As a tenant administrator, you want to configure an Active Directory over LDAP directory connection to support user authentication for your highly available vRealize Automation deployment.

About this task

Each vRealize Automation appliance includes a connector that supports user authentication, although only one connector is typically configured to perform directory synchronization. It does not matter which connector you choose to serve as the sync connector. To support Directories Management high availability, you must configure a second connector that corresponds to your second vRealize Automation appliance, which connects to your Identity Provider and points to the same Active Directory. With this configuration, if one appliance fails, the other takes over management of user authentication.

In a high availability environment, all nodes must serve the same set of Active Directories, users, authentication methods, etc. The most direct method to accomplish this is to promote the Identity Provider to the cluster by setting the load balancer host as the Identity Provider host. With this configuration, all authentication requests are directed to the load balancer, which forwards the request to either connector as appropriate.

Prerequisites

  • Install a distributed vRealize Automation deployment with appropriate load balancers. See Installing vRealize Automation 7.3.

  • Log in to the vRealize Automation console as a tenant administrator.

Procedure

  1. Select Administration > Directories Management > Directories.
  2. Click Add Directory.
  3. Enter your specific Active Directory account settings, and accept the default options.

    Options and sample input

    Directory Name: Add the IP address of your Active Directory domain name.

    Sync Connector: Every vRealize Automation appliance contains a connector. Use any of the available connectors.

    Base DN: Enter the Distinguished Name (DN) of the starting point for directory server searches. For example, cn=users,dc=corp,dc=local.

    Bind DN: Enter the full distinguished name (DN), including common name (CN), of an Active Directory user account that has privileges to search for users. For example, cn=config_admin infra,cn=users,dc=corp,dc=local.

    Bind DN Password: Enter the Active Directory password for the account that can search for users.

  4. Click Test Connection to test the connection to the configured directory.

    If the connection fails, check your entries in all fields and consult your system administrator if necessary.

  5. Click Save & Next.

    The Select the Domains page with the list of domains appears.

  6. Leave the default domain selected and click Next.
  7. Verify that the attribute names are mapped to the correct Active Directory attributes. If not, select the correct Active Directory attribute from the drop-down menu. Click Next.
  8. Select the groups and users you want to sync.
    1. Click the Add icon.
    2. Enter the user domain and click Find Groups.

      For example, cn=users,dc=corp,dc=local.

    3. Select the Select All check box.
    4. Click Select.
    5. Click Next.
    6. Click Add to add additional users. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.

      To exclude users, click + to create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.

    7. Click Next.
  9. Review the page to see how many users and groups are syncing to the directory and click Sync Directory.

    The directory sync process takes some time, but it happens in the background and you can continue working.

  10. Configure a second connector to support high availability.
    1. Log in to the load balancer for your vRealize Automation deployment as a tenant administrator.

      The load balancer URL is load_balancer_address/vcac/org/tenant_name, where load_balancer_address is the address of your load balancer and tenant_name is the name of your tenant.

    2. Select Administration > Directories Management > Identity Providers.
    3. Click the Identity Provider that is currently in use for your system.

      The existing directory and connector that provide basic identity management for your system appear.

    4. Click the Add a Connector drop-down list, and select the connector that corresponds to your secondary vRealize Automation appliance.
    5. Enter the appropriate password in the Bind DN Password text box that appears when you select the connector.
    6. Click Add Connector.
    7. Edit the host name to point to your load balancer.
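The DNs entered in step 3 and step 8 and the exclusion filter in step 8 are free-text fields, and a malformed value only surfaces when Test Connection (step 4) or the directory sync fails. The following is an added example, not vRealize Automation code, that checks these strings before they are typed into the console: it parses distinguished names per RFC 4514 (backslash and hex escapes, quoted values), verifies that the Base DN names a domain and that the Bind DN is a full user DN, and builds an RFC 4515 exclusion filter with the value escaped so it cannot change the filter structure. The sample DNs are the page's own; the rule names for the exclusion filter ("equals", "starts with", and so on) are assumptions standing in for whatever the UI offers, and `svc_` is a constructed value.

```python
"""Pre-flight checks for the Active Directory over LDAP values entered in
Directories Management. Added example using only the standard library; it
is not part of vRealize Automation and does not contact any server."""
import re

# attribute type at the start of an RDN: a descriptor (cn, dc, sAMAccountName)
# or a dotted OID, followed by '=' (RFC 4514 section 3)
_TYPE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)\s*=')


def parse_dn(dn):
    """Split a DN into [(type, value), ...] from the leftmost (most specific)
    RDN to the root. Handles '\\,' style escapes, '\\2c' hex pairs and quoted
    values; multi-valued RDNs (a=1+b=2) are not split. Raises ValueError on
    malformed input such as the typo 'CN-username' (hyphen instead of '=')."""
    rdns, i, n = [], 0, len(dn)
    while True:
        m = _TYPE.match(dn, i)
        if not m:
            raise ValueError(f"expected 'attribute=' at offset {i} in {dn!r}")
        atype = m.group(1).lower()
        i = m.end()
        chars, quoted = [], False
        while i < n:
            c = dn[i]
            if c == '\\':
                if i + 1 >= n:
                    raise ValueError(f"dangling backslash in {dn!r}")
                pair = dn[i + 1:i + 3]
                if re.fullmatch(r'[0-9A-Fa-f]{2}', pair):   # hex escape
                    chars.append(chr(int(pair, 16)))
                    i += 3
                else:                                       # '\,' '\+' ...
                    chars.append(dn[i + 1])
                    i += 2
                continue
            if c == '"':
                quoted = not quoted
            elif c == ',' and not quoted:
                break          # unescaped comma ends this RDN
            else:
                chars.append(c)
            i += 1
        if quoted:
            raise ValueError(f"unterminated quote in {dn!r}")
        rdns.append((atype, ''.join(chars).strip()))
        if i >= n:
            return rdns
        i += 1                 # consume the separating comma


def domain_of(dn):
    """DNS domain implied by the dc= components: corp.local for
    cn=users,dc=corp,dc=local."""
    return '.'.join(v for t, v in parse_dn(dn) if t == 'dc').lower()


def check_directory_settings(base_dn, bind_dn):
    """Return a list of problems that Test Connection would otherwise report
    late: unparsable DNs, a Base DN with no dc= components, or a Bind DN that
    is not the full DN of a user account (the page requires it to include
    the account's CN)."""
    problems, parsed = [], {}
    for label, dn in (("Base DN", base_dn), ("Bind DN", bind_dn)):
        try:
            parsed[label] = parse_dn(dn)
        except ValueError as err:
            problems.append(f"{label}: {err}")
            continue
        if not any(t == 'dc' for t, _ in parsed[label]):
            problems.append(f"{label}: no dc= components, so it names no domain")
    if "Bind DN" in parsed and parsed["Bind DN"][0][0] != 'cn':
        problems.append("Bind DN: must start with the user account's cn=")
    return problems


# query rules are an assumption; substitute the names the UI actually shows
_RULES = {"equals": "{v}", "starts with": "{v}*",
          "ends with": "*{v}", "contains": "*{v}*"}


def escape_filter_value(value):
    """RFC 4515 escaping: characters with meaning inside a filter become
    \\xx hex escapes, so a value such as 'a*b' is matched literally."""
    return ''.join(c if c not in '*()\\\x00' else '\\%02x' % ord(c)
                   for c in value)


def exclusion_filter(attribute, rule, value):
    """Build the (attribute=pattern) filter for one exclusion rule."""
    if rule not in _RULES:
        raise ValueError(f"unknown rule {rule!r}")
    if not re.fullmatch(r'[A-Za-z][A-Za-z0-9-]*', attribute):
        raise ValueError(f"invalid attribute name {attribute!r}")
    return "(%s=%s)" % (attribute, _RULES[rule].format(v=escape_filter_value(value)))


if __name__ == "__main__":
    base = "cn=users,dc=corp,dc=local"
    print(check_directory_settings(base, "cn=config_admin infra," + base))
    print(check_directory_settings(base, "CN-username,CN=Users,OU-myUnit,DC=myCorp,DC=com"))
    print(exclusion_filter("sAMAccountName", "starts with", "svc_"))
```

Run it with the values you intend to enter; an empty list from `check_directory_settings` means the DNs are at least well-formed, and the printed filter is what the exclusion rule will send to the directory.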

Results

You connected your corporate Active Directory to vRealize Automation and configured Directories Management for high availability.

What to do next

To provide enhanced security, you can configure bi-directional trust between your identity provider and your Active Directory. See Configure a Bi Directional Trust Relationship Between vRealize Automation and Active Directory.