Configure Lightweight Directory Access Protocol (LDAP) integration within your vSphere 7 environment. This post is part of a free Study Guide for preparing to pass the VMware VCP-DCV certification exam. In our free guide, we cover all topics from the VCP-DCV 2021 exam that are listed on the original VMware blueprint, which has 80 objectives.
The Active Directory over LDAP identity source is preferred over the Active Directory (Integrated Windows Authentication) option. The OpenLDAP Server identity source is available for environments that use OpenLDAP.
If you are configuring an OpenLDAP identity source, see the VMware knowledge base article at http://kb.vmware.com/kb/2064977 for additional requirements.
- Service Principal Name (SPN) – Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.
- Use machine account – select this option to use the local machine account (the computer account in AD) as the Service Principal Name (SPN). In this case you only need to specify the domain name. Do not select this option if you plan to rename this machine.
However, please note that before you add AD as an identity source, you must join the vCenter Server VM to the Microsoft AD domain and reboot it. You do that on the Active Directory Domain tab.
Note that OpenLDAP is also supported. Currently, vCenter Single Sign-On supports the use of OpenLDAP as an identity source only if it satisfies all of these requirements:
- OpenLDAP version 2.4 or later.
- The OpenLDAP schema is RFC4519 compliant.
- All users have an objectClass of inetOrgPerson.
- All groups have an objectClass of groupOfUniqueNames.
- All groups have a group membership attribute of uniqueMember.
- All user and group objects have entryUUID configured (each object has a unique GUID that does not change).
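As an added example (not from the original post or from VMware), the following script checks an LDIF export of your OpenLDAP users and groups against the requirements above before you add the directory as an identity source. It assumes group objects live under ou=groups and that the export was made with a command such as ldapsearch -LLL; the LDIF sample embedded below is constructed.

```python
from collections import defaultdict

# Constructed LDIF sample (not a real export): a compliant user, a compliant group,
# and a legacy group that uses groupOfNames/member and has no entryUUID.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
entryUUID: 1c5d2e2a-7e4d-103b-8f6c-7b3a8f8b2d11

dn: cn=vsphere-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,dc=example,dc=com
entryUUID: 2a0f4b6c-7e4d-103b-8f6d-7b3a8f8b2d11

dn: cn=legacy-ops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader (no line folding or base64): one {attr: [values]} dict per entry."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    return entries

def check_entry(entry):
    """Violations of the vCenter SSO requirements for one entry (empty list = compliant).
    Assumption: group objects live under ou=groups; everything else is treated as a user."""
    dn, classes, problems = entry["dn"][0], set(entry.get("objectClass", [])), []
    if "entryUUID" not in entry:
        problems.append(f"{dn}: missing entryUUID (needed as a stable object identifier)")
    if ",ou=groups," in dn:
        if "groupOfUniqueNames" not in classes:
            problems.append(f"{dn}: group objectClass must be groupOfUniqueNames")
        if "uniqueMember" not in entry:
            problems.append(f"{dn}: group membership must use the uniqueMember attribute")
    elif "inetOrgPerson" not in classes:
        problems.append(f"{dn}: user objectClass must be inetOrgPerson")
    return problems

def audit(ldif_text):
    """Run check_entry over every entry of an LDIF export and collect all violations."""
    return [p for entry in parse_ldif(ldif_text) for p in check_entry(entry)]
```

Call audit() on the text of your own export; entryUUID is an operational attribute in OpenLDAP, so request it explicitly in the ldapsearch attribute list or it will not appear in the output.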
Also note that:
Starting in vSphere 7.0 Update 2, you can enable FIPS on vCenter Server. See the vSphere Security documentation. AD over LDAP and IWA are not supported when FIPS is enabled. Use external identity provider federation when in FIPS mode.
A future update to Microsoft Windows will change the default behavior of Active Directory to require strong authentication and encryption. This change will impact how vCenter Server authenticates to Active Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS.
Thanks for reading and stay tuned for more…