You can create this directory type when you plan to connect to a single Active Directory domain environment. For the Active Directory over an LDAP directory type, the connector binds to the Active Directory using a simple bind authentication.
- List the Active Directory groups and users to sync from Active Directory.
- Verify that you have specified the required default attributes and add additional attributes on the User Attributes definition.
- Verify that you have the required user credentials to add a directory.
- Click Identity and Tenant Management on the My Services dashboard.
- Navigate to Directory Management tab, click Directories.
- Click Add Directory, and select Add Active Directory Over LDAP.
- On the Directory Detail tab:
Fields Description Directory Information Enter a valid Directory Name. Directory Sync and Authentication Select the connector to sync with Active Directory. Connector is a VMware Identity Manager service component that synchronizes users and group data between Active Directory and VMware Identity Manager service.
When used as an identity provider, it also authenticates users. Each VMware Identity Manager appliance node contains a default connector component. When required a dedicated connector can also be deployed through a global environment scale-out.
Authentication Enabled If you want the connector to perform authentication, select Yes.
You can indicate whether the selected connector also performs authentication. If you are using a third-party identity provider to authenticate users, click No.
Directory Search Attribute Select an account attribute from the drop-down menu that contains a user name. Server Location Select Directory supports DNS Service Location check box.
- If your Active Directory requires access over SSL/TLS, select the Directory requires all connections to use STARTTLS or SSL check box in the Certificates section, and copy and paste the domain controllers intermediate (if used) and Root CA certificates into the SSL Certificate text box. Enter the intermediate CA certificate first, then the Root CA certificate. Ensure that each certificate is in the PEM format and includes the BEGIN CERTIFICATE and END CERTIFICATE lines. If the domain controllers have certificates from multiple Intermediate and Root Certificate Authorities, enter all the Intermediate-Root CA certificate chains, one after another. If your Active Directory requires access over SSL/TLS and you do not provide the certificates, you cannot create the directory.
- If you do not want to use DNS Service Location, verify that the Directory supports DNS Service Location check box is not selected and enter the Active Directory server host name and port number.
If your Active Directory requires access over SSL/TLS, select the Directory requires all connections to use SSL check box in the Certificates section and copy and paste the domain controller's Intermediate (if used) and Root CA certificate into the SSL Certificate text box. Enter the Intermediate CA certificate first, then the Root CA certificate. Ensure that the certificate is in the PEM format and includes the BEGIN CERTIFICATE and END CERTIFICATE lines. If your Active Directory requires access over SSL/TLS and you do not provide the certificate, you cannot create the directory.
Bind User Details
- Base DN - Enter the DN to start account searches. For example, OU=myUnit,DC=myCorp, DC=com. The Base DN is used for authentication. Only users under the Base DN can authenticate. Ensure that the group DNs and user DNs that you specify later for sync are under this Base DN.
- Bind User DN - Enter the account details. For example, CN=binduser,OU=myUnit,DC=myCorp, DC=com. Use a Bind user account with a non-expiring password.
- Bind Password: Click Test Connection to verify that the directory can connect to your Active Directory.
- Click Create and Next.
For Active Directory over LDAP, the domains are listed with a check mark.
- On the Domain Selection Detail tab, select the domain and click Next.
- To map the directory attribute to the Active Directory, on the Map Attribute tab, select the required attribute and click Save and Next.
- On the Group Selection tab, to sync from Active Directory to the VMware Identity Manager directory specify the Group DN details and click Next.
You can also select all the active directory groups that are already available in the list to sync to the directory.
- To select groups, click Add Group Distinguished Name, and specify one or more group DNs. Select the groups under them. Specify group DNs that are under the Base DN that you entered in the “Base DN” text box in the Add Directory page. If a group DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
- Click Find Groups. The Actions column lists the number of groups found in the DN. To select all the groups in the DN, click Select All, or click the number and select the specific groups to sync. When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
- Select the Sync Nested Group Members option.
- On the User Selection tab, enter the User DN details and click Next.
Suite administrators is a user name in the Active Directory who acts as an Admin user for the deployed suite products, Logs, and AD table.
- Select the Sync Nested Group Members option and enter the Suite Administrators.
When this option is enabled, all the users that belong directly to the group you select and all the users that belong to the nested groups under it are synced when the group is entitled. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the VMware Identity Manager directory, these users will be members of the parent group that you selected for sync. If the “Sync nested group members” option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large Active Directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.
- Click Save and Next. In User Selection page, click Add User and specify the users DNs to sync. Specify user DNs that are under the Base DN that you entered in the Base DN text box in the Add Directory page. If a user DN is outside the Base DN, users from that DN will be synced but will not be able to log in. Click Save and Next.
- Review the Dry Run Check tab, read the summary, click Sync and Complete to start the sync to the directory. The connection to Active Directory will be established, and users and group names are synced from the Active Directory to the VMware Identity Manager directory.
- Click Submit.
- To edit, click the Edit icon on the specific active directory in the list of active directories. Any information added is appended to the configuration on VMware Identity Manager. However, any removal through editing only removes the configuration from the vRealize Suite Lifecycle Manager inventory and not from the VMware Identity Manager.
- To delete, click the Delete icon on the specific active directory in the list of active directories. The delete action deletes the active directory only from the vRealize Suite Lifecycle Manager inventory and not from VMware Identity Manager.