You can integrate your enterprise LDAP directory with VMware Workspace ONE Access to sync users and groups from the LDAP directory to the VMware Workspace ONE Access service.

To integrate your LDAP directory, you create a corresponding VMware Workspace ONE Access directory and sync users and groups from the LDAP directory to the VMware Workspace ONE Access directory. You can set up a regular sync schedule for subsequent updates.

You also select the LDAP attributes that you want to sync for users and map them to VMware Workspace ONE Access attributes.

Your LDAP directory configuration might be based on default schemas or custom schemas. It might also have custom attributes. For VMware Workspace ONE Access to be able to query your LDAP directory to obtain user or group objects, you need to provide the LDAP search filters and attribute names that are applicable to your LDAP directory.

Specifically, you need to provide the following information.

  • LDAP search filters for obtaining groups, users, and the bind user
  • LDAP attribute names for group membership, External ID, and distinguished name or equivalent attribute

Certain limitations apply to the LDAP directory integration feature. See #GUID-6CD48490-9250-4E25-ABDD-D0CF392C0CB2.

Prerequisites

  • Review the attributes in the Identity & Access Management > Setup > User Attributes page and add additional attributes that you want to sync. You map the VMware Workspace ONE Access attributes to your LDAP directory attributes when you create the directory. These attributes are synced for the users in the directory.
    Note: When you make changes to user attributes, consider the effect on other directories in the Workspace ONE Access service. If you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required except for userName, which can be marked required. The settings in the User Attributes page apply to all directories in the service. If an attribute is marked required, users without that attribute are not synced to the VMware Workspace ONE Access service.
  • A Bind DN user account. Using a Bind DN user account with a non-expiring password is recommended.
  • In your LDAP directory, the UUID of users and groups must be in plain text format.
  • In your LDAP directory, a domain attribute must exist for all users and groups.

    You map this attribute to the VMware Workspace ONE Access domain attribute when you create the VMware Workspace ONE Access directory.

  • User names must not contain spaces. If a user name contains a space, the user is synced but entitlements are not available to the user.
  • If you use certificate authentication, users must have values for userPrincipalName and email address attributes.

Procedure

  1. In the Workspace ONE Access console, go to the Identity & Access Management > Manage > Directories page.
  2. Click Add Directory and select Add LDAP Directory.
  3. Enter the required information in the Add Directory page. The options are described below.

    Directory Name
    Enter a name for the VMware Workspace ONE Access directory.

    Directory Sync and Authentication
    1. For Directory Sync Hosts, select one or more Directory Sync service instances to use to sync this directory. All Directory Sync service instances that are registered with the tenant are listed. You can only select instances that are in Active state.

      If you select multiple instances, Workspace ONE Access uses the first selected instance in the list to sync the directory. If the first instance is unavailable, it uses the next selected instance, and so on. You can reorder the list from the directory's Sync Settings page after creating the directory.

    2. For Authentication, select Yes if you want to authenticate users of this directory with the User Auth service. The User Auth service must already be installed. If you select Yes, the Password (cloud deployment) authentication method and an identity provider named IDP for directoryName of type Embedded are automatically created for the directory.

      Select No if you do not want to authenticate users of this directory with the User Auth service. If you decide to use the User Auth service later, you can create the Password (cloud deployment) authentication method and identity provider for the directory manually. When you do so, create a new identity provider for the directory by selecting Add Identity Provider > Create Built-in IDP in the Identity & Access Management > Identity Providers page. Using the pre-created identity provider named Built-in is not recommended.

    3. The User Auth Services option appears when Authentication is set to Yes. Select one or more User Auth service instances to use to authenticate users of this directory. All User Auth service instances that are registered with the tenant and that are in Active state are listed.

      If you select multiple instances, Workspace ONE Access sends authentication requests to the selected instances in round-robin order.

    4. In the User Name text box, select the LDAP directory attribute to use for user name. If the attribute is not listed, select Custom and type the custom attribute name to use for users and for groups. For example, cn.
    Server Location
    Enter the LDAP Directory server host and port number. For the server host, you can specify either the fully qualified domain name or the IP address. For example, myLDAPserver.example.com or 100.00.00.0.

    If you have a cluster of servers behind a load balancer, enter the load balancer information instead.

    LDAP Configuration
    Specify the LDAP search filters and attributes that VMware Workspace ONE Access can use to query your LDAP directory. Default values are provided based on the core LDAP schema.

    Filter Queries

    • Groups: The search filter for obtaining group objects.

      For example: (objectClass=groupOfNames)

    • Bind User: The search filter for obtaining the bind user object, that is, the user that can bind to the directory.

      For example: (objectClass=person)

    • Users: The search filter for obtaining users to sync.

      For example: (&(objectClass=user)(objectCategory=person))

    Attributes

    • Membership: The attribute that is used in your LDAP directory to define the members of a group.

      For example: member

    • External ID: The attribute that you want to use as the unique identifier for users and groups in the Workspace ONE Access directory. The default value is entryUUID.
      Important: All users must have a unique and non-empty value defined for the attribute. The value must be unique across the Workspace ONE Access tenant. If any users do not have a value for the attribute, the directory will not be synced.

      Keep the following considerations in mind while setting the External ID:

      • If you are integrating Workspace ONE Access with Workspace ONE UEM, make sure that you set the External ID to the same attribute in both products.
      • You can change the External ID after creating the directory. However, the best practice is to set the External ID before syncing users to Workspace ONE Access. When you change the External ID, users are recreated. As a result, all users will be logged out and will have to log in again. You will also have to reconfigure user entitlements for Web apps and ThinApps. Entitlements for Horizon, Horizon Cloud, and Citrix will be deleted and then recreated at the next entitlements sync.
      • The External ID option is available with Workspace ONE Access connector 20.10 and 19.03.0.1. All connectors associated with the Workspace ONE Access service must be version 20.10 or they must all be version 19.03.0.1. If different versions of the connector are associated with the service, the External ID option does not display.
    • Distinguished Name: (Optional) The attribute that is used in your LDAP directory for the distinguished name of a user or group.

      For example: dn

      By default, the distinguished name attribute is used to uniquely identify user and group objects. If your LDAP schema does not have the distinguished name attribute, select the Enable advanced LDAP configuration option and enter the values to use to identify groups and users.

    • Enable advanced LDAP configuration: Select the check box to view advanced LDAP configuration options. Use the advanced configuration if your LDAP schema does not have the distinguished name attribute or if it uses posixGroups.
      • Group Filter: The value to use to query and identify groups. This value is required if your LDAP schema does not have the distinguished name attribute.

        For example: cn

      • User Filter: The value to use to query and identify users. This value is required if your LDAP schema does not have the distinguished name attribute.

        For example: uid

      • User Membership Mapping Filter: (Optional) This option is typically required for LDAP directories that use posixGroups. The User Membership Mapping Filter is used to query and identify users returned by the Membership attribute.

        For example: uidNumber

    Certificates
    If your LDAP directory requires access over SSL, select the This Directory requires all connections to use SSL check box and copy and paste the LDAP directory server's root CA SSL certificate into the text box. Ensure that the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

    Bind User Details
    Base DN: Enter the DN from which to start searches. For example, cn=users,dc=example,dc=com
    Bind User DN: Enter the user name to use to bind to the LDAP directory.
    Note: Using a Bind DN user account with a non-expiring password is recommended.

    Bind User Password: Enter the password for the Bind DN user.

  4. Click Save & Next.
  5. In the Domains page, verify that the correct domain is listed, then click Next.
  6. In the Map Attributes page, verify that the VMware Workspace ONE Access attributes are mapped to the correct LDAP directory attributes and make changes if necessary.

    These attributes will be synced for users.

    Important: You must specify a mapping for the domain attribute.

    You can add attributes and manage the list of required attributes from the Setup > User Attributes page.

  7. Click Next.
  8. Select the groups you want to sync from your LDAP directory to the Workspace ONE Access directory.
    Keep the following considerations in mind while adding groups.
    • As a best practice, add and sync a small number of groups when you create a directory. After the initial setup, you can add more groups.
    • When groups are added and synced, group names are synced to the directory. Users that are members of the group are not synced to the directory until the group is entitled to an application or the group name is added to an access policy rule.
      Note: You can override this restriction by enabling the Sync Group Members to the Directory When Adding Group option in the Identity & Access Management > Setup > Preferences page.
    • If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the groups page.
    To select groups, you specify one or more group DNs and select the groups under them.
    1. In the Specify the group DNs row, click + and specify the group DN. For example, CN=users,DC=example,DC=company,DC=com.
      Tip: Entering a high-level DN such as the Base DN to search under is not recommended, as search will take a long time. Try to enter a more specific DN to search under.
      Important: Specify group DNs that are under the Base DN that you entered in the Base DN text box in the Add Directory page. If a group DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
    2. If you want to select all the groups under the group DN, click Select All.
      If groups are added or deleted to the group DN in Active Directory after the directory is created, the changes are reflected in subsequent syncs.
    3. If you want to select specific groups under the group DN instead of selecting all of them, click Select, make your selections, and click Save.
      When you click Select, all the groups found in the DN are listed. You can narrow the results or search for specific groups by entering a search term in the search box.
    4. Select or deselect the Sync nested group members option, as needed.
      The Sync nested group members option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced when the group is entitled. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the Workspace ONE Access directory, these users will be members of the parent group that you selected for sync.

      If the Sync nested group members option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.

  9. Click Next.
  10. Select the users to sync.
    Keep the following considerations in mind while adding users:
    • Because members in groups do not sync to the directory until the group is entitled to applications or added to an access policy rule, add all users who need to authenticate before group entitlements are configured.
    • The Bind user that you specified in the Bind Details section is not synced to the Workspace ONE Access service by default. If you want to sync the Bind user, enter the user DN on this tab.
    1. In the Specify the user DNs row, click + and enter the user DNs. For example:

      CN=username,CN=Users,OU=Sales,DC=example,DC=com

      Important: Specify user DNs that are under the Base DN that you entered in the Base DN text box in the Add Directory page. If a user DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
    2. Specify filters to include or exclude users from the DNs, if needed.
  11. In the Sync Frequency page, set up a sync schedule to sync users and groups at regular intervals or select Manually in the Sync Frequency drop-down list if you do not want to set a schedule.
    The time is set in UTC.
    Tip: Schedule the sync intervals to be longer than the time to sync. If users and groups are being synced to the directory when the next sync is scheduled, the new sync starts immediately after the end of the previous sync. With this schedule, the sync process is continuous.
    If you select Manually, you must click the Sync button on the directory page whenever you want to sync the directory.
  12. Click Save to create the directory or Sync Directory to create the directory and start syncing it.
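The Filter Queries entered in step 3 (Groups, Bind User, Users) decide which objects the sync sees. The following is an added illustration, not Workspace ONE Access or VMware code: a small evaluator for the RFC 4515 filter subset those examples use (&, |, !, equality and presence), run over constructed sample entries so that you can check what a filter would return before entering it. Attribute names in the sample entries are assumed to be lower-cased and multi-valued.

```python
# Evaluator for the LDAP search filters this topic configures. Added illustration,
# not Workspace ONE Access code; it implements the RFC 4515 subset &, |, !,
# equality and presence over constructed sample entries (no server is contacted).

def parse_filter(text):
    """Parse '(&(objectClass=user)(objectCategory=person))' into a tuple tree."""
    def node(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1]
        if op in "&|!":                      # list operators: (&(..)(..)), (!(..))
            children, i = [], i + 2
            while text[i] != ")":
                child, i = node(i)
                children.append(child)
            return (op, children), i + 1
        end = text.index(")", i)             # simple item: (attr=value) or (attr=*)
        attr, value = text[i + 1:end].split("=", 1)
        return ("=", attr.strip().lower(), value.strip()), end + 1
    tree, i = node(0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(tree, entry):
    """entry maps lower-cased attribute names to lists of values (multi-valued)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def search(filter_text, entries):
    """DNs of the entries the filter selects, in directory order."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]

SAMPLE_ENTRIES = [  # constructed, not from a real directory; attribute names lower-cased
    {"dn": ["cn=staff,ou=groups,dc=example,dc=com"], "objectclass": ["groupOfNames"],
     "member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
    {"dn": ["uid=jdoe,ou=people,dc=example,dc=com"], "objectclass": ["user", "person"],
     "objectcategory": ["person"], "uid": ["jdoe"]},
    {"dn": ["uid=svc,ou=service,dc=example,dc=com"], "objectclass": ["person"]},
]
```

Note that the Bind User filter (objectClass=person) also matches ordinary users here; the Bind User DN entered under Bind User Details is what selects the actual account.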
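Several rules in this topic fail silently or late: user or group DNs outside the Base DN sync but cannot log in (steps 8 and 10), an empty or duplicate External ID value stops the whole sync (step 3), user names with spaces sync without entitlements (Prerequisites), and the root CA must be PEM with its BEGIN and END lines (step 3). The following offline preflight check is an added example, not Workspace ONE Access or VMware code; it assumes entryUUID as the External ID and uid as the user-name attribute and runs over constructed sample entries.

```python
# Offline preflight for an LDAP directory definition: an added illustration, not
# Workspace ONE Access code. It contacts no server and uses constructed data to
# check rules stated in this topic (Base DN scope, External ID, names, PEM cert).
from collections import Counter

def dn_under_base(dn, base_dn):
    """True when dn equals or lies below base_dn (case-insensitive RDN suffix match)."""
    rdns = lambda s: [p.strip().lower() for p in s.split(",") if p.strip()]  # no escaped-comma handling
    parts, base = rdns(dn), rdns(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base

def check_external_ids(users, attr="entryUUID"):
    """External ID problems that would stop the directory from syncing."""
    problems, seen = [], Counter()
    for user in users:
        value = (user.get(attr) or "").strip()
        if value:
            seen[value] += 1
        else:
            problems.append(f"{user['dn']}: empty or missing {attr}")
    return problems + [f"{attr} {v!r} used {n} times" for v, n in seen.items() if n > 1]

def check_user_names(users, attr="uid"):
    # Users with a space in the user name sync, but entitlements are unavailable.
    return [u["dn"] for u in users if " " in (u.get(attr) or "")]

def check_pem(cert):
    """True when the pasted root CA text carries the PEM BEGIN and END lines."""
    lines = cert.strip().splitlines()
    return (len(lines) >= 3 and lines[0] == "-----BEGIN CERTIFICATE-----"
            and lines[-1] == "-----END CERTIFICATE-----")

def preflight(base_dn, users, sync_dns, cert):
    # Findings keyed by rule; an empty dict means every check passed.
    findings = {}
    if outside := [d for d in sync_dns if not dn_under_base(d, base_dn)]:
        findings["dn_outside_base"] = outside  # would sync but could not log in
    if problems := check_external_ids(users):
        findings["external_id"] = problems
    if spaced := check_user_names(users):
        findings["user_name_with_space"] = spaced
    if not check_pem(cert):
        findings["certificate"] = "root CA must be PEM with BEGIN/END lines"
    return findings

BASE_DN = "cn=users,dc=example,dc=com"
SAMPLE_USERS = [  # constructed sample entries, not from any real directory
    {"dn": "uid=jdoe,cn=users,dc=example,dc=com", "uid": "jdoe", "entryUUID": "1a2b"},
    {"dn": "uid=a smith,cn=users,dc=example,dc=com", "uid": "a smith", "entryUUID": "1a2b"},
    {"dn": "uid=svc,ou=service,dc=example,dc=com", "uid": "svc", "entryUUID": ""},
]
```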

Results

The connection to the LDAP directory is established. If you clicked Sync Directory, users and group names are synced from the LDAP directory to the Workspace ONE Access directory.

For more information about how groups are synced, see "Managing Users and Groups" in VMware Workspace ONE Access Administration.

What to do next

  • If you set the Authentication option to Yes, an identity provider named IDP for directoryname and a Password (cloud deployment) authentication method are automatically created for the directory. You can view these on the Identity & Access Management > Manage > Identity Providers and Enterprise Authentication Methods pages. You can also create more authentication methods for the directory from the Enterprise Authentication Methods tab. For more information about creating authentication methods, see the <Auth> guide.
  • Review the default access policy on the Identity & Access Management > Manage > Policies page.
  • Review the default sync safeguards settings and make changes if required. See Setting up Directory Sync Safeguards for information.