Directory Service from the DSM console.

  2. Click Configure Directory Service or Edit and enter or update the following properties.
    Type (required): Select the LDAP type: Active Directory or Open LDAP.
    Primary Server URL (required): URL of the primary server in protocol://host:port format.
      • host: IP address of the directory server.
      • port: The port number on which the LDAP server is listening. For LDAP, the default port number is 389. For LDAPS, the default port number is 636. If you use an Active Directory LDAP server, use port 3269 instead of 636.
    Secondary Server URL (optional): Comma-separated list of secondary server URLs in the protocol://host:port format.
    Username (required): The name of the user to be used when connecting to the directory server.
    Password (required): The password of the user specified by Username.
    Domain (required): The FQDN of the domain.
    Base DN (optional): The base distinguished name that identifies the location in the LDAP directory from which user searches start. By default, the search starts from the root DN.
    Search User Attribute (optional): The LDAP attribute to map to the VMware Data Services Manager Email Id. The default value is userPrincipalName.
  3. To apply the LDAP settings, click CONFIGURE or UPDATE.
    VMware Data Services Manager validates the settings that you provide, and returns an error if validation fails.
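As an added preflight example (not part of the VMware documentation), the following Python script checks a candidate directory-service configuration against the rules stated above before you enter it in DSM: the LDAPS requirement, port 3269 for Active Directory, the login name implied by the User Search Attribute, and which directory entries lack the email attribute needed for notifications. The host names, configuration values and directory entries are constructed samples.

```python
from urllib.parse import urlsplit

LDAPS_DEFAULT_PORT = 636   # LDAPS default given for Primary Server URL
AD_LDAPS_PORT = 3269       # port the procedure requires for Active Directory instead of 636

def check_server_url(url: str, ldap_type: str) -> list:
    """Return findings for one server URL in protocol://host:port format."""
    url, findings = url.strip(), []
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        findings.append(f"{url}: DSM requires LDAPS, got scheme '{parts.scheme or 'none'}'")
    if not parts.hostname:
        findings.append(f"{url}: host is missing")
    if parts.port is None:  # urlsplit raises ValueError if the port is not numeric
        findings.append(f"{url}: port is missing (LDAPS default is {LDAPS_DEFAULT_PORT})")
    elif ldap_type == "Active Directory" and parts.port == LDAPS_DEFAULT_PORT:
        findings.append(f"{url}: use port {AD_LDAPS_PORT} for Active Directory, not {LDAPS_DEFAULT_PORT}")
    return findings


def validate_config(cfg: dict) -> list:
    """Check primary and comma-separated secondary URLs, then the search attribute choice."""
    urls = [cfg["primary_server_url"]] + cfg.get("secondary_server_urls", "").split(",")
    findings = [f for u in urls if u.strip() for f in check_server_url(u, cfg["type"])]
    if cfg["type"] == "Open LDAP" and cfg.get("user_search_attribute") == "userPrincipalName":
        findings.append("Open LDAP: you might need 'uid' as the User Search Attribute")
    return findings


def expected_login_name(attribute: str, user: str, domain: str) -> str:
    """Login name DSM and the databases expect for the configured User Search Attribute."""
    if attribute == "userPrincipalName":
        return f"{user}@{domain}"
    if attribute in ("sAMAccountName", "uid"):
        return user
    raise ValueError(f"unsupported User Search Attribute: {attribute}")


def users_without_email(entries: list) -> list:
    """DNs of entries lacking mail/rfc822mailbox; DSM cannot send them email notifications."""
    return [e["dn"] for e in entries if not (e.get("mail") or e.get("rfc822mailbox"))]

# Constructed sample values (hypothetical hosts and users, not from the documentation).
SAMPLE_CONFIG = {"type": "Active Directory", "domain": "example.com",
                 "primary_server_url": "ldaps://dc1.example.com:636",
                 "secondary_server_urls": "ldap://dc2.example.com:389, ldaps://dc3.example.com:3269",
                 "user_search_attribute": "userPrincipalName"}
SAMPLE_ENTRIES = [{"dn": "CN=alice,DC=example,DC=com", "mail": "alice@example.com"},
                  {"dn": "CN=svc-dsm,DC=example,DC=com"}]  # service account without an email
```

Running `validate_config(SAMPLE_CONFIG)` reports the primary URL on port 636 for Active Directory and the plain ldap:// secondary URL, which are exactly the two settings DSM would reject or leave insecure.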

What to do next

After you configure the directory service, perform the following steps.
  1. Import users from a previously configured directory service and assign them the DSM Admin and DSM User roles.

    See Create Directory Service Groups Using the vSphere Client or Create Directory Service Groups Using the DSM Console.

  2. Enable directory service authentication when creating or modifying a database.

    See Configure the Database in VMware Data Services Manager or Edit Basic Information of the Database in VMware Data Services Manager.

  3. To connect to a database as an LDAP user, you must create the LDAP user.