The Active Directory over LDAP identity source is preferred over the Active Directory (Integrated Windows Authentication) option. The OpenLDAP Server identity source is available for environments that use OpenLDAP.

If you are configuring an OpenLDAP identity source, see the VMware knowledge base article at http://kb.vmware.com/kb/2064977 for additional requirements.

Note: A future update to Microsoft Windows will change the default behavior of Active Directory to require strong authentication and encryption. This change will impact how vCenter Server authenticates to Active Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS. For more information about this Microsoft security update, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.
Table 1. Active Directory over LDAP and OpenLDAP Server Settings

Option: Name
Description: Name of the identity source.

Option: Base DN for users
Description: Base Distinguished Name for users. Enter the DN from which to start user searches. For example, cn=Users,dc=myCorp,dc=com.

Option: Base DN for groups
Description: Base Distinguished Name for groups. Enter the DN from which to start group searches. For example, cn=Groups,dc=myCorp,dc=com.

Option: Domain name
Description: The FQDN of the domain.

Option: Domain alias
Description: For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentication.
For OpenLDAP identity sources, the domain name in capital letters is added if you do not specify an alias.

Option: User name
Description: ID of a user in the domain who has at least read-only access to the Base DN for users and the Base DN for groups. The ID can be in any of these formats:
  • UPN (user@domain.com)
  • NetBIOS (DOMAIN\user)
  • DN (cn=user,cn=Users,dc=domain,dc=com)
The user name must be fully qualified. An entry of "user" does not work.

Option: Password
Description: Password of the user specified by User name.

Option: Connect to
Description: Domain controller to connect to. Can be any domain controller in the domain, or specific controllers.

Option: Primary Server URL
Description: Primary domain controller LDAP server for the domain. You can use either the host name or the IP address.
Use the format ldap://hostname_or_IPaddress:port or ldaps://hostname_or_IPaddress:port. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS.
A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or the secondary LDAP URL.

Option: Secondary server URL
Description: Address of a secondary domain controller LDAP server that is used when the primary domain controller is unavailable. You can use either the host name or the IP address. For every LDAP operation, vCenter Server always tries the primary domain controller before falling back to the secondary domain controller. This can cause Active Directory logins to take some time, and even to fail, when the primary domain controller is unavailable.
Note: When the primary domain controller fails, the secondary domain controller might not take over automatically.

Option: Certificates (for LDAPS)
Description: If you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity source, click Browse to select a certificate that was exported from the domain controller specified in the LDAPS URL. (Note that the certificate used here is not a root CA certificate.) To export the certificate from Active Directory, consult the Microsoft documentation.
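The settings above have a few consistency rules that are easy to get wrong when an identity source is defined by hand or by automation: the bind user must be a UPN, a NetBIOS name or a DN (a bare "user" fails), each server URL needs a scheme and a port that agree (389/3268 for ldap://, 636/3269 for ldaps://), a plaintext ldap:// URL is what the ADV190023 hardening in the note above will break, and any ldaps:// URL requires the domain controller's certificate. The following is an added example, not VMware's code or any vCenter Server API, that lints a proposed identity-source definition offline against those rules from the table; the dictionary keys, finding codes, regular expressions and the sample host names are this example's own assumptions.

```python
"""Added example (not VMware's code): offline sanity checks for an
'Active Directory over LDAP' / 'OpenLDAP Server' identity source definition,
modelled on the settings table above. The dict keys, finding codes and regexes
are this example's own assumptions, not a vCenter Server API."""
import re
from urllib.parse import urlsplit

# Ports named in the table: 389/636 for a single domain controller,
# 3268/3269 for the Global Catalog in multi-domain deployments.
LDAP_PORTS = {389, 3268}
LDAPS_PORTS = {636, 3269}

# Accepted bind-user formats from the table: UPN, NetBIOS, or a full DN.
UPN_RE = re.compile(r"^[^@\\/\s]+@[^@\\/\s]+\.[^@\\/\s]+$")
NETBIOS_RE = re.compile(r"^[^@\\/\s]+\\[^@\\/\s]+$")
DN_RE = re.compile(r"^(cn|uid)=[^,]+(,(cn|ou|dc)=[^,]+)+$", re.IGNORECASE)


def username_format(user):
    """Return 'upn', 'netbios' or 'dn', or None for an unqualified value
    such as plain 'user', which the table says does not work."""
    if UPN_RE.match(user):
        return "upn"
    if NETBIOS_RE.match(user):
        return "netbios"
    if DN_RE.match(user):
        return "dn"
    return None


def check_server_url(url, label):
    """Return (code, message) findings for one primary/secondary server URL."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return [("BAD_SCHEME", f"{label}: expected ldap:// or ldaps://, got {url!r}")]
    if not parts.hostname:
        findings.append(("NO_HOST", f"{label}: no host name or IP address in {url!r}"))
    try:
        port = parts.port  # None when absent, ValueError when not an integer
    except ValueError:
        port = None
    if port is None:
        findings.append(("BAD_PORT", f"{label}: URL must end in :port (389/636 or 3268/3269)"))
    elif parts.scheme == "ldap" and port in LDAPS_PORTS:
        findings.append(("PORT_SCHEME_MISMATCH", f"{label}: ldap:// on LDAPS port {port}"))
    elif parts.scheme == "ldaps" and port in LDAP_PORTS:
        findings.append(("PORT_SCHEME_MISMATCH", f"{label}: ldaps:// on plaintext port {port}"))
    if parts.scheme == "ldap":
        # Plaintext LDAP binds are what the ADV190023 signing/channel-binding
        # hardening breaks; the note above says to plan for LDAPS.
        findings.append(("PLAINTEXT_LDAP", f"{label}: uses ldap://; plan to move to ldaps://"))
    return findings


def check_identity_source(cfg):
    """Lint one identity-source dict; an empty list means no findings."""
    findings = []
    if username_format(cfg.get("username", "")) is None:
        findings.append(("UNQUALIFIED_USER",
                         "User name must be a UPN, DOMAIN\\user or a DN, not a bare name"))
    urls = [("Primary Server URL", cfg.get("primary_url", ""))]
    if cfg.get("secondary_url"):
        urls.append(("Secondary server URL", cfg["secondary_url"]))
    uses_ldaps = False
    for label, url in urls:
        findings.extend(check_server_url(url, label))
        uses_ldaps = uses_ldaps or urlsplit(url).scheme == "ldaps"
    # Per the table, a certificate for the LDAPS endpoint is required whenever
    # ldaps:// appears in either URL (the DC's certificate, not a root CA).
    if uses_ldaps and not cfg.get("ldaps_certificate"):
        findings.append(("LDAPS_NO_CERT",
                         "ldaps:// is used but no LDAPS certificate was supplied"))
    return findings


# Constructed sample configuration (domain, hosts and file name are made up).
SAMPLE = {
    "name": "corp.example",
    "base_dn_users": "cn=Users,dc=corp,dc=example",
    "base_dn_groups": "cn=Groups,dc=corp,dc=example",
    "domain": "corp.example",
    "username": "svc-vcenter@corp.example",
    "primary_url": "ldaps://dc01.corp.example:636",
    "secondary_url": "ldaps://dc02.corp.example:636",
    "ldaps_certificate": "dc01.corp.example.cer",
}

if __name__ == "__main__":
    for code, msg in check_identity_source(SAMPLE) or [("OK", "no findings")]:
        print(code, "-", msg)
```

Running the block against the constructed SAMPLE prints no findings; swapping the primary URL for ldap://dc01.corp.example:389 yields a PLAINTEXT_LDAP finding, and dropping the certificate while keeping ldaps:// yields LDAPS_NO_CERT. The linter only checks the shape of the definition; whether the supplied certificate actually matches the domain controller named in the URL is still verified at connect time.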