To authenticate and manage user permissions, Orchestrator requires a connection to an LDAP server, a connection to a Single Sign-On server, or a connection to vRealize Automation.


LDAP authentication is deprecated and will not be supported in future versions.

When you download, and deploy the Orchestrator Appliance, the Orchestrator server is preconfigured to work with the in-process ApacheDS LDAP server distributed with the appliance. The default in-process LDAP configuration is suitable testing purposes only. To use Orchestrator in a production environment, you must set up either an LDAP server, a vCenter Single Sign-On server, or set up a connection with vRealize Automation and configure Orchestrator to work with it.

Connect to the LDAP server that is physically closest to your Orchestrator server to avoid long response times for LDAP queries that slow down system performance. Orchestrator supports the Active Directory and OpenLDAP service types.

To improve the performance of the LDAP queries, keep the user and group lookup base as narrow as possible. Limit the users to targeted groups that need access, rather than including whole organizations with many users who do not need access. The resources that you need depend on the combination of database and directory service you choose. For recommendations, see the documentation for your LDAP server.

To use the vCenter Single Sign-On authentication method, you must first install vCenter Single Sign-On. You must configure the Orchestrator server to use the vCenter Single Sign-On server that you installed and configured.

You can use Single Sign-On authentication through vRealize Automation and vSphere from the authentication settings in Control Center.