You can integrate your enterprise LDAP directory with VMware Identity Manager to sync users and groups from the LDAP directory to the VMware Identity Manager service.
To integrate your LDAP directory, you create a corresponding VMware Identity Manager directory and sync users and groups from the LDAP directory to the VMware Identity Manager directory. You can set up a regular sync schedule for subsequent updates.
You also select the LDAP attributes that you want to sync for users and map them to VMware Identity Manager attributes.
Your LDAP directory configuration might be based on default schemas or custom schemas. It may also have custom attributes. For VMware Identity Manager to be able to query your LDAP directory to obtain user or group objects, you need to provide the LDAP search filters and attribute names that are applicable to your LDAP directory.
Specifically, you need to provide the following information.
LDAP search filters for obtaining groups, users, and the bind user
LDAP attribute names for group membership, UUID, and distinguished name
Certain limitations apply to the LDAP directory integration feature. See Limitations of LDAP Directory Integration.
Review the attributes in the VMware Identity Manager attributes to your LDAP directory attributes when you create the directory. These attributes are synced for the users in the directory.page and add additional attributes that you want to sync. You map theNote:
When you make changes to user attributes, consider the effect on other directories in the service. If you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required except for userName, which can be marked required. The settings in the User Attributes page apply to all directories in the service. If an attribute is marked required, users without that attribute are not synced to the VMware Identity Manager service.
A Bind DN user account. Using a Bind DN user account with a non-expiring password is recommended.
In your LDAP directory, the UUID of users and groups must be in plain text format.
In your LDAP directory, a domain attribute must exist for all users and groups.
You map this attribute to the VMware Identity Manager domain attribute when you create the VMware Identity Manager directory.
User names must not contain spaces. If a user name contains a space, the user is synced but entitlements are not available to the user.
If you use certificate authentication, users must have values for userPrincipalName and email address attributes.
- In the VMware Identity Manager console, click the Identity & Access Management tab.
- In the Directories page, click Add Directory and select Add LDAP Directory.
- Enter the required information in the Add LDAP Directory page.
A name for the VMware Identity Manager directory.
Directory Sync and Authentication
In the Sync Connector text box, select the connector you want to use to sync users and groups from your LDAP directory to the VMware Identity Manager directory.
In an on premises deployment, a connector component is always available with the VMware Identity Manager service by default. This connector appears in the drop-down list. If you install multiple VMware Identity Manager instances for high availability, the connector component of each appears in the list. Additional, external connectors are also listed.
You do not need to use a separate connector for an LDAP directory. A connector can support multiple directories, regardless of whether they are Active Directory or LDAP directories. For the scenarios in which you need additional connectors, see Installing and Configuring VMware Identity Manager.
In the Authentication text box, if you want to use this LDAP directory to authenticate users, select Yes.
If you want to use a third-party identity provider to authenticate users, select No. After you add the directory connection to sync users and groups, go to the to add the third-party identity provider for authentication.
In the Directory Search Attribute text box, specify the LDAP directory attribute to be used for user name. If the attribute is not listed, select Custom and type the attribute name. For example, cn.
Enter the LDAP Directory server host and port number. For the server host, you can specify either the fully-qualified domain name or the IP address. For example, myLDAPserver.example.com or 100.00.00.0.
If you have a cluster of servers behind a load balancer, enter the load balancer information instead.
Specify the LDAP search filters and attributes that VMware Identity Manager can use to query your LDAP directory. Default values are provided based on the core LDAP schema.
Get groups: The search filter for obtaining group objects.
For example: (objectClass=group)
Get bind user: The search filter for obtaining the bind user object, that is, the user that can bind to the directory.
For example: (objectClass=person)
Get user: The search filter for obtaining users to sync.
Membership: The attribute that is used in your LDAP directory to define the members of a group.
For example: member
Object UUID: The attribute that is used in your LDAP directory to define the UUID of a user or group.
For example: entryUUID
Distinguished Name: The attribute that is used in your LDAP directory for the distinguished name of a user or group.
For example: entryDN
If your LDAP directory requires access over SSL, select the This Directory requires all connections to use SSL and copy and paste the LDAP directory server's root CA SSL certificate. Ensure the certificate is in PEM format and include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.
Bind User Details
Base DN: Enter the DN from which to start searches. For example, cn=users,dc=example,dc=com
Bind DN: Enter the user name to use to bind to the LDAP directory.Note:
Using a Bind DN user account with a non-expiring password is recommended.
Bind DN Password: Enter the password for the Bind DN user.
- To test the connection to the LDAP directory server, click Test Connection.
If the connection is not successful, check the information you entered and make the appropriate changes.
- Click Save & Next.
- In the Domains page, verify that the correct domain is listed, then click Next.
- In the Map Attributes page, verify that the VMware Identity Manager attributes are mapped to the correct LDAP attributes.
These attributes will be synced for users.Important:
You must specify a mapping for the domain attribute.
You can add attributes to the list from the User Attributes page.
- Click Next.
- In the groups page, click + to select the groups you want to sync from the LDAP directory to the VMware Identity Manager directory.
When groups are added, group names are synced to the directory. Users that are members of the group are not synced to the directory until the group is entitled to an application or the group name is added to an access policy rule.
If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the groups page.
The Sync nested group users option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced. Note that the nested groups are not synced; only the users that belong to the nested groups are synced when the group is entitled. In the VMware Identity Manager directory, these users will appear as members of the top-level group that you selected for sync. In effect, the hierarchy under a selected group is flattened and users from all levels appear in VMware Identity Manager as members of the selected group.
If this option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.
- Click Next.
- Click + to add users. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
Because members in groups do not sync to the directory until the group is entitled to applications or added to an access policy rule, add all users who need to authenticate before group entitlements are configured.
To exclude users, create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.
- Review the page to see how many users and group names will sync to the directory and to view the default sync schedule.
To make changes to users and groups, or to the sync frequency, click the Edit links.
- Click Sync Directory to start the directory sync.
The connection to the LDAP directory is established and users and group names are synced from the LDAP directory to the VMware Identity Manager directory. The Bind DN user has an administrator role in VMware Identity Manager by default.