You can integrate your enterprise LDAP directory with VMware Identity Manager to sync users and groups from the LDAP directory to the VMware Identity Manager service.

Before you begin

  • If you use additional, external connector virtual appliances, note that the ability to integrate LDAP directories is only available with connector version 2016.6.1 and later.

  • Review the attributes in the Identity & Access Management > Setup > User Attributes page and add additional attributes that you want to sync. You map these VMware Identity Manager attributes to your LDAP directory attributes later when you create the directory. These attributes are synced for the users in the directory.

    Note:

    When you make changes to user attributes, consider the effect on other directories in the service. If you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required except for userName, which can be marked required. The settings in the User Attributes page apply to all directories in the service. If an attribute is marked required, users without that attribute are not synced to the VMware Identity Manager service.

  • A Bind DN user account. Using a Bind DN user account with a non-expiring password is recommended.

  • In your LDAP directory, the UUID of users and groups must be in plain text format.

  • In your LDAP directory, a domain attribute must exist for all users and groups.

    You map this attribute to the VMware Identity Manager domain attribute when you create the VMware Identity Manager directory.

  • User names must not contain spaces. If a user name contains a space, the user is synced but entitlements are not available to the user.

  • If you use certificate authentication, users must have values for userPrincipalName and email address attributes.
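A pre-sync check of the user prerequisites above (plain-text UUID, a domain attribute on every user, no spaces in the user name, and the userPrincipalName and email attributes that certificate authentication needs), as an added example that is not part of the VMware documentation. It runs over constructed entries; entryUUID, entryDN, cn, userPrincipalName and mail are assumed attribute names, and domain is a hypothetical custom attribute standing in for whatever your directory maps to the VMware Identity Manager domain attribute.

```python
import re

# Constructed example, not VMware's code. Attribute names assumed: entryUUID and
# entryDN (as on the page), cn for the user name, userPrincipalName and mail for
# certificate authentication, and "domain" as a hypothetical custom attribute.
# Each entry is a dict of single string values (bytes models a binary UUID).
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def check_user(entry, uuid_attr="entryUUID", domain_attr="domain", name_attr="cn",
               cert_auth=False):
    """Return the prerequisite violations for one user entry; [] means it is fine."""
    problems = []
    uuid = entry.get(uuid_attr)
    if uuid is None:
        problems.append(f"missing {uuid_attr}")
    elif isinstance(uuid, (bytes, bytearray)) or not UUID_RE.match(str(uuid)):
        # A binary/GUID-style value is not "plain text"; the sync needs the textual form.
        problems.append(f"{uuid_attr} is not a plain-text UUID")
    if not entry.get(domain_attr):
        problems.append(f"missing domain attribute {domain_attr}")
    name = entry.get(name_attr, "")
    if not name:
        problems.append(f"missing user name attribute {name_attr}")
    elif " " in name:
        problems.append("user name contains a space; user syncs but gets no entitlements")
    if cert_auth:
        for attr in ("userPrincipalName", "mail"):
            if not entry.get(attr):
                problems.append(f"certificate authentication needs {attr}")
    return problems

def check_directory(entries, **opts):
    """Map each entry's DN to its problems, keeping only entries that have one."""
    report = {}
    for entry in entries:
        problems = check_user(entry, **opts)
        if problems:
            report[entry["entryDN"]] = problems
    return report

# Constructed sample entries (not from a real directory).
SAMPLE = [
    {"entryDN": "cn=alice,cn=users,dc=example,dc=com", "cn": "alice",
     "entryUUID": "3f1a2b44-9c1e-4e6f-8a2b-1d2e3f4a5b6c", "domain": "example.com",
     "userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
    {"entryDN": "cn=bob smith,cn=users,dc=example,dc=com", "cn": "bob smith",
     "entryUUID": b"\x3f\x1a\x2b\x44\x9c\x1e\x4e\x6f", "domain": "example.com"},
    {"entryDN": "cn=svc-bind,cn=users,dc=example,dc=com", "cn": "svc-bind",
     "entryUUID": "7c0d1e2f-3a4b-4c5d-9e6f-7a8b9c0d1e2f"},
]
```

Run check_directory over an export of the users you intend to sync before you create the directory; every DN it reports would either fail to sync or sync without entitlements.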

About this task

To integrate your LDAP directory, you create a corresponding VMware Identity Manager directory and sync users and groups from your LDAP directory to the VMware Identity Manager directory. You can set up a regular sync schedule for subsequent updates.

You also select the LDAP attributes that you want to sync for users and map them to VMware Identity Manager attributes.

Your LDAP directory configuration may be based on default schemas or you may have created custom schemas. You may also have defined custom attributes. For VMware Identity Manager to be able to query your LDAP directory to obtain user or group objects, you need to provide the LDAP search filters and attribute names that are applicable to your LDAP directory.

Specifically, you need to provide the following information.

  • LDAP search filters for obtaining groups, users, and the bind user

  • LDAP attribute names for group membership, UUID, and distinguished name

Certain limitations apply to the LDAP directory integration feature. See Limitations of LDAP Directory Integration.
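To see what the Get groups, Get bind user and Get user filters select from a directory, here is an added example (not VMware's code) with a small RFC 4515 filter evaluator covering the equality, presence, &, | and ! forms the page's filters use, run against constructed entries.

```python
# Constructed sample entries (not from a real directory); attribute values are
# lists of strings, as an LDAP client library would return them.
ENTRIES = [
    {"dn": "cn=alice,cn=users,dc=example,dc=com", "objectClass": ["top", "person", "user"],
     "objectCategory": ["person"]},
    {"dn": "cn=svc-bind,cn=users,dc=example,dc=com", "objectClass": ["top", "person"],
     "objectCategory": ["person"]},
    {"dn": "cn=staff,cn=groups,dc=example,dc=com", "objectClass": ["top", "group"],
     "member": ["cn=alice,cn=users,dc=example,dc=com"]},
    {"dn": "cn=printer1,cn=devices,dc=example,dc=com", "objectClass": ["top", "user"],
     "objectCategory": ["computer"]},
]

def parse_filter(text):
    """Compile an RFC 4515 filter (equality, presence, &, |, !) into a predicate."""
    pos = 0

    def item():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            subs = []
            while text[pos:pos + 1] == "(":
                subs.append(item())
            if op == "!" and len(subs) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            node = {"&": lambda e: all(s(e) for s in subs),
                    "|": lambda e: any(s(e) for s in subs),
                    "!": lambda e: not subs[0](e)}[op]
        else:
            end = text.find(")", pos)
            attr, eq, value = text[pos:end].partition("=")
            if end < 0 or not eq or not attr or not value:
                raise ValueError(f"malformed filter item at offset {pos}")
            pos = end
            if value == "*":   # presence test, e.g. (mail=*)
                node = lambda e: attr in e
            else:              # equality; LDAP compares values case-insensitively
                node = lambda e: value.lower() in (v.lower() for v in e.get(attr, []))
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    pred = item()
    if pos != len(text):
        raise ValueError("unexpected text after filter")
    return pred

def search(entries, filter_text):
    """Return the DNs a filter selects, i.e. what a Get groups or Get user query would sync."""
    pred = parse_filter(filter_text)
    return [e["dn"] for e in entries if pred(e)]
```

Note that the example Get bind user filter (objectClass=person) also matches ordinary users, and the Get user filter excludes the computer object that a bare (objectClass=user) would sync.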

Procedure

  1. In the administration console, click the Identity & Access Management tab.
  2. In the Directories page, click Add Directory and select Add LDAP Directory.
  3. Enter the required information in the Add LDAP Directory page.

    Option

    Description

    Directory Name

    A name for the VMware Identity Manager directory.

    Directory Sync and Authentication

    1. In the Sync Connector field, select the connector you want to use to sync users and groups from your LDAP directory to the VMware Identity Manager directory.

      A connector component is always available with the VMware Identity Manager service by default. This connector appears in the drop-down list. If you install multiple VMware Identity Manager appliances for high availability, the connector component of each appears in the list.

      You do not need a separate connector for an LDAP directory. A connector can support multiple directories, regardless of whether they are Active Directory or LDAP directories.

      For the scenarios in which you need additional connectors, see "Installing Additional Connector Appliances" in the VMware Identity Manager Installation Guide.

    2. In the Authentication field, if you want to use this LDAP directory to authenticate users, select Yes.

      If you want to use a third-party identity provider to authenticate users, select No. After you add the directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

    3. In the Directory Search Attribute field, specify the LDAP directory attribute to be used for user name. If the attribute is not listed, select Custom and type the attribute name. For example, cn.

    Server Location

    Enter the LDAP Directory server host and port number. For the server host, you can specify either the fully-qualified domain name or the IP address. For example, myLDAPserver.example.com or 100.00.00.0.

    If you have a cluster of servers behind a load balancer, enter the load balancer information instead.

    LDAP Configuration

    Specify the LDAP search filters and attributes that VMware Identity Manager can use to query your LDAP directory. Default values are provided based on the core LDAP schema.

    LDAP Queries

    • Get groups: The search filter for obtaining group objects.

      For example: (objectClass=group)

    • Get bind user: The search filter for obtaining the bind user object, that is, the user that can bind to the directory.

      For example: (objectClass=person)

    • Get user: The search filter for obtaining users to sync.

      For example: (&(objectClass=user)(objectCategory=person))

    Attributes

    • Membership: The attribute that is used in your LDAP directory to define the members of a group.

      For example: member

    • Object UUID: The attribute that is used in your LDAP directory to define the UUID of a user or group.

      For example: entryUUID

    • Distinguished Name: The attribute that is used in your LDAP directory for the distinguished name of a user or group.

      For example: entryDN

    Certificates

    If your LDAP directory requires access over SSL, select the This Directory requires all connections to use SSL option, then copy and paste the LDAP directory server's root CA SSL certificate. Ensure that the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

    Bind User Details

    Base DN: Enter the DN from which to start searches. For example, cn=users,dc=example,dc=com

    Bind DN: Enter the user name to use to bind to the LDAP directory.

    Note:

    Using a Bind DN user account with a non-expiring password is recommended.

    Bind DN Password: Enter the password for the Bind DN user.

  4. To test the connection to the LDAP directory server, click Test Connection.

    If the connection is not successful, check the information you entered and make the appropriate changes.

  5. Click Save & Next.
  6. In the Domains page, verify that the correct domain is listed, then click Next.
  7. In the Map Attributes page, verify that the VMware Identity Manager attributes are mapped to the correct LDAP attributes.
    Important:

    You must specify a mapping for the domain attribute.

    You can add attributes to the list from the User Attributes page.

  8. Click Next.
  9. In the Groups page, click + to select the groups you want to sync from the LDAP directory to the VMware Identity Manager directory.

    If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the Groups page.

    The Sync nested group users option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the VMware Identity Manager directory, these users will appear as members of the top-level group that you selected for sync. In effect, the hierarchy under a selected group is flattened and users from all levels appear in VMware Identity Manager as members of the selected group.

    If this option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.

  10. Click Next.
  11. Click + to add additional users. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.

    To exclude certain types of users, create a filter: select the user attribute to filter by, the query rule, and the value.

    Click Next.

  12. Review the page to see how many users and groups will sync to the directory and to view the default sync schedule.

    To make changes to users and groups, or to the sync frequency, click the Edit links.

  13. Click Sync Directory to start the directory sync.
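The Sync nested group users behaviour from step 9, modelled as an added example (not the product's sync code): with the option enabled, the group tree under the selected group is flattened and nested groups themselves are not returned; with it disabled, only direct user members are returned. The directory is constructed inline, keyed by DN, and uses the member and objectClass attribute names from the page; it includes a membership cycle to show that the walk terminates.

```python
# Constructed sample directory keyed by DN (not from a real directory). Groups
# list their members in the "member" attribute, as in the page's example.
DIRECTORY = {
    "cn=all-staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,ou=users,dc=example,dc=com",
                   "cn=engineering,ou=groups,dc=example,dc=com"]},
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=bob,ou=users,dc=example,dc=com",
                   "cn=platform,ou=groups,dc=example,dc=com"]},
    "cn=platform,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        # Refers back to its parent group: the walk must not loop forever.
        "member": ["cn=carol,ou=users,dc=example,dc=com",
                   "cn=engineering,ou=groups,dc=example,dc=com"]},
    "cn=alice,ou=users,dc=example,dc=com": {"objectClass": ["person", "user"]},
    "cn=bob,ou=users,dc=example,dc=com": {"objectClass": ["person", "user"]},
    "cn=carol,ou=users,dc=example,dc=com": {"objectClass": ["person", "user"]},
}

def is_group(entry):
    return "group" in entry.get("objectClass", [])

def sync_group_members(directory, group_dn, sync_nested=True, membership_attr="member"):
    """Return the user DNs that sync as members of group_dn.

    sync_nested=True flattens the tree: users of nested groups are reported as
    members of group_dn and the nested groups themselves are not returned.
    sync_nested=False returns only the users that are direct members.
    """
    users, seen = set(), set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue  # already expanded; this is also what breaks membership cycles
        seen.add(dn)
        for member_dn in directory.get(dn, {}).get(membership_attr, []):
            member = directory.get(member_dn)
            if member is None:
                continue  # dangling member reference: nothing to sync
            if is_group(member):
                if sync_nested:
                    stack.append(member_dn)
            else:
                users.add(member_dn)
    return users
```

With the option disabled, the union over every group in the tree equals the flattened result for the top-level group, which is why step 9 tells you to select all the groups whose users you want when you disable it.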

Results

The connection to the LDAP directory is established and users and groups are synced from the LDAP directory to the VMware Identity Manager directory. The Bind DN user has an administrator role in VMware Identity Manager by default.