Several concepts related to Active Directory are integral to understanding how Directories Management integrates with your Active Directory environments.

Connector

The connector, a component of the service, performs the following functions.

  • Syncs user and group data from your Active Directory or LDAP directory to the service.

  • When being used as an identity provider, authenticates users to the service.

    The connector is the default identity provider. For the authentication methods the connector supports, see VMware Identity Manager Administration. You can also use third-party identity providers that support the SAML 2.0 protocol. Use a third-party identity provider either for an authentication type the connector does not support, or for one it does support when your enterprise security policy makes the third-party provider preferable.

    Note:

    If you use third-party identity providers, you can either configure the connector to sync user and group data or configure Just-in-Time user provisioning. See the Just-in-Time User Provisioning section in VMware Identity Manager Administration for more information.

    Note:

    Even if you use third-party identity providers, you must configure the connector to sync user and group data.

Directory

The Directories Management service has its own concept of a directory, corresponding to the Active Directory or LDAP directory in your environment. This directory uses attributes to define users and groups.

  • Active Directory

    • Active Directory over LDAP. Create this directory type if you plan to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector binds to Active Directory using simple bind authentication.

    • Active Directory, Integrated Windows Authentication. Create this directory type if you plan to connect to a multi-domain or multi-forest Active Directory environment. The connector binds to Active Directory using Integrated Windows Authentication.

    The type and number of directories that you create vary depending on your Active Directory environment, such as single domain or multi-domain, and on the type of trust used between domains. In most environments, you create one directory.

  • LDAP Directory

The service does not have direct access to your Active Directory or LDAP directory. Only the connector has direct access. Therefore, you associate each directory created in the service with a connector instance.

Worker

When you associate a directory with a connector instance, the connector creates a partition for the associated directory called a worker. A connector instance can have multiple workers associated with it. Each worker acts as an identity provider. You define and configure authentication methods per worker.

The connector syncs user and group data between your Active Directory or LDAP directory and the service through one or more workers.

Important:

You cannot have two workers of the Active Directory, Integrated Windows Authentication type on the same connector instance.
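The following Python model is an added illustration, not VMware code: it captures the directory, connector and worker relationships described above and enforces the stated rules (one worker per associated directory, at most one Integrated Windows Authentication worker per connector instance). The `tls` attribute and the check that a simple-bind directory uses LDAPS or StartTLS are assumptions added as a hardening caveat, since a simple bind otherwise sends the bind credentials to the domain controller in clear text.

```python
from dataclasses import dataclass, field

# Directory types named on the page.
AD_OVER_LDAP = "Active Directory over LDAP"
AD_IWA = "Active Directory, Integrated Windows Authentication"
LDAP_DIRECTORY = "LDAP Directory"

# Bind method per type; the page states simple bind for AD over LDAP and IWA for
# the IWA type. The LDAP Directory mapping is an assumption for this example.
BIND_METHOD = {AD_OVER_LDAP: "simple", AD_IWA: "iwa", LDAP_DIRECTORY: "simple"}


@dataclass
class Directory:
    name: str
    dir_type: str
    tls: bool = True  # assumed attribute: bind protected by LDAPS or StartTLS


@dataclass
class Connector:
    name: str
    workers: dict = field(default_factory=dict)  # directory name -> worker record

    def associate(self, directory: Directory) -> dict:
        """Create the worker partition for a directory, enforcing the rules above."""
        if directory.dir_type not in BIND_METHOD:
            raise ValueError(f"unknown directory type: {directory.dir_type}")
        if directory.name in self.workers:
            raise ValueError(f"{directory.name} already has a worker on {self.name}")
        if directory.dir_type == AD_IWA and any(
            w["type"] == AD_IWA for w in self.workers.values()
        ):
            raise ValueError("only one Integrated Windows Authentication worker per connector")
        bind = BIND_METHOD[directory.dir_type]
        # Hardening check (not a page rule): a simple bind carries the bind DN and
        # password, so refuse it unless the transport is encrypted.
        if bind == "simple" and not directory.tls:
            raise ValueError(f"{directory.name}: simple bind requires LDAPS or StartTLS")
        worker = {"directory": directory.name, "type": directory.dir_type, "bind": bind}
        self.workers[directory.name] = worker
        return worker

    def identity_providers(self) -> list:
        """Each worker acts as an identity provider; return their names."""
        return sorted(self.workers)
```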