You can define the user and group lookup information that Orchestrator uses with LDAP authentication.

Before you begin

You must have a working LDAP service on your infrastructure.

About this task

Two global roles are identified in Orchestrator: Developers and Administrators. The users in the Developers role have editing privileges on all elements. The users in the Administrators role have unrestricted privileges. Administrators can manage permissions, or delegate administration duties on a selected set of elements to any other group or user. These two groups must be contained in the Group lookup base.

Procedure

  1. Log in to the Orchestrator configuration interface as vmware.
  2. Click Authentication.
  3. Select LDAP Authentication from the Authentication mode drop-down menu.
  4. Specify the primary and secondary LDAP hosts, the lookup port of the LDAP server, the root element, and the browsing credentials.
  5. Define the User lookup base.

    This is the LDAP container (the top-level domain name or organizational unit) where Orchestrator searches for potential users.

    1. Click Search and type the top-level domain name or organizational unit.

      Searching for company returns dc=company,dc=org and other common names containing the search term. If you type dc=company,dc=org as a search term, no results are found.

    2. Click the LDAP connection string for the discovered branch to insert it in the User lookup base text box.

      If no matches are found, check your LDAP connection string in the main LDAP page.

      Note:

      You can connect to the Global Catalog Server through port 3268. It issues LDAP referrals that Orchestrator follows to find the account or group in a subdomain.

  6. Define the Group lookup base.

    This is the LDAP container where Orchestrator looks up groups.

    1. Click Search and type the top-level domain name or organizational unit.
    2. Click the LDAP string for the discovered branch to insert it in the Group lookup base text box.
  7. Define the vRO Admin group.

    This must be an LDAP group (for example, Domain Users) to which you grant administrative privileges for Orchestrator.

    1. Click Search and type the top-level group name.
    2. Click the LDAP string for the discovered branch to insert it in the vRO Admin group text box.

    Important:

    In eDirectory installations, only the eDirectory administrator can see users or user groups that have administration rights. If you are using an eDirectory LDAP server, and you log in to Orchestrator as a member of the vRO Admin group but you are not the eDirectory administrator, you can create users or user groups with administration rights, but you cannot see those users. This problem does not apply to other LDAP servers.

  8. Click the Test Login tab and type credentials for a user to test whether they can access the Orchestrator smart client.

    After a successful login, the system checks if the user is part of the Orchestrator Administrator group.
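A pre-flight check for the values chosen in steps 5 to 7, added here as an example and not part of VMware's product or documentation: it parses distinguished names (handling escaped commas, spacing and case), verifies that every group that must live under the Group lookup base actually does, and flags a Search term that is a DN rather than a name (which, per step 5, returns nothing). All directory values below are constructed sample data.

```python
def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; trim and lower-case each RDN."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep an escaped char such as "\," literally
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    norm = []
    for rdn in parts:
        attr, _, val = rdn.partition("=")
        norm.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return norm

def is_within_base(dn, base):
    """True if dn equals base or sits below it (the base's RDNs are dn's suffix)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def looks_like_dn(term):
    """Step 5 notes that a DN typed into Search returns nothing; flag that case."""
    return "=" in term

def check_lookup_config(cfg):
    """Return human-readable problems in a lookup configuration (empty if fine)."""
    problems = []
    for label, dn in cfg["groups"].items():
        if not is_within_base(dn, cfg["group_lookup_base"]):
            problems.append(f"{label} ({dn}) is outside the Group lookup base")
    return problems

# Constructed sample values, not taken from any real directory.
SAMPLE = {
    "group_lookup_base": "OU=Groups,DC=company,DC=org",
    "groups": {
        "vRO Admin group": "CN=vRO Admins,OU=Groups,DC=company,DC=org",
        "Developers": "cn=vRO Developers, ou=Groups, dc=Company, dc=org",
        "Administrators": "CN=Domain Admins,CN=Users,DC=company,DC=org",
    },
}
```

Running `check_lookup_config(SAMPLE)` reports only the Administrators group, which sits under CN=Users rather than under the configured Group lookup base.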

What to do next

Define the LDAP search options and apply your changes.