A quick post on the process to add identity sources to vCenter. Why would you want to do this? I know you already know this answer otherwise you wouldn’t be reading this 🙂
Anyway, this lets you control access to the VMware environment using your directory service, predominantly Microsoft Active Directory. Other directory services can be used as well, but I have not tested them.
So how to do this. Here you go.
- Log in to the vSphere Web Client with administrative credentials for the PSC domain (the default account is administrator@vsphere.local unless you have a custom PSC domain – I do)
- Click on Administration
- Select Configuration –> Identity Sources –> Plus symbol
- Active Directory (Integrated Windows Authentication)
You can use this if your vCenter is joined to the AD domain. If you use an external PSC, it also needs to be joined to the AD domain. This is the simplest option.
Select the radio button next to it; as long as the vCSA (and the external PSC, if you use one) is joined to AD, there are no additional steps to configure.
- Active Directory as an LDAP server
If the vCenter and PSC appliances are not joined to the domain, or for some reason you can't add them (compliance or something!), use this option. It is more hands-on and requires an AD service account.
Lets dive into it.
Name: Any name that identifies this directory service connection. For Active Directory the domain name works well.
Base DN for users: DC=<domain>,DC=<com>
Domain Name: <domain name e.g. degetec.com>
Domain Alias: <NetBIOS name of the AD domain>
Base DN for groups: DC=<domain>,DC=<com>
Primary Server URL: <Primary domain controller, in the form ldap://hostname:389 or ldaps://hostname:636. Use port 3268 (ldap) or 3269 (ldaps) to query the Global Catalog instead of a single DC. Prefer ldaps://, since a plain ldap:// bind sends the service account password over the network in cleartext; the scheme and port must match.>
Secondary Server URL: <Secondary domain controller, same format as the primary>
Username: <AD service account with read-only access to the Base DNs above. Use a dedicated account, not a domain admin; the password is stored by vCenter.>
Password: <Password for the service account>
With vSphere 6.5, instead of entering primary and secondary domain controllers, you can enter the FQDN of the domain itself and let vCenter pick a domain controller. Do not use an IP address, and make sure vCenter can resolve the FQDN; if it can't, fix the DNS settings on vCenter first.
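Before typing the values above into the Web Client, it helps to derive and sanity-check them once, so that a wrong scheme/port pair or an IP literal is caught before "Test Connection" fails. The following is an added example, not code from the original post or from VMware; the domain degetec.com, the hosts dc01/dc02 and the service account name are constructed placeholders, and the form field names are the ones listed above.

```python
"""
Added example (not from the original post): derive and sanity-check the
field values for an "Active Directory as an LDAP server" identity source
before typing them into the vSphere Web Client. The domain, hosts and
service account below are constructed placeholders.
"""
import ipaddress
from urllib.parse import urlsplit

# Scheme/port pairs Active Directory actually serves. 389/636 query one
# domain controller; 3268/3269 are the Global Catalog. LDAPS needs the
# ldaps:// scheme, not ldap:// pointed at a different port.
AD_LDAP_PORTS = {
    ("ldap", 389): "LDAP to a domain controller (cleartext bind)",
    ("ldaps", 636): "LDAPS to a domain controller",
    ("ldap", 3268): "LDAP to the Global Catalog (cleartext bind)",
    ("ldaps", 3269): "LDAPS to the Global Catalog",
}


def base_dn(domain: str) -> str:
    """'degetec.com' -> 'DC=degetec,DC=com' (Base DN for users and groups)."""
    labels = [part for part in domain.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def _reject_ip(host: str) -> None:
    """vCenter wants the DC's FQDN; an IP literal also breaks LDAPS certificate checks."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return  # not an IP literal, so a hostname: fine
    raise ValueError(f"{host}: use the domain controller's FQDN, not an IP address")


def server_url(host: str, secure: bool = True, global_catalog: bool = False) -> str:
    """Build a Primary/Secondary Server URL with the port that matches the scheme."""
    _reject_ip(host)
    port = {(True, False): 636, (False, False): 389,
            (True, True): 3269, (False, True): 3268}[(secure, global_catalog)]
    scheme = "ldaps" if secure else "ldap"
    return f"{scheme}://{host.strip().lower()}:{port}"


def check_server_url(url: str) -> str:
    """Validate a hand-typed URL; return what it would connect to, else raise."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"{url}: scheme must be ldap:// or ldaps://")
    if not parts.hostname or parts.port is None:
        raise ValueError(f"{url}: expected <scheme>://<fqdn>:<port>")
    _reject_ip(parts.hostname)
    try:
        return AD_LDAP_PORTS[(parts.scheme, parts.port)]
    except KeyError:
        raise ValueError(
            f"{url}: port {parts.port} is not an AD {parts.scheme} port; "
            "use 389/3268 with ldap:// or 636/3269 with ldaps://"
        ) from None


def identity_source(domain: str, netbios: str, primary_dc: str, secondary_dc: str,
                    username: str, secure: bool = True) -> dict:
    """Assemble the Web Client form fields and attach warnings worth reading."""
    warnings = []
    if "@" not in username and "\\" not in username:
        warnings.append("Username should be a UPN (svc@domain) or DOMAIN\\user "
                        "so the simple bind is unambiguous")
    if not secure:
        warnings.append("ldap:// sends the service account password in cleartext; "
                        "prefer ldaps:// with the DC's certificate chain trusted by vCenter")
    fields = {
        "Name": domain,
        "Base DN for users": base_dn(domain),
        "Domain Name": domain,
        "Domain Alias": netbios.upper(),
        "Base DN for groups": base_dn(domain),
        "Primary Server URL": server_url(primary_dc, secure),
        "Secondary Server URL": server_url(secondary_dc, secure),
        "Username": username,
    }
    for key in ("Primary Server URL", "Secondary Server URL"):
        check_server_url(fields[key])  # raises on a bad scheme/port pair
    fields["Warnings"] = warnings
    return fields


if __name__ == "__main__":
    cfg = identity_source("degetec.com", "degetec", "dc01.degetec.com",
                          "dc02.degetec.com", "svc-vcenter-ldap@degetec.com")
    for key, value in cfg.items():
        print(f"{key}: {value}")
```

The check does not bind to the directory; it only catches the mistakes that are easy to make in the form (ldaps:// on 3268, an IP instead of an FQDN, an unqualified bind username). The actual bind is what "Test Connection" exercises.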
- Open LDAP
As the name suggests, this is for an OpenLDAP-style open source implementation of the Lightweight Directory Access Protocol (LDAP).
- Local OS
This is for accounts local to the operating system of the PSC/vCenter appliance itself, as opposed to the built-in SSO domain (vsphere.local by default), which is always present and needs no identity source. There are use cases for this, e.g. a test environment that doesn't have AD.
Next, test the connection by clicking "Test Connection", then click OK. You are now ready to create roles and map them to users/groups in your directory service.
Comments welcome. Enjoy.