To authenticate and manage user permissions, Orchestrator requires a connection to an LDAP server or a connection to a Single Sign-On server.

Orchestrator supports the Active Directory, OpenLDAP, eDirectory, and Sun Java System Directory Server directory service types.


LDAP authentication is deprecated.

If you download and deploy the Orchestrator Appliance, the Orchestrator server is preconfigured to work with the OpenLDAP server distributed together with the appliance. The default OpenLDAP configuration is suitable for small- or medium-scale environment. To use Orchestrator in a production environment, you must set up either an LDAP server or a vCenter Single Sign-On server and configure Orchestrator to work with it.

To use LDAP server, you must connect your system to the LDAP server that is physically closest to your Orchestrator server, and avoid connections to remote LDAP servers. Long response times for LDAP queries can lead to slower performance of the whole system.

To improve the performance of the LDAP queries, keep the user and group lookup base as narrow as possible. Limit the users to targeted groups that need access, rather than to whole organizations with many users who do not need access. The resources that you need depend on the combination of database and directory service you choose. For recommendations, see the documentation for your LDAP server.

To use the vCenter Single Sign-On authentication method, you must first install vCenter Single Sign-On. You must configure the Orchestrator server to use the vCenter Single Sign-On server that you installed and configured.

To use Single Sign-On authentication through vCloud Automation Center, you must run the Register Orchestrator in vCloud Automation Center component registry workflow in the Orchestrator client.