User Groups in vCenter & JumpCloud LDAP
A common request from JumpCloud Administrators is to integrate JumpCloud's LDAP-as-a-Service with VMware vCenter. JumpCloud's LDAP-as-a-Service is RFC2307 compliant, while vCenter currently supports RFC4519.
RFC4519 Schema:
- All users have an objectClass of inetOrgPerson.
- All groups have an objectClass of groupOfUniqueNames.
- All groups have a group membership attribute of uniqueMember.
- All users and group objects have entryUUID configured (the objects have a unique GUID that should not change).
This means Users work as expected with JumpCloud, since they are inetOrgPerson objects. However, User Group functionality for groupOfNames with JumpCloud will not work. You can set up LDAP to JumpCloud with vCenter, but you will need to set up local vsphere.local User Groups and add JumpCloud LDAP Users as members.
This is an issue with the way VMware has developed their OpenLDAP configuration by using the RFC4519 schema instead of RFC2307. Please reach out to VMware to put in a feature request to support RFC2307, as this is not something JumpCloud can change or resolve with their LDAP client in vCenter.
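As an added example that is not part of this article, the following Python script checks LDIF entries (such as saved `ldapsearch -LLL` output) against the RFC4519 expectations listed above, so you can see before configuring vCenter which objects it will accept and why a JumpCloud group will not import. The embedded LDIF is constructed sample data with a placeholder ORGID and made-up UUIDs; the parser is deliberately minimal and does not handle base64 (`::`) values or continuation lines.

```python
# Constructed sample in the shape JumpCloud LDAP returns; ORGID and UUIDs are placeholders.
SAMPLE_LDIF = """\
dn: uid=bsmith,ou=Users,o=ORGID,dc=jumpcloud,dc=com
objectClass: person
objectClass: inetOrgPerson
uid: bsmith
entryUUID: 11111111-2222-3333-4444-555555555555

dn: cn=vcenter-admins,ou=Users,o=ORGID,dc=jumpcloud,dc=com
objectClass: groupOfNames
cn: vcenter-admins
member: uid=bsmith,ou=Users,o=ORGID,dc=jumpcloud,dc=com
entryUUID: 66666666-7777-8888-9999-000000000000
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line-separated entries, multi-valued attributes."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def vcenter_compatibility(entry):
    """Return (dn, kind, problems) for one entry under vCenter's RFC4519 expectations."""
    dn, classes = entry["dn"][0], set(entry.get("objectClass", []))
    problems = [] if "entryUUID" in entry else ["no entryUUID (vCenter needs a stable GUID)"]
    if "inetOrgPerson" in classes:
        return dn, "user", problems
    if "groupOfUniqueNames" in classes:
        if "uniqueMember" not in entry:
            problems.append("groupOfUniqueNames without uniqueMember")
        return dn, "group", problems
    if "groupOfNames" in classes:
        problems.append("groupOfNames/member, not groupOfUniqueNames/uniqueMember: "
                        "vCenter will not import it; use a local vsphere.local group")
        return dn, "group", problems
    return dn, "unknown", problems + ["unexpected objectClass set"]


def check_ldif(text):
    """Run the check over every entry in an LDIF dump, e.g. saved ldapsearch -LLL output."""
    return [vcenter_compatibility(e) for e in parse_ldif(text)]
```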
Configuring vCenter with JumpCloud LDAP
This configuration has only been verified for vCenter versions 6.0 through 6.7. It has not been tested or validated with vCenter 7.0 or newer.
VMware vCenter has several configuration types within its Identity Sources. To properly configure vCenter to use JumpCloud's LDAP, configure the Identity Source as follows:
You must configure JumpCloud's LDAP first before you can configure VMware vCenter. Please reference Use Cloud LDAP. The ORGID in the attributes below is your JumpCloud OrgID, found in either your LDAP settings in JumpCloud or via Settings in the JumpCloud Admin Portal.
- Log in to vCenter with your [email protected] credentials.
- Click on Menu at the top of the window.
- Navigate to Administration.
- On the left-hand navigation, expand Single-Sign-On and select Configuration.
- Navigate to Identity Sources tab in the right-hand pane.
- Create a new Identity Source by clicking Add Identity Source.
- Select OpenLDAP as the Identity Source Type.
- Enter the following configurations into the listed attributes:
- Identity Source Name: JumpCloud LDAP
- Base Distinguished Name for Users: ou=Users,o=ORGID,dc=jumpcloud,dc=com
- Base Distinguished Name for Groups: o=ORGID,dc=jumpcloud,dc=com
- Domain Name: jumpcloud.com
- Username: uid=BINDDN_USERNAME,ou=Users,o=ORGID,dc=jumpcloud,dc=com
- This is the DN of the BindDN account you've created for JumpCloud LDAP. Please reference Use Cloud LDAP if you've not configured this already.
- Password: The password of the BindDN User you've created within JumpCloud.
- Primary Server URL: ldaps://ldap.jumpcloud.com:636
- Certificates (for LDAPS): Upload the .pem file from Connect to LDAP with TLS/SSL.
- Click Save.
- You now need to make the JumpCloud LDAP Identity Source the default by doing the following:
- In the Identity Sources list, select the radio button to the left of the JumpCloud LDAP identity source entry, then click Set As Default.
- vCenter will ask you to confirm, as you're changing the default domain from vsphere.local to JumpCloud's LDAP. Click OK.
- You should now see the following in your Identity Sources list: JumpCloud should be labeled as Default next to the OpenLDAP entry.
Once you click Save, vCenter should test the config and validate it successfully. If it errors out, check the configuration again to ensure that all of the attributes above are properly set. If it continues to error out, please reach out to VMware's support team to troubleshoot the Platform Services Controller.
Below is an example of a working configuration. We've edited out the OrgIDs and the Usernames from this example for security purposes.
Logging into vCenter with JumpCloud User Accounts
Now that you've set up vCenter with an Identity Source of JumpCloud via OpenLDAP, users will need to log in with their JumpCloud username and password. See the example.
The User in this example is Bob Smith. Bob's JumpCloud username is bsmith. Bob types in his username, bsmith, and his JumpCloud User Account password.
Working with Groups in vCenter
You can set up User Groups to work within vCenter, but because of the schema issues outlined in User Groups in vCenter above, you cannot import JumpCloud User Groups through VMware's LDAP client in the Platform Services Controller.
A successful way to manage Groups with JumpCloud and vCenter is to create local vsphere.local User Groups and add the JumpCloud LDAP Users to those vsphere.local User Groups. This way, the LDAP Users are members of the vsphere.local User Groups and have access to the resources in vCenter you've granted those groups.
Reference our example below:
- Adding a group under vCenter's Users and Groups menu, you can create a local vSphere User Group.
- Select a Directory Source. In this case, jumpcloud.com for LDAP users.
- Use the Search field to look up the Users by their JumpCloud Username. Then, add them to the list.
- Once you've added all of your Users to the Group, click Save.
- Add the local vSphere User Group to the objects in the vCenter inventory they need access to and configure their ACLs or Roles within the Inventory list.
JumpCloud LDAP Support and VMware vCenter Support
JumpCloud LDAP is only responsible for the LDAP authentication of Users to vCenter. JumpCloud LDAP is not responsible for the permissions, ACLs, roles, or any other items configured within vCenter or the Platform Services Controller. If users are successfully authenticating to vCenter with their JumpCloud credentials via the method outlined above, then JumpCloud LDAP authentication is working.
vCenter does not support JumpCloud's RFC2307 LDAP schema in the LDAP client within the Platform Services Controller, and thus cannot import User Groups from JumpCloud into vCenter. This is an issue with VMware's LDAP client solely supporting Active Directory and RFC4519 in vSphere.
For vCenter permissions issues or other issues within vCenter Server, please reach out to VMware's GSS-SysOps Support Teams.