You can add users or groups to an existing Active Directory connection.

Before you begin

  • Connector installed and the activation code activated. Select the required default attributes and add additional attributes on the User Attributes page.

    See ../com.vmware.vra.prepare.use.doc/GUID-9B25F502-EC8C-40CF-8ACF-4731B5A6903A.html.

  • List of the Active Directory groups and users to sync from Active Directory.

  • For Active Directory over LDAP, information required includes the Base DN, Bind DN, and Bind DN password.

  • For Active Directory Integrated Windows Authentication, the information required includes the domain's Bind user UPN address and password.

  • If Active Directory is accessed over SSL, a copy of the SSL certificate is required.

  • If you have a multi-forest Active Directory integrated with Windows Authentication and the Domain Local group contains members from different forests, add the Bind user to the Administrators group of the Domain Local group. If the Bind user is not added, these members are missing from the Domain Local group.

  • Log in to the vRealize Automation console as a tenant administrator.

About this task

The Directories Management user authentication system imports data from Active Directory when adding groups and users. The speed of the data transport is limited by Active Directory capabilities. As a result, actions can take a long time depending on the number of groups and users that are added. To minimize problems, limit the groups and users to only the groups and users required for a vRealize Automation action. If problems occur, close unneeded applications and verify that your deployment has appropriate memory allocated to Active Directory. If problems continue, increase the Active Directory memory allocation. For deployments with large numbers of users and groups, you might need to increase the Active Directory memory allocation to as much as 24 GB.

When you sync a vRealize Automation deployment with many users and groups, there might be a delay before the Log details are available. The time stamp on the log file can differ from the completed time displayed on the console.

When you add a group from Active Directory, any members of the group that are not already in the Users list are added to the list. When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
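To see before a sync which group members the primary-group rule above would leave out, you can check an LDIF export of the group's members. The following is an added example, not part of the product or its documentation. It assumes an export that contains each member's dn and primaryGroupID attributes; the function names and the sample entries are constructed for illustration.

```python
import base64

DOMAIN_USERS_RID = "513"  # well-known RID of the Domain Users group

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: value} dicts, one per entry."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    lines = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    entries, entry = [], {}
    for line in lines + [""]:              # the trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:              # ignore blocks without a DN, such as "version: 1"
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):      # "attr:: <base64>" carries non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[name.strip().lower()] = value.strip()
    return entries

def sync_precheck(ldif_text):
    """Return (eligible, flagged): DNs that pass the check, and (DN, reason) pairs."""
    eligible, flagged = [], []
    for entry in parse_ldif(ldif_text):
        rid = entry.get("primarygroupid")
        if rid == DOMAIN_USERS_RID:
            eligible.append(entry["dn"])
        elif rid is None:
            flagged.append((entry["dn"], "primaryGroupID missing from export"))
        else:
            flagged.append((entry["dn"], f"primary group RID {rid} is not Domain Users"))
    return eligible, flagged

# Constructed sample input (not from a real directory): four members of one group.
SAMPLE_LDIF = (
    "version: 1\n\n"
    "dn: CN=Alice Admin,OU=Staff,DC=example,DC=com\nprimaryGroupID: 513\n\n"
    "dn: CN=Bob Kiosk,OU=Kiosks,DC=example,\n DC=com\nprimaryGroupID: 514\n\n"
    "dn:: " + base64.b64encode(
        "CN=José García,OU=Staff,DC=example,DC=com".encode("utf-8")).decode("ascii")
    + "\nprimaryGroupID: 513\n\n"
    "dn: CN=Carol Temp,OU=Staff,DC=example,DC=com\n"
)

if __name__ == "__main__":
    eligible, flagged = sync_precheck(SAMPLE_LDIF)
    for dn, reason in flagged:
        print(f"check before sync: {dn} ({reason})")
```

Members flagged with a different primary group need their primary group changed to Domain Users in Active Directory before they are synced with the group.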

Note:

You cannot cancel a synchronize action after you start the action.

Procedure

  1. Select Administration > Directories Management > Directories.
  2. Click the desired directory name.
  3. Click Sync Settings to open a dialog box with synchronization options.
  4. Click the appropriate icon depending on whether you want to change the user or group configuration.

    To edit the group configuration:

    • To add groups, click the + icon to add a line for group DN definitions and enter the appropriate group DN.

    • If you want to delete a group DN definition, click the x icon for the desired group DN.

    To edit the user configuration:

    • To add users, click the + icon to add a line for a user DN definition and enter the appropriate user DN.

    • If you want to delete a user DN definition, click the x icon for the desired user DN.

  5. Click Save to save your changes without synchronizing your updates immediately. Click Save & Sync to save your changes and synchronize your updates immediately.