The following limitations currently apply to the LDAP directory integration feature.

  • You can only integrate a single-domain LDAP directory.

    To integrate multiple domains from an LDAP directory, you need to create additional VMware Identity Manager directories, one for each domain.

  • VMware Identity Manager supports only OpenLDAP implementations that support paged search queries. All VMware Identity Manager queries to the directory server are paged. If the directory service does not support paged queries, VMware Identity Manager cannot sync users.
  • The following authentication methods are not supported for VMware Identity Manager directories of type LDAP directory.
    • Kerberos authentication
    • RSA Adaptive Authentication
    • ADFS as a third-party identity provider
    • SecurID
    • RADIUS authentication with Vasco and SMS Passcode server
  • You cannot join an LDAP domain.
  • Integration with Horizon or Citrix-published resources is not supported for VMware Identity Manager directories of type LDAP directory.
  • User names must not contain spaces. If a user name contains a space, the user is synced but entitlements are not available to the user.
  • If you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes as required in the User Attributes page, except for userName, which can be marked required. The settings in the User Attributes page apply to all directories in the service. If an attribute is marked required, users without that attribute are not synced to the VMware Identity Manager service.
  • If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the VMware Identity Manager service. You can specify the names when you select the groups to sync.

  • The option to allow users to reset expired passwords is not available.
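Three of these limitations (paged search support, user names containing spaces, and duplicate group names) can be checked before the first sync. The script below is an added example, not VMware code or output: it assumes an LDIF export of the directory (ldapsearch -LLL style, without base64 values or folded lines), `uid` as the user name attribute, and the common group object classes; the sample data is constructed inline.

```python
import re
from collections import Counter

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # RFC 2696 Simple Paged Results control

def supports_paged_results(root_dse_ldif: str) -> bool:
    """True if the root DSE (ldapsearch -x -s base -b "" supportedControl) lists the paged-results control."""
    return PAGED_RESULTS_OID in re.findall(r"^supportedControl:\s*(\S+)", root_dse_ldif, re.M)

def parse_ldif(ldif: str) -> list:
    """Minimal LDIF reader: one dict of lower-cased attr -> [values] per entry (no base64, no folded lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def usernames_with_spaces(entries, username_attr="uid"):
    """User names that would sync but receive no entitlements because they contain a space."""
    return [n for e in entries for n in e.get(username_attr, []) if " " in n]

def duplicate_group_names(entries, group_classes=("groupofnames", "groupofuniquenames", "posixgroup")):
    """Group cn values that occur more than once; each needs a unique name when selected for sync."""
    names = [cn for e in entries
             if set(group_classes) & {c.lower() for c in e.get("objectclass", [])}
             for cn in e.get("cn", [])]
    return sorted(n for n, k in Counter(names).items() if k > 1)

# Constructed sample data (not real directory output) so the checks run stand-alone.
ROOT_DSE = "dn:\nsupportedControl: 1.2.840.113556.1.4.319\nsupportedControl: 2.16.840.1.113730.3.4.18\n"
EXPORT = """dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe

dn: uid=mary smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: mary smith

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins

dn: cn=admins,ou=legacy,dc=example,dc=com
objectClass: groupOfNames
cn: admins
"""
```

Run the three functions against your own exported root DSE and user/group LDIF before adding the directory; any non-empty result from the last two, or False from the first, is a sync problem described in the list above.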