How to configure Active Directory over LDAP in vCenter
Read this article to learn how to configure Active Directory over LDAP as an identity provider in a vCenter Server.
Step 1: Create an AD Service Account
When you configure Active Directory over LDAP, you must specify a service account. Follow these steps to create a service account.
- Open Active Directory Users and Computers (ADUC). Then, right-click the OU in which you wish to create the account and point to New > User.

- On the first page of the “New Object – User” wizard, enter the details and click Next. I am using “Ldap Service Account” as the name of the account and ldap_user as the login name.

- On the next page, enter a password and repeat it. Then, uncheck “User must change password” and check “Password never expires,” then click Finish on the next page to create the account.




Step 2: Get the Required Information
You need some information to configure AD over LDAP. To make the next step easy, let’s put the information together.
Firstly, you require the DistinguishedName (DN) of the service account you created in step 1. Additionally, you need the base DN of the domain.
Follow these steps to get this information:
- In Active Directory Users and Computers, click View and select Advanced Features. Before you click it, there is no tick beside Advanced Features.

- Next, to get the DN of the AD domain, right-click the domain and select Properties.

- Click the Attribute Editor tab, then locate distinguishedName and double-click it.

- Finally, copy the DN.

- Repeat steps 1 to 4 for the LDAP service account you created earlier. Finally, you require the IP address of at least one Domain Controller and the Fully Qualified Domain Name (FQDN) of the domain.
Before you proceed, note the following:
a) The DistinguishedName of the domain name and the LDAP service account
b) The IP address of at least one DC in the Domain
c) You also require the FQDN of the domain, for example, corp.itechguides.com
d) The password of the LDAP service account
Once you have these, proceed to step 3 below.
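The same two steps can be done from PowerShell. The script below is an added example, not code from the original article: it creates the service account with the same options as the ADUC wizard in step 1 (read-only bind account, no privileged group membership) and then collects the values step 2 asks for (domain DN, FQDN, service account DN and DC addresses). It assumes the ActiveDirectory RSAT module is installed and that you run it on a domain-joined workstation with rights to create users; the OU path, the account names and the domain are placeholders to replace with your own.

```powershell
# Added example (not from the original article).
# Assumes the ActiveDirectory module (RSAT) and rights to create users in the OU.
Import-Module ActiveDirectory

$ouPath      = 'OU=Service Accounts,DC=lab,DC=itechguides,DC=com'   # placeholder OU
$samName     = 'ldap_user'                                          # login name from step 1
$displayName = 'Ldap Service Account'                               # account name from step 1
$domain      = Get-ADDomain
$upn         = "$samName@$($domain.DNSRoot)"

# Prompt for the password rather than embedding it in the script.
$password = Read-Host -Prompt "Password for $samName" -AsSecureString

# Mirrors the wizard: "User must change password" unchecked,
# "Password never expires" checked. The account is only a bind account,
# so it is deliberately not added to any group.
New-ADUser -Name $displayName `
           -SamAccountName $samName `
           -UserPrincipalName $upn `
           -Path $ouPath `
           -AccountPassword $password `
           -Enabled $true `
           -ChangePasswordAtLogon $false `
           -PasswordNeverExpires $true `
           -Description 'Bind account for vCenter Active Directory over LDAP (read-only)'

# Step 2 values: base DN, FQDN, service account DN and DC IP addresses.
$serviceAccount = Get-ADUser -Identity $samName
$dcAddresses    = @(Get-ADDomainController -Filter * |
                    Select-Object -ExpandProperty IPv4Address)

$secondaryUrl = $null
if ($dcAddresses.Count -gt 1) { $secondaryUrl = "ldap://$($dcAddresses[1])" }

# Everything step 3 will ask for, in one object.
[PSCustomObject]@{
    IdentitySourceName = ($domain.DNSRoot -split '\.')[0]     # first label of the FQDN
    BaseDN             = $domain.DistinguishedName
    DomainFQDN         = $domain.DNSRoot
    ServiceAccountDN   = $serviceAccount.DistinguishedName
    PrimaryServerUrl   = "ldap://$($dcAddresses[0])"
    SecondaryServerUrl = $secondaryUrl
} | Format-List
```

Keep the output of the last object at hand for step 3; the password itself is only entered into vCenter, never written to disk by this script.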
Step 3: Configure Active Directory over LDAP in vCenter
- Log in to vCenter with an account that has the required permissions. Then, click the menu in vCenter and select Administration.


- Under Single Sign on, click Configuration > Identity Sources > ADD.


- Then, select “Active Directory over LDAP” on the Add Identity Source > Identity Source Type drop-down.


- Finally, configure the identity provider as shown in the screenshot and explanations below:
On the Identity source name, enter the first part of the domain. If the FQDN of the domain is lab.itechguides.com, the Identity source name is “lab”.
Next, on the “Base distinguished name for users” and “Base distinguished name for groups,” enter the domain’s DN.


After that, on Domain name, enter the domain’s FQDN. The Alias is the same as the Identity source name.
On User name and Password, enter the DN of the LDAP service account and the account’s password. On Connect to, select “Specific domain controllers.”
Enter the IP address of a DC in Primary server URL, starting with “ldap://”. Finally, enter the IP of a second DC in Secondary server URL.
When you finish supplying the required information, click ADD at the bottom right of the page.
Before proceeding, make the new vCenter identity source the default. Use this screenshot as a guide.
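Before clicking ADD, it is worth checking from a workstation that vCenter will actually be able to do what the form describes: reach each DC on the LDAP port, bind with the service account DN and password, and search the base DN. The script below is an added example, not part of the original article; it uses the .NET System.DirectoryServices.Protocols classes that ship with Windows PowerShell, and the DC addresses, base DN and service account DN are placeholders. Note that with “ldap://” on port 389 the simple bind sends the service account password in the clear on the wire, which is why the script takes the port as a variable: if your DCs have a certificate vCenter trusts, the same check works on 636 with an ldaps:// URL.

```powershell
# Added example (not from the original article): pre-flight check of the
# step 3 values. Replace the placeholders with the values gathered in step 2.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcAddresses      = @('10.0.0.10', '10.0.0.11')                          # placeholder DC IPs
$baseDn           = 'DC=lab,DC=itechguides,DC=com'                        # placeholder base DN
$serviceAccountDn = 'CN=Ldap Service Account,OU=Service Accounts,DC=lab,DC=itechguides,DC=com'
$samName          = 'ldap_user'
$port             = 389        # plain ldap://; use 636 for ldaps:// with a trusted DC certificate
$credential       = Get-Credential -UserName $serviceAccountDn -Message 'LDAP service account password'

foreach ($dc in $dcAddresses) {
    # 1. Is the LDAP port reachable at all?
    $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$dc : TCP port $port unreachable"
        continue
    }

    # 2. Does a simple bind with the DN and password succeed (what vCenter does)?
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$($dc):$port")
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Credential = $credential.GetNetworkCredential()
    try {
        $conn.Bind()

        # 3. Can the bound account read under the base DN? Look up its own object.
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn,
            "(sAMAccountName=$samName)",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            'distinguishedName')
        $response = $conn.SendRequest($request)
        if ($response.Entries.Count -eq 1) {
            "$dc : bind OK, found $($response.Entries[0].DistinguishedName)"
        } else {
            Write-Warning "$dc : bind OK but search under $baseDn returned $($response.Entries.Count) entries"
        }
    } catch {
        # Typical causes: wrong DN or password, locked account, base DN typo.
        Write-Warning "$dc : bind or search failed - $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}
```

A DC that fails the TCP test but is listed as the secondary server only costs you failover; a DC that fails the bind means the DN or password you are about to type into the form is wrong and vCenter will reject the identity source.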


Step 4: Grant Active Directory Users Access to vCenter
Follow this screenshot to add an AD group to a vCenter group. I added the Domain Admins group to the vCenter’s Global Administrator group in this example.


If you need to add a user or group to a vCenter role, click Roles on the left pane, select the role, and then add the user.
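Role assignments can also be scripted with PowerCLI once the identity source is in place. The snippet below is an added example, not from the article: it grants an AD group a vCenter role on the root folder and then lists the resulting permissions. It assumes PowerCLI is installed, that the identity source alias from step 3 is “lab”, and that a dedicated AD group (placeholder name “vCenter Readers”) exists; using a dedicated group with a scoped role rather than Domain Admins keeps vCenter rights separate from domain-wide administration.

```powershell
# Added example (not from the original article). Assumes the VMware PowerCLI
# module, the identity source alias "lab" from step 3 and a placeholder AD group.
Import-Module VMware.PowerCLI

$vcenter   = 'vcenter.lab.itechguides.com'   # placeholder vCenter FQDN
$principal = 'lab\vCenter Readers'           # placeholder AD group: <alias>\<group>

# Log in with the account you used in step 3 (prompts for credentials).
Connect-VIServer -Server $vcenter

# Assign the built-in ReadOnly role at the root folder and propagate it,
# so the group can see the whole inventory without changing anything.
$role = Get-VIRole -Name 'ReadOnly'
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate $true

# Verify: list every permission granted to principals from the AD identity source.
Get-VIPermission | Where-Object { $_.Principal -like 'lab\*' } |
    Select-Object Principal, Role, Entity, Propagate

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

The same listing is a quick audit after the fact: any AD principal with the Admin role that you did not expect shows up in the output.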
Conclusion
Active Directory over LDAP as a vCenter identity provider delivers AD Single Sign-on for vCenter. With this feature, you avoid the duplicate work of creating and managing vCenter users locally.
Instead, you can grant AD users access by adding them to vCenter groups. Meanwhile, you also avoid joining vCenter to the AD domain.
By the way, VMware recommends configuring Active Directory over LDAP instead of joining vCenter to the AD domain.
I’m confident that this guide made your day! Why not let me know by responding to the “Was this page helpful?” question below?
Before you go, see if any of the articles in the “Related Articles” section below interests you. Thank you for visiting Itechguides!
Victor Ashiedu