The LDAP service provider uses a URL to configure the connection to the directory server. To generate the LDAP connection URL, you must specify the LDAP host, port, and root.
About this task
The supported directory service types are Active Directory, OpenLDAP, eDirectory, and Sun Java System Directory Server.
- Log in to the Orchestrator configuration interface as vmware.
- Click Authentication.
- Select LDAP Authentication from the Authentication mode drop-down menu.
- From the LDAP client drop-down menu, select the directory server type that you are using as the LDAP server.
If you change the LDAP server or type after you set permissions on Orchestrator objects (such as access rights on workflows or actions), you must reset these permissions.
If you change the LDAP settings after configuring custom applications that capture and store user information, the LDAP authentication records created in the database become invalid when used against the new LDAP database.
- In the Primary LDAP host text box, type the IP address or the DNS name of the host on which your primary LDAP service runs.
This is the first host on which the Orchestrator configuration interface verifies user credentials.
- (Optional) In the Secondary LDAP host text box, type the IP address or the DNS name of the host on which your secondary LDAP service runs.
If the primary LDAP host becomes unavailable, Orchestrator verifies user credentials on the secondary host.
- In the Port text box, type the value for the lookup port of your LDAP server.
Orchestrator supports the Active Directory hierarchical domains structure. If your domain controller is configured to use Global Catalog, you must use port 3268. You cannot use the default port 389 to connect to the Global Catalog server.
- In the Root text box, type the root element of your LDAP service.
If your domain name is company.org, your root LDAP is dc=company,dc=org.
This is the node used for browsing your service directory after typing the appropriate credentials. For large service directories, specifying a node in the tree narrows the search and improves performance. For example, rather than searching in the entire directory, you can specify ou=employees,dc=company,dc=org. This displays all the users in the Employees group.
- (Optional) Select Use SSL to activate encrypted certification for the connection between Orchestrator and LDAP.
If your LDAP uses SSL, you must first import the SSL certificate and restart the Orchestrator Configuration service. See Import the LDAP Server SSL Certificate.
- (Optional) Select Use Global Catalog to allow LDAP referrals when the LDAP client is Active Directory.
The LDAP server lookup port number changes to 3268. Orchestrator follows the LDAP referrals to find users and groups in a subdomain that is part of the Active Directory tree to which Orchestrator is connected. You can add permissions on any groups that can be accessed from your Global Catalog.
Values and Resulting LDAP Connection URL Addresses
Examples of the values that you enter in the required fields and the resulting LDAP connection URL.
LDAP host: DomainController
Connection URL: ldap://DomainController:389/ou=employees,dc=company,dc=org
LDAP host using Global Catalog: 10.23.90.130
Connection URL: ldap://10.23.90.130:3268/dc=company,dc=org
What to do next
Assign credentials to Orchestrator to ensure its access to the LDAP server. See Specify the Browsing Credentials.