Setting up LDAP Authentication in vCloud Director


Logging in to your vCloud Director system/organisation via the web interface can be achieved in a number of ways. You can use local authentication (users local to vCloud Director), your Active Directory, or another LDAP v3 compliant directory service for authentication and group membership lookup.

After you connect vCloud Director to an LDAP server, you can import system administrators from the groups and users in the LDAP directory. You can also use the system LDAP settings to import users and groups to an organization, or you can specify separate LDAP settings for each organization. An LDAP user cannot log in to vCloud Director until you import them to the system or an organization.

Note:

1: vCloud Director does not support hierarchical domains for LDAP authentication.

2: vCloud Director cannot modify the information in your LDAP directory. You can add, delete, or modify LDAP users or groups only in the LDAP directory itself.

Below table shows supported combinations of Operating System, LDAP Server, and Authentication Method which vCloud Director supports.

ad

Since this is my lab environment I am using unencrypted simple LDAP binds. But for production environment this is a very bad idea, as they pass the AD user credentials across the network in plain text.

If you tend to use simple LDAP binds then it should be encrypted using SSL. This is better, but it is still preferable not to send the password at all, encrypted or not.

If you don’t wish to send any kind of password across the network then you can use Kerberos authentication. With Kerberos, no passwords cross the wire – just encrypted Kerberos tickets with a limited lifespan.

If you are looking for using LDAP with SSL I would suggest you to look following 2 articles:

Enable LDAP over SSL with a third-party certification authority

Mike Laverick Blog

If you are looking for setting Kerberos authentication with vCD please follow the VMware KB 2015986

The below table lists the port details and their usage:

port

LDAP or Local Authentication?

As discussed earlier vCloud Director supports both LDAP and Local logins.

You can configure an OU structure on the domain to reflect the different organizations – and then allow the Organization just to be able to “see” the users and groups in that Organization. Alternatively, each Organization can have its one per-Org LDAP configuration.

Limitations with using local user accounts

There’s a whole bunch of limitations with local users which makes their use debatable.

  • Groups cannot be used
  • A minimum length of 6 character only
  • No password complexity policies
  • No password expiration policies
  • No password history
  • No authentication failure controls
  • No integration with enterprise identity management system

One advantage of having local login is that it can serve as a backdoor entry to your cloud infrastructure when your directory services are down.

Lets have a look on how to configure LDAP for use with vCD

Login to the vCloud Director Web interface and navigate to Administration tab.

Under System Settings select LDAP. You have to supply following information:

server name: FQDN of your AD/LDAP server

port: LDAP port. Please refer the table shown above to identify the correct port

Base distinguished name: in the format (dc=example,dc=com)

SSL: check mark the box if you want to use LDAP with SSL

Additionally you can configure your vCD to use kerberos authentication. In this case you have to define the Kerberos Realm and credentials.

ldap-1

I am not using secure LDAP or Kerberos in my lab so my configuration looks like as shown below:

ldap-2

Do not modify the fields shown in below screenshot untill and unless your AD/LDAP admin have setup the server with specific settings. For most of the deployment default settings are enough and should not be touched.

ldap-3

Once you have filled up the LDAP details, hit Test LDAP button to check if vCD is able to contact LDAP. If the connection is successful between vCD and LDAP you will see a screen like as shown below:

ldap-4

You can search for a particular user account to verify vCD is able to pull up details of that user from LDAP. In the search box type username and hit Test button.

ldap-5

I hope this post is informational to you. You can hit like and share it on social media as well.

About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.
This entry was posted in vCloud Director, Vmware and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s