VCP-IaaS Study Notes: Section 2.2

This is Section 2.2 in the VCP-IaaS blueprint Guide 1.2. The rest of the (completed) sections can be found here.

Identify AD/LDAP infrastructure components

  • An LDAP server is an authentication server in itself. When a user logs on, vCloud Director checks the user's credentials against the LDAP directory.

Configure Open LDAP with vCD

  • OpenLDAP is supported with the Simple and Simple SSL authentication methods.
  • Click the Administration tab and click LDAP in the left pane.
  • Type the host name or IP address of the LDAP server.
  • Type a port number.
    • For LDAP, the default port number is 389. For LDAP over SSL (LDAPS), the default port number is 636.
  • Type the base distinguished name (DN).
    • The base DN is the location in the LDAP directory where vCloud Director connects. VMware recommends connecting at the root. Type the domain components only, for example, DC=example, DC=com.
    • To connect to a node in the tree, type the distinguished name for that node, for example, OU=ServiceDirector, DC=example, DC=com. Connecting to a node limits the scope of the directory available to vCloud Director.
  • Select the SSL check box to use LDAPS and choose one of the certificate options.

  • Select an authentication method.

  • Type a user name and password to connect to the LDAP server.
    • If anonymous read support is enabled on your LDAP server, you can leave these text boxes blank.

  • Click Apply.

Configure Active Directory with vCD

  • Most ADs use Kerberos as the main authentication method, so before you configure AD with vCD you will need to add a Kerberos realm. Other than that the process is the same as the simple LDAP configuration (see the section above).
  • Click the Administration tab and click LDAP in the left pane.
  • Click Edit All Realms.
  • (Optional) On the Realm tab, select Allow lower-case realms to allow realm names that include lowercase letters.
  • On the Realm tab, click Add.
  • Type a realm and its Key Distribution Center (KDC) and click OK.
    • If you did not choose to allow lower-case realms, the realm name must be all capital letters. For example, REALM.
  • On the DNS tab, click Add.
  • Type a DNS, select a realm, and click OK.
    • You can use the period (.) as a wildcard character in the DNS. For example, type .example.com.
  • Click Close and click Apply.

Test connectivity to external LDAP

  • Click the Administration tab and click LDAP in the left pane.
  • Click Test LDAP Settings.
  • Type the name of a user in the LDAP directory and click Test.
  • Review the attribute mapping and click OK.

Import users and groups from external LDAP

  • LDAP attributes provide vCloud Director with details about how user and group information is defined in the LDAP directory. vCloud Director maps the information to its own database. Modify the syntax for user and group attributes to match your LDAP directory.
  • vCloud Director automatically synchronizes its user and group information with the LDAP server on a regular basis. You can also manually synchronize with the LDAP server at any time.
  • Users and groups are ready to be used after configuring, testing and syncing to the LDAP server.

Troubleshoot common LDAP external connectivity issues

  • Ports not open, the LDAP user used to connect has the wrong credentials, wrong base DN, SSL misconfigured, lower-case realm name, incorrect attribute mappings.
  • Not too much work to fix.
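The configuration steps above and this troubleshooting list boil down to a handful of rules that can be checked before clicking Apply. The script below is an added example for these notes, not vCloud Director code: it encodes the rules as stated (default ports 389 and 636, a base DN made of DC components, realm names in capitals unless lower-case realms are allowed, a leading period as the DNS wildcard) and adds a plain TCP/TLS probe for the connectivity test. All host names, DNs and realms are constructed sample values, and the "longest matching DNS entry wins" rule is an assumption of this example.

```python
"""Pre-flight checks for a vCloud Director LDAP / Kerberos configuration.

Added example, not vCD code. Encodes the rules from the study notes so the
common misconfigurations are caught before Apply. Sample values are constructed.
"""
import re
import socket
import ssl

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SUPPORTED_METHODS = {"Simple", "Simple SSL", "Kerberos"}

# One relative DN component: attribute=value with optional surrounding whitespace.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)=([^,]+?)\s*$")


def parse_dn(dn):
    """Split 'OU=ServiceDirector, DC=example, DC=com' into [(attr, value), ...].
    Raises ValueError for a malformed component or a DN not ending in DC parts."""
    parts = []
    for component in dn.split(","):
        match = _RDN.match(component)
        if not match:
            raise ValueError("malformed DN component: %r" % component)
        parts.append((match.group(1).upper(), match.group(2)))
    if parts[-1][0] != "DC":
        raise ValueError("base DN should end in domain components (DC=...)")
    return parts


def is_root_dn(dn):
    """True when the base DN is domain components only (the recommended root)."""
    return all(attr == "DC" for attr, _ in parse_dn(dn))


def check_realm(realm, allow_lowercase=False):
    """Realm names must be all capitals unless lower-case realms are allowed."""
    return bool(realm) and (allow_lowercase or realm == realm.upper())


def realm_for_host(host, dns_map):
    """Resolve a host to a realm via the DNS tab entries. A leading '.' is a
    wildcard for any host under that domain; other entries match exactly.
    Longest matching entry wins (assumption of this example)."""
    host = host.lower().rstrip(".")
    best = None
    for dns, realm in dns_map.items():
        entry = dns.lower()
        hit = host.endswith(entry) if entry.startswith(".") else host == entry
        if hit and (best is None or len(entry) > len(best[0])):
            best = (entry, realm)
    return best[1] if best else None


def expected_port(use_ssl):
    """Default port for plain LDAP or LDAPS."""
    return DEFAULT_PORTS["ldaps" if use_ssl else "ldap"]


def validate_config(cfg):
    """Return a list of problems; an empty list means the static checks pass."""
    problems = []
    if cfg["port"] != expected_port(cfg["ssl"]):
        problems.append("port %d is not the default %d for %s" % (
            cfg["port"], expected_port(cfg["ssl"]), "LDAPS" if cfg["ssl"] else "LDAP"))
    try:
        parse_dn(cfg["base_dn"])
    except ValueError as err:
        problems.append(str(err))
    if cfg["method"] not in SUPPORTED_METHODS:
        problems.append("unknown authentication method %r" % cfg["method"])
    if cfg["method"] == "Kerberos":
        realms, dns = cfg.get("realms", {}), cfg.get("dns", {})
        if not realms:
            problems.append("Kerberos selected but no realm/KDC defined")
        for realm in realms:
            if not check_realm(realm, cfg.get("allow_lowercase_realms", False)):
                problems.append("realm %r is not all capitals" % realm)
        for entry, realm in dns.items():
            if realm not in realms:
                problems.append("DNS entry %r maps to undefined realm %r" % (entry, realm))
        if realm_for_host(cfg["host"], dns) is None:
            problems.append("LDAP host %r matches no DNS entry" % cfg["host"])
    return problems


def probe(host, port, use_ssl, timeout=5):
    """Live check: TCP connect, plus a TLS handshake for LDAPS. Not run offline."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as err:
        return "tcp connect failed: %s" % err
    try:
        if not use_ssl:
            return "tcp ok"
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return "tls ok, protocol %s" % tls.version()
    except ssl.SSLError as err:
        return "tls handshake failed: %s" % err  # wrong cert, wrong port, or plain LDAP on 636
    finally:
        sock.close()


# Constructed sample settings: one passing, one with the classic mistakes.
GOOD_CONFIG = {
    "host": "ldap.example.com", "port": 636, "ssl": True,
    "base_dn": "DC=example, DC=com", "method": "Kerberos",
    "allow_lowercase_realms": False,
    "realms": {"EXAMPLE.COM": "kdc01.example.com"},
    "dns": {".example.com": "EXAMPLE.COM"},
}
BAD_CONFIG = dict(GOOD_CONFIG, port=389, base_dn="example.com",
                  realms={"example.com": "kdc01.example.com"},
                  dns={".example.com": "example.com"})

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_config(cfg) or "no problems found")
```

Run the static checks against your intended settings first; only when they pass is it worth calling `probe()` against the real server, since a TLS failure on port 636 with a plain-LDAP server or a wrong base DN looks like a "connectivity" problem in the vCD UI but is really a configuration one.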
