After the VMware Identity Manager instance is deployed, you use the Setup wizard to set passwords and select a database. Then you set up the connection to your Active Directory or LDAP directory.

Make sure that you run the Setup wizard using the fully qualified host name. Do not enter the IP address as the name.

Prerequisites

  • The VMware Identity Manager machine is powered on.
  • The external database is configured and the external database connection information is available. Before you run the Setup wizard, verify that the database configuration is correct. See Create the VMware Identity Manager Service Database for information.
  • Before setting up the directory, review Directory Integration with VMware Identity Manager for requirements and limitations.
  • You have your Active Directory or LDAP directory information.
  • When multi-forest Active Directory is configured and the Domain Local group contains members from domains in different forests, the Bind DN user used on the VMware Identity Manager Directory page must be added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.
  • You have a list of the user attributes you want to use as filters, and a list of the groups and users you want to add to VMware Identity Manager.

    Group names are synced to the directory immediately. Members of a group do not sync until the group is entitled to resources or added to a policy rule. Users who need to authenticate before group entitlements are configured should be added directly during the initial configuration.

Procedure

  1. Go to the VMware Identity Manager URL that was displayed when you finished the installation. Enter the fully qualified domain name (FQDN). For example, https://hostname.example.com.
  2. Accept the certificate, if prompted.
    You can update the certificate after the initial setup.
  3. In the Get Started page, click Continue.
  4. In the Set Passwords page, set passwords for the following administrator accounts, which are used to manage the appliance, then click Continue.
    Appliance Administrator: Set the password for the admin user. This user name cannot be changed. The admin user account is used to manage the appliance settings.
    Important: The admin user password must be at least 6 characters in length.
    Appliance Root: Set the root user password. The root user has full rights to the appliance.
    Remote User: Set the sshuser password, which is used to log in remotely to the appliance with an SSH connection.
  5. In the Select Database page, select the database to use.
    • If you are using an external database, select External Database and enter the external database connection information, user name, and password. To verify that VMware Identity Manager can connect to the database, click Test Connection.

      After you verify the connection, click Continue.

    • If you are using the internal database, click Continue.
      Note: The internal database is not recommended for use with production deployments.
    The connection to the database is configured and the database is initialized. When the process is complete, the Setup is complete page appears.
  6. Click the Log in to the administration console link on the Setup is complete page to log in to the VMware Identity Manager console to set up the Active Directory or LDAP directory connection.
  7. Log in to the VMware Identity Manager console as the admin user, using the password you set.
    You are logged in as a local admin and the Directories page appears. Before you add a directory, ensure that you review Directory Integration with VMware Identity Manager for requirements and limitations.
  8. Click the Identity & Access Management tab.
  9. Click Setup > User Attributes to select the user attributes to sync to the directory.
    Default attributes are listed and you can select the ones that are required. If an attribute is marked required, only users with that attribute are synced to the service. You can also add other attributes.
    Important: After a directory is created, you cannot change an attribute to be a required attribute. You must make that selection now.

    Also, be aware that the settings in the User Attributes page apply to all directories in the service. When you mark an attribute required, consider the effect on other directories. If an attribute is marked required, users without that attribute are not synced to the service.

  10. Click Save.
  11. Click the Identity & Access Management tab.
  12. In the Directories page, click Add Directory and select Add Active Directory over LDAP/IWA or Add LDAP Directory, based on the type of directory you are integrating.
    You can also create a local directory in the service. For more information about using local directories, see #GUID-FF1F0D8B-F68E-41CE-B2F7-733F32B82665.
  13. For Active Directory, follow these steps.
    1. Enter a name for the directory you are creating in VMware Identity Manager and select the type of directory, either Active Directory over LDAP or Active Directory (Integrated Windows Authentication).
    2. Provide the connection information.
      Option: Active Directory over LDAP
      1. In the Sync Connector field, select the connector you want to use to sync users and groups from Active Directory to the VMware Identity Manager directory.

        A connector component is always available with the VMware Identity Manager service by default. This connector appears in the drop-down list. If you install multiple VMware Identity Manager appliances for high availability, the connector component of each appears in the list.

      2. In the Authentication field, select Yes if you want to use this Active Directory to authenticate users.

        If you want to use a third-party identity provider to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

      3. In the Directory Search Attribute field, select the account attribute that contains the username.
      4. If the Active Directory uses DNS Service Location lookup, make the following selections.
        • In the Server Location section, select the This Directory supports DNS Service Location checkbox.
        • If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use SSL check box in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field.

          Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

          Note: If the Active Directory requires STARTTLS and you do not provide the certificate, you cannot create the directory.
      5. If the Active Directory does not use DNS Service Location lookup, make the following selections.
        • In the Server Location section, verify that the This Directory supports DNS Service Location checkbox is not selected and enter the Active Directory server host name and port number.

          To configure the directory as a global catalog, see the Multi-Domain, Single Forest Active Directory Environment section in "Active Directory Environments" in Directory Integration with VMware Identity Manager.

        • If the Active Directory requires access over SSL, select the This Directory requires all connections to use SSL check box in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field.

          Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

          Note: If the Active Directory requires SSL and you do not provide the certificate, you cannot create the directory.
      6. In the Allow Change Password section, select Enable Change Password if you want to allow users to reset their passwords from the VMware Identity Manager login page if the password expires or if the Active Directory administrator resets the user's password.
      7. In the Base DN field, enter the DN from which to start account searches. For example, OU=myUnit,DC=myCorp,DC=com.
      8. In the Bind DN field, enter the account that can search for users. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com.
        Note: Using a Bind DN user account with a non-expiring password is recommended.
      9. After you enter the Bind password, click Test Connection to verify that the directory can connect to your Active Directory.
      Option: Active Directory (Integrated Windows Authentication)
      1. In the Sync Connector field, select the connector you want to use to sync users and groups from Active Directory to the VMware Identity Manager directory.

        A connector component is always available with the VMware Identity Manager service by default. This connector appears in the drop-down list. If you install multiple VMware Identity Manager appliances for high availability, the connector component of each appears in the list.

      2. In the Authentication field, if you want to use this Active Directory to authenticate users, click Yes.

        If you want to use a third-party identity provider to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

      3. In the Directory Search Attribute field, select the account attribute that contains the username.
      4. If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use STARTTLS checkbox in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field.

        Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

        If the directory has multiple domains, add the Root CA certificates for all domains, one at a time.

        Note: If the Active Directory requires STARTTLS and you do not provide the certificate, you cannot create the directory.
      5. Enter the name of the Active Directory domain to join. Enter a user name and password that has the rights to join the domain. See "Permissions Required for Joining a Domain" in Directory Integration with VMware Identity Manager for more information.
      6. In the Allow Change Password section, select Enable Change Password if you want to allow users to reset their passwords from the VMware Identity Manager login page if the password expires or if the Active Directory administrator resets the user's password.
      7. In the Bind User Details section, enter the user name and password of the bind user who has permission to query users and groups for the required domains. For the user name, enter the sAMAccountName, for example, jdoe. If the bind user's domain is different from the Join Domain entered above, enter the user name as sAMAccountName@domain, where domain is the fully qualified domain name. For example, jdoe@example.com.
        Note: Using a Bind user account with a non-expiring password is recommended.
    3. Click Save & Next.
      The page with the list of domains appears.
  14. For LDAP directories, follow these steps.
    1. Provide the connection information.
      Directory Name: A name for the directory you are creating in VMware Identity Manager.
      Directory Sync and Authentication:
      1. In the Sync Connector field, select the connector you want to use to sync users and groups from your LDAP directory to the VMware Identity Manager directory.

        A connector component is always available with the VMware Identity Manager service by default. This connector appears in the drop-down list. If you install multiple VMware Identity Manager appliances for high availability, the connector component of each appears in the list.

        You do not need a separate connector for an LDAP directory. A connector can support multiple directories, regardless of whether they are Active Directory or LDAP directories.

      2. In the Authentication field, select Yes if you want to use this LDAP directory to authenticate users.

        If you want to use a third-party identity provider to authenticate users, select No. After you add the directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

      3. In the Directory Search Attribute field, specify the LDAP directory attribute to be used for user name. If the attribute is not listed, select Custom and type the attribute name. For example, cn.
      Server Location: Enter the LDAP Directory server host and port number. For the server host, you can specify either the fully qualified domain name or the IP address. For example, myLDAPserver.example.com or 100.00.00.0.

      If you have a cluster of servers behind a load balancer, enter the load balancer information instead.

      LDAP Configuration: Specify the LDAP search filters and attributes that VMware Identity Manager can use to query your LDAP directory. Default values are provided based on the core LDAP schema.

      LDAP Queries

      • Get groups: The search filter for obtaining group objects.

        For example: (objectClass=group)

      • Get bind user: The search filter for obtaining the bind user object, that is, the user that can bind to the directory.

        For example: (objectClass=person)

      • Get user: The search filter for obtaining users to sync.

        For example: (&(objectClass=user)(objectCategory=person))

      Attributes

      • Membership: The attribute that is used in your LDAP directory to define the members of a group.

        For example: member

      • Object UUID: The attribute that is used in your LDAP directory to define the UUID of a user or group.

        For example: entryUUID

      • Distinguished Name: The attribute that is used in your LDAP directory for the distinguished name of a user or group.

        For example: entryDN

      Certificates: If your LDAP directory requires access over SSL, select the This Directory requires all connections to use SSL check box and copy and paste the LDAP directory server's root CA SSL certificate. Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.
      Bind User Details:
      Base DN: Enter the DN from which to start searches. For example, cn=users,dc=example,dc=com.
      Bind DN: Enter the user name to use to bind to the LDAP directory.
      Note: Using a Bind DN user account with a non-expiring password is recommended.

      Bind DN Password: Enter the password for the Bind DN user.

    2. To test the connection to the LDAP directory server, click Test Connection.
      If the connection is not successful, check the information you entered and make the appropriate changes.
    3. Click Save & Next.
      The page listing the domain appears.
  15. For an LDAP directory, the domain is listed and cannot be modified.
    For Active Directory over LDAP, the domains are listed and cannot be modified.

    For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.

    Note: If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.

    Click Next.

  16. Verify that the VMware Identity Manager attribute names are mapped to the correct Active Directory or LDAP attributes and make changes, if necessary.
    Important: If you are integrating an LDAP directory, you must specify a mapping for the domain attribute.
  17. Click Next.
  18. Select the groups you want to sync from your Active Directory or LDAP directory to the VMware Identity Manager directory.
    Specify the group DNs: To select groups, you specify one or more group DNs and select the groups under them.
    1. Click + and specify the group DN. For example, CN=users,DC=example,DC=company,DC=com.
      Important: Specify group DNs that are under the Base DN that you entered. If a group DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
    2. Click Find Groups.

      The Groups to Sync column lists the number of groups found in the DN.

    3. To select all the groups in the DN, click Select All, otherwise click Select and select the specific groups to sync.
      Note: If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in VMware Identity Manager. You can change the name while selecting the group.
    Note: When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
    Sync nested group members:

    The Sync nested group members option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the VMware Identity Manager directory, these users will be members of the parent group that you selected for sync.

    If the Sync nested group members option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large Active Directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.

  19. Click Next.
  20. Specify additional users to sync, if required.
    Because members of groups do not sync to the directory until the group is entitled to applications or added to an access policy rule, add all users who need to authenticate before group entitlements are configured.
    1. Click + and enter the user DNs. For example, CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
      Important: Specify user DNs that are under the Base DN that you entered. If a user DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
    2. (Optional) To exclude users, create a filter to exclude some types of users.
      You select the user attribute to filter by, the query rule, and the value.
  21. Click Next.
  22. Review the page to see how many users and groups will sync to the directory and to view the sync schedule.

    To make changes to users and groups, or to the sync frequency, click the Edit links.

  23. Click Sync Directory to start the directory sync.
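The LDAP Configuration values in step 14, the "group DN must be under the Base DN" rule in steps 18 and 20, and the PEM certificate requirement from the Certificates fields can all be checked offline before you click Test Connection. The following pre-flight script is an added example, not VMware's own code; the function names and the sample form are assumptions, and the DNs in it are constructed.

```python
import re

def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, leaf first, lower-cased so the
    comparison is case-insensitive. Handles escaped commas, not multi-valued RDNs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def dn_is_under(dn, base_dn):
    """True if dn equals base_dn or lies beneath it on an RDN boundary. A plain
    string-suffix test would accept DC=notexample,DC=com under DC=example,DC=com."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def filter_is_balanced(ldap_filter):
    """Cheap syntax check for a search filter: one outer pair of parentheses
    enclosing the whole filter, every '(' closed. Attribute names are not checked."""
    f = ldap_filter.strip()
    if not (f.startswith("(") and f.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(f):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0 or (depth == 0 and i < len(f) - 1):
            return False
    return depth == 0

def pem_has_certificate(text):
    """True if the pasted text has the BEGIN/END CERTIFICATE lines around a body."""
    lines = [l.strip() for l in text.strip().splitlines()]
    return (len(lines) > 2 and lines[0] == "-----BEGIN CERTIFICATE-----"
            and lines[-1] == "-----END CERTIFICATE-----")

def check_directory_config(cfg):
    """Return the problems found in a directory form; an empty list means OK."""
    problems = []
    for name, ldap_filter in cfg["ldap_queries"].items():
        if not filter_is_balanced(ldap_filter):
            problems.append(f"{name}: malformed filter {ldap_filter!r}")
    for dn in cfg["group_dns"] + cfg["user_dns"]:
        if not dn_is_under(dn, cfg["base_dn"]):
            problems.append(f"{dn}: outside Base DN, users sync but cannot log in")
    if cfg["require_ssl"] and not pem_has_certificate(cfg.get("root_ca_pem", "")):
        problems.append("SSL required but no PEM Root CA certificate was pasted")
    return problems

# Constructed sample form: the page's filters, one group DN outside the Base DN,
# SSL required but no certificate pasted yet.
SAMPLE_CONFIG = {
    "base_dn": "DC=example,DC=com",
    "group_dns": ["CN=users,DC=example,DC=com", "CN=admins,DC=notexample,DC=com"],
    "user_dns": ["CN=jdoe,CN=Users,dc=Example,dc=COM"],
    "ldap_queries": {"get_groups": "(objectClass=group)", "get_bind_user": "(objectClass=person)",
                     "get_user": "(&(objectClass=user)(objectCategory=person))"},
    "require_ssl": True,
    "root_ca_pem": "",
}
```

Running `check_directory_config(SAMPLE_CONFIG)` reports the out-of-scope group DN and the missing certificate, the two mistakes the wizard would otherwise only surface after the sync.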

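The Sync nested group members behaviour described in step 18, together with the note that users whose primary group is not Domain Users are skipped, can be modelled to predict which users a group selection will sync. This is an added illustration, not the product's sync logic; the group tree, user DNs and the membership cycle in it are constructed.

```python
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"
ENGINEERING = "CN=Engineering,OU=Groups,DC=example,DC=com"
BACKEND = "CN=Backend,OU=Groups,DC=example,DC=com"
SALES = "CN=Sales,OU=Groups,DC=example,DC=com"
ALICE, BOB = "CN=alice,CN=Users,DC=example,DC=com", "CN=bob,CN=Users,DC=example,DC=com"
CAROL, DAVE = "CN=carol,CN=Users,DC=example,DC=com", "CN=dave,CN=Users,DC=example,DC=com"

# Constructed group tree: each group maps to its direct members, which may be
# users or other groups. Backend points back to Engineering, a cycle that
# Active Directory permits and a naive traversal would loop on.
GROUP_MEMBERS = {
    ENGINEERING: [ALICE, BACKEND],
    BACKEND: [BOB, ENGINEERING],
    SALES: [CAROL, DAVE],
}

# Constructed primary-group attribute per user. Dave's primary group is not
# Domain Users, so per the page he is not synced as a member of Sales.
PRIMARY_GROUP = {ALICE: DOMAIN_USERS, BOB: DOMAIN_USERS, CAROL: DOMAIN_USERS, DAVE: SALES}

def is_group(dn):
    return dn in GROUP_MEMBERS

def members_to_sync(group_dn, sync_nested=True):
    """Users that become members of group_dn in the VMware Identity Manager
    directory. With sync_nested, users of nested groups are flattened into the
    selected parent; the nested groups themselves are never returned. The
    'seen' set stops membership cycles from looping forever."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in GROUP_MEMBERS.get(dn, []):
            if is_group(member):
                if sync_nested:
                    stack.append(member)
            elif PRIMARY_GROUP.get(member) == DOMAIN_USERS:
                users.add(member)
    return sorted(users)

def sync_plan(selected_groups, sync_nested=True):
    """Map each selected group to the users it will sync. With the option
    disabled, users reachable only through nested groups are lost unless their
    group is selected explicitly, which is why the page says to select them all."""
    return {g: members_to_sync(g, sync_nested) for g in selected_groups}
```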
Results

Note: If a networking error occurs and the host name cannot be uniquely resolved using reverse DNS, the configuration process stops. You must fix the networking problems and restart the virtual appliance. Then, you can continue the deployment process. The new network settings are not available until after you restart the virtual appliance.

What to do next

For information about setting up a load balancer or a high-availability configuration, see Advanced Configuration for the VMware Identity Manager Appliance.