You can configure Orchestrator to connect to a working LDAP server on your infrastructure to manage user permissions.
If you are using secure LDAP over SSL, Windows Server 2008 or 2012, and AD, verify that the LDAP Server Signing Requirements group policy is disabled on the LDAP server.
If you configure Orchestrator to work with LDAP, you cannot use the Orchestrator Web Client for managing vSphere inventory objects.
Multiple domains that are not in the same tree, but have a two-way trust, are not supported and do not work with Orchestrator. The only configuration supported for multi-domain Active Directory is domain tree. Forest and external trusts are not supported.