When you import user account information that resides on another machine, you must define the criteria used to import the user accounts from the source machine.

Where You Add or Edit Authentication Sources

  1. To add authentication sources, in the menu, click Administration, and then in the left pane click Access > Authentication Sources.

  2. Click Add.

  3. To edit authentication sources, click Edit.

Table 1. Authentication Sources Add Source for User and Group Import

Option

Description

Source Display Name

Name that you assign to the authentication source.

Source Type

Note:

The option you select in the Source Type drop-down box, determines the options available in this dialog box.

Indicates the directory services access technology used to reach the source machine where the user account database resides. Sources are either LDAP directories or single sign-on providers. Options include:

  • SSO SAML: Security Assertion Markup Language, an XML-based standard for web browser single sign-on that lets users authenticate once and access multiple applications.

  • Open LDAP: An OpenLDAP directory on another machine, accessed over the platform-independent LDAP protocol to import user accounts.

  • Active Directory: A Microsoft Active Directory domain, accessed over LDAP. The LDAP options in Table 3 apply.

  • Other: Any other LDAP-based directory service, such as Novell or OpenDJ, used to import user accounts from an LDAP database on a Linux or Mac machine.

  • VMware Identity Manager: A platform where you can manage users and groups, manage resources and user authentication, and access policies and entitle users to resources.

Table 2. Authentication Sources Add Source for User and Group Import - options available when SSO SAML is selected.

Name

Description

Host

Name or IP address of the host machine where the single sign-on server resides.

Port

The single sign-on listening port. By default this is set to 443.

User Name

Name of the user account that can log in to the single sign-on host machine.

Password

Password of the user account that can log in to the single sign-on host machine.

Grant administrator role to vRealize Operations Manager for future configuration?

When you create a single sign-on source, a new vRealize Operations Manager user account is created on the single sign-on server.

  • Select Yes to grant that account an administrative role on the SSO server, so that vRealize Operations Manager can reconfigure the SSO source itself if the vRealize Operations Manager setup later changes. The account then holds a privileged credential on the SSO server; protect it accordingly.

  • If you select No and the vRealize Operations Manager setup is changed, SSO users cannot log in until you re-register the SSO source.

Automatically redirect to vRealize Operations single sign-on URL?

After you configure a single sign-on source, users can be redirected to the vCenter SSO server for authentication.

  • Select Yes to redirect users to the single sign-on server for authentication.

  • If you select No, users must sign in through the vRealize Operations Manager login page.

Import single sign-on user groups after adding the current source?

When you have set up a single sign-on source, you import users and user groups into vRealize Operations Manager so that single sign-on users can access the system with their single sign-on permissions.

  • If you select Yes, the wizard directs you to the Import User Groups page so that you can import user groups as soon as you have finished setting up the SSO source.

  • If you want to import user accounts or user groups later, select No.

Advanced

If your system uses a load balancer, enter the IP address of the load balancer.

Test

Tests whether the host machine can be reached with the credentials provided.

Table 3. Authentication Sources Add Source for User and Group Import - options available when Open LDAP, Active Directory, and Other are selected.

Option

Description

Integration Mode Basic settings

Applies basic settings to integrate the LDAP import source with the instance of vRealize Operations Manager.

Use Basic integration mode to have vRealize Operations Manager discover the host machine where the LDAP database resides and set the base distinguished name (Base DN) used to search for users. You provide the domain and subdomain, which vRealize Operations Manager uses to populate the Host and Base DN fields, and the name and password of the user account that can log in to the LDAP host machine.

In Basic mode, vRealize Operations Manager attempts to fetch the host and port from the DNS server, and obtain the Global Catalog and domain controllers for the domain, with preference given to SSL/TLS-enabled servers.

  • Domain/Subdomain. Domain information for the LDAP user account.

  • Use SSL/TLS. When selected, vRealize Operations Manager uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect the connection when you import users from the LDAP database. You do not need to install the LDAP server certificate. Instead, vRealize Operations Manager prompts you to view and verify the certificate thumbprint and accept the LDAP server certificate, after which LDAP communication proceeds. Compare the displayed thumbprint with one obtained from the LDAP server's administrator or read directly from the server; accepting an unverified thumbprint trusts whichever server answered first.

  • User Name. Name of the user account that can log in to the LDAP host machine.

  • Reset Password. Reset the password of the user account that can log in to the LDAP host machine.

  • Automatically synchronize user membership for configured groups. When selected, enables vRealize Operations Manager to map imported LDAP users to user groups.

  • Host. Name or IP address of the host machine where the LDAP user database resides.

  • Port. Port used for the import. Use 389 without SSL/TLS or 636 with SSL/TLS, or another port of your choice. The Global Catalog ports are 3268 without SSL/TLS and 3269 with SSL/TLS.

  • Base DN. Base distinguished name for the user search. vRealize Operations Manager locates only users below the Base DN. The Base DN is the entry at which the search starts, so an imported user's distinguished name (DN) is relative to it and does not need to repeat the full path to the account or the domain components. Although vRealize Operations Manager populates the Base DN, an administrator must verify it before saving the LDAP configuration.

  • Common Name. LDAP attribute used to identify the user name. The default attribute for Active Directory is userPrincipalName.

Integration Mode Advanced settings

Applies advanced settings to integrate the LDAP import source with the instance of vRealize Operations Manager.

Use Advanced integration mode to provide the host name and base distinguished name (Base DN) manually so that vRealize Operations Manager can import users. You also provide the name and password of the user account that can log in to the LDAP host machine.

  • Host. Name or IP address of the host machine where the LDAP user database resides.

  • Use SSL/TLS. When selected, vRealize Operations Manager uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect the connection when you import users from the LDAP database. You do not need to install the LDAP server certificate. Instead, vRealize Operations Manager prompts you to view and verify the certificate thumbprint and accept the LDAP server certificate, after which LDAP communication proceeds. Compare the displayed thumbprint with one obtained from the LDAP server's administrator or read directly from the server; accepting an unverified thumbprint trusts whichever server answered first.

  • Base DN. Base distinguished name for the user search. vRealize Operations Manager locates only users below the Base DN. The Base DN is the entry at which the search starts, so an imported user's distinguished name (DN) is relative to it and does not need to repeat the full path to the account or the domain components. Although vRealize Operations Manager populates the Base DN, an administrator must verify it before saving the LDAP configuration.

  • User Name. Name of the user account that can log in to the LDAP host machine.

  • Reset Password. Reset the password of the user account that can log in to the LDAP host machine.

  • Automatically synchronize user membership for configured groups. When selected, enables vRealize Operations Manager to map imported LDAP users to user groups.

  • Common Name. LDAP attribute used to identify the user name. The default attribute for Active Directory is userPrincipalName.

  • Port. Port used for the import. Use 389 without SSL/TLS or 636 with SSL/TLS, or another port of your choice. The Global Catalog ports are 3268 without SSL/TLS and 3269 with SSL/TLS.
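The Host, Port and Use SSL/TLS options above (in both Basic and Advanced mode) amount to two decisions: which endpoint to talk to, and whether the certificate the dialog shows really belongs to that server. The following is an added example, not code from vRealize Operations Manager, that encodes the documented port rules and performs the same thumbprint pin the dialog asks you to confirm, from an independent vantage point. The host name dc1.corp.example and the stand-in certificate bytes are assumptions.

```python
"""Added example, not product code: choose the LDAP endpoint that the Port and
Use SSL/TLS options describe, and pin the server certificate by a thumbprint
obtained out of band (the check behind the 'view and verify the thumbprint'
prompt). Host names and the sample certificate bytes are assumptions."""
import hashlib
import socket
import ssl

# Port defaults from the documentation: (use_tls, global_catalog) -> port.
DEFAULT_PORTS = {(False, False): 389, (True, False): 636,
                 (False, True): 3268, (True, True): 3269}


def ldap_url(host, use_tls, global_catalog=False, port=None):
    """ldap:// or ldaps:// URL for the host; an explicit port overrides the default."""
    if port is None:
        port = DEFAULT_PORTS[(use_tls, global_catalog)]
    return f"{'ldaps' if use_tls else 'ldap'}://{host}:{port}"


def thumbprint(der_cert, algorithm="sha256"):
    """Colon-separated, upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(der_cert, expected, algorithm="sha256"):
    """Compare ignoring separators and case, so a value copied from another tool's
    display (openssl, a browser, the vRealize dialog) still compares correctly."""
    def canon(value):
        return value.replace(":", "").replace(" ", "").upper()
    return canon(thumbprint(der_cert, algorithm)) == canon(expected)


def pinned_ldaps_connect(host, port, expected_thumbprint, timeout=5.0):
    """Open a TLS connection and return the socket only if the leaf certificate
    matches the thumbprint obtained out of band. Chain validation is switched off
    on purpose: the pin, not a CA, is the trust anchor, which is the same model as
    accepting a thumbprint in the dialog. Needs network access; not run by tests."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not thumbprint_matches(der, expected_thumbprint):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"{host}:{port} presented {thumbprint(der)}, expected {expected_thumbprint}")
    return tls


if __name__ == "__main__":
    print(ldap_url("dc1.corp.example", use_tls=True))
    print(ldap_url("dc1.corp.example", use_tls=True, global_catalog=True))
    # Constructed stand-in for certificate bytes; a real DER blob would come from
    # pinned_ldaps_connect() or from openssl s_client.
    print(thumbprint(b"\x30\x82\x01\x0a constructed certificate bytes"))
```

Use pinned_ldaps_connect() with the thumbprint the LDAP administrator gave you; if it raises, the thumbprint the dialog shows is not the one you were told to expect and should not be accepted. Note that ldap_url() returns ldaps:// on 636 and 3269 only; STARTTLS on 389/3268 is a different mechanism and is not what the Use SSL/TLS option describes.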

Search Criteria

Displays the search criteria settings.

Although vRealize Operations Manager populates part of the search criteria, an administrator must verify that the settings match the properties of the LDAP directory type.

  • Group Search Criteria. LDAP filter used to find groups. If not included, vRealize Operations Manager uses the default filter: (|(objectClass=group)(objectClass=groupOfNames))

  • Member Attribute. Name of the attribute of a group object that contains the list of members. If not included, vRealize Operations Manager uses member by default.

  • User Search Criteria. LDAP filter used to find and cache, in one query, the users that group member entries refer to. Enter sets of key=value pairs in the form (|(key1=value1)(key2=value2)). If not included, vRealize Operations Manager searches for each user separately, which can take extra time.

  • Member Match Field. Name of the attribute of a user object to match against the member entry of a group object. If not included, vRealize Operations Manager treats the member entry as a distinguished name.

  • LDAP Context Attributes. Attributes that vRealize Operations Manager applies to the LDAP (JNDI) context environment. Enter sets of key=value pairs separated by commas, such as java.naming.referral=ignore,java.naming.ldap.deleteRDN=false.
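The four search-criteria fields only make sense together: the group filter picks the groups, the member attribute yields member values, and the member match field decides whether those values are looked up as DNs or matched against a user attribute, with the user filter deciding whether that happens in one cached query or one lookup per member. The following is an added example, not code from vRealize Operations Manager, that applies those documented rules to a constructed in-memory directory snapshot so the effect of each field can be seen without a live server. The entries, DNs, the service-account naming convention and the small filter parser are illustrative assumptions.

```python
"""Added example, not product code: how the Search Criteria fields combine when
group membership is resolved, run against a constructed in-memory directory
snapshot. Entries, DNs and the small filter parser are illustrative assumptions."""
from fnmatch import fnmatchcase

DEFAULT_GROUP_FILTER = "(|(objectClass=group)(objectClass=groupOfNames))"

# Constructed snapshot keyed by DN; attribute values are lists, as LDAP returns them.
DIRECTORY = {
    "cn=vrops-admins,ou=groups,dc=corp,dc=example": {
        "objectClass": ["group"],
        "member": ["cn=alice,ou=users,dc=corp,dc=example",
                   "cn=bob,ou=users,dc=corp,dc=example",
                   "cn=svc-backup,ou=users,dc=corp,dc=example"]},
    "cn=ops-readers,ou=groups,dc=corp,dc=example": {
        "objectClass": ["groupOfNames"], "member": ["alice", "carol"]},  # names, not DNs
    "cn=alice,ou=users,dc=corp,dc=example": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "cn=bob,ou=users,dc=corp,dc=example": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "cn=carol,ou=users,dc=corp,dc=example": {"objectClass": ["user"], "sAMAccountName": ["carol"]},
    "cn=svc-backup,ou=users,dc=corp,dc=example": {"objectClass": ["user"], "sAMAccountName": ["svc-backup"]},
    "cn=legacy-team,ou=groups,dc=other,dc=example": {          # outside the Base DN
        "objectClass": ["group"], "member": ["cn=alice,ou=users,dc=corp,dc=example"]},
}


def get_attr(entry, name):
    """Attribute names are case-insensitive in LDAP; a missing attribute is empty."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def parse_filter(text):
    """Parse the RFC 4515 subset the dialog needs: (attr=value), (&...), (|...), (!...)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one filter")
            pos += 1
            return (op, kids)
        close = text.index(")", pos)                 # ValueError if unterminated
        attr, value = text[pos:close].split("=", 1)
        pos = close + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter; values compare case-insensitively, '*' is a wildcard."""
    op = tree[0]
    if op == "=":
        return any(fnmatchcase(v.lower(), tree[2].lower()) for v in get_attr(entry, tree[1]))
    if op == "&":
        return all(matches(entry, k) for k in tree[1])
    if op == "|":
        return any(matches(entry, k) for k in tree[1])
    return not matches(entry, tree[1][0])            # "!"


def search(base_dn, filter_text, stats):
    """One subtree search under base_dn; stats counts round trips to the server."""
    stats["queries"] += 1
    tree = parse_filter(filter_text)
    return {dn: e for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(e, tree)}


def resolve_members(base_dn, group_filter=None, member_attr="member",
                    user_filter=None, member_match_field=None):
    """Return ({group_dn: [user_dn, ...]}, stats) applying the documented defaults:
    no Group Search Criteria -> DEFAULT_GROUP_FILTER; no User Search Criteria -> one
    lookup per member; no Member Match Field -> the member value is treated as a DN."""
    stats = {"queries": 0}
    groups = search(base_dn, group_filter or DEFAULT_GROUP_FILTER, stats)
    cache = search(base_dn, user_filter, stats) if user_filter else None
    resolved = {}
    for gdn, group in groups.items():
        users = []
        for member in get_attr(group, member_attr):
            if cache is None:
                stats["queries"] += 1                # separate lookup for this member
            pool = DIRECTORY if cache is None else cache
            if member_match_field is None:
                hits = [dn for dn in pool if dn.lower() == member.lower()]
            else:
                hits = [dn for dn, e in pool.items()
                        if member.lower() in (v.lower() for v in get_attr(e, member_match_field))]
            users.extend(hits)
        resolved[gdn] = users
    return resolved, stats


if __name__ == "__main__":
    base = "dc=corp,dc=example"
    print(resolve_members(base))
    print(resolve_members(base, member_match_field="sAMAccountName"))
    print(resolve_members(base, user_filter="(&(objectClass=user)(!(sAMAccountName=svc-*)))"))
```

Running it shows the three behaviours the table describes. With defaults, vrops-admins resolves fully (its member values are DNs) but ops-readers resolves to nothing, because its member values are short names and there is no Member Match Field; setting the match field to sAMAccountName inverts that. Supplying a User Search Criteria collapses the per-member lookups into one cached query and, because the filter excludes svc-* accounts, drops the service account from vrops-admins even though the group lists it.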

Test

Tests whether the host machine can be reached with the credentials provided. Even if the connection test succeeds, the account used for the search must have read permission in the LDAP source for users and groups to be returned.

This test does not verify the accuracy of the Base DN or Common Name entries.

Table 4. Authentication Sources Add Source for User and Group Import - Options available when VMware Identity Manager is selected.

Option

Description

Host

Name or IP address of the VMware Identity Manager (vIDM) machine where the single sign-on server resides.

Port

The single sign-on listening port. By default this is set to 443.

Tenant

The vIDM tenant. This field is optional.

Username

vIDM system-domain tenant administrator username.

Password

Password of the vIDM system-domain tenant administrator.

Redirect IP

IP address of the vRealize Operations Manager node to which a user is redirected after successful authentication with VMware Identity Manager. By default, this is the IP address of the vRealize Operations Manager master node.

Note:

If the master replica is promoted to master node, the vRealize Operations Manager administrator must manually edit this IP address and set it to the IP address of the current master node, otherwise users are redirected to a node that no longer serves the role.

Test

Tests whether the vIDM machine can be reached, with the credentials provided.