You can create this directory type when you plan to connect to a multi-domain Active Directory environment. The connector binds to Active Directory using Integrated Windows Authentication.

Prerequisites

Verify that you have the required user credentials to add a directory.

Procedure

  1. Click Identity and Tenant Management on the My Services dashboard.
  2. Navigate to Directory Management tab, click Directories.
  3. Click +Add Directory and click Add Active Directory Over IWA.
  4. On the Directory Detail tab:
    Fields Description
    Directory Information Enter a valid Directory Name.
    Directory Sync and Authentication Select the connector to sync with Active Directory. Connector is a VMware Identity Manager service component that synchronizes users and group data between Active Directory andVMware Identity Manager service. It authenticates users. Each VMware Identity Manager appliance node contains a default connector component. If necessary, a dedicated connector can also be deployed through a global environment scale-out.
    Authentication Enabled

    You can indicate whether the selected connector also performs authentication. If you are using a third-party identity provider to authenticate users, click No.
    Directory Search Attribute Select a search attribute from the drop-down menu.
    Certificates
    • If your Active Directory requires access over SSL/TLS, select the Directory requires all connections to use STARTTLS check box in the Certificates section, and copy and paste the domain controllers Intermediate (if used) and Root CA certificates into the SSL Certificate text box. Enter the Intermediate CA certificate first, then the Root CA certificate. Ensure that each certificate is in the PEM format and includes the BEGIN CERTIFICATE and END CERTIFICATE lines. If the domain controllers have certificates from multiple Intermediate and Root Certificate Authorities, enter all the Intermediate-Root CA certificate chains, one after the other. If your Active Directory requires access over SSL/TLS and you do not provide the certificates, you cannot create the directory.
    Join Domain Details Enter the Domain Name, Domain Admin user name, and Domain Password.
    Bind User Details
    • Enter the Bind Username and Bind Password of the bind user who has permission to query users and groups for the required domains. Enter the user name as sAMAccountName@domain, where domain is the fully qualified domain name. Using a Bind user account with a non-expiring password.
  5. Click Create and Next.
    You can select the domains that should be associated with the Active Directory connection.
  6. On the Domain Selection Detail tab, select the domain and click Submit and Next.
    The Active Directory with IWA populates the list of domains and you can select or edit the domains as required.
  7. To verify that the VMware Identity Manager directory attribute names are mapped to the correct Active Directory attributes, on the Map Attribute tab, select the required attribute and click Submit and Next.
  8. On the Group Selection tab, specify the Group DN details and click Next.

    To select groups, click Add Group Distinguished Name, and specify one or more group DNs and select the groups under them. Specify group DNs that are under the Base DN that you entered in the Base DN text box in the Add Directory section. If a group DN is outside the Base DN, users from that DN will be synced but you cannot log in.

    When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.

    1. Select the Sync Nested Group Members option.
  9. On the User Selection tab, enter the User DN details and click Next.
    Note: When this option is enabled, all the users that belong directly to the group you select and all the users that belong to nested groups under it are synced when the group is entitled. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the VMware Identity Manager directory, these users are members of the parent group that you selected for sync. If the Sync nested group members option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large Active Directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.
    Suite administrators is a user name in the Active Directory who acts as an Admin user for the deployed suite products, Logs, and AD table.
  10. On the Dry Run Check tab, read the Summary.
  11. Click Sync and Complete to start the sync to the directory. The connection to Active Directory will be established and users and group names are synced from the Active Directory to the VMware Identity Manager directory.
  12. Click Submit.
  13. To edit, click the Edit icon on the specific active directory in the list of active directories. Any information added, gets appended to the configuration on VMware Identity Manager. However, if remove through editing you can only remove the configuration from the vRealize Suite Lifecycle Manager inventory and not from the VMware Identity Manager.
  14. To delete, click the Delete icon on the specific active directory in the list of active directories. You can delete the active directory only from vRealize Suite Lifecycle Manager inventory and not from VMware Identity Manager.