In Workspace ONE Access, you can convert a directory of type Other, which stores users and groups synced from Workspace ONE UEM, to a directory of type Active Directory over LDAP or Active Directory over Integrated Windows Authentication, both of which are served by the Workspace ONE Access connector. After the conversion, the Directory Sync service of the Workspace ONE Access connector, rather than the AirWatch Cloud Connector (ACC), syncs users and groups from your enterprise directory to the Workspace ONE Access service.

Prerequisites

  • Install the Directory Sync service and the User Auth service, which are components of the Workspace ONE Access connector beginning with version 20.01.0.0. See the latest version of Installing VMware Workspace ONE Access Connector for information.
  • The following Active Directory information is required:
    • If you are converting to Active Directory over LDAP, the Base DN and the Bind user DN and password are required.

      The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

      • Read
      • Read All Properties
      • Read Permissions

      Using a Bind user account with a non-expiring password is recommended, so that directory sync does not stop when the password expires. The account needs only the read permissions listed above; do not use an account with privileges beyond those this page calls for.

    • If you are converting to Active Directory over Integrated Windows Authentication, the user name and password of a Bind user who has permission to query users and groups in all required domains are required.

      The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

      • Read
      • Read All Properties
      • Read Permissions

      Using a Bind user account with a non-expiring password is recommended, so that directory sync does not stop when the password expires. The account needs only the read permissions listed above; do not use an account with privileges beyond those this page calls for.

    • If your Active Directory requires access over SSL/TLS, the Intermediate (if used) and Root CA certificates of the domain controllers for all relevant Active Directory domains are required. If the domain controllers have certificates from multiple Intermediate and Root Certificate Authorities, all the Intermediate and Root CA certificates are required.
    • For Active Directory over Integrated Windows Authentication, when you have a multi-forest Active Directory and a Domain Local group contains members from domains in other forests, add the Bind user to the Administrators group of the domain in which the Domain Local group resides. Otherwise, those cross-forest members are missing from the synced Domain Local group. Because this grants the Bind user administrative rights in that domain, use a dedicated account for the connector and grant the membership only where such groups exist.
    • For Active Directory over Integrated Windows Authentication:
      • Forward lookup (host name to IP address) and reverse lookup (IP address to host name) must succeed for every domain controller listed in the domain's SRV records, including hidden read-only domain controllers (RODCs).
      • All domain controllers must be reachable over the network from the connector host.
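
The DNS and reachability prerequisites for Integrated Windows Authentication are easy to get partially wrong (a forward record without a matching PTR, or one domain controller behind a firewall). The following script is an added example, not VMware's code or part of the connector; it assumes that the domain's domain controllers are published in the SRV record _ldap._tcp.dc._msdcs.<domain>, that hidden RODCs absent from that record are passed in by name, and that LDAP (389) and LDAPS (636) are the ports the connector needs. The lookup and connect functions are parameters so the logic can be exercised without a domain; the constructed nslookup output and host maps in the usage below are sample data.

```python
"""Pre-conversion DNS and connectivity check for Active Directory domain
controllers (Integrated Windows Authentication prerequisites).

Added example, not VMware's code. Assumptions: DCs are published in the SRV
record _ldap._tcp.dc._msdcs.<domain>; hidden RODCs not in that record are
passed as extra hosts; LDAP (389) and LDAPS (636) must be reachable from
the connector host. Lookup and connect functions are injectable so the
checks can be run offline against constructed data.
"""
import socket
import subprocess
from dataclasses import dataclass, field

LDAP_PORTS = (389, 636)
SRV_PREFIX = "_ldap._tcp.dc._msdcs."


@dataclass
class DcResult:
    host: str
    addresses: list = field(default_factory=list)
    reverse_ok: bool = True
    open_ports: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def parse_nslookup_srv(text):
    """Extract SRV target host names from `nslookup -type=SRV` output.

    Handles the Windows form ('svr hostname   = dc1.example.com') and the
    BIND-utils form ('... service = 0 100 389 dc1.example.com.').
    """
    hosts = []
    for line in text.splitlines():
        if "svr hostname" in line:
            hosts.append(line.split("=", 1)[1].strip().rstrip("."))
        elif "service =" in line:
            hosts.append(line.split()[-1].rstrip("."))
    return hosts


def srv_targets_nslookup(domain):
    """Default SRV lookup: shell out to nslookup (available on Windows and most Linux hosts)."""
    proc = subprocess.run(["nslookup", "-type=SRV", SRV_PREFIX + domain],
                          capture_output=True, text=True, check=False)
    return parse_nslookup_srv(proc.stdout)


def forward_lookup(host):
    """Host name -> list of IPv4 addresses; raises OSError (socket.gaierror) on failure."""
    return socket.gethostbyname_ex(host)[2]


def reverse_lookup(ip):
    """IP address -> host name from its PTR record; raises OSError (socket.herror) on failure."""
    return socket.gethostbyaddr(ip)[0]


def port_open(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain(domain, extra_hosts=(), srv=srv_targets_nslookup,
                 forward=forward_lookup, reverse=reverse_lookup, connect=port_open):
    """Check every DC from the SRV record plus any extra (hidden RODC) hosts.

    For each host: forward lookup must succeed, every returned address must
    reverse-resolve to the same host name, and both LDAP ports must accept a
    TCP connection. Every failure is recorded in DcResult.problems.
    """
    hosts = list(dict.fromkeys(list(srv(domain)) + list(extra_hosts)))  # de-duplicate, keep order
    results = []
    for host in hosts:
        r = DcResult(host=host)
        try:
            r.addresses = list(forward(host))
        except OSError as exc:
            r.problems.append(f"forward lookup of {host} failed: {exc}")
            results.append(r)
            continue
        for ip in r.addresses:
            try:
                name = reverse(ip)
                if name.lower().rstrip(".") != host.lower().rstrip("."):
                    r.reverse_ok = False
                    r.problems.append(f"reverse lookup of {ip} returned {name}, expected {host}")
            except OSError as exc:
                r.reverse_ok = False
                r.problems.append(f"reverse lookup of {ip} failed: {exc}")
            for port in LDAP_PORTS:
                if connect(ip, port):
                    r.open_ports.append((ip, port))
                else:
                    r.problems.append(f"{ip}:{port} not reachable")
        results.append(r)
    return results


def all_ok(results):
    """True only if at least one DC was found and none reported a problem."""
    return bool(results) and all(not r.problems for r in results)


if __name__ == "__main__":
    # Usage: python dc_check.py <domain> [hidden-rodc-fqdn ...]
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for r in check_domain(domain, extra_hosts=sys.argv[2:]):
        status = "OK  " if not r.problems else "FAIL"
        print(f"{status} {r.host} {r.addresses} open={r.open_ports}")
        for p in r.problems:
            print("     ", p)
```

Run it on the connector host itself, not from an administrator workstation, because that is where the Directory Sync and User Auth services open the connections. A DC that passes forward lookup but fails reverse lookup, or that is missing from the SRV record entirely (a hidden RODC), is exactly the case the prerequisite above is warning about, and the script reports it per host rather than stopping at the first failure.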

Procedure

  1. In the Workspace ONE Access console, select Integrations > Directories.
  2. Click the directory that you want to convert.
  3. In the directory page, click Convert.
  4. Change the name of the directory if required, then select the type of directory to convert the Other directory to: Active Directory over LDAP or Active Directory over Integrated Windows Authentication.
  5. Enter the Active Directory connection information and continue with the wizard to set up the directory.
    The process is the same as creating a new directory. See Configuring Active Directory Connection to the Workspace ONE Access Service for detailed information.

    Follow these guidelines while setting up the directory.

    • In the Directory Sync and Authentication section, for Directory Sync Hosts, select the Directory Sync service that you installed.

      All connector instances that have the Directory Sync service installed are listed. You can select multiple instances. Workspace ONE Access uses the first selected instance in the list to sync the directory. If the first instance is unavailable, it uses the next selected instance, and so on. You can reorder the list from the directory's Sync Settings page after creating the directory.

    • For Authentication, select Set up password authentication for this directory. Then, for User Authentication Hosts, select the User Auth service instances to use for authentication.
    • Ensure that you set up the converted directory identically to the Workspace ONE UEM directory so that it has the same directory structure. Select the same domains. When you specify users and groups to sync, make the same selections as the Workspace ONE UEM directory so that the same users and groups are synced to the converted directory.
    • Ensure that you set the External ID to the same attribute that it is set to in Workspace ONE UEM.
  6. On the last page of the wizard, click Save & Sync.
    The directory is converted and set up to use the Directory Sync service to sync users and groups. If you set the Authentication option to Set up password authentication for this directory, an identity provider named IDP for directoryname and a Password (cloud deployment) authentication method are automatically created for the directory.
  7. (Optional) To set up other authentication methods for the directory, navigate to the Integrations > Connector Authentication Methods page and create authentication methods for the directory.
  8. Edit the default_access_policy_set and any custom policies to replace the Password (AirWatch Connector) authentication method with Password (cloud deployment).
    1. Select Resources > Policies.
    2. Click Edit Default Policy, then click Configuration in the Edit Policy wizard.
    3. Edit each policy rule and replace the Password (AirWatch Connector) authentication method with Password (cloud deployment).
    4. From the Policies page, edit custom policies, if any, to replace the Password (AirWatch Connector) authentication method with Password (cloud deployment).
    5. (Optional) Modify policies to use additional authentication methods, as needed.
    Important: If you do not replace Password (AirWatch Connector) with Password (cloud deployment) or another User Auth service authentication method, users of the converted directory cannot log in.

What to do next

Stop directory sync from Workspace ONE UEM to the converted directory.