You can configure an OpenLDAP Directory connection with Directories Management.

Though there are several different LDAP protocols, OpenLDAP is the only protocol that is tested and approved for use with vRealize Automation Directories Management.

To integrate your LDAP directory, you create a corresponding Directories Management directory and sync users and groups from your LDAP directory to the Directories Management directory. You can set up a regular sync schedule for subsequent updates.

You also select the LDAP attributes that you want to sync for users and map them to Directories Management attributes.

Your LDAP directory configuration may be based on default schemas or you may have created custom schemas. You may also have defined custom attributes. For Directories Management to be able to query your LDAP directory to obtain user or group objects, you need to provide the LDAP search filters and attribute names that are applicable to your LDAP directory.

Specifically, you need to provide the following information.

  • LDAP search filters for obtaining groups, users, and the bind user

  • LDAP attribute names for group membership, UUID, and distinguished name

Note:

Directories Management uses the default page size of 1500 for LDAP queries. If you configure an OpenLDAP directory connection, then you must enable the simple page results control extension for OpenLDAP to limit the number of results displayed. Failure to use this extension may cause user and group sync errors.

Prerequisites

  • Review the configuration on the User Attributes page and add any other attributes that you want to sync. You will map the Directories Management attributes to your LDAP directory attributes when you create the directory. These attributes will be synced for the users in the directory.

    Note:

    When you make changes to user attributes, consider the effect on other directories in the service. If you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes as required except for userName. The settings on the User Attributes page apply to all directories in the service. If an attribute is marked required, users without that attribute are not synced to the Directories Management service.

  • A Bind DN user account. Using a Bind DN user account with a non-expiring password is recommended.

  • In your LDAP directory, the UUID of users and groups must be in plain text format.

  • In your LDAP directory, a domain attribute must exist for all users and groups.

    You map this attribute to the Directories Management domain attribute when you create the Directories Management directory.

  • User names must not contain spaces. If a user name contains a space, the user is synced but entitlements are not available to the user.

  • If you use certificate authentication, users must have values for userPrincipalName and email address attributes.

Procedure

  1. Select Administration > Directories Management > Directories.
  2. Click Add Directory and select Add LDAP Directory.
  3. Enter the required information in the Add LDAP Directory page.

    Option

    Description

    Directory Name

    Enter a name for the Directories Management directory.

    Directory Sync and Authentication

    1. In the Sync Connector field, select the connector you want to use to sync users and groups from your LDAP directory to the Directories Management directory.

      A connector component is always available with the Directories Management service by default. This connector appears in the drop-down list. If you install multiple Directories Management appliances for high availability, the connector component of each appears in the list.

      You do not need a separate connector for an LDAP directory. A connector can support multiple directories, regardless of whether they are Active Directory or LDAP directories.

    2. In the Authentication field, if you want to use this LDAP directory to authenticate users, select Yes.

      If you want to use a third-party identity provider to authenticate users, select No. After you add the directory connection to sync users and groups, go to the Administration > Directories Management > Identity Providers page to add the third-party identity provider for authentication.

    3. For most configurations, leave the Custom default selected in the Directory Search Attribute text box. In the Custom Directory Search Attribute field, specify the LDAP directory attribute to be used for user and group names. This attribute uniquely identifies entities, such as users and groups, from the LDAP server. For example, cn.

    Server Location

    Enter the LDAP Directory server host and port number. For the server host, you can specify either the fully-qualified domain name or the IP address. For example, myLDAPserver.example.com or 100.00.00.0.

    If you have a cluster of servers behind a load balancer, enter the load balancer information instead.

    LDAP Configuration

    Specify the LDAP search filters and attributes that Directories Management can use to query your LDAP directory. Default values are provided based on the core LDAP schema.

    Filter Queries

    • Groups: The search filter for obtaining group objects.

      For example: (objectClass=group)

    • Bind user: The search filter for obtaining the bind user object, that is, the user that can bind to the directory.

      For example: (objectClass=person)

    • Users: The search filter for obtaining users to sync.

      For example:(&(objectClass=user)(objectCategory=person))

    Attributes

    • Membership: The attribute that is used in your LDAP directory to define the members of a group.

      For example: member

    • Object UUID: The attribute that is used in your LDAP directory to define the UUID of a user or group.

      For example: entryUUID

    • Distinguished Name: The attribute that is used in your LDAP directory for the distinguished name of a user or group.

      For example: entryDN

    Certificates

    If your LDAP directory requires access over SSL, select the This Directory requires all connections to use SSL check box. Then copy and paste the LDAP directory server's root CA SSL certificate into the SSL Certificate text box. Ensure the certificate is in PEM format and include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

    Finally, ensure that the correct port number is specified in the Server Port field in the Server Location section of the page.

    Bind User Details

    Base DN: Enter the DN from which to start searches. For example, cn=users,dc=example,dc=com

    All applicable users must reside under the Base DN. If a particular user is not located under the Base DN, that user will be unable to log in even if he is a member of a group that is under the Base DN.

    Bind DN: Enter the DN to use to bind to the LDAP directory. You can also enter user names, but a DN is more appropriate for most deployments.

    Note:

    Using a Bind DN user account with a non-expiring password is recommended.

    Bind DN Password: Enter the password for the Bind DN user.

  4. To test the connection to the LDAP directory server, click Test Connection.

    If the connection is not successful, check the information you entered and make the appropriate changes.

  5. Click Save & Next.
  6. Verify the correct domain is selected on the Select the Domains page, and then click Next.
  7. In the Map Attributes page, verify that the Directories Management attributes are mapped to the correct LDAP attributes.

    These attributes will be synced for users.

    Important:

    You must specify a mapping for the domain attribute.

    You can add attributes to the list from the User Attributes page.

  8. Click Next.
  9. Click + to select the groups you want to sync from the LDAP directory to the Directories Management directory on Select the groups (users) you want to sync page.

    If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the groups page.

    When you add a group from Active Directory, if members of that group are not in the Users list, they are added. When you sync a group, any users that lack Domain Users as their primary group in Active Directory are not synced.

    The Sync nested group members option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the Directories Management directory, these users will appear as members of the top-level group that you selected for sync. In effect, the hierarchy under a selected group is flattened and users from all levels appear in Directories Management as members of the selected group.

    If this option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.

    Note:

    The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities. As a result, import operations may require a significant amount of time depending on the number of groups and users being added. To minimize the potential for delays or problems, limit the number of groups and users to only those required for vRealize Automation operation.

    If your system performance degrades or if errors occur, close any unneeded applications and ensure that your system has appropriate memory allocated to Directories Management. If problems persist, increase the Directories Management memory allocation as needed. For systems with large numbers of users and groups, you may need to increase the Directories Management memory allocation to as much as 24 GB.

  10. Click Next.
  11. Click + to add additional users. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.

    You can add organizational units as well as individual users here.

    You can create a filter to exclude some types of users. Select the user attribute to filter by, the query rule, and the value.

  12. Click Next.
  13. Review the page to see how many users and groups will sync to the directory and to view the default sync schedule.

    To make changes to users and groups, or to the sync frequency, click the Edit links.

  14. Click Sync Directory to start the directory sync.

Results

The connection to the LDAP directory is established and users and groups are synced from the LDAP directory to the Directories Management directory.

You can now assign user and groups to the appropriate vRealize Automation roles by selecting Administration > Users and Groups > Directory Users and Groups. See Assign Roles to Directory Users or Groups for more information.