When you import user account information that resides on another machine, you must define the criteria used to import the user accounts from the source machine.

Where You Add or Edit Authentication Sources

  1. To add authentication sources, from the left menu, click Administration, and then click the Authentication Sources tile.
  2. Click Add.
  3. To edit authentication sources, click Edit.
Table 1. Authentication Sources Add Source for User and Group Import
Option Description
Source Display Name Name that you assign to the authentication source.
Source Type
Note: The option you select in the Source Type drop-down box determines the options available in this dialog box.
Indicates the type of directory services access technology to access the source machine where the database of user accounts resides. There are two types of databases: LDAP and single sign-on. Options include:
  • SSO SAML: An XML-based standard for a web browser single sign-on that enables users to perform single sign-on to multiple applications.
  • Open LDAP: A platform-independent protocol that provides access to an LDAP database on another machine to import user accounts.
  • Other: Specifies any other LDAP-based directory service, such as Novell or OpenDJ, used to import user accounts from an LDAP database on a Linux or Mac machine.
  • VMware Identity Manager: A platform where you can manage users and groups, manage resources and user authentication, and access policies and entitle users to resources.
Table 2. Authentication Sources Add Source for User and Group Import - Options Available When SSO SAML Is Selected.
Name Description
Host Name or IP address of the host machine where the single sign-on user server resides.
Port The single sign-on listening port. By default this is set to 443.
User Name Name of the user account that can log in to the single sign-on host machine.
Password Password of the user account that can log in to the single sign-on host machine.
Grant administrator role to vRealize Operations for future configuration? When you create a single sign-on source, a new vRealize Operations user account is created on the single sign-on server.
  • Select Yes to grant vRealize Operations an administrative role so that it can be used to configure the SSO source if changes are made to the vRealize Operations setup.
  • If you select No and the vRealize Operations setup is changed, SSO users cannot log in until you re-register the SSO source.
Automatically redirect to vRealize Operations single sign-on URL? After you have configured a single sign-on source, users are redirected to the vCenter SSO server.
  • Select Yes to redirect users to the single sign-on server for authentication.
  • If you select No, users must sign in through the vRealize Operations login page.
Import single sign-on user groups after adding the current source? When you have set up a single sign-on source, you import users and user groups into vRealize Operations so that single sign-on users can access the system with their single sign-on permissions.
  • If you select Yes, the wizard directs you to the Import User Groups page so that you can import user groups when you have finished setting up the SSO source.
  • If you want to import user accounts or user groups at a later stage, select No.
Advanced If your system uses a load balancer, enter the IP address of the load balancer.
Test

Tests whether the host machine can be reached with the credentials provided.

Table 3. Authentication Sources Add Source for User and Group Import - Options Available When Open LDAP, Active Directory, and Other Are Selected.
Option Description

Integration Mode Basic settings

Applies basic settings to integrate the LDAP import source with the instance of vRealize Operations.

Use Basic integration mode to have vRealize Operations discover the host machine where the LDAP database resides, and set the base distinguished name (Base DN) used to search for users. You provide the name of the domain and the subdomain, which vRealize Operations uses to populate the Host and Base DN details, and the name and password of the user who can log in to the LDAP host machine.

In Basic mode, vRealize Operations attempts to fetch the host and port from the DNS server, and to obtain the Global Catalog and domain controllers for the domain, with preference given to SSL/TLS-enabled servers.

  • Domain/Subdomain. Domain information for the LDAP user account.
    Note: To import users and groups from multiple subdomains, use the root domain (domain.com) instead of a subdomain. Using a subdomain limits the visibility of vRealize Operations to groups and users from that specific subdomain.
  • Use SSL/TLS. When selected, vRealize Operations uses the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol to provide secure communication when you import users from an LDAP database. You do not need to install the SSL/TLS certificate. Instead, vRealize Operations prompts you to view and verify the thumbprint, and accept the LDAP server certificate. After you accept the certificate, the LDAP communication proceeds.
  • If Active Directory uses a self-signed certificate, the certificate must contain the Subject Alternative Name field. vRealize Operations can verify the Active Directory certificate and integrate with Active Directory only if the host name or IP address in the Subject Alternative Name field matches the address of the domain controller on which the certificate is used.
  • User Name. Name of the user account that can log in to the LDAP host machine.
  • Reset Password. Reset the password of the user account that can log in to the LDAP host machine.
  • Automatically synchronize user membership for configured groups. When selected, enables vRealize Operations to map imported LDAP users to user groups.
  • Host. Name or IP address of the host machine where the LDAP user database resides.
  • Port. Port used for the import. Use port 389 if you are not using SSL/TLS, or port 636 if you are using SSL/TLS, or another port number of your choice. Global Catalog ports are 3268 for non-SSL/TLS, and 3269 for SSL/TLS.
  • Base DN. Base distinguished name for the user search. vRealize Operations locates only the users under the Base DN. The Base DN is the starting entry for an imported user's distinguished name (DN): the user name is resolved relative to it, without the full path to the user account or the related domain components. Although vRealize Operations populates the Base DN, an Administrator must verify the Base DN before saving the LDAP configuration.
  • Common Name. LDAP attribute used to identify the user name. The default attribute for Active Directory is userPrincipalName.

Integration Mode Advanced settings

Applies advanced settings to integrate the LDAP import source with the instance of vRealize Operations.

Use Advanced integration mode to manually provide the host name and base distinguished name (Base DN) to have vRealize Operations import users. You provide the name and password of the user who can log in to the LDAP host machine.

  • Host. Name or IP address of the host machine where the LDAP user database resides.
  • Use SSL/TLS. When selected, vRealize Operations uses the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol to provide secure communication when you import users from an LDAP database. You do not need to install the SSL/TLS certificate. Instead, vRealize Operations prompts you to view and verify the thumbprint, and accept the LDAP server certificate. After you accept the certificate, the LDAP communication proceeds.
  • If Active Directory uses a self-signed certificate, the certificate must contain the Subject Alternative Name field. vRealize Operations can verify the Active Directory certificate and integrate with Active Directory only if the host name or IP address in the Subject Alternative Name field matches the address of the domain controller on which the certificate is used.
  • Base DN. Base distinguished name for the user search. vRealize Operations locates only the users under the Base DN. The Base DN is the starting entry for an imported user's distinguished name (DN): the user name is resolved relative to it, without the full path to the user account or the related domain components. Although vRealize Operations populates the Base DN, an Administrator must verify the Base DN before saving the LDAP configuration.
  • User Name. Name of the user account that can log in to the LDAP host machine.
  • Reset Password. Reset the password of the user account that can log in to the LDAP host machine.
  • Automatically synchronize user membership for configured groups. When selected, enables vRealize Operations to map imported LDAP users to user groups.
  • Common Name. LDAP attribute used to identify the user name. The default attribute for Active Directory is userPrincipalName.
  • Port. Port used for the import. Use port 389 if you are not using SSL/TLS, or port 636 if you are using SSL/TLS, or another port number of your choice. Global Catalog ports are 3268 for non-SSL/TLS, and 3269 for SSL/TLS.

Search Criteria

Displays the search criteria settings.

Although vRealize Operations populates part of the search criteria, an Administrator must verify the settings to ensure that the settings are correct according to the properties of the LDAP type.

  • Group Search Criteria. Search criteria to find LDAP groups. If not included, vRealize Operations uses the default search parameters: (|(objectClass=group)(objectClass=groupOfNames))
  • Member Attribute. Name of the attribute for a group object that contains the list of members. If not included, vRealize Operations uses member by default.
  • User Search Criteria. Search criteria that use the member field to find and cache LDAP users in one query. You enter sets of key=value pairs in the form (|(key1=value1)(key2=value2)). If not included, vRealize Operations searches for each user separately, which can take extra time.
  • Member Match Field. Name of the attribute for a user object to match with the member entry from a group object. If not included, vRealize Operations treats the member entry as a distinguished name.
  • LDAP Context Attributes. Attributes that vRealize Operations applies to the LDAP context environment. You enter sets of key=value pairs separated by commas, such as java.naming.referral=ignore,java.naming.ldap.deleteRDN=false.
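The following Python is an added illustration, not code from the product documentation: it models how the Group Search Criteria, Member Attribute and Member Match Field settings above combine when group membership is resolved, using a constructed in-memory directory. The filter evaluator supports only the (&...), (|...) and (attr=value) forms used by these fields, and the default values are the ones the fields above document.

```python
# Constructed sample directory keyed by DN (hypothetical, not a real domain).
DIRECTORY = {
    "cn=ops-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        # one member stored as a DN, one as a bare account name
        "member": ["cn=alice,ou=users,dc=example,dc=com", "bob"]},
    "cn=printers,ou=devices,dc=example,dc=com": {
        "objectClass": ["device"], "member": ["cn=p1,dc=example,dc=com"]},
    "cn=alice,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "cn=bob,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
}
# Default Group Search Criteria documented above.
DEFAULT_GROUP_FILTER = "(|(objectClass=group)(objectClass=groupOfNames))"

def parse_filter(s):
    """Parse a filter such as (|(a=b)(c=d)) into a nested tuple."""
    def node(i):
        assert s[i] == "(", "filter must start with '('"
        if s[i + 1] in "&|":                      # AND / OR with children
            op, i, kids = s[i + 1], i + 2, []
            while s[i] != ")":
                child, i = node(i)
                kids.append(child)
            return (op, kids), i + 1
        end = s.index(")", i)                     # simple attr=value leaf
        attr, value = s[i + 1:end].split("=", 1)
        return ("=", attr, value), end + 1
    tree, pos = node(0)
    assert pos == len(s), "trailing characters in filter"
    return tree

def matches(entry, tree):
    if tree[0] == "&": return all(matches(entry, k) for k in tree[1])
    if tree[0] == "|": return any(matches(entry, k) for k in tree[1])
    _, attr, value = tree                         # LDAP values match case-insensitively
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def resolve_members(group_filter=DEFAULT_GROUP_FILTER, member_attr="member",
                    member_match_field=None):
    """Return {group DN: [member DNs]} as the three settings prescribe."""
    tree, result = parse_filter(group_filter), {}
    for dn, entry in DIRECTORY.items():
        if not matches(entry, tree):
            continue
        users = []
        for m in entry.get(member_attr, []):
            if member_match_field is None:        # no match field: member is a DN
                users += [m] if m in DIRECTORY else []
            else:                                 # match field: compare attribute
                users += [u for u, e in DIRECTORY.items()
                          if m.lower() in (v.lower() for v in e.get(member_match_field, []))]
        result[dn] = users
    return result
```

With the default settings only the DN-formatted member resolves; setting Member Match Field to sAMAccountName resolves the bare name instead, which is the behaviour to check when imported groups come back empty.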

Test

Tests whether the host machine can be reached with the credentials provided. Even when the connection test succeeds, the account used for the search feature must have read permission in the LDAP source.

This test does not verify the accuracy of the Base DN or Common Name entries.

Table 4. Authentication Sources Add Source for User and Group Import - Options Available When VMware Identity Manager Is Selected.
Option Description
Host Name or IP address of the VMware Identity Manager machine where the single sign-on user server resides.
Port The single sign-on listening port. By default this is set to 443.
Tenant This is an optional field.
User name VMware Identity Manager system-domain tenant administrator user name.
Password Password of the VMware Identity Manager system-domain tenant administrator.
Redirect IP/FQDN

This is the IP address of the vRealize Operations node to which a user is redirected after a successful authentication from VMware Identity Manager. By default, this is the IP address of the vRealize Operations primary node.

Note: When the primary replica becomes the primary node of vRealize Operations, the vRealize Operations administrator must manually edit the IP address and set it to the IP address of the current primary node.
Test

Tests whether the VMware Identity Manager machine can be reached with the credentials provided.