To authenticate and manage user permissions, Orchestrator requires a connection to an LDAP server or a connection to a Single Sign-On server.

Orchestrator supports the Active Directory, OpenLDAP, eDirectory, and Sun Java System Directory Server directory service types.

When you install Orchestrator together with vCenter Server, the Orchestrator server is preconfigured to use vCenter Single Sign-On as an authentication method.

When you install Orchestrator standalone, it is preconfigured to use an embedded LDAP server. The embedded LDAP server is suitable for testing purposes only. If you want to use Orchestrator with an LDAP server in a production environment, you must set up a separate LDAP server and configure Orchestrator to connect to it.

If you download and deploy the Orchestrator Appliance, the Orchestrator server is preconfigured to work with the OpenLDAP server distributed together with the appliance. The default OpenLDAP configuration is suitable for small- or medium-scale environment. To use Orchestrator in a production environment, you must set up either an LDAP server or a vCenter Single Sign-On server and configure Orchestrator to work with it.

To use LDAP server, you must connect your system to the LDAP server that is physically closest to your Orchestrator server, and avoid connections to remote LDAP servers. Long response times for LDAP queries can lead to slower performance of the whole system.

To improve the performance of the LDAP queries, keep the user and group lookup base as narrow as possible. Limit the users to targeted groups that need access, rather than to whole organizations with many users who do not need access. The resources that you need depend on the combination of database and directory service you choose. For recommendations, see the documentation for your LDAP server.

To use the vCenter Single Sign-On authentication method, you must first install vCenter Single Sign-On. If you install Orchestrator separately from vCenter Server and want to use vCenter Single Sign-On, you must configure the Orchestrator server to use the vCenter Single Sign-On server that you installed and configured.

To use Single Sign-On authentication through vCloud Automation Center, you must run the Register vCO in vCAC Component Registry workflow in the Orchestrator client.